2.5 Remote Attestation
2.5.3 Trusted Platform Module (TPM)
To provide a tamper-resistant hardware root of trust, the Trusted Platform Module (TPM), a cryptographic co-processor chip, was developed using the specifications of the Trusted Computing Group [106]. The TPM chip is shipped with all modern processors and chipsets [22, 23]. The TPM measures the BIOS before it is loaded into memory. It also provides the hardware for hashing the BIOS and the registers to store an aggregated hash of all the measured hash values. The operations cannot be tampered with, since all of them are performed inside the TPM hardware.
A TPM contains the following components in its architecture (Figure 2.3):
I/O: The input/output controller of the trusted platform module manages the information flow over the communication bus of the TPM by routing messages to the appropriate components of the TPM.
Cryptographic Co-Processor: The cryptographic co-processor implements the cryptographic operations within the TPM. These include asymmetric key generation (RSA), encryption/decryption (RSA), hashing (SHA-1) and random number generation.
Key generation: This component generates key pairs for use by the RSA algorithm. A TPM can support keys of up to 2048 bits.
Hash-based Message Authentication Code (HMAC) Engine: The HMAC engine is responsible for the calculation of HMACs as per RFC 2104. HMAC calculation is used to provide proof of data created by the TPM and for verifying the HMAC of data arriving at the TPM.
Figure 2.3: TPM Architecture (components shown: Communication Bus, I/O, Cryptographic Coprocessor, Key Generation, RNG, Power Detection, Volatile Memory, Execution Engine, Non-Volatile Memory, Opt-in, SHA-1 Engine, HMAC Engine)
Random number generator (RNG): The RNG component generates random bits that are used for nonces, key generation and randomness in signatures.
SHA-1 Engine: The SHA-1 engine is a message digest engine that uses the Secure Hash Algorithm [33]. This algorithm hashes the given data and produces a 20-byte digest. It forms the basis of the HMAC engine (hash-based message authentication code), which is used for computing digital signatures and creating the objects necessary for integrity protection. The hash interfaces are exposed outside the TPM to support measurement during the platform boot phases (measurement of the BIOS).
Power Detection: This component manages the power states of the TPM in conjunction with the physical server power states. It identifies reboots of the platform and notifies the TPM of the reset.
Opt-In: This component provides mechanisms to allow the TPM to be turned on/off.
Execution engine: The execution engine runs program code to execute the TPM commands received from the BIOS and from the TPM driver of the OS. The TPM commands provide TPM management functions, such as starting a TPM and protecting the TPM with a password, as well as operational functions such as encryption and decryption of data and storing integrity values in its registers.
Non-volatile memory: Non-volatile memory is used to store the persistent identity information of the TPM. It stores the keys that are used to authenticate the TPM.
Apart from these components, a TPM has special registers called Platform Configuration Registers that hold the aggregated hash of the integrity values of the loaded applications.
Platform configuration registers (PCR): A platform configuration register is a 160-bit storage for integrity values. A TPM has a minimum of 16 PCR registers; however, the latest TPMs ship with 24 registers [106]. A PCR is designed to hold an aggregated hash value, $Ag$, that can act as the proof of all the hash values measured by a server.
The aggregated hash value at a given stage $n$ (the value representing the hash of all the software loaded up to this stage $n$) is given by

$$Ag_n = H(Ag_{n-1} \,\|\, H(S_n)) \qquad (2.1)$$

Every time a software binary $S_n$ is loaded into memory, its hash value $H(S_n)$ is concatenated with $Ag_{n-1}$, the aggregated hash of all the software up to $S_{n-1}$. The new aggregated hash $Ag_n$ is given by the hash of the concatenated value $Ag_{n-1} \,\|\, H(S_n)$. This process is referred to as extend and is used widely in architectures that use a TPM for remote attestation.
Equation (1) can be further expanded as follows:
The aggregated hash is not commutative, and hence a change in the loading order of software causes a change in the hash values. For example, measuring $S_i$ and then $S_{i+1}$ is not the same as measuring $S_{i+1}$ and then $S_i$. The other relevant hash property is one-wayness: it is cryptographically impossible for an attacker to determine the input message (the hash values of the software) given a PCR value.
The values in a PCR are modified only through the PCR Extend command. This command is invoked by the BIOS or the operating system with the hash of the software binary, $H(S_n)$, that was most recently loaded into memory and a PCR number that identifies the PCR among the 24 PCRs. PCR Extend replaces the value of the PCR indicated by the PCR number with the hash of the concatenation of the current value contained in that PCR and the hash of the most recently loaded software binary, $H(S_n)$ (Equation 1). Hence the PCR value cannot be overwritten to a known secure hash value by a malicious program, because PCR values are updated only through the PCR Extend operation.
Signed PCR values are retrieved by the operating system of the server using a TPM Quote operation. TPM Quote provides the invoker with the aggregated hash value, cryptographically signed with a key that uniquely identifies the TPM. A third-party verifier is provided with the measurement list (Section 2.5.2) and the result of the TPM Quote operation. The authenticity of a measurement list can be verified by recomputing the aggregated hash of the values provided in the list and comparing it with the aggregated hash that is digitally signed by the TPM.
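The extend recurrence of Equation (2.1) and the verifier's replay of a measurement list against a quoted PCR value, as an added Python model that is not part of the thesis or of any TPM implementation. The sample binaries, their load order and the all-zero reset value of the PCR are constructed assumptions, and verification of the TPM's signature over the quote is left out of the model.

```python
import hashlib

# Added example (not the thesis's own code): models the PCR extend recurrence
# Ag_n = H(Ag_{n-1} || H(S_n)) and the verifier's replay of a measurement list.
# SHA-1 gives the 160-bit (20-byte) PCR width described in the text.
HASH = hashlib.sha1
PCR_BYTES = HASH().digest_size          # 20 bytes
RESET_VALUE = bytes(PCR_BYTES)          # assumed all-zero PCR value after reset


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR Extend step: the new value is H(old PCR || H(S_n)).
    `measurement` must already be the digest H(S_n) of the loaded binary."""
    if len(pcr) != PCR_BYTES or len(measurement) != PCR_BYTES:
        raise ValueError("PCR value and measurement must be digest-sized")
    return HASH(pcr + measurement).digest()


def replay(measurement_list) -> bytes:
    """Verifier side: rebuild Ag_n from the reset value and the reported list."""
    pcr = RESET_VALUE
    for h_s in measurement_list:
        pcr = extend(pcr, h_s)
    return pcr


def verify_measurement_list(measurement_list, quoted_pcr: bytes) -> bool:
    """Accept the list only if its replay equals the PCR value in the quote.
    (Checking the TPM's signature over quoted_pcr is outside this model.)"""
    return replay(measurement_list) == quoted_pcr


# Constructed sample boot chain: the "binaries" are just labelled byte strings.
BINARIES = [b"bios-image", b"bootloader", b"kernel", b"init-daemon"]
MEASUREMENTS = [HASH(s_n).digest() for s_n in BINARIES]   # H(S_1) .. H(S_4)


def demo():
    """Returns (honest list accepted, reordered list rejected, altered binary rejected)."""
    quoted = replay(MEASUREMENTS)                 # what an honest quote would carry
    honest_ok = verify_measurement_list(MEASUREMENTS, quoted)
    # Extend is not commutative: swapping S_1 and S_2 changes Ag_n.
    reordered = [MEASUREMENTS[1], MEASUREMENTS[0]] + MEASUREMENTS[2:]
    reorder_caught = not verify_measurement_list(reordered, quoted)
    # A modified kernel has a different H(S_3); the replay no longer matches.
    altered = MEASUREMENTS[:2] + [HASH(b"kernel-modified").digest()] + MEASUREMENTS[3:]
    alter_caught = not verify_measurement_list(altered, quoted)
    return honest_ok, reorder_caught, alter_caught


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```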
Thus, through its PCRs, the TPM allows platform integrity reporting by creating a nearly unforgeable hash-key summary of the hardware and software configuration [TODO]. This hash-key summary serves as proof to a third party that the software has not been changed.