Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

tpm_quote_tools(8) [centos man page]

tpm_mkuuid, tpm_mkaik, tpm_loadkey, tpm_unloadkey, tpm_getpcrhash, tpm_updatepcrhash, tpm_getquote, tpm_verifyquote DESCRIPTION
TPM Quote Tools is a collection of programs that provide support for TPM based attestation using the TPM quote operation. A TPM contains a set of Platform Configuration Registers (PCRs). In a well configured machine, some of these registers are set to known values during the boot up process or at other times. For example, a PCR might contain the hash of a boot loader in memory before it is run. The TPM quote operation is used to authoritatively verify the contents of a TPM's Platform Configuration Registers (PCRs). During provi- sioning, a composite hash of a selected set of PCRs is computed. The TPM quote operation produces a composite hash that can be compared with the one computed while provisioning. To use the TPM quote operation, keys must be generated. During provisioning, an Attestation Identity Key (AIK) is generated for each TPM, and the public part of the key is made available to entities that validate quotes. The TPM quote operation returns signed data and a signature. The data that is signed contains the PCRs selected for the operation, the composite hash for the selected PCRs, and a nonce provided as input, and used to prevent replay attacks. At provisioning time, the data that is signed is stored, not just the composite hash. The signature is discarded. An entity that wishes to evaluate a machine generates a nonce, and sends it along with the set of PCR used to generate the composite PCR hash at provisioning time. For this use of the TPM quote operation, the signed data is ignored, and the signature returned is used to val- idate the state of the TPM's PCRs. Given the signature, the evaluating entity replaces the nonce in the signed data generated at provi- sioning time, and checks to see if the signature is valid for the data. If so, this check ensures the selected PCRs contain values that match the ones measured during provisioning. A typical scenario for an enterprise using these tools follows. The tools expect AIKs to be referenced via one enterprise-wide Universally Unique Identifier (UUID). The program tpm_mkuuid creates one. For each machine being checked, an AIK is created using tpm_mkaik. The key blob produced is bound to the UUID on its machine using tpm_loadkey. The public key associated with the AIK is sent to the entities that verify quotes. Finally, the expected PCR composite hash is obtained using tpm_getpcrhash. When the expected PCR values change, a new hash can be generated with tpm_updatepcrhash. The program to obtain a quote, and thus measure the current state of the PCRs is tpm_getquote. The program that verifies the quote describes the same PCR composite hash as was measured initially is tpm_verifyquote. SEE ALSO
tpm_mkuuid(8), tpm_mkaik(8), tpm_loadkey(8), tpm_unloadkey(8), tpm_getpcrhash(8), tpm_updatepcrhash(8), tpm_getquote(8), tpm_verifyquote(8) Oct 2010 TPM QUOTE TOOLS(8)

Check Out this Related Man Page

Tspi_TPM_GetPubEndorsementKey(3)			     Library Functions Manual				  Tspi_TPM_GetPubEndorsementKey(3)

						     TCG Software Stack Developer's Reference

Tspi_TPM_GetPubEndorsementKey - create a TSS key object from the TPM's public endorsement key SYNOPSIS
#include <tss/platform.h> #include <tss/tcpa_defines.h> #include <tss/tcpa_typedef.h> #include <tss/tcpa_struct.h> #include <tss/tss_typedef.h> #include <tss/tss_structs.h> #include <tss/tspi.h> TSS_RESULT Tspi_TPM_GetPubEndorsementKey(TSS_HTPM hTPM, TSS_BOOL fOwnerAuthorized, TSS_VALIDATION* pValidationData, TSS_HKEY* phEndorsementPubKey); DESCRIPTION
Tspi_TPM_GetPubEndorsementKey This function retrieves the public endorsement key (PubEK) from the TPM and creates a TSS key object for it, whose handle is returned in phEndorsementPubKey. Due to the fact that different TPM chips validate the PubEK in different ways, application verification of the PubEK (using a non-NULL pValidationData is broken. Tspi_TPM_GetPubEndorsementKey should be called with a NULL pValida- tionData parameter to allow the TSS to verify the PubEK itself. PARAMETERS
hTPM The hTPM parameter is used to specify the handle of the TPM object. fOwnerAuthorized If TRUE, the TPM owner secret must be provided to get the public endorsement key. If FALSE, no TPM owner secret must be provided to get the public endorsement key. pValidationData If non-NULL, the application should set the pValidationData->rgbExternalData parameter to 20 bytes of random data before calling Tspi_TPM_GetPubEndorsementKey. On successful completion of the command, the structure will provide buffers containing the validation data and the buffer the validation data was computed from. phEndorsementPubKey Receives a handle to a key object representing the TPM's public endorsement key. RETURN CODES
Tspi_TPM_GetPubEndorsementKey returns TSS_SUCCESS on success, otherwise one of the following values is returned: TSS_E_INVALID_HANDLE hTPM is not a valid handle. TSS_E_INTERNAL_ERROR An internal SW error has been detected. TSS_E_BAD_PARAMETER One or more parameters is bad. TPM_E_DISABLED_CMD Reading of PubEK from TPM has been disabled. CONFORMING TO
Tspi_TPM_GetPubEndorsementKey conforms to the Trusted Computing Group Software Specification version 1.1 Golden SEE ALSO
Tspi_Key_GetPubKey(3). TSS 1.1 2004-05-25 Tspi_TPM_GetPubEndorsementKey(3)
Man Page

Featured Tech Videos