
11 Algorithm Parameters and Structures

11.1 Symmetric

11.1.9 TPMS_SYMCIPHER_PARMS

This structure contains the parameters for a symmetric block cipher object.

Table 131 — Definition of TPMS_SYMCIPHER_PARMS Structure

Parameter Type Description

11.1.10 TPM2B_SENSITIVE_DATA

This buffer holds the secret data of a data object. It can hold as much as 128 octets of data. MAX_SYM_DATA shall be 128.

NOTE A named value rather than a numeric is used to make coding clearer. A numeric value does not indicate the reason that it has the specific value that it has.

Table 132 — Definition of TPM2B_SENSITIVE_DATA Structure

| Parameter | Type | Description |
|---|---|---|
| size | UINT16 | |
| buffer[size]{: MAX_SYM_DATA} | BYTE | the keyed hash private data structure |

11.1.11 TPMS_SENSITIVE_CREATE

This structure defines the values to be placed in the sensitive area of a created object. This structure is only used within a TPM2B_SENSITIVE_CREATE structure.

NOTE When sent to the TPM or unsealed, data is usually encrypted using parameter encryption.

If data.size is not zero, and the object is not a keyedHash, data.size must match the size indicated in the keySize of public.parameters. If the object is a keyedHash, data.size may be any value up to the maximum allowed in a TPM2B_SENSITIVE_DATA.

For an asymmetric object, data shall be an Empty Buffer and sensitiveDataOrigin shall be SET.

Table 133 — Definition of TPMS_SENSITIVE_CREATE Structure <IN>

| Parameter | Type | Description |
|---|---|---|
| userAuth | TPM2B_AUTH | the USER auth secret value |
| data | TPM2B_SENSITIVE_DATA | data to be sealed |

11.1.12 TPM2B_SENSITIVE_CREATE

This structure contains the sensitive creation data in a sized buffer. This structure is defined so that both the userAuth and data values of the TPMS_SENSITIVE_CREATE may be passed as a single parameter for parameter encryption purposes.

Table 134 — Definition of TPM2B_SENSITIVE_CREATE Structure <IN, S>

| Parameter | Type | Description |
|---|---|---|
| size= | UINT16 | size of sensitive in octets (may not be zero) |

NOTE The userAuth and data parameters in this buffer may both be zero length but the minimum size of this parameter will be the sum of the size fields of the two parameters of the TPMS_SENSITIVE_CREATE.
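The sized-buffer rules of 11.1.10 through 11.1.12 (the MAX_SYM_DATA bound, the data.size/keySize match for a symmetric object, the Empty Buffer requirement for an asymmetric object, and the non-zero size= of Table 134) are mechanical enough to enforce in code. The Python below is an added example, not code from the TPM specification or from any TPM software stack. It assumes the TPM big-endian wire encoding for UINT16 and TPM2B, treats keySize as a bit count, and bounds TPM2B_AUTH at 64 octets; those last two conventions come from elsewhere in the specification rather than from this page.

```python
"""Marshal, unmarshal and check TPM2B_SENSITIVE_CREATE (11.1.10 to 11.1.12).

Added example, not code from the TPM specification.  TPM wire encoding is
big-endian; a TPM2B is a UINT16 size followed by that many octets.  The
TPM2B_AUTH bound and the convention that keySize is given in bits are taken
from the wider TPM 2.0 specification, not from this page, and are assumptions here.
"""
import struct
from dataclasses import dataclass

MAX_SYM_DATA = 128   # 11.1.10: TPM2B_SENSITIVE_DATA holds at most 128 octets
MAX_AUTH = 64        # assumption: TPM2B_AUTH is bounded by the largest supported digest

OBJ_KEYEDHASH, OBJ_SYMCIPHER, OBJ_ASYMMETRIC = "keyedHash", "symcipher", "asymmetric"


def pack_tpm2b(buf: bytes) -> bytes:
    """TPM2B: UINT16 size (big-endian) followed by the octets."""
    return struct.pack(">H", len(buf)) + buf


def unpack_tpm2b(data: bytes, offset: int) -> tuple[bytes, int]:
    """Read one TPM2B at offset and return (buffer, next offset); raise on truncation."""
    if offset + 2 > len(data):
        raise ValueError("truncated TPM2B size field")
    (size,) = struct.unpack_from(">H", data, offset)
    offset += 2
    if offset + size > len(data):
        raise ValueError("TPM2B size exceeds remaining input")
    return data[offset:offset + size], offset + size


@dataclass
class SensitiveCreate:
    user_auth: bytes = b""   # TPM2B_AUTH: the USER auth secret value
    data: bytes = b""        # TPM2B_SENSITIVE_DATA: data to be sealed

    def violations(self, object_kind: str, key_size_bits: int = 0,
                   sensitive_data_origin: bool = False) -> list[str]:
        """Return every rule from 11.1.10/11.1.11 this value breaks (empty list = acceptable)."""
        problems = []
        if len(self.user_auth) > MAX_AUTH:
            problems.append("userAuth exceeds TPM2B_AUTH capacity")
        if len(self.data) > MAX_SYM_DATA:
            problems.append("data.size exceeds MAX_SYM_DATA")
        if object_kind == OBJ_ASYMMETRIC:
            # data shall be an Empty Buffer and sensitiveDataOrigin shall be SET
            if self.data or not sensitive_data_origin:
                problems.append("asymmetric object needs empty data and sensitiveDataOrigin SET")
        elif object_kind == OBJ_SYMCIPHER:
            # a non-zero data.size must match keySize (keySize assumed to be in bits)
            if self.data and len(self.data) != key_size_bits // 8:
                problems.append("data.size does not match public.parameters keySize")
        elif object_kind != OBJ_KEYEDHASH:
            problems.append(f"unknown object kind {object_kind!r}")
        # keyedHash: any data.size up to MAX_SYM_DATA is allowed
        return problems

    def marshal(self) -> bytes:
        """TPM2B_SENSITIVE_CREATE: outer size= field wrapping the two inner TPM2Bs."""
        return pack_tpm2b(pack_tpm2b(self.user_auth) + pack_tpm2b(self.data))


def unmarshal_sensitive_create(wire: bytes) -> SensitiveCreate:
    """Parse a TPM2B_SENSITIVE_CREATE, enforcing the Table 134 size rules."""
    inner, end = unpack_tpm2b(wire, 0)
    if end != len(wire):
        raise ValueError("trailing octets after TPM2B_SENSITIVE_CREATE")
    # NOTE under Table 134: the minimum is the two UINT16 size fields, so size may not be zero.
    if len(inner) < 4:
        raise ValueError("sensitive size below the two inner size fields")
    user_auth, off = unpack_tpm2b(inner, 0)
    data, off = unpack_tpm2b(inner, off)
    # 'size=' means the field must equal the marshalled TPMS_SENSITIVE_CREATE exactly.
    if off != len(inner):
        raise ValueError("size does not equal the marshalled TPMS_SENSITIVE_CREATE")
    if len(data) > MAX_SYM_DATA:
        raise ValueError("data.size exceeds MAX_SYM_DATA")
    return SensitiveCreate(user_auth, data)


def parses(wire: bytes) -> bool:
    """Predicate form of unmarshal_sensitive_create: does the wire form pass every check?"""
    try:
        unmarshal_sensitive_create(wire)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: seal 16 octets under a 4-octet auth value.
    sc = SensitiveCreate(user_auth=b"pass", data=bytes(range(16)))
    assert not sc.violations(OBJ_KEYEDHASH)
    print(sc.marshal().hex())
```

The outer size field is computed from the marshalled inner structure, so a caller cannot produce a size= that disagrees with the contents; on the parsing side the same relationship is checked rather than trusted, which is the property the `=` annotation in Table 134 asks for.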

11.1.13 TPMS_SCHEME_HASH

This structure is the scheme data for schemes that only require a hash to complete their definition.

Table 135 — Definition of TPMS_SCHEME_HASH Structure

| Parameter | Type | Description |
|---|---|---|
| hashAlg | TPMI_ALG_HASH | the hash algorithm used to digest the message |

11.1.14 TPMS_SCHEME_ECDAA

This definition is for split signing schemes that require a commit count.

Table 136 — Definition of {ECC} TPMS_SCHEME_ECDAA Structure

| Parameter | Type | Description |
|---|---|---|
| hashAlg | TPMI_ALG_HASH | the hash algorithm used to digest the message |
| count | UINT16 | the counter value that is used between TPM2_Commit() and the sign operation |

11.1.15 TPMI_ALG_HASH_SCHEME

This is the list of values that may appear in a keyedHash as the scheme parameter.

Table 137 — Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type

| Values | Comments |
|---|---|
| TPM_ALG_HMAC | the "signing" scheme |
| TPM_ALG_XOR | the "obfuscation" scheme |
| +TPM_ALG_NULL | #TPM_RC_VALUE |

11.1.16 HMAC_SIG_SCHEME

Table 138 — Definition of Types for HMAC_SIG_SCHEME

| Type | Name | Description |
|---|---|---|
| TPMS_SCHEME_HASH | TPMS_SCHEME_HMAC | |

11.1.17 TPMS_SCHEME_XOR

This structure is for the XOR encryption scheme.

Table 139 — Definition of TPMS_SCHEME_XOR Structure

| Parameter | Type | Description |
|---|---|---|
| hashAlg | +TPMI_ALG_HASH | the hash algorithm used to digest the message |

11.1.18 TPMU_SCHEME_HMAC

Table 140 — Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S>

| Parameter | Type | Selector | Description |
|---|---|---|---|
| hmac | TPMS_SCHEME_HMAC | TPM_ALG_HMAC | the "signing" scheme |
| xor | TPMS_SCHEME_XOR | TPM_ALG_XOR | the "obfuscation" scheme |
| null | | TPM_ALG_NULL | |

11.1.19 TPMT_KEYEDHASH_SCHEME

This structure is used for a hash signing object.

Table 141 — Definition of TPMT_KEYEDHASH_SCHEME Structure

| Parameter | Type | Description |
|---|---|---|
| scheme | +TPMI_ALG_KEYEDHASH_SCHEME | selects the scheme |

11.2 Asymmetric

11.2.1 Signing Schemes

11.2.1.1 Introduction

These structures are used to define the method in which the signature is to be created. These schemes would appear in an object’s public area and in commands where the signing scheme is variable.

Every scheme is required to indicate a hash that is used in digesting the message.

11.2.1.2 RSA Signature Schemes

These are the RSA schemes that only need a hash algorithm as a scheme parameter.

For the TPM_ALG_RSAPSS signing scheme, the same hash algorithm is used for digesting TPM-generated data (an attestation structure) and in the KDF used for the masking operation. The salt size is always the largest salt value that will fit into the available space.

Table 142 — Definition of {RSA} Types for RSA Signature Schemes

| Type | Name | Description |
|---|---|---|
| TPMS_SCHEME_HASH | TPMS_SIG_SCHEME_!ALG.AX | |

11.2.1.3 ECC Signature Schemes

Most of the ECC signature schemes only require a hash algorithm to complete the definition and can be typed as TPMS_SCHEME_HASH. Anonymous algorithms also require a count value, so they are typed to be TPMS_SCHEME_ECDAA.

Table 143 — Definition of {ECC} Types for ECC Signature Schemes

| Type | Name | Description |
|---|---|---|
| TPMS_SCHEME_HASH | TPMS_SIG_SCHEME_!ALG.AX | all asymmetric signing schemes |

11.2.1.4 TPMU_SIG_SCHEME

The union of all of the signature schemes.

NOTE The TPMS_SIG_SCHEME_!ALG is determined by Table 142 or Table 143 and will be either a TPMS_SCHEME_HASH or a TPMS_SCHEME_ECDAA.

Table 144 — Definition of TPMU_SIG_SCHEME Union <IN/OUT, S>

| Parameter | Type | Selector | Description |
|---|---|---|---|
| !ALG.ax | TPMS_SIG_SCHEME_!ALG | TPM_ALG_!ALG | all signing schemes including anonymous schemes |
| hmac | TPMS_SCHEME_HMAC | TPM_ALG_HMAC | the HMAC scheme |
| any | TPMS_SCHEME_HASH | | selector that allows access to digest for any signing scheme |
| null | | TPM_ALG_NULL | no scheme or default |

11.2.1.5 TPMT_SIG_SCHEME

Table 145 — Definition of TPMT_SIG_SCHEME Structure

| Parameter | Type | Description |
|---|---|---|
| scheme | +TPMI_ALG_SIG_SCHEME | scheme selector |
| [scheme]details | TPMU_SIG_SCHEME | scheme parameters |
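The keyedHash scheme tables (137 through 141) and the signature scheme tables (142 through 145) follow one pattern: the TPM_ALG_ID selector is marshalled first and decides which union member follows, nothing for TPM_ALG_NULL, a TPMS_SCHEME_HASH for most schemes, and a TPMS_SCHEME_ECDAA (hashAlg plus the TPM2_Commit() count) for the anonymous schemes. The `+` marks where TPM_ALG_NULL is acceptable and `#TPM_RC_VALUE` is the response for a selector outside the table. The Python below is an added example covering both TPMT_KEYEDHASH_SCHEME and TPMT_SIG_SCHEME; it is not code from the TPM specification or from any TPM stack. The numeric TPM_ALG_ID constants come from the TCG Algorithm Registry rather than this page, and the set of hash algorithms the parser accepts is an assumption of the example.

```python
"""Selector-driven (un)marshalling of TPMT_KEYEDHASH_SCHEME and TPMT_SIG_SCHEME.

Added example, not code from the TPM specification.  It applies the rules of
Tables 137 to 145: the TPM_ALG_ID selector decides whether the details are
absent (TPM_ALG_NULL), a TPMS_SCHEME_HASH (one hashAlg) or a TPMS_SCHEME_ECDAA
(hashAlg plus a UINT16 count).  The numeric TPM_ALG_ID values come from the
TCG Algorithm Registry, not from this page.
"""
import struct
from dataclasses import dataclass
from typing import Callable, Optional

# TPM_ALG_ID values (TCG Algorithm Registry; not listed on this page).
TPM_ALG_HMAC = 0x0005
TPM_ALG_XOR = 0x000A
TPM_ALG_SHA256 = 0x000B
TPM_ALG_NULL = 0x0010
TPM_ALG_RSASSA = 0x0014
TPM_ALG_RSAPSS = 0x0016
TPM_ALG_ECDSA = 0x0018
TPM_ALG_ECDAA = 0x001A
TPM_ALG_ECSCHNORR = 0x001C

KEYEDHASH_SELECTORS = {TPM_ALG_HMAC, TPM_ALG_XOR}                  # Table 137 (TPM_ALG_NULL via '+')
SIG_SELECTORS = {TPM_ALG_RSASSA, TPM_ALG_RSAPSS, TPM_ALG_ECDSA,     # Tables 142/143 plus hmac (Table 144)
                 TPM_ALG_ECDAA, TPM_ALG_ECSCHNORR, TPM_ALG_HMAC}
ECDAA_SELECTORS = {TPM_ALG_ECDAA}   # anonymous schemes carry the commit count (Table 136)
HASH_ALGS = {TPM_ALG_SHA256}        # assumption: hash algorithms this parser accepts for hashAlg


@dataclass
class Scheme:
    scheme: int                     # TPMI_ALG_*_SCHEME selector
    hash_alg: Optional[int] = None  # TPMS_SCHEME_HASH.hashAlg (absent for TPM_ALG_NULL)
    count: Optional[int] = None     # TPMS_SCHEME_ECDAA.count (only for ECDAA)


def marshal_scheme(s: Scheme) -> bytes:
    """Selector first, then only the union member that selector names."""
    out = struct.pack(">H", s.scheme)
    if s.scheme == TPM_ALG_NULL:
        return out                          # the null member has no data
    out += struct.pack(">H", s.hash_alg)
    if s.scheme in ECDAA_SELECTORS:
        out += struct.pack(">H", s.count)   # TPM2_Commit() counter
    return out


def unmarshal_scheme(wire: bytes, allowed: set) -> Scheme:
    """Parse a TPMT_* scheme whose '+' selector admits TPM_ALG_NULL; 'allowed' is its selector set."""
    if len(wire) < 2:
        raise ValueError("truncated selector")
    (sel,) = struct.unpack_from(">H", wire, 0)
    off = 2
    if sel == TPM_ALG_NULL:
        if off != len(wire):
            raise ValueError("unexpected octets after null scheme")
        return Scheme(TPM_ALG_NULL)
    if sel not in allowed:
        raise ValueError(f"TPM_RC_VALUE: selector 0x{sel:04x} not valid for this scheme type")
    if len(wire) < off + 2:
        raise ValueError("truncated hashAlg")
    (hash_alg,) = struct.unpack_from(">H", wire, off)
    off += 2
    # Table 139: the XOR scheme's hashAlg is '+TPMI_ALG_HASH', so TPM_ALG_NULL is allowed there only.
    if hash_alg not in HASH_ALGS and not (sel == TPM_ALG_XOR and hash_alg == TPM_ALG_NULL):
        raise ValueError("TPM_RC_HASH: hashAlg not supported for this scheme")
    count = None
    if sel in ECDAA_SELECTORS:
        if len(wire) < off + 2:
            raise ValueError("truncated ECDAA count")
        (count,) = struct.unpack_from(">H", wire, off)
        off += 2
    if off != len(wire):
        raise ValueError("trailing octets after scheme details")
    return Scheme(sel, hash_alg, count)


def unmarshal_sig_scheme(wire: bytes) -> Scheme:
    """TPMT_SIG_SCHEME (Table 145) over the TPMU_SIG_SCHEME union of Table 144."""
    return unmarshal_scheme(wire, SIG_SELECTORS)


def unmarshal_keyedhash_scheme(wire: bytes) -> Scheme:
    """TPMT_KEYEDHASH_SCHEME (Table 141): HMAC, XOR, or the null member."""
    return unmarshal_scheme(wire, KEYEDHASH_SELECTORS)


def scheme_parses(wire: bytes, parser: Callable[[bytes], Scheme]) -> bool:
    """Predicate form of a parser: True when the wire form is accepted."""
    try:
        parser(wire)
        return True
    except ValueError:
        return False
```

Because the selector is read before any union member, the parser never has to guess the length of the details from the remaining input; the one place length matters is the final trailing-octet check, which catches a TPMS_SCHEME_ECDAA offered where the selector promised a TPMS_SCHEME_HASH and vice versa.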