FreeBSD Manual Pages

TPM QUOTE TOOLS(8)                                          TPM QUOTE TOOLS(8)

NAME
       tpm_quote_tools - an overview of TPM Quote Tools

PROGRAMS
       tpm_mkuuid, tpm_mkaik, tpm_loadkey, tpm_unloadkey, tpm_getpcrhash,
       tpm_updatepcrhash, tpm_getquote, tpm_verifyquote

DESCRIPTION
       TPM Quote Tools is a collection of programs that provide support for
       TPM-based attestation using the TPM quote operation.

       A TPM contains a set of Platform Configuration Registers (PCRs).  In a
       well-configured machine, some of these registers are set to known
       values during the boot-up process or at other times.  For example, a
       PCR might contain the hash of a boot loader in memory before it is run.

       The TPM quote operation is used to authoritatively verify the contents
       of a TPM's Platform Configuration Registers (PCRs).  During
       provisioning, a composite hash of a selected set of PCRs is computed.
       The TPM quote operation later produces a composite hash over the same
       set that can be compared with the one computed while provisioning.

       To use the TPM quote operation, keys must be generated.  During
       provisioning, an Attestation Identity Key (AIK) is generated for each
       TPM, and the public part of the key is made available to entities that
       validate quotes.

       The TPM quote operation returns signed data and a signature.  The data
       that is signed contains the PCRs selected for the operation, the
       composite hash for the selected PCRs, and a nonce provided as input.
       The nonce is used to prevent replay attacks, so the party requesting a
       quote must choose a fresh, unpredictable value for every challenge.  At
       provisioning time, the data that is signed is stored, not just the
       composite hash.  The signature is discarded.

       An entity that wishes to evaluate a machine generates a nonce, and
       sends it along with the set of PCRs used to generate the composite PCR
       hash at provisioning time.  For this use of the TPM quote operation,
       the signed data returned by the TPM is ignored, and only the signature
       is used to validate the state of the TPM's PCRs.  Given the signature,
       the evaluating entity takes the signed data stored at provisioning
       time, replaces the nonce in it with the one it just sent, and checks
       whether the signature is valid for that data.  If so, the selected
       PCRs contain values that match the ones measured during provisioning.
       The check is only as trustworthy as that provisioning baseline and as
       the channel over which the evaluating entity obtained the AIK public
       key.
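       The following is an added, self-contained illustration of the
       verification logic described above; it is not code from TPM Quote
       Tools.  It models a TPM 1.2 quote: the PCR composite is the SHA-1 of a
       serialised TPM_PCR_COMPOSITE, the signed data is the 48-byte
       TPM_QUOTE_INFO (version 1.1.0.0, the tag "QUOT", the composite hash,
       the nonce), and the AIK signs it with RSASSA-PKCS1-v1_5 over SHA-1.
       The PCR values, nonces and AIK are constructed in the program, and the
       function names (pcrComposite, quoteInfo, tpmQuote, verifyQuote,
       scenario) are the example's own; the tools' on-disk file formats and
       their TrouSerS calls are not reproduced.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// pcrComposite serialises a TPM 1.2 TPM_PCR_COMPOSITE for the selected PCRs
// and returns its SHA-1, the TPM_COMPOSITE_HASH that a quote carries.
// pcrs holds the 20-byte value of each of the 24 PCRs; selected lists indices.
func pcrComposite(pcrs [24][20]byte, selected []int) [20]byte {
	var sel [3]byte // TPM_PCR_SELECTION bitmap: PCR i is bit i%8 of byte i/8
	for _, i := range selected {
		sel[i/8] |= 1 << uint(i%8)
	}
	var values []byte // pcrValue[] in ascending PCR order
	for i := 0; i < 24; i++ {
		if sel[i/8]&(1<<uint(i%8)) != 0 {
			values = append(values, pcrs[i][:]...)
		}
	}
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint16(len(sel)))    // sizeOfSelect
	buf.Write(sel[:])                                         // pcrSelect
	binary.Write(&buf, binary.BigEndian, uint32(len(values))) // valueSize
	buf.Write(values)
	return sha1.Sum(buf.Bytes())
}

// quoteInfo builds the 48-byte TPM_QUOTE_INFO that TPM_Quote signs:
// TPM_STRUCT_VER {1,1,0,0}, the fixed tag "QUOT", the composite hash and
// the 20-byte externalData nonce supplied by the challenger.
func quoteInfo(composite, nonce [20]byte) []byte {
	info := append([]byte{1, 1, 0, 0}, "QUOT"...)
	info = append(info, composite[:]...)
	return append(info, nonce[:]...)
}

// tpmQuote models the TPM side: sign TPM_QUOTE_INFO with the AIK using
// RSASSA-PKCS1-v1_5 over SHA-1 (TPM_SS_RSASSAPKCS1v15_SHA1).
func tpmQuote(aik *rsa.PrivateKey, pcrs [24][20]byte, selected []int, nonce [20]byte) ([]byte, []byte, error) {
	data := quoteInfo(pcrComposite(pcrs, selected), nonce)
	digest := sha1.Sum(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, aik, crypto.SHA1, digest[:])
	return data, sig, err
}

// verifyQuote does what the man page describes: take the signed data stored
// at provisioning, overwrite its nonce with the one just sent, and check the
// freshly returned signature against that reconstruction.
func verifyQuote(aikPub *rsa.PublicKey, provisioned []byte, nonce [20]byte, sig []byte) bool {
	expected := append([]byte{}, provisioned...)
	copy(expected[len(expected)-20:], nonce[:])
	digest := sha1.Sum(expected)
	return rsa.VerifyPKCS1v15(aikPub, crypto.SHA1, digest[:], sig) == nil
}

// scenario provisions a machine, then tries a valid quote, a quote after
// PCR 4 changed, and a replay of the valid signature under a new nonce.
func scenario() (good, tampered, replayed bool, err error) {
	aik, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for tpm_mkaik
	if err != nil {
		return
	}
	var pcrs [24][20]byte // constructed sample values, not real measurements
	for i := range pcrs {
		pcrs[i] = sha1.Sum([]byte(fmt.Sprintf("constructed measurement %d", i)))
	}
	selected := []int{0, 2, 4}
	var pnonce, n1, n2, n3 [20]byte
	for _, n := range []*[20]byte{&pnonce, &n1, &n2, &n3} {
		if _, err = rand.Read(n[:]); err != nil {
			return
		}
	}
	// Provisioning: keep the signed data, discard the signature.
	stored, _, err := tpmQuote(aik, pcrs, selected, pnonce)
	if err != nil {
		return
	}
	// Attestation with fresh nonce n1 on an unchanged machine.
	_, sig1, err := tpmQuote(aik, pcrs, selected, n1)
	if err != nil {
		return
	}
	good = verifyQuote(&aik.PublicKey, stored, n1, sig1)
	// A different boot loader was measured into PCR 4.
	changed := pcrs
	changed[4] = sha1.Sum([]byte("unexpected boot loader"))
	_, sig2, err := tpmQuote(aik, changed, selected, n2)
	if err != nil {
		return
	}
	tampered = verifyQuote(&aik.PublicKey, stored, n2, sig2)
	// Replay: the old good signature is presented against a new nonce n3.
	replayed = verifyQuote(&aik.PublicKey, stored, n3, sig1)
	return
}

func main() {
	good, tampered, replayed, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("valid:", good, "changed PCR:", tampered, "replayed:", replayed)
}
```

       The changed-PCR and replay cases both fail because the signature covers
       the composite hash and the nonce together: the verifier never trusts
       the PCR values the quoting machine reports, only whether the signature
       matches the data it reconstructed itself from the stored baseline.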

       A typical scenario for an enterprise using these tools follows.  The
       tools expect AIKs to be referenced via one enterprise-wide Universally
       Unique Identifier (UUID).  The program tpm_mkuuid creates one.

       For each machine being checked, an AIK is created using tpm_mkaik.  The
       key blob produced is bound to the UUID on its machine using
       tpm_loadkey.  The public key associated with the AIK is sent to the
       entities that verify quotes.  Finally, the expected PCR composite hash
       is obtained using tpm_getpcrhash.  When the expected PCR values change,
       a new hash can be generated with tpm_updatepcrhash.

       The program to obtain a quote, and thus measure the current state of
       the PCRs, is tpm_getquote.  The program that verifies that a quote
       carries the same PCR composite hash as was measured initially is
       tpm_verifyquote.

SEE ALSO
       tpm_mkuuid(8), tpm_mkaik(8), tpm_loadkey(8), tpm_unloadkey(8),
       tpm_getpcrhash(8), tpm_updatepcrhash(8), tpm_getquote(8),
       tpm_verifyquote(8)

                                   Oct 2010                 TPM QUOTE TOOLS(8)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=tpm_quote_tools&sektion=8&manpath=FreeBSD+Ports+15.0>