Difference between revisions of "TPM"
From Teknologisk videncenter
m |
m (→tmp2_getcap - capabilities) |
||
| (5 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | =TPM - Trusted Platform Module= | + | ==TPM - Trusted Platform Module== |
| + | |||
| + | ==(tpm2_tools (Linux)== | ||
| + | === tmp2_getcap - capabilities=== | ||
| − | |||
<source lang=bash> | <source lang=bash> | ||
| + | heth@tpm2:~$ sudo tpm2_getcap -l | ||
| + | - algorithms | ||
| + | - commands | ||
| + | - pcrs | ||
| + | - properties-fixed | ||
| + | - properties-variable | ||
| + | - ecc-curves | ||
| + | - handles-transient | ||
| + | - handles-persistent | ||
| + | - handles-permanent | ||
| + | - handles-pcr | ||
| + | - handles-nv-index | ||
| + | - handles-loaded-session | ||
| + | - handles-saved-session | ||
| + | heth@tpm2:~$ sudo tpm2_getcap pcrs | ||
| + | selected-pcrs: | ||
| + | - sha1: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] | ||
| + | - sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ] | ||
| + | heth@tpm2:~$ sudo tpm2_getcap ecc-curves | ||
| + | TPM2_ECC_NIST_P256: 0x3 | ||
| + | TPM2_ECC_BN_P256: 0x10 | ||
| + | heth@tpm2:~$ | ||
| + | </source> | ||
| − | =endorsement key (EK)= | + | ==endorsement key (EK)== |
A TPM2 Endorsement Key (EK) Certificate is a digital certificate, usually burned into the Trusted Platform Module (TPM) chip during manufacturing, that validates the authenticity of the TPM's unique endorsement key ( | A TPM2 Endorsement Key (EK) Certificate is a digital certificate, usually burned into the Trusted Platform Module (TPM) chip during manufacturing, that validates the authenticity of the TPM's unique endorsement key ( | ||
). It acts as a trusted, hardware-backed identity, allowing external parties to verify that a device uses a genuine TPM. | ). It acts as a trusted, hardware-backed identity, allowing external parties to verify that a device uses a genuine TPM. | ||
| − | ==Key details about the EK Certificate:== | + | ===Key details about the EK Certificate:=== |
;Purpose: The EK is an RSA or ECC key pair used to verify the TPM's legitimacy. The private key never leaves the TPM, ensuring security. | ;Purpose: The EK is an RSA or ECC key pair used to verify the TPM's legitimacy. The private key never leaves the TPM, ensuring security. | ||
;Issuer: It is typically signed by the TPM manufacturer's certificate authority (CA), certifying the TPM's legitimacy. | ;Issuer: It is typically signed by the TPM manufacturer's certificate authority (CA), certifying the TPM's legitimacy. | ||
| Line 24: | Line 49: | ||
0003660 9cff 006c | 0003660 9cff 006c | ||
</source> | </source> | ||
| + | |||
=Links= | =Links= | ||
*[https://github.com/microsoft/ms-tpm-20-ref/tree/main Microsoft Official TPM 2.0 Reference Implementation] (Includes TPM2 Simulator) | *[https://github.com/microsoft/ms-tpm-20-ref/tree/main Microsoft Official TPM 2.0 Reference Implementation] (Includes TPM2 Simulator) | ||
[[Category:Security]] | [[Category:Security]] | ||
Latest revision as of 18:07, 1 April 2026
Contents
TPM - Trusted Platform Module
(tpm2_tools (Linux)
tmp2_getcap - capabilities
heth@tpm2:~$ sudo tpm2_getcap -l
- algorithms
- commands
- pcrs
- properties-fixed
- properties-variable
- ecc-curves
- handles-transient
- handles-persistent
- handles-permanent
- handles-pcr
- handles-nv-index
- handles-loaded-session
- handles-saved-session
heth@tpm2:~$ sudo tpm2_getcap pcrs
selected-pcrs:
- sha1: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
- sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
heth@tpm2:~$ sudo tpm2_getcap ecc-curves
TPM2_ECC_NIST_P256: 0x3
TPM2_ECC_BN_P256: 0x10
heth@tpm2:~$
endorsement key (EK)
A TPM2 Endorsement Key (EK) Certificate is a digital certificate, usually burned into the Trusted Platform Module (TPM) chip during manufacturing, that validates the authenticity of the TPM's unique endorsement key ( ). It acts as a trusted, hardware-backed identity, allowing external parties to verify that a device uses a genuine TPM.
Key details about the EK Certificate:
- Purpose
- The EK is an RSA or ECC key pair used to verify the TPM's legitimacy. The private key never leaves the TPM, ensuring security.
- Issuer
- It is typically signed by the TPM manufacturer's certificate authority (CA), certifying the TPM's legitimacy.
- Use Cases
- It is critical for Remote Attestation, where a server checks the EK certificate to ensure a client device has a real, untampered TPM before sharing secrets.
- Accessing the Certificate
- EK certificates can be found in the TPM’s Non-Volatile (NV) memory or retrieved from manufacturer web servers (like Intel's) using specialized tools.
- Difference from other Keys
- Unlike the Storage Root Key (SRK), the EK is permanent. It is not used for signing operations, but for encryption.
heth@tpm2:~$ sudo tpm2_getekcertificate | od -h
0000000 8230 9c04 8230 8403 03a0 0102 0202 7604
0000020 e292 3095 060d 2a09 4886 f786 010d 0b01
0000040 0005 8130 3183 300b 0609 5503 0604 0213
0000060 4544 2131 1f30 0306 0455 0c0a 4918 666e
....
0003640 b7c4 c27d 04da 3c75 c145 a234 e32b c20f
0003660 9cff 006c
Links
- Microsoft Official TPM 2.0 Reference Implementation (Includes TPM2 Simulator)