Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

tpm_quote_tools(8) [centos man page]

TPM QUOTE 
TOOLS(8)														TPM QUOTE TOOLS(8)

NAME

       TPM Quote Tools

PROGRAMS

       tpm_mkuuid, tpm_mkaik, tpm_loadkey, tpm_unloadkey, tpm_getpcrhash, tpm_updatepcrhash, tpm_getquote, tpm_verifyquote

DESCRIPTION

       TPM Quote Tools is a collection of programs that provide support for TPM based attestation using the TPM quote operation.

       A  TPM  contains  a set of Platform Configuration Registers (PCRs).  In a well configured machine, some of these registers are set to known
       values during the boot up process or at other times.  For example, a PCR might contain the hash of a boot loader in  memory  before  it	is
       run.

       The  TPM  quote operation is used to authoritatively verify the contents of a TPM's Platform Configuration Registers (PCRs).  During provi-
       sioning, a composite hash of a selected set of PCRs is computed.  The TPM quote operation produces a composite hash that  can  be  compared
       with the one computed while provisioning.

       To  use the TPM quote operation, keys must be generated.  During provisioning, an Attestation Identity Key (AIK) is generated for each TPM,
       and the public part of the key is made available to entities that validate quotes.

       The TPM quote operation returns signed data and a signature.  The data that is signed contains the PCRs selected  for  the  operation,  the
       composite  hash	for  the selected PCRs, and a nonce provided as input, and used to prevent replay attacks.  At provisioning time, the data
       that is signed is stored, not just the composite hash.  The signature is discarded.

       An entity that wishes to evaluate a machine generates a nonce, and sends it along with the set of PCR used to generate  the  composite  PCR
       hash at provisioning time.  For this use of the TPM quote operation, the signed data is ignored, and the signature returned is used to val-
       idate the state of the TPM's PCRs.  Given the signature, the evaluating entity replaces the nonce in the signed data  generated	at  provi-
       sioning	time,  and  checks to see if the signature is valid for the data.  If so, this check ensures the selected PCRs contain values that
       match the ones measured during provisioning.

       A typical scenario for an enterprise using these tools follows.	The tools expect AIKs to be referenced via one enterprise-wide Universally
       Unique Identifier (UUID).  The program tpm_mkuuid creates one.

       For  each  machine  being  checked,  an	AIK  is  created using tpm_mkaik.  The key blob produced is bound to the UUID on its machine using
       tpm_loadkey.  The public key associated with the AIK is sent to the entities that verify quotes.  Finally, the expected PCR composite  hash
       is obtained using tpm_getpcrhash.  When the expected PCR values change, a new hash can be generated with tpm_updatepcrhash.

       The  program  to  obtain  a  quote,  and  thus  measure the current state of the PCRs is tpm_getquote.  The program that verifies the quote
       describes the same PCR composite hash as was measured initially is tpm_verifyquote.

SEE ALSO

       tpm_mkuuid(8), tpm_mkaik(8), tpm_loadkey(8), tpm_unloadkey(8), tpm_getpcrhash(8), tpm_updatepcrhash(8), tpm_getquote(8), tpm_verifyquote(8)

								     Oct 2010							TPM QUOTE TOOLS(8)

Check Out this Related Man Page

tcsd.conf(5)							File Formats Manual						      tcsd.conf(5)

								TCG Software Stack

NAME

       tcsd.conf - configuration file for the trousers TCS daemon.

DESCRIPTION

       This  file,  by	default  /etc/tcsd.conf  is  read by the trousers TCSD daemon, tcsd (see tcsd(8)). The tcsd.conf file that is installed by
       trousers contains all the default options, commented out.

OPTIONS

       port The port that TCSD will listen on for connections, local and remote, from applications.

       num_threads The maximum number of threads that the TCSD will spawn simultaneously to service applications. After num_threads  threads  have
       been spawned, any application that attempts to connect to the TCSD will receive an error.

       system_ps_file  The  location of the system persistent storage file. The system persistent storage file holds keys and data across restarts
       of the TCSD and system reboots.

       firmware_log_file Path to the file containing the current firmware PCR event log data. The interface to this log is usually provided by the
       TPM device driver.

       kernel_log_file	Path to the file containing the current kernel PCR event log data. By default, this data will be parsed in the format pro-
       vided by the Integrity Measurement Architecture LSM.

       firmware_pcrs A list of PCR indices that are manipulated only by the system firmware and therefore are not extended or logged by the  TCSD.
       Applications that call Tcsi_PcrExtend on PCRs listed here will receive an error.

       kernel_pcrs  A  list  of PCR indices that are manipulated only by the kernel and therefore are not extended or logged by the TCSD. Applica-
       tions that call Tcsi_PcrExtend on PCRs listed here will receive an error.

       platform_cred Path to the platform credential for your TPM.  Your TPM manufacturer may have provided you with a set  of	credentials  (cer-
       tificates)  that should be used when creating identities using your TPM. When a user of your TPM makes an identity, this credential will be
       encrypted as part of that process. See the 1.1b TPM Main specification section 9.3 for information on this process.

       conformance_cred Path to the conformance credential for your TPM.  Your TPM manufacturer may have provided you with a  set  of  credentials
       (certificates) that should be used when creating identities using your TPM. When a user of your TPM makes an identity, this credential will
       be encrypted as part of that process. See the 1.1b TPM Main specification section 9.3 for information on this process.

       endorsement_cred Path to the endorsement credential for your TPM.  Your TPM manufacturer may have provided you with a  set  of  credentials
       (certificates) that should be used when creating identities using your TPM. When a user of your TPM makes an identity, this credential will
       be encrypted as part of that process. See the 1.1b TPM Main specification section 9.3 for information on this process.

       remote_ops A list of TCS commands which will be allowed to be executed on this machine's TCSD by TSP's on non-local hosts (over the  inter-
       net). By default, access to all operations is denied.

       host_platform_class  Determines	the  TCG specification of the host's platform class. This refers to one of the specifications contained in
       the TCG web site. The default is PC specification version 1.2 .

       all_platform_classes Specifies all the TCG defined platforms associated with the host platform. The host_platform_class must not be defined
       here. By default, all platforms but the host platform are associated.

EXAMPLE

	      port = 30003
	      num_threads = 10
	      system_ps_file = /usr/local/var/tpm/system.data
	      firmware_log_file = /proc/tpm/firmware_events
	      kernel_log_file = /proc/tcg/measurement_events
	      firmware_pcrs = 0,1,2,3,4,5,6,7
	      kernel_pcrs = 10,11
	      platform_cred = /usr/local/var/lib/tpm/platform.cert
	      conformance_cred = /usr/local/var/lib/tpm/conformance.cert
	      endorsement_cred = /usr/local/var/lib/tpm/endorsement.cert
	      remote_ops = create_key,random
	      host_platform_class = server_12
	      all_platform_classes = pc_11,pc_12,mobile_12

SEE ALSO

       tcsd(8)

AUTHOR

       Kent Yoder

REPORTING BUGS

       Report bugs to <trousers-tech@lists.sf.net>

TSS 1.1 							    2006-07-14							      tcsd.conf(5)
Man Page