1fapi-profile(5)               File Formats Manual              fapi-profile(5)
2
3
4

SEE ALSO

6       fapi-config(5)
7

DESCRIPTION

9       FAPI Cryptographic Profile
10
11       Cryptographic  profiles  determine the cryptographic algorithms and pa‐
12       rameters for all keys and operations of  a  specific  TPM  interaction.
13       The values affected by these profiles are:
14
15       • the name hash algorithm
16
17       • asymmetric signature algorithm, scheme and parameters (such as curve,
18         keysize, default padding, hash, etc)
19
20       • PCR bank selection (which PCR banks shall  be  extended,  quoted  and
21         read)
22
23       Two  exemplary profiles for RSA and ECC are installed with the TSS.  By
24       default, the RSA cryptographic profile is activated.  The user is  free
25       to create own cryptographic profiles according to his needs.
26
27       Specific profiles are activated in the FAPI configuration file.  If not
28       otherwise specified during TSS installation, the default  location  for
29       the  exemplary  profiles  is /etc/tpm2-tss/profiles/ and /etc/tpm2-tss/
30       for the FAPI configuration file.
31
32       The parameters of the profile are:
33
34       • type: The asymmetric algorithm used for this profile.
35
36       • nameAlg: The hash algorithm which will be used for sessions and keys.
37
38       • srk_template: The type definition for the /SRK object.  See the  type
39         parameter of Fapi_CreateKey.
40
41       • srk_description:  The  description to be set for the /EK object.  See
42         Fapi_GetDescription.
43
44       • ek_template: The type definition for the /EK object.   See  the  type
45         parameter of Fapi_CreateKey.
46
47       • ek_description:  The  description to be set for the /SRK object.  See
48         Fapi_GetDescription.
49
50       • ecc_signing_scheme: The signing scheme used for ECC keys.
51
52       • rsa_signing_scheme: The signing scheme used for RSA keys.
53
54       • keyBits: The key size for RSA keys.
55
56       • exponent: The exponent of RSA keys.
57
58       • sym_mode: The block cipher mode for symmetric encryption.
59
60       • sym_parameters: The algorithm and parameters used for  symmetric  en‐
61         cryption.
62
63       • sym_block_size: The block size used for symmetric encryption.
64
65       • pcr_selection: The PCR registers and banks used by FAPI.
66
67       • curveID: The curve ID for ECC keys.
68
69       • ek_policy: The JSON encoded policy for the /EK object.
70
71       • srk_policy: The JSON encoded policy for the /SRK object.
72
73       • eh_policy: The JSON encoded policy for the endorsement hierarchy /HE.
74
75       • sh_policy: The JSON encoded policy for the owner hierarchy /HS.
76
77       • lockout_policy:  The  JSON  encoded  policy for the lockout hierarchy
78         /LOCKOUT.
79
80       • newMaxTries: Count of authorization failures before  the  lockout  is
81         imposed.  If not set the default is 5.
82
83       • newRecoveryTime:  Time  in  seconds  before the authorization failure
84         count is automatically decremented.  A value of zero  indicates  that
85         DA protection is disabled.  If not set the default is 1000.
86
87       • lockoutRecovery:  Time  in seconds after a lockoutAuth failure before
88         use of lockoutAuth is allowed A value of zero indicates that a reboot
89         is required.  If not set the default is 1000.
90

EXAMPLES

92       The  following  JSON encoded example shows the standard profile for ECC
93       keys:
94
95              {
96                  "type": "TPM2_ALG_ECC",
97                  "nameAlg":"TPM2_ALG_SHA256",
98                  "srk_template": "system,restricted,decrypt,0x81000001",
99                  "srk_description": "Storage root key SRK",
100                  "ek_template":  "system,restricted,decrypt",
101                  "ek_description": "Endorsement key EK",
102                  "ecc_signing_scheme": {
103                      "scheme":"TPM2_ALG_ECDSA",
104                      "details":{
105                          "hashAlg":"TPM2_ALG_SHA256"
106                      },
107                  },
108                  "sym_mode":"TPM2_ALG_CFB",
109                  "sym_parameters": {
110                      "algorithm":"TPM2_ALG_AES",
111                      "keyBits":"128",
112                      "mode":"TPM2_ALG_CFB"
113                  },
114                  "sym_block_size": 16,
115                  "pcr_selection": [
116                     { "hash": "TPM2_ALG_SHA1",
117                       "pcrSelect": [ ],
118                     },
119                     { "hash": "TPM2_ALG_SHA256",
120                       "pcrSelect": [ 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
121                     }
122                  ],
123                  "curveID": "TPM2_ECC_NIST_P256",
124                  "ek_policy": {
125                      "description": "Endorsement hierarchy used for policy secret.",
126                      "policy":[
127                          {
128                              "type":"POLICYSECRET",
129                              "objectName": "4000000b",
130                          }
131                      ]
132                  }
133              }
134
135       Beside the cryptographic parameters descriptions for the  storage  root
136       key  and the endorsement key can be set.  For the endorsement hierarchy
137       the policy "ek_policy" is set according to the TCG  Credential  profile
138       EK  2.0.  The values of the constants are the same as the constants de‐
139       fined in the TSS header files, where the prefix TPM2_ can be omitted.
140
141       The key type of the storage root key and the endorsement key is defined
142       by  the JSON fields srk_template and ek_template.  The type consists of
143       a list of comma and/or space separated keywords.  If a keyword  is  not
144       present the inverse of the reference TPM attribute bits SHALL be set or
145       cleared.  The keywords are:
146
147       • sign: Sets the sign attribute of a key.
148
149       • decrypt: Sets the decrypt attribute of a key.
150
151       • If neither sign nor decrypt are provided, both  attributes  SHALL  be
152         set.
153
154       • restricted: Sets the restricted attribute of a key.
155
156       • If  restricted is set, either sign or decrypt (but not both) SHALL be
157         set.
158
159       • noda: Sets the noda attribute of a key or NV index.
160
161       • A hexadecimal number: Marks a key object to be  made  persistent  and
162         sets the persistent object handle to this value.
163
164       The  RSA profile has specific values for the signing scheme and the de‐
165       crypt scheme:
166
167                    "rsa_signing_scheme": {
168                      "scheme":"TPM2_ALG_RSAPSS",
169                      "details":{
170                          "hashAlg":"TPM2_ALG_SHA256"
171                      }
172
173
174                  "rsa_decrypt_scheme": {
175                      "scheme":"TPM2_ALG_OAEP",
176                      "details":{
177                          "hashAlg":"TPM2_ALG_SHA256"
178                      }
179                  },
180
181       Possible values for the signing schemes are:
182
183       • RSA: RSASSA, RSAPSS
184
185       • ECC: ECDSA, ECDAA
186
187       Possible modes for symmetric encryption are:
188
189       • CTR, OFB, CBC, CFB, ECB, NULL
190
191       Possible modes for the RSA decrypt scheme are:
192
193       • RSAES, OAEP
194
195       The following curve ids can be used:
196
197       • ECC_NIST_P192,    ECC_NIST_P224,    ECC_NIST_P256,     ECC_NIST_P384,
198         ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, ECC_SM2_P256
199

COLOPHON

201       This page is part of release 3.2.1 of Open Source implementation of the
202       TCG TPM2 Software Stack (TSS2). A description of the project,  informa‐
203       tion  about  reporting bugs, and the latest version of this page can be
204       found at https://github.com/tpm2-software/tpm2-tss/.
205
206
207
208TPM2 Software Stack                JULI 2020                   fapi-profile(5)
Impressum