
[Trusted Computing] Lesson 11: TPM cryptographic resource management (III): NV indexes and PCRs

2022-07-07 18:00:00 Godams

TPM nonvolatile storage

The TPM contains a certain amount of nonvolatile storage that can hold the trusted platform's own system data. This data includes authorization values, seeds, credentials, and TPM secrets that are never exposed outside the security boundary. It also includes counters, the clock, and data that other users can read. The data falls into two types:

  • Data structures defined by the TPM architecture.
  • Unstructured data defined by the user or by platform-specific specifications.

Nonvolatile storage index

A computer accesses files on a hard disk through file system addresses; the TPM accesses data in nonvolatile storage through NV indexes.

A file system can impose access control on files, such as read and write permissions. The TPM controls access to the data region an index points to by setting the index's attributes and state.

The TPM implements access control for NV indexes in forms such as HMAC, PCR, locality, and physical presence, and it also provides read and write locking of indexes.

An uninitialized index cannot be accessed. An index has a state called "uninitialized, not written", and all read operations before the first write fail. In normal TPM use, an index in this state cannot be used in an access control policy, so users of the index can be sure its value was initialized by an authorized party and is not a default or uninitialized value.

An index can have an authorization value or a policy.

NV index data types

The TPM supports NV indexes of several data types. TPM 1.2 supported only unstructured data (now called ordinary data). TPM 2.0 adds three more basic types, so there are four basic index types:

  • Ordinary index
  • Counter index
  • Bit field index
  • Extended index

TPM 2.0 also supports hybrid versions of the basic index types above, called hybrid indexes.

Ordinary index

An ordinary NV index stores unstructured data of any length. Unlike counter, bit field, and extended indexes, an ordinary NV index places no restriction on the type of data written.

Case study 1: storing a secret
Suppose a trusted platform needs a 20-byte secret. The secret can be stored in an ordinary NV index whose attribute is set to TPMA_NV_PPREAD, which means platform authorization is required to read the index. The platform software that runs at system startup knows the platform authorization, so it can read the secret. This also ensures that once the startup software finishes its work, the secret can no longer be read: software that runs after startup does not know the platform authorization and cannot read it.

Case study 2: storing a common password
A user creates a set of keys with a policy stating that the keys can be used only when the correct password is supplied. The password can be stored in an ordinary index, so the key creator authorizes access to all the keys through the stored password, and a single write to the NV region changes the password for all related keys.

Case study 3: storing a certificate
A platform OEM creates a certificate stating that the platform has a fixed endorsement key and provides a certain level of security assurance. The OEM stores the certificate in NV. Reads of this NV region are unrestricted, but writes require the OEM's policy, which lets the OEM update the certificate securely.

Case study 4: storing the public key of the root of a key tree
An IT administrator can store the hash of a public key in NV and write-lock the index so that other users cannot modify it. The hash is used to verify another public key, and that public key is in turn used to verify that signatures really come from the IT organization. The NV index therefore holds the hash of the public key of the root certificate in a certificate chain.

Case study 5: storing an HMAC key
The Extended Verification Module (EVM) of the Linux Integrity Measurement Architecture (IMA) has an HMAC key. The key is released to the kernel early in boot, and the kernel then uses it to verify files' extended attributes, mainly to decide whether the kernel may load or use those files.

NV counter index

An NV counter index is a 64-bit value that can only be incremented. Before the first increment command is executed on an NV counter, its count is initialized to the largest NV count value that has ever existed on this TPM. That includes both current counters and counters that were defined in the past and have since been deleted. As a result, a counter's value can never be rolled back, even if the counter is deleted and recreated.

Case study 1: revoking access to a key
The key owner wants to be able to revoke access to a key. The key is created with a policy as its means of authorization, and the policy allows access to the key only while an NV counter's value equals its current value (the value before any further increment). Incrementing the NV counter then revokes access to the key.

NV bit field index

An NV bit field contains 64 bits. By default all bits are initialized to 0, but they can optionally be set to 1. A bit in the bit field can only be set to 1; it cannot be cleared to 0.

Case study: revoking a key shared by multiple users
The key holder wants to grant and revoke access to the key for up to 64 users. The key is created with a policy of up to 64 OR conditions. Each condition combines some user-specific authorization (for example, biometrics or a smart card digital signature) with the requirement that the bit assigned to that user is clear. A user's access is revoked by setting that user's bit in the NV bit field. Once the bit is set, the user can no longer use the key, because they can never satisfy the policy again.

NV extended index

An extended index is defined with a specific hash algorithm, which is fixed for the life of the index. The size of the index's NV region equals the output size of the hash algorithm. The NV region is initialized to all zeros. A write to this NV region is an extend operation, similar to a PCR extend.

The most likely use of an extended index is to create flexible PCRs in combination with hybrid indexes, which are described under "Hybrid index" below. Another use is a security audit log, because the extend operation creates a cryptographically protected history that cannot be tampered with.

An extended index is essentially a hash chain.

Case study: security audit log of CA key usage

  • A certificate authority wants to record every use of the key it signs certificates with, and also to detect whether the log stored on disk has been altered. It can create an NV extended index and use a policy to give itself exclusive write permission.
  • Each time the CA signs a new certificate, it logs the certificate and extends the certificate's digest into the NV index. To verify the log, the CA walks the logged certificates, recomputes the extend operations, and compares the result with the value in the NV index. For stronger assurance, the CA can also obtain a signature directly over the NV index value.
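
The audit-log case above can be modeled in a few lines. This is an added example, not code from the original article: NVExtendIndex is a software stand-in for the TPM-resident index, SHA-256 is an assumed hash algorithm, and the certificate byte strings are constructed.

```python
import hashlib

HASH = hashlib.sha256                      # assumed hash algorithm of the index
ZERO = bytes(HASH().digest_size)           # an extended index starts at all zeros


class NVExtendIndex:
    """Software model of an NV extended index; a real one lives inside the TPM."""

    def __init__(self):
        self.value = ZERO

    def extend(self, digest: bytes) -> None:
        # A write to an extended index is an extend: new = H(old || digest).
        self.value = HASH(self.value + digest).digest()


def sign_and_log(index: NVExtendIndex, disk_log: list, cert: bytes) -> None:
    """Record one use of the CA key: append to the disk log, extend the index."""
    disk_log.append(cert)
    index.extend(HASH(cert).digest())


def replay(disk_log: list) -> bytes:
    """Recompute the hash chain from the on-disk log alone."""
    value = ZERO
    for cert in disk_log:
        value = HASH(value + HASH(cert).digest()).digest()
    return value


def log_is_intact(index: NVExtendIndex, disk_log: list) -> bool:
    """True when the replayed log reproduces the value held in the index."""
    return replay(disk_log) == index.value


def demo() -> dict:
    # Constructed stand-ins for DER-encoded certificates.
    certs = [b"cert:alice", b"cert:bob", b"cert:carol"]
    index, log = NVExtendIndex(), []
    for cert in certs:
        sign_and_log(index, log, cert)
    return {
        "untouched": log_is_intact(index, log),
        "entry edited": log_is_intact(index, [log[0], b"cert:mallory", log[2]]),
        "entry removed": log_is_intact(index, log[:1] + log[2:]),
        "entries reordered": log_is_intact(index, [log[1], log[0], log[2]]),
        "entry appended": log_is_intact(index, log + [b"cert:mallory"]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'matches NV index' if ok else 'MISMATCH'}")
```

Only the untouched log reproduces the index value; the final value alone shows that the log changed, not which entry changed.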

Hybrid index

Another new NV feature in TPM 2.0 is the hybrid index. The metadata of a hybrid index (index handle, size, attributes, policy, and password) is nonvolatile, but the index data is created in volatile memory. Except for hybrid counters (described later), the index data is written to the NV region only when the TPM is shut down. Any of the four index types (ordinary, counter, bit field, or extended) can be a hybrid index.

A hybrid index may be suitable when an application needs to write frequently. Nonvolatile storage technology is subject to wear (as in solid-state disks), so a TPM may protect itself by rejecting frequent writes. Volatile memory has no wear problem, so a hybrid index can be written as often as needed.

**The main point of a hybrid index is that its data is stored in volatile storage.** This is different from what I thought: I thought a hybrid index was a combined use of the previous types, but it turns out it is because the data is stored in volatile storage.

Case study: increasing the number of PCRs
TPM manufacturers for the PC Client platform usually provide only 24 PCRs; hybrid indexes can be used to increase the number of PCRs on the platform. For the TPM's built-in PCRs, the PCR index stays the same across power cycles, but the PCR value is reset on power-up. That is essentially no different from ordinary volatile memory, which means a hybrid index held in volatile storage can be used to emulate a PCR.

Case study: constructing PCRs with different attributes
An application may want to use a PCR, but the standard PCRs have fixed attributes set by the platform. For example, the operating system may want to restrict access to a PCR, an application may want to restrict a PCR's authorization, an application may want a hash algorithm different from that of the current PCRs, or an application may want a PCR that can be extended only from a particular locality.

In that case, the application can create a hybrid extended index with the attributes it wants and use it as a PCR; the index can simply be deleted when the application finishes. Note that because the index is a hybrid index, extend operations do not write NV memory, which avoids both the performance cost and NV wear-out.

NV index access control

An NV index may be an ordinary, counter, bit field, or extended index, and it may also be a hybrid index. Every NV index also has its own set of controls, which differ from those of other TPM objects such as keys. Read and write control can be configured independently for each index, using the index policy, password authorization, or the owner's password and authorization.

The TPM also supports a set of read and write locks. An index can be write-locked permanently. It can also be read-locked or write-locked until the TPM restarts. An index can also be locked in one operation as a member of a group of indexes (global lock), again until the TPM restarts.

Many TPM entities are protected by the dictionary attack protection mechanism: after a certain number of failed authorization attempts, the TPM refuses authorization until a certain time has elapsed. An NV index can be protected in the same way, or the protection can be removed by configuring the index's attributes.

NV write operations

Every NV index has an implicit attribute when it is created: not written. In TPM 1.2, the data of a newly created index was initialized to all zeros, so a read could not distinguish all-zero data from data that had never been written. In TPM 2.0, not-yet-written is a separate state. A policy can require that an index has, or has not, been written.

Case study: a write-once NV index
During initial TPM provisioning, the creator of an NV index may require that the index be written only once. Once it is written, anyone who knows the correct password can read it.

To achieve this, create an OR policy with two branches. The first branch allows the NV write command only while the index has not been written. The second branch allows reads when the password is supplied.

NV index handle values

When a user creates an NV index, an index value is assigned to it. In TPM 1.2, some bits of this value had special meanings; for example, the D bit was used for locking. In the TPM 2.0 library specification, the bits of an NV index value have no special meaning beyond the overall handle range, and the TPM does not derive the index's attributes from the index value. However, platform-specific specifications or the global TCG registry may assign particular index values.

For example, the TCG registry allocates handles for TPM manufacturers (0-0x3fffff), platform vendors, and endorsement and platform certificates. It also reserves handle ranges for platform-specific specifications such as PC Client, server, mobile, and embedded platforms. All of these ranges are allocated by convention; the TPM does not enforce them in any way.

NV name

The name of a TPM entity uniquely identifies the entity and can be used for authorization. For an NV index, the name is the hash of its public area, which contains the index value (handle), the attributes (including whether the index has been written), the policy, and the size.

TPM2_PolicyNV allows an NV index value to be used in a policy. The policy can be based on a range of logical and arithmetic operations on the index value. If the policy were based solely on the value of the NV index, it would provide very little security: an attacker might delete the index and replace it with one that has a different access control policy. For this reason, TPM2_PolicyNV uses the name of the index.

Case study: the role of the NV index name
Suppose an NV bit field index is created for key revocation. The key's policy contains a TPM2_PolicyNV condition that is satisfied only while bit 0 of the NV index is clear. The NV index's policy requires that only the owner of a private key can write the index (TPM2_PolicySigned). To revoke the key, the key owner signs a nonce to satisfy the NV index policy and then uses TPM2_NV_SetBits to set bit 0 to 1.

Now suppose an attacker tries to regain access to the key. First, the attacker cannot clear bit 0 of the NV index, because the bits of an NV bit field index can only be set, never cleared. The attacker might try another approach: delete the index and recreate an index with the same name as before. This fails because of the TPM2_PolicySigned restriction. The attacker also cannot write the NV index, because they cannot satisfy the NV index policy.

The "delete and recreate the index" attack is infeasible because of these two TPM properties:

  • An NV index cannot be used in a policy until it has been written.
  • The policy refers to the NV index by its full name (public area), not just its handle.
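
The two properties above can be checked by computing the index name and the TPM2_PolicyNV policy digest by hand. This is an added example, not code from the original article: it assumes SHA-256 as the name and policy algorithm, the handle and the two index policy digests are constructed values, and policy_nv_ok is a software model of the TPM-side check.

```python
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B
TPM_CC_PolicyNV = 0x00000149
TPM_EO_BITCLEAR = 0x000B           # every bit set in operand B is clear in the index
TPMA_NV_POLICYWRITE = 1 << 3
TPMA_NV_TYPE_BITS = 0x2 << 4       # TPM_NT_BITS in the TPM_NT field (bits 7:4)
TPMA_NV_AUTHREAD = 1 << 18
TPMA_NV_WRITTEN = 1 << 29          # set by the TPM on the first write

HANDLE = 0x01500000                # constructed NV index handle
BASE = TPMA_NV_POLICYWRITE | TPMA_NV_TYPE_BITS | TPMA_NV_AUTHREAD
# Constructed stand-ins for TPM2_PolicySigned digests of two different signers.
OWNER_POLICY = hashlib.sha256(b"constructed: PolicySigned(owner key)").digest()
ATTACKER_POLICY = hashlib.sha256(b"constructed: PolicySigned(attacker key)").digest()


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def nv_name(handle: int, attributes: int, auth_policy: bytes, data_size: int) -> bytes:
    """Name = nameAlg || H(TPMS_NV_PUBLIC): handle, nameAlg, attributes, policy, size."""
    public = (struct.pack(">IHI", handle, TPM_ALG_SHA256, attributes)
              + struct.pack(">H", len(auth_policy)) + auth_policy
              + struct.pack(">H", data_size))
    return struct.pack(">H", TPM_ALG_SHA256) + sha256(public)


def key_policy(index_name: bytes) -> bytes:
    """policyDigest after TPM2_PolicyNV('bit 0 clear') on a fresh policy session."""
    operand_b = (1).to_bytes(8, "big")                       # mask selecting bit 0
    args = sha256(operand_b + struct.pack(">HH", 0, TPM_EO_BITCLEAR))
    return sha256(bytes(32) + struct.pack(">I", TPM_CC_PolicyNV) + args + index_name)


def policy_nv_ok(key_auth_policy, handle, attributes, auth_policy, value) -> bool:
    """Model of TPM2_PolicyNV against whatever index currently sits at `handle`."""
    if not attributes & TPMA_NV_WRITTEN:
        return False                      # an unwritten index cannot be used in a policy
    if value & 1:
        return False                      # bit 0 set: the key has been revoked
    name = nv_name(handle, attributes, auth_policy, 8)
    return key_policy(name) == key_auth_policy   # the digest binds the full name


def scenarios() -> dict:
    written = BASE | TPMA_NV_WRITTEN      # assumed: owner wrote the index when provisioning
    key_auth_policy = key_policy(nv_name(HANDLE, written, OWNER_POLICY, 8))

    def check(attrs, policy, value):
        return policy_nv_ok(key_auth_policy, HANDLE, attrs, policy, value)

    return {
        "original index, bit 0 clear": check(written, OWNER_POLICY, 0),
        "original index, bit 0 set (revoked)": check(written, OWNER_POLICY, 1),
        "recreated with same public area, never written": check(BASE, OWNER_POLICY, 0),
        "recreated with attacker's write policy, written": check(written, ATTACKER_POLICY, 0),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:50} -> {'key usable' if ok else 'policy fails'}")
```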

NV password

A subtlety of the TPM is that a user cannot truly change the password of a TPM object. The TPM2_ObjectChangeAuth command creates a TPM object with the new password, but the original object still exists. The user can delete all copies of the object, but the TPM cannot enforce that.

NV indexes do not have this odd property. An index exists only inside the TPM; its context cannot be saved or stored outside the TPM in any form. TPM2_NV_ChangeAuth can therefore change the password of an NV index.

NV index summary

TPM 2.0 has four types of NV index: ordinary (unstructured data), bit field, counter, and extended. Reads and writes of an index can be controlled with standard TPM password or policy authorization. The data of a hybrid index normally exists only in volatile memory and is stored to nonvolatile memory on a normal TPM shutdown, which avoids both the performance cost and NV wear-out. A newly created index is in the not-written state. Until it is written, its data cannot be read or used in a policy, although the "not written" state itself can be used in a policy.

Provisioning a TPM device with its initial certificates or public keys is the basic use of NV indexes. A more advanced use is to put NV authorization data in a policy and have multiple TPM entities share that policy. A policy that uses a bit field or counter index can revoke access to a key. An extended index provides the same characteristics as a PCR: it can support different algorithms, supports authorization, and has the same life cycle characteristics.

NV indexes have their own sets of commands and attributes for controlling authorization, read and write locks, and dictionary attack protection.

PCR

Platform configuration registers (PCRs) are one of the required features of a TPM. Their original use was to provide a cryptographic way of recording (measuring) software state, covering both the software running on the platform and the configuration data that software uses. A PCR is updated by an operation called extend, a one-way hash operation that ensures measurements cannot be tampered with. The PCRs used for measurement can be read to report the state of the software. PCR values can also be signed for more secure reporting, which is called attestation (or quote). PCRs can also be used in extended authorization policies to restrict the use of other TPM objects.

The TPM never passes judgment on measurements. From the TPM's internal information alone, it cannot be determined whether a measurement is good or bad, or whether the result is safe and trustworthy. When software is measured, the TPM simply records the measurement in a PCR. The security decision comes later, when an application uses the PCR in a policy for authorization, or when a remote party requests a signed attestation (quote) and then judges its trustworthiness.

A new PCR feature in TPM 2.0 is that the PCR hash algorithm is no longer fixed to SHA-1; the hash algorithm can now be changed. Some TPM implementations have the concept of banks, where each bank implements a different algorithm.

A TPM has a certain number of PCRs; for example, a PC TPM implements 24. By convention, the PCRs are assigned to the various software layers, from early boot code through the operating system and applications. The PCR assignments also fall into two categories: the software to be run (usually even-numbered PCRs) and the configuration files that customize the boot process (usually odd-numbered PCRs).

The original use of PCRs is to represent the state of the platform software: the history of the important software that has run up to the current point, including its configuration. The TPM initializes all PCRs at power-on; the initial value is defined by the TPM platform-specific specification and is usually all 0s or all 1s. A caller cannot write a value to a PCR directly. Instead, a PCR value is updated by an operation called "extend", which is a chained hash. Cryptographically, it works as follows:
PCR new value = Digest of (PCR old value || data to extend)

The TPM concatenates the data to be extended to the old PCR value. The data extended into a PCR is almost always a hash value, although the TPM does not require it to be one. The TPM then hashes the concatenated value and stores the new hash in the PCR.

After the system restarts, the platform begins execution in the CRTM (Core Root of Trust for Measurement). The CRTM measures the software that will run next and extends the measurement into an even-numbered PCR, then extends that software's configuration into an odd-numbered PCR. The measured software, which may be the BIOS, in turn measures and extends the next level of software, perhaps the MBR. This chain of measurement continues until the early kernel code has been measured. Important security configuration files are also measured along the way.

The final result is a set of PCR values that represent the history of all measurements extended into the PCRs. Because the secure digest is one-way, these values cannot be tampered with.

Number of PCRs

In practice, a TPM has multiple PCRs. The PC Client platform requires the TPM to implement at least 24 PCRs, and that is the actual number on PC platforms. TPMs in automation equipment may have more PCRs. The platform-specific TPM specification defines the PCR attributes, and the platform-specific software specification defines which software each PCR is used to measure.

Platform-specific specifications may assign several PCRs to user software. One PCR (16), called the debug PCR, is for software testing. Because it is for debugging, the value of this PCR can be reset without power cycling the TPM.

PCR commands

TPM2_PCR_Extend: probably the most commonly used PCR command; the caller extends a digest into a PCR.
TPM2_PCR_Event: has the TPM hash the message and extend the resulting digest into a PCR. The input message is limited to 1024 bytes. Compared with the previous command, there is an additional hash calculation.
TPM2_PCR_Read: reads a PCR value. This is very useful when verifying an event log, as described later.
TPM2_PCR_Reset: resets a PCR. It is mainly used for PCRs assigned to user-level software (for example, the debug PCR just described). Most PCRs cannot be reset during a TPM power cycle.
TPM2_PCR_Allocate: sets the hash algorithm for PCRs. It is needed only to change the default hash algorithm, and in most cases it is executed just once.
TPM2_PCR_SetAuthPolicy: sets an authorization policy for a PCR group. This command is not required on the PC Client.
TPM2_PCR_SetAuthValue: sets an authorization password for a PCR group. This command is not required on the PC Client.

Main application of PCRs: authorization

A common use of PCRs is authorization.

A TPM entity can have a policy under which the entity may be used only when particular PCRs hold particular values. The policy can select a group of PCRs, with a different value set for each PCR. If the PCR values differ from the values set in the policy, the policy is not satisfied and the TPM entity cannot be accessed.

Case study: sealing a key to the platform state

Storing a full-disk encryption key in the TPM is much more secure than storing it on disk protected only by a password. First, the TPM resists brute-force attacks, so brute-forcing the password does not succeed. If software protects the key with a weak password, the key is vulnerable.

A key stored on disk is easy to steal: getting the hard disk means getting the key. If the key is stored in the TPM, stealing it means stealing the entire platform that contains the TPM, or at least the hard disk and the motherboard.

Sealing lets the key be protected not only by a password but also by a policy. A typical policy locks the key to the PCR values (which represent the software state) at the time of sealing. This scheme assumes that the state at system startup does not change. Any malware already present is measured into the PCRs during boot, so the key stays sealed when the platform is in an insecure state.

A less trusting company may have its own disk image and seal the key to the PCRs that represent it (that is, the PCR values after the image boots). These PCR values can be computed in advance on a more secure platform.

A more sophisticated approach is for the company to use the TPM2_PolicyAuthorize command and issue tickets that authorize a set of trusted PCR values.

Although an ordinary password can also protect the key, TPM protection improves system security even without a TPM key password. An attacker can boot the platform without providing a TPM key password, but cannot log in without a username and login password.

The security features of the OS can be used to protect data. But an attacker could boot a different OS, for example from a DVD or USB device instead of the hard disk, and so bypass OS login security.
With a TPM, this different boot configuration (not booting from the hard disk) and the different OS software change the PCR values. The changed PCR values do not match the previous correct values, so the TPM does not release the disk decryption key and the data on the hard disk is not decrypted.

Seal:

  1. Construct a policy with TPM2_PolicyPCR, taking as input the PCR values that must be present when the key is unsealed in the future.
  2. Do the following (similar to TPM 1.2):
    Use TPM2_GetRandom to create a symmetric key outside the TPM.
    Use the TPM2_Create command to create a sealed object from that symmetric key and the policy. In 2.0, TPM2_Create only needs the policy to be specified.

Unseal:
TPM2_Load loads the object created by TPM2_Create.
TPM2_PolicyPCR satisfies the policy.
TPM2_Unseal returns the sealed symmetric key.
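
The seal and unseal steps above depend on the policy digest that TPM2_PolicyPCR produces, which can be computed in advance from the expected PCR values. This is an added example, not code from the original article: it models the TPM in software, assumes a SHA-256 bank with PCRs reset to all zeros, uses os.urandom in place of TPM2_GetRandom, and the PCR indexes and measured strings are constructed.

```python
import hashlib
import os
import struct

TPM_CC_PolicyPCR = 0x0000017F      # command code from the TPM 2.0 library spec
TPM_ALG_SHA256 = 0x000B
EMPTY = bytes(32)                  # assumed PCR reset value and fresh policyDigest
SELECTION = (0, 1, 4, 5)           # constructed choice: two code PCRs, two config PCRs

# Constructed measurement logs: (PCR index, measured blob).
TRUSTED_BOOT = [(0, b"firmware v1"), (1, b"firmware settings"),
                (4, b"disk boot loader v2"), (5, b"boot order: disk")]
USB_BOOT = [(0, b"firmware v1"), (1, b"firmware settings"),
            (4, b"live USB loader"), (5, b"boot order: usb")]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def boot(measurements) -> dict:
    """Model a measured boot: extend the digest of each blob into its PCR."""
    pcrs = {i: EMPTY for i in range(24)}
    for index, blob in measurements:
        pcrs[index] = sha256(pcrs[index] + sha256(blob))    # new = H(old || data)
    return pcrs


def pcr_selection(indexes) -> bytes:
    """Marshal a one-bank TPML_PCR_SELECTION with a 3-byte bitmap (24 PCRs)."""
    bitmap = bytearray(3)
    for i in indexes:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcrs: dict, indexes) -> bytes:
    """policyDigest after a single TPM2_PolicyPCR on a fresh policy session."""
    digest_tpm = sha256(b"".join(pcrs[i] for i in sorted(indexes)))
    return sha256(EMPTY + struct.pack(">I", TPM_CC_PolicyPCR)
                  + pcr_selection(indexes) + digest_tpm)


class SealedObject:
    """Software model of the sealed data object: the secret plus its authPolicy."""

    def __init__(self, secret: bytes, auth_policy: bytes, indexes):
        self._secret, self.auth_policy, self.indexes = secret, auth_policy, indexes

    def unseal(self, current_pcrs: dict):
        # Models TPM2_PolicyPCR followed by TPM2_Unseal: the session digest is
        # built from the PCR values at unseal time and must equal authPolicy.
        if policy_pcr_digest(current_pcrs, self.indexes) != self.auth_policy:
            return None
        return self._secret


def seal(expected_pcrs: dict):
    """Seal a fresh symmetric key to the expected (precomputed) PCR values."""
    key = os.urandom(32)                        # stands in for TPM2_GetRandom
    policy = policy_pcr_digest(expected_pcrs, SELECTION)
    return key, SealedObject(key, policy, SELECTION)


if __name__ == "__main__":
    key, sealed = seal(boot(TRUSTED_BOOT))
    print("trusted boot releases key:", sealed.unseal(boot(TRUSTED_BOOT)) == key)
    print("USB boot releases key:    ", sealed.unseal(boot(USB_BOOT)) is not None)
```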

The typical use of PCRs is to bind the authorization to use a TPM entity to the state of the platform software, but other uses are possible. For example, a password can be extended into a PCR to unlock access to an entity. When access is no longer needed, the PCR is reset (if reset is permitted) or extended with another value.

PCRs for attestation

Attestation is a more advanced use of PCRs. On a platform without a TPM, remote software usually cannot determine the state of the platform's software. If the state is reported by software, then once that software is compromised it can deceive the remote application.

TPM attestation provides cryptographic evidence of software state. Recall that the measurements in most PCRs (all except the debug PCR) cannot be undone; specifically, a PCR cannot be rolled back to a chosen value. Attestation is a TPM quote operation: the values of a set of PCRs are hashed, and the hash is signed with a TPM key. If the remote party can verify that the signing key really comes from a genuine TPM, it can be sure that the reported PCR digest has not been tampered with. Verifying the signature and the signing key's certificate is not enough, however: the remote party must also verify that the PCR digest matches the reported PCR values.

The remote party also needs to read an event log, which contains the measured software, other information, and all the measurements. It then replays the log with an operation like PCR extend to obtain the final hash values and compares them with the reported PCR values. These operations are not difficult; they involve only some arithmetic.

From the hash signed by the TPM, the remote software knows the platform's software state. It now has to decide whether that state is secure. To do so it compares the measured hashes with a whitelist, which potentially requires cooperation from third-party software vendors. PCRs only provide a trustworthy way to represent the platform's software state; they make no decision about whether the software is secure.

Quote application

A network device wants to decide whether to let a client platform connect to a network. It needs to know whether the software running on the client platform is fully patched. The network device can quote the TPM's PCRs and compare the result with a whitelist of patched software modules (hashes). If the platform is in a good state, it is allowed to connect to the network. If not, the platform's network connection is routed to a dedicated patch server, and it cannot access the network.

The open source VPN solution strongSwan can use the TCG TNC standard to combine a TPM quote with a policy to enforce access control on VPN connections.

As this shows, the quote is a security feature provided by the TPM that can be combined with other security mechanisms to build more complete and secure network access.

PCR quote details

Quote data structure

Magic number, TPM_GENERATED: prevents an attacker from signing arbitrary data with a restricted signing key and then claiming that it is a TPM quote.

Qualified name of the signing key: the key itself may be strong, but it could be protected by a parent key that uses a weak algorithm. The qualified name represents the key's entire parent chain.

Caller-supplied data: usually a nonce to resist replay attacks. The nonce proves that the quote is fresh.

TPM firmware version: included in the structure so that the verifier can decide whether to trust a particular version of the TPM code.

TPM clock state: resetCount matters for the case study below. When the quote is signed with a key outside the endorsement hierarchy, the clock information is obfuscated. This is for privacy: the attestation requester only needs to know whether resetCount has changed, not its actual value.

Case study: detecting a restart during a transaction
On a platform carrying out financial transactions, a monitoring device performs a quote every 15 minutes to detect changes in the platform's software state. An attacker waits in the gap between quotes, reboots the platform into compromised software, performs unauthorized transactions, and then reboots the platform again to return it to the trusted state, so the next regular quote shows the same trusted PCR values. However, resetCount reveals the reboot and reports it (through the quote) to the monitoring software.
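
The fields listed under "Quote data structure" are carried in the marshaled TPMS_ATTEST structure, and the restart check compares resetCount between consecutive quotes. This is an added example, not code from the original article: it assumes the quote signature has already been verified, and build_quote produces a constructed sample in place of a real TPM's output.

```python
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347     # magic number: 0xFF followed by "TCG"
TPM_ST_ATTEST_QUOTE = 0x8018
TPM_ALG_SHA256 = 0x000B


def tpm2b(buf: bytes) -> bytes:
    """Marshal a TPM2B: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(buf)) + buf


def build_quote(nonce: bytes, reset_count: int, pcr_digest: bytes) -> bytes:
    """Marshal a constructed TPMS_ATTEST quote body (sample input only)."""
    signer = struct.pack(">H", TPM_ALG_SHA256) + bytes(32)    # placeholder name
    clock_info = struct.pack(">QIIB", 1000, reset_count, 0, 1)
    pcr_select = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + b"\x33\x00\x00"
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
            + tpm2b(signer) + tpm2b(nonce) + clock_info
            + struct.pack(">Q", 0x0001000200030004)            # firmware version
            + pcr_select + tpm2b(pcr_digest))


def parse_quote(blob: bytes) -> dict:
    """Unmarshal TPMS_ATTEST for a quote; raise ValueError if it is not one."""
    off = 0

    def take(fmt):
        nonlocal off
        values = struct.unpack_from(fmt, blob, off)
        off += struct.calcsize(fmt)
        return values

    def take2b():
        nonlocal off
        (size,) = take(">H")
        data = blob[off:off + size]
        off += size
        return data

    magic, kind = take(">IH")
    if magic != TPM_GENERATED_VALUE:
        raise ValueError("magic is not TPM_GENERATED: not produced by a TPM")
    if kind != TPM_ST_ATTEST_QUOTE:
        raise ValueError("attestation structure is not a quote")
    quote = {"signer": take2b(), "nonce": take2b()}
    quote["clock"], quote["reset_count"], quote["restart_count"], quote["safe"] = take(">QIIB")
    (quote["firmware"],) = take(">Q")
    (count,) = take(">I")
    quote["selections"] = []
    for _ in range(count):
        alg, size = take(">HB")
        quote["selections"].append((alg, blob[off:off + size]))
        off += size
    quote["pcr_digest"] = take2b()
    if off != len(blob):
        raise ValueError("truncated or trailing data in quote")
    return quote


def check_quote(blob, nonce, trusted_digest, last_reset_count):
    """Return (reset_count, findings) for one signature-verified quote."""
    quote = parse_quote(blob)
    findings = []
    if quote["nonce"] != nonce:
        findings.append("stale-or-replayed")
    if quote["pcr_digest"] != trusted_digest:
        findings.append("pcr-mismatch")
    # Only equality matters, so this works even when the value is obfuscated.
    if last_reset_count is not None and quote["reset_count"] != last_reset_count:
        findings.append("reboot-since-last-quote")
    return quote["reset_count"], findings


def monitor_demo() -> list:
    """Two periodic quotes with two reboots in between and identical PCRs."""
    trusted = hashlib.sha256(b"constructed trusted PCR values").digest()
    results, last = [], None
    for nonce, reset_count in ((b"nonce-0001", 7), (b"nonce-0002", 9)):
        blob = build_quote(nonce, reset_count, trusted)
        last, findings = check_quote(blob, nonce, trusted, last)
        results.append(findings)
    return results


if __name__ == "__main__":
    print(monitor_demo())
```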

PCR attributes

Every PCR has a set of attributes. The TPM library specification defines the attributes, but the platform-specific specification ultimately decides which PCRs have which attributes. In general, most PCRs are assigned by convention to specific software, while a few are unassigned and reserved for application software.

The Reset attribute indicates whether a PCR's value can be reset with the TPM2_PCR_Reset command. The reset value is generally all 0s. Most PCRs cannot be reset, because allowing it would let malware reset a PCR to a known-good state. Some PCRs can be reset only from a specific locality.

The Extend attribute indicates whether a PCR can be extended with the TPM2_PCR_Extend or TPM2_PCR_Event command. Obviously, a PCR that cannot be extended is useless, but some PCRs can be extended only from certain localities.

The attribute for resetting a PCR through DRTM indicates whether a PCR can be extended by writing data directly to the TPM interface rather than through the normal TPM command format. This attribute is platform-specific and tied to the particular TPM hardware interface, and it usually has different settings for different localities.

When TPM2_Startup is executed with the CLEAR parameter after a system restart, all PCRs are reset. Most PCRs are reset to 0, but some take other values, such as all 1s, or a value that depends on the locality at which the startup command was executed.

The No Increment attribute relates to binding with TPM2_PolicyPCR. Binding a policy to PCRs is an immediate assertion.

When TPM2_PolicyPCR is executed, the current PCR values are added to the policy session's digest. A PCR might change after this immediate assertion (the PolicyPCR command), however, and in the "normal" case that invalidates the policy session. Invalidation works through a counter that records PCR changes: the policy session records the counter value when TPM2_PolicyPCR is executed and checks it when the session is used. If the count values differ, the TPM knows the PCR values have changed and the policy session fails.

If No Increment is set, a change to a PCR with this attribute does not increment the counter, so policy sessions in use are not invalidated.

PCR algorithms

The foremost requirement driving TPM 2.0 was to get rid of the SHA-1 hash algorithm fixed in TPM 1.2. Because PCRs are closely tied to the hash algorithm, TPM 2.0 in theory offers many algorithm choices for PCRs through the TPM2_PCR_Allocate command.

The key phrase here is "in theory". PCRs are allocated in banks, each corresponding to one hash algorithm. The command allows PCRs to be allocated in any combination: a PCR can be assigned to multiple banks and so have multiple hash algorithms. When there are multiple algorithms, the TPM2_PCR_Extend command takes a hash algorithm parameter in addition to the PCR index and digest. If the given algorithm matches none of the algorithms configured for the PCR, the command is ignored.

Summary

PCRs have two basic uses. PCR values can be conveyed in a signed attestation quote, from which a verifier can judge whether the platform's software state is trustworthy. PCRs can also be used in policies, to authorize the use of other TPM objects based on PCR values. Whereas the PCR algorithm in TPM 1.2 was fixed to SHA-1, TPM 2.0 improves on this and allows other hash algorithms.
