1TPM QUOTE TOOLS(8)                                          TPM QUOTE TOOLS(8)
2
3
4

NAME

6       tpm_quote_tools - an overview of TPM Quote Tools
7

PROGRAMS

9       tpm_mkuuid,   tpm_mkaik,  tpm_loadkey,  tpm_unloadkey,  tpm_getpcrhash,
10       tpm_updatepcrhash, tpm_getquote, tpm_verifyquote
11

DESCRIPTION

13       TPM Quote Tools is a collection of programs that  provide  support  for
14       TPM based attestation using the TPM quote operation.
15
16       A  TPM contains a set of Platform Configuration Registers (PCRs).  In a
17       well configured machine, some of these registers are set to known  val‐
18       ues  during  the boot up process or at other times.  For example, a PCR
19       might contain the hash of a boot loader in memory before it is run.
20
21       The TPM quote operation is used to authoritatively verify the  contents
22       of  a TPM's Platform Configuration Registers (PCRs).  During provision‐
23       ing, a composite hash of a selected set of PCRs is computed.   The  TPM
24       quote operation produces a composite hash that can be compared with the
25       one computed while provisioning.
26
27       To use the TPM quote operation, keys must be generated.  During  provi‐
28       sioning,  an  Attestation Identity Key (AIK) is generated for each TPM,
29       and the public part of the key is made available to entities that vali‐
30       date quotes.
31
32       The  TPM quote operation returns signed data and a signature.  The data
33       that is signed contains the PCRs selected for the operation,  the  com‐
34       posite  hash  for the selected PCRs, and a nonce provided as input, and
35       used to prevent replay attacks.  At provisioning time, the data that is
36       signed  is  stored, not just the composite hash.  The signature is dis‐
37       carded.
38
39       An entity that wishes to evaluate a  machine  generates  a  nonce,  and
40       sends  it  along with the set of PCR used to generate the composite PCR
41       hash at provisioning time.  For this use of the  TPM  quote  operation,
42       the signed data is ignored, and the signature returned is used to vali‐
43       date the state of the TPM's PCRs.  Given the signature, the  evaluating
44       entity  replaces the nonce in the signed data generated at provisioning
45       time, and checks to see if the signature is valid for the data.  If so,
46       this check ensures the selected PCRs contain values that match the ones
47       measured during provisioning.
48
49       A typical scenario for an enterprise using these  tools  follows.   The
50       tools  expect AIKs to be referenced via one enterprise-wide Universally
51       Unique Identifier (UUID).  The program tpm_mkuuid creates one.
52
53       For each machine being checked, an AIK is created using tpm_mkaik.  The
54       key  blob  produced is bound to the UUID on its machine using tpm_load‐
55       key.  The public key associated with the AIK is sent  to  the  entities
56       that  verify  quotes.   Finally,  the  expected  PCR  composite hash is
57       obtained using tpm_getpcrhash.  When the expected PCR values change,  a
58       new hash can be generated with tpm_updatepcrhash.
59
60       The  program  to  obtain a quote, and thus measure the current state of
61       the  PCRs  is  tpm_getquote.   The  program  that  verifies  the  quote
62       describes  the  same  PCR  composite  hash as was measured initially is
63       tpm_verifyquote.
64

SEE ALSO

66       tpm_mkuuid(8), tpm_mkaik(8), tpm_loadkey(8), tpm_unloadkey(8), tpm_get‐
67       pcrhash(8), tpm_updatepcrhash(8), tpm_getquote(8), tpm_verifyquote(8)
68
69
70
71                                   Oct 2010                 TPM QUOTE TOOLS(8)
Impressum