1fapi-profile(5) File Formats Manual fapi-profile(5)
2
3
4
6 fapi-config(5)
7
9 FAPI Cryptographic Profile
10
11 Cryptographic profiles determine the cryptographic algorithms and pa‐
12 rameters for all keys and operations of a specific TPM interaction.
13 The values affected by these profiles are:
14
15 · the name hash algorithm
16
17 · asymmetric signature algorithm, scheme and parameters (such as curve,
18 keysize, default padding, hash, etc)
19
20 · PCR bank selection (which PCR banks shall be extended, quoted and
21 read)
22
23 Two exemplary profiles for RSA and ECC are installed with the TSS. By
24 default, the RSA cryptographic profile is activated. The user is free
25 to create own cryptographic profiles according to his needs.
26
27 Specific profiles are activated in the FAPI configuration file. If not
28 otherwise specified during TSS installation, the default location for
29 the exemplary profiles is /etc/tpm2-tss/profiles/ and /etc/tpm2-tss/
30 for the FAPI configuration file.
31
32 The parameters of the profile are:
33
34 · type: The asymmetric algorithm used for this profile.
35
36 · nameAlg: The hash algorithm which will be used for sessions and keys.
37
38 · srk_template: The type definition for the /SRK object. See the type
39 parameter of Fapi_CreateKey.
40
41 · srk_description: The description to be set for the /EK object. See
42 Fapi_GetDescription.
43
44 · ek_template: The type definition for the /EK object. See the type
45 parameter of Fapi_CreateKey.
46
47 · ek_description: The description to be set for the /SRK object. See
48 Fapi_GetDescription.
49
50 · ecc_signing_scheme: The signing scheme used for ECC keys.
51
52 · rsa_signing_scheme: The signing scheme used for RSA keys.
53
54 · keyBits: The key size for RSA keys.
55
56 · exponent: The exponent of RSA keys.
57
58 · sym_mode: The block cipher mode for symmetric encryption.
59
60 · sym_parameters: The algorithm and parameters used for symmetric en‐
61 cryption.
62
63 · sym_block_size: The block size used for symmetric encryption.
64
65 · pcr_selection: The PCR registers and banks used by FAPI.
66
67 · curveID: The curve ID for ECC keys.
68
69 · ek_policy: The JSON encoded policy for the /EK object.
70
71 · srk_policy: The JSON encoded policy for the /SRK object.
72
73 · eh_policy: The JSON encoded policy for the endorsement hierarchy /HE.
74
75 · sh_policy: The JSON encoded policy for the owner hierarchy /HS.
76
77 · lockout_policy: The JSON encoded policy for the lockout hierarchy
78 /LOCKOUT.
79
80 · newMaxTries: Count of authorization failures before the lockout is
81 imposed. If not set the default is 5.
82
83 · newRecoveryTime: Time in seconds before the authorization failure
84 count is automatically decremented. A value of zero indicates that
85 DA protection is disabled. If not set the default is 1000.
86
87 · lockoutRecovery: Time in seconds after a lockoutAuth failure before
88 use of lockoutAuth is allowed A value of zero indicates that a reboot
89 is required. If not set the default is 1000.
90
92 The following JSON encoded example shows the standard profile for ECC
93 keys:
94
95 {
96 "type": "TPM2_ALG_ECC",
97 "nameAlg":"TPM2_ALG_SHA256",
98 "srk_template": "system,restricted,decrypt,0x81000001",
99 "srk_description": "Storage root key SRK",
100 "ek_template": "system,restricted,decrypt",
101 "ek_description": "Endorsement key EK",
102 "ecc_signing_scheme": {
103 "scheme":"TPM2_ALG_ECDSA",
104 "details":{
105 "hashAlg":"TPM2_ALG_SHA256"
106 },
107 },
108 "sym_mode":"TPM2_ALG_CFB",
109 "sym_parameters": {
110 "algorithm":"TPM2_ALG_AES",
111 "keyBits":"128",
112 "mode":"TPM2_ALG_CFB"
113 },
114 "sym_block_size": 16,
115 "pcr_selection": [
116 { "hash": "TPM2_ALG_SHA1",
117 "pcrSelect": [ ],
118 },
119 { "hash": "TPM2_ALG_SHA256",
120 "pcrSelect": [ 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
121 }
122 ],
123 "curveID": "TPM2_ECC_NIST_P256",
124 "ek_policy": {
125 "description": "Endorsement hierarchy used for policy secret.",
126 "policy":[
127 {
128 "type":"POLICYSECRET",
129 "objectName": "4000000b",
130 }
131 ]
132 }
133 }
134
135 Beside the cryptographic parameters descriptions for the storage root
136 key and the endorsement key can be set. For the endorsement hierarchy
137 the policy "ek_policy" is set according to the TCG Credential profile
138 EK 2.0. The values of the constants are the same as the constants de‐
139 fined in the TSS header files, where the prefix TPM2_ can be omitted.
140
141 The key type of the storage root key and the endorsement key is defined
142 by the JSON fields srk_template and ek_template. The type consists of
143 a list of comma and/or space separated keywords. If a keyword is not
144 present the inverse of the reference TPM attribute bits SHALL be set or
145 cleared. The keywords are:
146
147 · sign: Sets the sign attribute of a key.
148
149 · decrypt: Sets the decrypt attribute of a key.
150
151 · If neither sign nor decrypt are provided, both attributes SHALL be
152 set.
153
154 · restricted: Sets the restricted attribute of a key.
155
156 · If restricted is set, either sign or decrypt (but not both) SHALL be
157 set.
158
159 · noda: Sets the noda attribute of a key or NV index.
160
161 · A hexadecimal number: Marks a key object to be made persistent and
162 sets the persistent object handle to this value.
163
164 The RSA profile has specific values for the signing scheme and the de‐
165 crypt scheme:
166
167 "rsa_signing_scheme": {
168 "scheme":"TPM2_ALG_RSAPSS",
169 "details":{
170 "hashAlg":"TPM2_ALG_SHA256"
171 }
172
173
174 "rsa_decrypt_scheme": {
175 "scheme":"TPM2_ALG_OAEP",
176 "details":{
177 "hashAlg":"TPM2_ALG_SHA256"
178 }
179 },
180
181 Possible values for the signing schemes are:
182
183 · RSA: RSASSA, RSAPSS
184
185 · ECC: ECDSA, ECDAA
186
187 Possible modes for symmetric encryption are:
188
189 · CTR, OFB, CBC, CFB, ECB, NULL
190
191 Possible modes for the RSA decrypt scheme are:
192
193 · RSAES, OAEP
194
195 The following curve ids can be used:
196
197 · ECC_NIST_P192, ECC_NIST_P224, ECC_NIST_P256, ECC_NIST_P384,
198 ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, ECC_SM2_P256
199
201 This page is part of release 3.0.3 of Open Source implementation of the
202 TCG TPM2 Software Stack (TSS2). A description of the project, informa‐
203 tion about reporting bugs, and the latest version of this page can be
204 found at https://github.com/tpm2-software/tpm2-tss/.
205
206
207
208TPM2 Software Stack JULI 2020 fapi-profile(5)