TPM
From Teknologisk videncenter
TPM - Trusted Platform Module
tpm2_tools (Linux)
tpm2_getcap - capabilities
heth@tpm2:~$ sudo tpm2_getcap -l
- algorithms
- commands
- pcrs
- properties-fixed
- properties-variable
- ecc-curves
- handles-transient
- handles-persistent
- handles-permanent
- handles-pcr
- handles-nv-index
- handles-loaded-session
- handles-saved-session
heth@tpm2:~$ sudo tpm2_getcap pcrs
selected-pcrs:
- sha1: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
- sha256: [ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
heth@tpm2:~$ sudo tpm2_getcap ecc-curves
TPM2_ECC_NIST_P256: 0x3
TPM2_ECC_BN_P256: 0x10
heth@tpm2:~$
Endorsement key (EK)
A TPM 2.0 Endorsement Key (EK) certificate is an X.509 certificate, provisioned into the TPM's non-volatile memory by the manufacturer, that binds the public half of the TPM's endorsement key to the manufacturer's certificate authority. It acts as a hardware-backed identity for the chip: an external party that validates the certificate chain knows it is talking to a genuine TPM from that vendor.
Key details about the EK certificate:
- Purpose
- The EK is an RSA or ECC key pair derived deterministically from the endorsement primary seed (EPS) inside the TPM, so the same key can be recreated with tpm2_createek whenever it is needed. The private key never leaves the TPM.
- Issuer
- It is signed by the TPM manufacturer's CA (usually through an intermediate), so validating it means building the chain up to that vendor's root.
- Use Cases
- It is the anchor for remote attestation. Because the EK is a decrypt-only key it cannot sign attestation quotes itself; instead the verifier proves that an attestation key (AK) lives in the same TPM by encrypting a challenge to the EK public key (credential activation: tpm2_makecredential on the verifier, tpm2_activatecredential on the device). Only a TPM holding the EK private key can recover the challenge, so the verifier checks the EK certificate once and then trusts quotes signed by the AK.
- Accessing the Certificate
- EK certificates live in NV indices reserved by the TCG EK Credential Profile: 0x01c00002 for the RSA EK certificate and 0x01c0000a for the ECC one (tpm2_nvreadpublic shows which are present). Some vendors, Intel PTT in particular, do not store the certificate on the chip and instead serve it from a web endpoint keyed by the EK public key; tpm2_getekcertificate handles both cases.
- Difference from other Keys
- The Storage Root Key (SRK) is derived from the storage primary seed, which TPM2_Clear regenerates, so clearing the TPM yields a new SRK. The EPS survives TPM2_Clear, so the EK and its certificate stay valid for the life of the chip. The EK template marks the key restricted and decrypt-only: it is used for encryption (credential activation), never for signing.
Dumping the certificate from NV. Note that od -h prints 2-byte words in host byte order, so on an x86 host every pair of bytes appears swapped: the first word 8230 is the bytes 30 82, the start of a DER SEQUENCE, and the header 30 82 04 9c declares a 1180-byte body, i.e. one X.509 certificate of 1184 bytes. The dump runs to roughly 1970 bytes (the final offset 0003660 is octal) because tpm2_getekcertificate with no arguments reads every EK certificate index it finds (RSA and ECC) and prints them back to back. Use od -An -tx1 to see the bytes in stream order, or save with -o and inspect with openssl x509 -inform DER -text -noout, which decodes the first certificate in the file.
heth@tpm2:~$ sudo tpm2_getekcertificate | od -h
0000000 8230 9c04 8230 8403 03a0 0102 0202 7604
0000020 e292 3095 060d 2a09 4886 f786 010d 0b01
0000040 0005 8130 3183 300b 0609 5503 0604 0213
0000060 4544 2131 1f30 0306 0455 0c0a 4918 666e
....
0003640 b7c4 c27d 04da 3c75 c145 a234 e32b c20f
0003660 9cff 006c
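The following is an added example, not code from the page or from tpm2-tools, that does in Python what the od dump above only hints at: it undoes the od -h word swap, decodes the DER header to show the 1180-byte length the first line declares, and splits a back-to-back DER stream (RSA certificate followed by ECC certificate) into individual certificates, reporting each one's serial number and signature algorithm. The function names are my own, and SAMPLE_STREAM is a constructed stand-in built from two synthetic certificate-shaped blobs, not real EK certificates; only PAGE_OD_LINE is taken from the dump above.

```python
"""Split the raw DER stream that `tpm2_getekcertificate` prints and pull the
outer length, serial number and signature algorithm out of each certificate.

Added example, not tpm2-tools code; standard library only. The sample stream
at the bottom is constructed here (synthetic certificate-shaped DER), not a
real EK certificate.
"""


def od_words_to_bytes(od_line: str) -> bytes:
    """Undo `od -h`: it prints 2-byte words in host order, so on x86 every
    pair of bytes is swapped (the word 8230 is the bytes 30 82)."""
    return b"".join(bytes.fromhex(word)[::-1] for word in od_line.split())


def parse_header(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Decode the DER tag and length at pos; return (tag, header_len, body_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short form: one length byte
        return tag, 2, first
    nbytes = first & 0x7F                 # long form: 0x8n then n length bytes
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized DER length")
    return tag, 2 + nbytes, int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")


def read_tlv(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Return (tag, body_start, body_end) for the element at pos, with a
    bounds check so a truncated dump fails loudly instead of misparsing."""
    tag, hdr, body_len = parse_header(buf, pos)
    end = pos + hdr + body_len
    if end > len(buf):
        raise ValueError(f"element at offset {pos} runs past end of data")
    return tag, pos + hdr, end


def split_certificates(stream: bytes) -> list[bytes]:
    """Cut a back-to-back DER stream into one bytes object per top-level SEQUENCE."""
    certs, pos = [], 0
    while pos < len(stream):
        tag, _, end = read_tlv(stream, pos)
        if tag != 0x30:
            raise ValueError(f"expected SEQUENCE at offset {pos}, got 0x{tag:02x}")
        certs.append(stream[pos:end])
        pos = end
    return certs


def decode_oid(raw: bytes) -> str:
    """Dotted form of a DER OID body (first byte packs the first two arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def cert_summary(cert: bytes) -> dict:
    """Walk Certificate -> tbsCertificate -> [version] serial signatureAlgorithm."""
    _, tbs_pos, _ = read_tlv(cert, 0)               # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, tbs_pos)             # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        pos = end
    tag, s_start, s_end = read_tlv(cert, pos)       # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    _, alg_pos, _ = read_tlv(cert, s_end)           # signature AlgorithmIdentifier
    _, o_start, o_end = read_tlv(cert, alg_pos)     # its algorithm OID
    return {"length": len(cert),
            "serial": int.from_bytes(cert[s_start:s_end], "big"),
            "sig_alg": decode_oid(cert[o_start:o_end])}


# --- constructed sample input (hypothetical, not a real EK certificate) ---

def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(serial: int, sig_oid: str, padding: int) -> bytes:
    """Certificate-shaped DER: real header layout, body padded with an OCTET STRING."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # keep INTEGER positive
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                           # version v3
           + _der(0x02, ser)
           + _der(0x30, _der(0x06, _oid(sig_oid)) + _der(0x05, b""))
           + _der(0x04, b"\x00" * padding))
    return _der(0x30, _der(0x30, tbs))


# First od line of the dump above: header of the RSA EK certificate.
PAGE_OD_LINE = "8230 9c04 8230 8403 03a0 0102 0202 7604"

# Two synthetic certificates back to back, as the tool prints RSA then ECC.
SAMPLE_STREAM = (fake_cert(0x7692E295, "1.2.840.113549.1.1.11", 300)   # sha256WithRSAEncryption
                 + fake_cert(0x1234, "1.2.840.10045.4.3.2", 150))       # ecdsa-with-SHA256

if __name__ == "__main__":
    print("page header declares", parse_header(od_words_to_bytes(PAGE_OD_LINE), 0))
    for c in split_certificates(SAMPLE_STREAM):
        print(cert_summary(c))
```

On a real system, replace SAMPLE_STREAM with the bytes of the file written by tpm2_getekcertificate -o; the split is what lets you hand each certificate separately to openssl for chain validation, and the bounds check in read_tlv is what catches a dump that was cut short.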
Links
- Microsoft Official TPM 2.0 Reference Implementation (Includes TPM2 Simulator)