1 Trusted Computing
TSS - TCG Software Stack
2010-04-28
[Figure: TCG Software Stack layer diagram, top to bottom: Application; TCG Service Provider Interface (TSPI); TCG Service Provider (TSP); TSS Core Service Interface (TCSI); TSS Core Services (TCS); TPM Device Driver Library Interface (TDDLI); TCG Device Driver Library (TDDL); TPM Device Driver (TDD); Trusted Platform Module (TPM)]
2 Overview
• Introduction
• TPM Internals
• TPM Device Driver (TDD)
• TCG Device Driver Library (TDDL)
• TCG Core Services (TCS)
• TCG Service Provider (TSP)
[Figure: TCG Software Stack layer diagram, with the Introduction item highlighted]
3 Overview
• Introduction
  – TSS Overview
  – TSS Architecture
• TPM Internals
• TPM Device Driver (TDD)
• TCG Device Driver Library (TDDL)
• TCG Core Services (TCS)
• TCG Service Provider (TSP)
[Figure: TCG Software Stack layer diagram]
4 Introduction
• The TSS is the core software component through which software interacts with the TPM
• The TSS design specification is published by the TCG
  – The TSS 1.2 specification already runs to more than 750 pages (TSS Specification Version 1.2 Level 1 Errata A, Part 1: Commands and Structures, March 7, 2007)
  – A vendor's own TSS implementation must conform to the TSS 1.2 standard
• Design goals of the TSS
  – 1. Provide applications with a single entry point to TPM functionality
  – 2. Provide synchronized access to the TPM
  – 3. Build the command byte stream according to the standard, hiding the construction of the command stream from the application
  – 4. Manage TPM resources
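Design goal 3 above is the part of the TSS that most developers never see: the application calls an API, and the stack serializes a TPM command blob and validates the TPM's reply. The following is an added example, not code from the slides or from any TSS implementation, showing what that marshalling looks like for one simple TPM 1.2 command (TPM_GetRandom) in Python. The tag and ordinal constants are the ones defined in the TPM 1.2 specification; the sample response bytes are constructed for the example, and the `try_parse_get_random` helper is an assumption of this example, not a TSS API.

```python
import struct

# TPM 1.2 constants from the TPM Main Specification (Part 2, Structures).
TPM_TAG_RQU_COMMAND = 0x00C1   # request carrying no authorization session
TPM_TAG_RSP_COMMAND = 0x00C4   # response carrying no authorization session
TPM_ORD_GetRandom = 0x00000046
TPM_SUCCESS = 0x00000000
HEADER_LEN = 10                # tag (2) + paramSize (4) + ordinal/returnCode (4)


def build_command(ordinal, body=b"", tag=TPM_TAG_RQU_COMMAND):
    """Serialize a TPM 1.2 command: big-endian header followed by parameters.
    paramSize counts the whole blob, header included."""
    return struct.pack(">HII", tag, HEADER_LEN + len(body), ordinal) + body


def build_get_random(bytes_requested):
    """TPM_GetRandom has a single parameter: bytesRequested (UINT32)."""
    return build_command(TPM_ORD_GetRandom, struct.pack(">I", bytes_requested))


def parse_response(blob):
    """Validate the response header and return (returnCode, parameter bytes).
    Every length field is checked before it is trusted: a blob whose
    paramSize disagrees with its actual length is rejected, not guessed at."""
    if len(blob) < HEADER_LEN:
        raise ValueError("response shorter than a TPM header")
    tag, param_size, return_code = struct.unpack(">HII", blob[:HEADER_LEN])
    if tag != TPM_TAG_RSP_COMMAND:
        raise ValueError("unexpected response tag 0x%04x" % tag)
    if param_size != len(blob):
        raise ValueError("paramSize %d does not match blob length %d"
                         % (param_size, len(blob)))
    return return_code, blob[HEADER_LEN:]


def parse_get_random_response(blob):
    """Extract the random bytes from a TPM_GetRandom response."""
    return_code, params = parse_response(blob)
    if return_code != TPM_SUCCESS:
        raise ValueError("TPM returned error 0x%08x" % return_code)
    if len(params) < 4:
        raise ValueError("missing randomBytesSize")
    (size,) = struct.unpack(">I", params[:4])
    data = params[4:]
    if len(data) != size:
        raise ValueError("randomBytesSize %d but %d bytes present" % (size, len(data)))
    return data


def try_parse_get_random(blob):
    """Hypothetical convenience wrapper: bytes on success, None on any defect."""
    try:
        return parse_get_random_response(blob)
    except ValueError:
        return None


# Constructed sample response (not captured from a real TPM): tag, paramSize=18,
# returnCode=0, randomBytesSize=4, followed by four example bytes.
SAMPLE_RESPONSE = struct.pack(">HIII", TPM_TAG_RSP_COMMAND, 18, TPM_SUCCESS, 4) + b"\xde\xad\xbe\xef"
TRUNCATED_RESPONSE = SAMPLE_RESPONSE[:-1]   # last byte missing: paramSize no longer matches

if __name__ == "__main__":
    print(build_get_random(4).hex())
    print(try_parse_get_random(SAMPLE_RESPONSE))
    print(try_parse_get_random(TRUNCATED_RESPONSE))
```

The length checks in `parse_response` are the point of the example: a stack that trusts `paramSize` or `randomBytesSize` without comparing them to the bytes actually received is exactly the kind of parser that mis-handles a malformed reply, and the TSS is where that validation belongs so that no application has to repeat it.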
5 Introduction
• TSS architecture
  – TCG Service Provider (TSP)
    • Top-level module
    • Provides the standard API
  – TSS Core Services (TCS)
    • Management services
  – TCG Device Driver Library (TDDL)
    • Provides the standard driver interface
[Figure: TSS architecture. User mode: Application, TCG Service Provider Interface (TSPI), TCG Service Provider (TSP), TSS Core Service Interface (TCSI), TSS Core Services (TCS), TPM Device Driver Library Interface (TDDLI), TCG Device Driver Library (TDDL). Kernel mode: TPM Device Driver. Below: Trusted Platform Module (TPM)]
6 Overview
• Introduction
• TPM Internals
  – I/O, Execution Engine, RNG, ...
• TPM Device Driver (TDD)
• TCG Device Driver Library (TDDL)
• TCG Core Services (TCS)
• TCG Service Provider (TSP)
[Figure: TCG Software Stack layer diagram, with the TPM Internals item highlighted]
7 TPM Internals
• I/O
  – Manages the signal flow over the communication bus
  – Typically the LPC bus (Low Pin Count bus)
• Execution Engine
  – Validates and parses commands
  – Executes command ordinals
  – Controls the internal execution flow
  – A microcontroller
[Figure: TPM block diagram: I/O (LPC bus), Execution Engine, RSA Engine, RSA key generator, SHA-1 Engine, RNG, Opt-in, Non-volatile storage (special keys, owner secret, ...), Volatile storage (key slots, PCR registers, ...)]
8 TPM Internals
• SHA-1 Engine (160 bits)
  – Used mainly by the TPM itself as its trusted hash algorithm
  – During platform boot its interface is exposed outside the TPM so that measurements can be taken
  – Future TPM versions will add more hash algorithms
• RNG
  – The TPM's internal source of randomness
  – Nonces, key generation, ...
[Figure: TPM block diagram, with the SHA-1 Engine and RNG highlighted]
9 TPM Internals
• RSA Engine and Key Generator
  – Generation of asymmetric keys (RSA; storage keys (SK) and AIKs have key size >= 2048)
  – Must support 512-, 1024- and 2048-bit keys
  – 2048-bit keys are recommended
  – RSA key generation follows the PKCS #1 standard
  – RSA keys must be loaded into the TPM before they are used
[Figure: TPM block diagram, with the RSA Engine and RSA key generator highlighted]
10 TPM Internals
• Volatile Memory
  – Key slots (10), PCR values (24)
  – Key handles, authorization session handles, etc.
• Non-Volatile Memory
  – EK (2048 bit), EK certificate
  – SRK (2048 bit) and Owner authorization data (160 bit), etc.
• Opt-In: the platform owner decides whether the TPM is used
[Figure: TPM block diagram, with Non-volatile storage (special keys, owner secret, ...) and Volatile storage (key slots, PCR registers, ...) highlighted]
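Slides 8 and 10 together describe the measurement mechanism: the SHA-1 engine hashes boot components, and the results land in the 24 PCRs held in volatile storage. A PCR is never written directly; it is extended, PCR_new = SHA-1(PCR_old || digest), so the final value commits to every measurement and to their order. The following is an added example (not from the slides or from any TPM firmware) that simulates a TPM 1.2 PCR bank in Python and shows how a verifier replays an event log against the final PCR values. The `PcrBank`, `replay_event_log` and `log_matches_bank` names and the sample event log are constructed for this example.

```python
import hashlib

PCR_COUNT = 24     # PCRs on a TPM 1.2 (slide 10)
DIGEST_LEN = 20    # SHA-1 output, 160 bits (slide 8)


def measure(data):
    """Hash a component the way the boot code would before extending a PCR."""
    return hashlib.sha1(data).digest()


class PcrBank:
    """Simulated volatile PCR registers: all PCRs start as 20 zero bytes at reset."""

    def __init__(self):
        self.pcrs = [bytes(DIGEST_LEN)] * PCR_COUNT

    def extend(self, index, digest):
        """TPM_Extend semantics: PCR[i] = SHA-1(PCR[i] || digest). Returns the new value."""
        if not 0 <= index < PCR_COUNT:
            raise IndexError("no such PCR: %d" % index)
        if len(digest) != DIGEST_LEN:
            raise ValueError("extend value must be a %d-byte SHA-1 digest" % DIGEST_LEN)
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def read(self, index):
        return self.pcrs[index]


def replay_event_log(events):
    """Rebuild the PCR values a verifier expects from a list of (pcr, data) events.
    Replaying in log order reproduces the bank exactly if the log is honest."""
    bank = PcrBank()
    for index, data in events:
        bank.extend(index, measure(data))
    return bank


def log_matches_bank(events, bank):
    """True if every PCR computed from the log equals the bank's current value."""
    expected = replay_event_log(events)
    return all(expected.read(i) == bank.read(i) for i in range(PCR_COUNT))


# Constructed sample event log (not from a real platform): firmware stages go
# into PCR 0, the boot loader into PCR 4, matching the PC client convention.
SAMPLE_LOG = [
    (0, b"bios-core-v1"),
    (0, b"option-rom-nic"),
    (4, b"bootloader-stage1"),
]

if __name__ == "__main__":
    bank = replay_event_log(SAMPLE_LOG)
    for i in (0, 4):
        print("PCR[%d] = %s" % (i, bank.read(i).hex()))
    tampered = [(0, b"option-rom-nic"), (0, b"bios-core-v1"), (4, b"bootloader-stage1")]
    print("reordered log matches:", log_matches_bank(tampered, bank))
```

The replay check is what a remote attestation verifier does with a quoted PCR set and the accompanying event log: because extension is a chain of hashes, omitting, reordering or altering any event changes the final PCR value, and the mismatch is visible without trusting the log itself.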