Atmel Corporation
1150 E. Cheyenne Mountain Blvd.
Colorado Springs, Colorado 80906

Atmel Trusted Platform Module AT97SC3204-X4
Firmware revision: 1.2.29.01
Security Policy
FIPS 140-2, Level 1
Document Version 1.7
October 24, 2013

Revision History

Version | Date | Description
1.0 | July 25, 2012 | First formal release
1.1 | November 29, 2012 | Corrections to the Security Policy from comments received from the evaluator
1.2 | February 5, 2013 | Inserted algorithm certificate numbers
1.3 | February 6, 2013 | Separated AuthChangeKey from Storage Key. Removed Seal Keys. Added HMAC keys. Removed tpmProof AES key.
1.4 | February 12, 2013 | Corrections to the Security Policy in response to internal quality review
1.5 | September 17, 2013 | Corrections to the Security Policy from comments received during CMVP evaluation
1.6 | October 24, 2013 | Correction of firmware revision nomenclature on the cover page
1.7 | October 24, 2013 | Correction to Table 2 (Operational Environment). Correction of broken links to other tables.

Table of Contents

Module Overview
  AT97SC3204-X4 TPM Implementation
Security Level
Modes of Operation
  AT97SC3204-X4 TPM Mode Indications
Ports and Interfaces
Cryptographic Algorithms
Key Establishment
Security Rules
  FIPS 140-2 Imposed Security Rules
  Atmel Corporation Imposed Security Rules
Identification and Authentication Policy
  Roles and Services
    AT97SC3204-X4 TPM Roles
    AT97SC3204-X4 TPM Services
  Authentication
    Physical Presence
  Strength
    Strength calculation for OSAP
    Strength calculation for OIAP
    Strength calculation for DSAP
  Failed Authentication Attempts Counter
  Identification
Access Control Policy
  Definition of Critical Security Parameters (CSPs)
  Definition of Public Keys
  CSP Access Type
  Logical Access Policy
  Physical Security Policy
Operational Environment
  Operating ranges
Mitigation of Other Attacks Policy
  Housing
  Internal Tamper Detection
  Environmental protection
References
Definitions and Acronyms

Tables:
Table 1 – Pin Definitions
Table 2 – Module Security Level Specification
Table 3 – Physical Ports and Interfaces
Table 4 – Cryptographic Algorithms
Table 5 – Security strength
Table 6 – TOE Authentication
Table 7 – AT97SC3204-X4 TPM Services
Table 8 – AT97SC3204-X4 TPM Service Description
Table 9 – Authentication Strength
Table 10 – Failure Modulus
Table 11 – Lockout delay vs. FAILMOD value
Table 12 – CSP Identification
Table 13 – CSP Access Type
Table 14 – Logical Access

Figures:
Figure 1 – AT97SC3204-X4 Block Diagram
Figure 2 – Image of the Physical Cryptographic Module
Figure 3 – Pinout Diagrams

Section 1. Module Overview (Definition of Cryptographic Module Security Policy, Security Level 1)

The AT97SC3204-X4 Trusted Platform Module is a fully integrated security module designed to be integrated into personal computers and other embedded systems. The security module is used primarily for cryptographic key generation, key storage and key management, as well as the generation and secure storage of digital certificates. The AT97SC3204-X4 implements version 1.2 of the Trusted Computing Group (TCG) specification for Trusted Platform Modules (TPM).

The TPM is a single-chip cryptographic module as defined in FIPS 140-2. The single silicon chip is encapsulated in a hard, opaque, production-grade integrated circuit (IC) package. The cryptographic boundary is defined as the perimeter of the IC package, including the I/O pins through which all communication to and from the module occurs. The cryptographic boundary includes the module's internal 8-bit AVR microcontroller, 16KB of EEPROM, 128KB of ROM, multiple banks of SRAM, cryptographic acceleration hardware and an internal Random Number Generator. Protection circuitry is included that can detect and respond to environmental changes and to hardware tamper events. No hardware or firmware components of the module are excluded from the requirements of FIPS 140-2.
Figure 1 – AT97SC3204-X4 Block Diagram

[Block diagram; only the block labels survive in this copy.] The cryptographic boundary contains:
- AVR 8-bit RISC CPU, with Timer, Usage Timer, Real Time Clock and GPIO (GPIO6 and the PP Physical Presence input).
- 33 MHz LPC Interface (LAD0–LAD3, LCLK, LFRAME, LRESET, LPCPD, CLKRUN, SERIRQ) and the XTAMPER input, with TIS Data FIFO, TIS Status registers, TIS Access registers, DID/VID/RID registers, Legacy registers, Configuration registers, Interface capability register and Interrupt registers.
- ROM Program Memory: executable firmware, TCG command support firmware, crypto library, TPM Interface Spec support, internal drivers (EEPROM write and read, RNG, RTC, Tamper, Trim, Shield, LPC Interface, TIS, TCG messaging, SHA-1, GPIO, Clock, Usage Timer) and test firmware (disabled).
- EEPROM Program Memory: executable firmware and TCG command support firmware.
- EEPROM Data Memory: key cache, Platform Configuration Registers, NVStore memory space, TPM Permanent Flags register and Tamper Residue register.
- SRAM1 and SRAM2.
- Crypto Engine: RSA hardware support, SHA-1 engine and Random Number Generator (Linear Feedback Shift Register).
- Physical Security Circuitry: temperature tamper detection circuit, voltage tamper detection circuit, clock input filter and top metal active shield.

The basic tasks of the AT97SC3204-X4 TPM include the following:
- Measurement (through a SHA-1 hash mechanism), storage and reporting of the state of the computing platform, bound physically and cryptographically to the platform.
- Execution of strong authentication mechanisms for identification of a computing platform identity.
- Provision of the following cryptographic services to the host platform:
  o Generation of RSA key pairs
  o RSA digital signature and verification
  o RSA key wrapping (encryption)
  o Random number generation

The AT97SC3204-X4 TPM can be used by the host system to monitor the system boot process. The current system state may be compared to reference state values which were previously generated at a time when the system state was known to be trustworthy. The TPM can bind data or keys to a specific system state, and can grant or deny access to keys and data if the current system state differs from the known trusted system state.

AT97SC3204-X4 TPM Implementation

The hardware and firmware versions implemented in the FIPS evaluated and certified version of the AT97SC3204-X4 TPM are:
Hardware: AT97SC3204-X4
Firmware: 1.2.29.01

Figure 2 – Image of the Physical Cryptographic Module
[Photograph of the package; not reproduced. Markings called out in the figure: truncated part number, lot number, date code, country of origin (Philippines), firmware revision and pin 1 indicator.]

The AT97SC3204-X4 TPM is manufactured in three packages:
- 4.4mm 28-pin TSSOP (Part number AT97SC3204-X4A1)
- 6.1mm 28-pin TSSOP (Part number AT97SC3204-X4A)
- 40-pin 6x6mm QFN (Part number AT97SC3204-X4M)

The pin layout for the AT97SC3204-X4 TPM is shown in Figure 3.
Figure 3 – Pinout Diagrams

Packages shown: 28-pin Thin TSSOP, 4.4 mm x 9.7 mm body, 0.65 mm pitch; 28-pin TSSOP, 6.1 mm x 9.7 mm body, 0.65 mm pitch; 40-pin QFN, 6.0 mm x 6.0 mm body, 0.50 mm pitch.

28-pin TSSOP pin assignment, as recovered from the diagram:
1 (label not legible in this copy), 2 ATest, 3 ATest, 4 GND, 5 SB3V, 6 GPIO6, 7 NC, 8 TestI, 9 TestBI, 10 VCC, 11 GND, 12 NBO, 13 NBO, 14 NBO, 15 CLKRUN#, 16 LRESET#, 17 LAD3, 18 GND, 19 VCC, 20 LAD2, 21 LCLK, 22 LFRAME#, 23 LAD1, 24 VCC, 25 GND, 26 LAD0, 27 SERIRQ, 28 LPCPD#.

40-pin QFN pin assignment, as recovered from the diagram:
1 ATest, 2 ATest, 3 GND, 4 SB3V, 5 GPIO6, 6 NC, 7 TestI, 8 TestBI, 9 VCC, 10 GND, 11–18 NBO, 19 CLKRUN#, 20 LRESET#, 21 LAD3, 22 GND, 23 VCC, 24 LAD2, 25 LCLK, 26 LFRAME#, 27 LAD1, 28 VCC, 29 GND, 30 LAD0, 31–36 NBO, 37 SERIRQ, 38 LPCPD#, 39 ATest, 40 ATest.

The pin description for the AT97SC3204-X4 TPM is given in Table 1.

Table 1 – Pin Definitions

Pin Name | Pin type | Description
VCC | I | 3.3V Supply Voltage
SB3V | I | Standby 3.3V Supply Voltage
GND | I | Ground
LRESET# | I | PCI Reset Input, Active Low
LAD0 | I/O | LPC Command, Address, Data Line Input/Output
LAD1 | I/O | LPC Command, Address, Data Line Input/Output
LAD2 | I/O | LPC Command, Address, Data Line Input/Output
LAD3 | I/O | LPC Command, Address, Data Line Input/Output
LCLK | I | 33 MHz PCI Clock Input
LFRAME# | I | LPC FRAME Input
CLKRUN# | I/O | PCI Clock Run Input/Output (see Table 3)
LPCPD# | I | LPC Power Down Input
SERIRQ | I/O | Serialized Interrupt Request Input/Output
GPIO6 | I/O | GPIO assigned to TPM_NV_INDEX_GPIO_00
TestI | I | Test Input (disabled)
TestBI | I | Test Input (disabled)
ATest | I | Atmel Test Pin (disabled)
NC | I | GPIO assigned to Hardware Physical Presence
NBO | N/A | Not bonded out; no connection to circuitry

Section 2. Security Level (Security Level 1)

The cryptographic module meets the overall requirements applicable to Level 1 security of FIPS 140-2.
Table 2 – Module Security Level Specification

Security Requirements Section | Level
Cryptographic Module Specification | 1
Cryptographic Module Ports and Interfaces | 1
Roles, Services and Authentication | 1
Finite State Model | 1
Physical Security | 1
Operational Environment | 1
Cryptographic Key Management | 1
EMI/EMC | 1
Self-Tests | 1
Design Assurance | 1
Mitigation of Other Attacks | 1
Overall | 1

Section 3. Modes of Operation (Security Level 1)

The Atmel AT97SC3204-X4 TPM supports only a FIPS Approved mode of operation. No non-approved mode of operation is supported in the AT97SC3204-X4. The mode of operation is established during the final stage of the TPM manufacturing process, when critical firmware components are loaded and locked into the TPM internal EEPROM memory. Once the firmware is loaded and locked, the FIPS mode of operation may not be changed by execution of any capability. Since the firmware image specified by this Security Policy is the only AT97SC3204-X4 image undergoing FIPS evaluation, the firmware revision specified in the section entitled AT97SC3204-X4 TPM Implementation is the only firmware image that contains an asserted FIPS mode indicator bit.

AT97SC3204-X4 TPM Mode Indications

The state of FIPS mode operation is recorded in the TPM_PERMANENT_FLAGS structure and will always read TRUE. Once set, FIPS mode cannot be disabled or altered for the lifetime of the TPM chip. A User can verify the state of the FIPS mode flag by issuing the command TPM_GetCapability with a capability area of TPM_CAP_FLAG (0x00000004) and a subCap of TPM_CAP_FLAG_PERMANENT (0x00000108); the FIPS field of the returned TPM_PERMANENT_FLAGS structure reads TRUE.

Section 4. Ports and Interfaces (Security Level 1)

The AT97SC3204-X4 provides the following physical ports and interface pins:

Table 3 – Physical Ports and Interfaces

Pin Name | Type | VIL / VIH | VOL / VOH | Description
VCC | I | -0.5V / 3.63V | n/a | 3.3V (+/- 10%) Power Supply Voltage
SB3V | I | -0.5V / 3.63V | n/a | Standby 3.3V (+/- 10%) Supply Voltage
GND | I | 0V / 0V | n/a | System Ground
LRESET# | I | -0.5V / 4.13V | n/a | Active Low PCI Reset Input. Driving this pin low resets the internal state of the TPM and is equivalent to removal of power from the chip.
LAD0, LAD1, LAD2, LAD3 | I/O | -0.5V / 4.13V | 0.4V / 2.5V | LPC Command, Address and Data Input/Output pins. The LPC bus transmits 8 bits per transaction in two 4-bit packets.
LCLK | I | -0.5V / 4.13V | n/a | 33 MHz PCI Clock Input. The frequency and duty cycle of this clock must be accurately maintained by the system to the parametric specifications listed in the AT97SC3204 datasheet.
LFRAME# | I | -0.5V / 4.13V | n/a | LPC FRAME indicator input pin
CLKRUN# | I/O | -0.5V / 4.13V | 0.4V / 2.5V | PCI ClockRun Input/Output pin; clock control handshake pin. When asserted by the system, indicates the intent to remove the 33 MHz clock signal from the LCLK input pin. The TPM may hold off removal of the clock by holding the CLKRUN# pin low until it is prepared for removal of the clock signal.
LPCPD# | I | -0.5V / 4.13V | n/a | LPC Power Down Input. LPCPD# is intended to indicate that the LPC bus peripheral device (TPM) should prepare for system power-down, or for power to be shut off to devices on the LPC interface. Since the TPM automatically enters a low-power state after completion of every command, no special preparation is required by the TPM. No action is taken by the TPM when an active signal is received on this pin.
SERIRQ | I/O | -0.5V / 4.13V | 0.4V / 2.5V | Serialized Interrupt Request Input/Output (LPC Serialized IRQ). Typically used to signal the system processor that the TPM has completed execution of a command and data is available to be read, that the TPM Locality has changed, or that the TPM is ready to receive a new command. SERIRQ meets the Intel Low Pin Count (LPC) Interface Specification Revision 1.1, August 2002. This pin is unused in general usage.
GPIO6 | I/O | -0.5V / 4.13V | 0.4V / 2.5V | General Purpose Input/Output pin configured by internal firmware as an output only. Serves as an indicator signal from the TPM to other system components. The state of GPIO6 is determined by the data value written to the GPIO-Express-00 field by a TPM_NV_WriteValue or TPM_NV_WriteValueAuth command.
TestI | I | -0.5V / 4.13V | n/a | Test Input (permanently disabled during TPM manufacturing)
TestBI | I | -0.5V / 4.13V | n/a | Test Input (permanently disabled during TPM manufacturing)
ATest | I | -0.5V / 4.13V | n/a | Atmel Test Pin (permanently disabled during TPM manufacturing)

Cryptographic Algorithms

The AT97SC3204-X4 supports the following cryptographic algorithms. Algorithm certificate numbers are listed for each Approved algorithm.

Table 4 – Cryptographic Algorithms

Algorithm | Approved / non-approved | Certificate number
SHA-1 | Approved | #2015
RSA | Approved | #1203
HMAC | Approved | #1445
AES | Approved | #2333
RNG | Approved | #1163
MGF1 | non-approved | N/A

The non-approved algorithm MGF1 is not used to protect or encrypt CSPs. MGF1 is used to obfuscate some input information passed to the module and some output information received from the module.
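The mode-indicator check described under AT97SC3204-X4 TPM Mode Indications can be scripted against the raw TPM 1.2 command interface. The following Python is an added example, not part of this Security Policy or of Atmel's firmware: it builds the TPM_GetCapability request for TPM_CAP_FLAG / TPM_CAP_FLAG_PERMANENT and decodes the FIPS field from the returned TPM_PERMANENT_FLAGS structure. The command tags, the ordinal and the field order of TPM_PERMANENT_FLAGS are taken from the TCG TPM 1.2 Main Specification (the revision 103 field layout; which revision the firmware follows is an assumption). The response bytes below are constructed for the example, not captured from a device.

```python
"""Build a TPM 1.2 TPM_GetCapability(TPM_CAP_FLAG, TPM_CAP_FLAG_PERMANENT)
request and decode the FIPS indicator from the reply.

Added example; not Atmel code. Constants follow the TCG TPM 1.2 Main
Specification (Parts 2 and 3). The sample reply is constructed here.
"""
import struct

TPM_TAG_RQU_COMMAND = 0x00C1
TPM_TAG_RSP_COMMAND = 0x00C4
TPM_ORD_GetCapability = 0x00000065
TPM_CAP_FLAG = 0x00000004
TPM_CAP_FLAG_PERMANENT = 0x00000108
TPM_TAG_PERMANENT_FLAGS = 0x001F

# BOOL fields of TPM_PERMANENT_FLAGS (one byte each) in wire order after
# the 2-byte structure tag. Assumption: TPM 1.2 revision 103 layout.
PERMANENT_FLAG_NAMES = (
    "disable", "ownership", "deactivated", "readPubek", "disableOwnerClear",
    "allowMaintenance", "physicalPresenceLifetimeLock",
    "physicalPresenceHWEnable", "physicalPresenceCMDEnable", "CEKPUsed",
    "TPMpost", "TPMpostLock", "FIPS", "operator", "enableRevokeEK",
    "nvLocked", "readSRKPub", "tpmEstablished", "maintenanceDone",
    "disableFullDALogicInfo",
)
FIPS_INDEX = PERMANENT_FLAG_NAMES.index("FIPS")


def build_get_permanent_flags() -> bytes:
    """Request layout (big-endian): tag(2) paramSize(4) ordinal(4)
    capArea(4) subCapSize(4) subCap(subCapSize)."""
    sub_cap = struct.pack(">I", TPM_CAP_FLAG_PERMANENT)
    body = struct.pack(">II", TPM_CAP_FLAG, len(sub_cap)) + sub_cap
    param_size = 2 + 4 + 4 + len(body)
    return struct.pack(">HII", TPM_TAG_RQU_COMMAND, param_size,
                       TPM_ORD_GetCapability) + body


def parse_permanent_flags(response: bytes) -> dict:
    """Decode the reply into {flag_name: bool}. Any framing problem or
    non-zero return code raises, so a transport error is never read as
    FIPS = FALSE."""
    if len(response) < 14:
        raise ValueError("reply too short for a TPM_GetCapability response")
    tag, param_size, rc, resp_size = struct.unpack(">HIII", response[:14])
    if tag != TPM_TAG_RSP_COMMAND:
        raise ValueError(f"unexpected response tag 0x{tag:04x}")
    if param_size != len(response):
        raise ValueError("paramSize does not match the reply length")
    if rc != 0:
        raise ValueError(f"TPM returned error 0x{rc:08x}")
    resp = response[14:]
    if len(resp) != resp_size or len(resp) < 2:
        raise ValueError("respSize does not match the payload")
    (flags_tag,) = struct.unpack(">H", resp[:2])
    if flags_tag != TPM_TAG_PERMANENT_FLAGS:
        raise ValueError(f"unexpected structure tag 0x{flags_tag:04x}")
    values = resp[2:]
    if len(values) <= FIPS_INDEX:
        raise ValueError("structure too short to contain the FIPS field")
    # The spec defines BOOL as 0 or 1; anything else is a malformed reply.
    if any(b not in (0, 1) for b in values):
        raise ValueError("non-boolean byte in TPM_PERMANENT_FLAGS")
    return dict(zip(PERMANENT_FLAG_NAMES, (b == 1 for b in values)))


def fips_mode_asserted(response: bytes) -> bool:
    return parse_permanent_flags(response)["FIPS"]


def constructed_response(fips: bool) -> bytes:
    """A reply shaped like the module's (rc = 0, TPM_PERMANENT_FLAGS with
    only the FIPS bit varied). Constructed for the example."""
    flags = bytearray(len(PERMANENT_FLAG_NAMES))
    flags[FIPS_INDEX] = 1 if fips else 0
    resp = struct.pack(">H", TPM_TAG_PERMANENT_FLAGS) + bytes(flags)
    param_size = 2 + 4 + 4 + 4 + len(resp)
    return struct.pack(">HIII", TPM_TAG_RSP_COMMAND, param_size, 0,
                       len(resp)) + resp


if __name__ == "__main__":
    print("request:", build_get_permanent_flags().hex())
    print("FIPS asserted:", fips_mode_asserted(constructed_response(True)))
```

On a Linux host the request bytes would be written to the TPM character device (for example /dev/tpm0) and the reply read back from it; that device path is an assumption about the host, not something this policy specifies. The parser rejects anything other than tag 0x00C4, return code 0 and structure tag 0x001F, which matters in a compliance check: an error reply or a truncated read must fail loudly rather than be reported as "FIPS flag not set".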
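To make the MGF1 caveat concrete, the following Python is an added example, not Atmel's firmware or part of this policy: MGF1 with SHA-1, the PKCS #1 mask generation function, used as an XOR mask in the way TPM 1.2's XOR encryption scheme applies it. The seed and payload are constructed for the example. Because the mask is a deterministic function of the seed, anyone who holds the seed removes it, which is why this policy classes MGF1 as obfuscation rather than as protection of CSPs.

```python
"""MGF1 (PKCS #1 v2.1, B.2.1) with SHA-1, used as an XOR mask.

Added example; not Atmel code. Seed and payload below are constructed.
"""
import hashlib
import struct


def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha1") -> bytes:
    """Return mask_len bytes of Hash(seed || C) for C = 0, 1, 2, ... where
    C is a 4-byte big-endian counter, truncated to mask_len."""
    h_len = hashlib.new(hash_name).digest_size
    if mask_len < 0 or mask_len > (1 << 32) * h_len:
        raise ValueError("mask length out of range for MGF1")
    out = bytearray()
    counter = 0
    while len(out) < mask_len:
        out += hashlib.new(hash_name, seed + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:mask_len])


def xor_mask(data: bytes, seed: bytes) -> bytes:
    """Obfuscate data under an MGF1 mask derived from seed. XOR is its own
    inverse, so the same call with the same seed recovers the data."""
    mask = mgf1(seed, len(data))
    return bytes(d ^ m for d, m in zip(data, mask))


def demonstrate() -> dict:
    """Show that the masking is reversible by any holder of the seed and
    that a wrong seed does not recover the data. Values are constructed."""
    seed = b"constructed-session-seed"
    payload = b"constructed payload that MGF1 only obfuscates"
    masked = xor_mask(payload, seed)
    return {
        "masked_differs": masked != payload,
        "recovered_with_seed": xor_mask(masked, seed) == payload,
        "recovered_with_wrong_seed": xor_mask(masked, b"other-seed") == payload,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

Note that the mask is the same length as the data and is consumed once; the security of the real TPM services that use this construction rests on how the seed is derived and protected, not on MGF1 itself, and the policy accordingly lists MGF1 without a certificate number.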
The services that employ MGF1 are:
- Direct Anonymous Attestation commands
  o TPM_DAA_Join
  o TPM_DAA_Sign
- Transport commands
  o TPM_EstablishTransport
  o TPM_ExecuteTransport
  o TPM_ReleaseTransportSigned
- Seal commands
  o TPM_Sealx
  o TPM_Unseal
  (note: MGF1 is not used by the service TPM_Seal)

Key Establishment

Relative security strength has been calculated for each cryptographic algorithm supported by the module and used in key establishment.

Table 5 – Security strength

Algorithm | Comparable number of bits of security
RSA-1024 | 80
RSA-2048 | 112
AES-128 | 128

Section 5. Security Rules (Security Level 1)

The following sub-sections describe the security rules implemented by the AT97SC3204-X4 TPM. The security rules are segregated into two categories:
- Security rules derived from the requirements of FIPS 140-2, the TCG TPM specification and the PC Client TPM specification.
- Security rules imposed by Atmel.

FIPS 140-2 Imposed Security Rules

1. The AT97SC3204-X4 TPM supports the following interfaces (pin numbers refer to the 28-pin TSSOP; see Figure 3 and Table 1):
   - Data input interface: pins 17, 20, 23, 26
   - Data output interface: pins 17, 20, 23, 26
   - Control input interface: pins 7, 15, 16, 17, 20, 21, 22, 23, 26, 27, 28
   - Status output interface: pins 6, 15, 17, 20, 23, 26, 27, 28
   - Power input interface: pins 4, 5, 10, 11, 18, 19, 24, 25
2. The AT97SC3204-X4 TPM interfaces are logically distinct from each other based on the command structure.
3. The logical state machine and command structure of the AT97SC3204-X4 TPM inhibit all data output via the data output interface whenever an error state exists and while self-tests are running.
4. Based on the structure of the commands, the AT97SC3204-X4 TPM logically disconnects the output data path from the circuitry and processes performing the following key functions:
   - Key generation
   - Key zeroization
5. The AT97SC3204-X4 TPM supports a Cryptographic Officer role and a User role.
6. When power is removed from the AT97SC3204-X4 TPM, all existing authentication sessions are destroyed. Therefore, the AT97SC3204-X4 TPM must re-authenticate every role or identity after each power-on sequence.
7. The AT97SC3204-X4 TPM utilizes a production-quality integrated circuit with standard passivation.
8. The AT97SC3204-X4 TPM's logical command structure, authentication mechanisms, memory management techniques and physical implementation protect private and secret keys (Table 12 – CSP Identification) from unauthorized disclosure, modification and substitution.
9. The AT97SC3204-X4 TPM's logical command structure and authentication mechanisms protect public keys against unauthorized modification and substitution.
10. The AT97SC3204-X4 TPM generates keys using a pseudo-random number generator implemented in conformance with FIPS 186-2 (National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, January 27, 2000), Appendix 3, Section 3.1.
11. The AT97SC3204-X4 TPM's authentication mechanisms associate private and secret keys entered, stored or output with the correct entity.
12. The AT97SC3204-X4 TPM provides logical and/or physical mechanisms to zeroize all plaintext cryptographic keys and other unprotected critical security parameters within the AT97SC3204-X4 TPM.
13. The AT97SC3204-X4 TPM performs the following self-tests:
    Power-up and on-demand tests:
    - Cryptographic algorithm known-answer tests (KAT):
      1. SHA-1
      2. RSA
         a. Encrypt/decrypt
         b. Sign/verify
      3. RNG
      4. HMAC
      5. MGF1
      6. AES (encryption and decryption)
    - Firmware integrity test
    Conditional tests:
    - Continuous random number generator tests:
      1. The deterministic RNG produces blocks of 160 bits. Each subsequent 160-bit block output from the RNG is compared to the previous block. The test fails if any two compared 160-bit sequences are equal.
      2. The nondeterministic RNG that provides entropy input to the deterministic RNG produces blocks of 160 bits. Each subsequent 160-bit block output from the RNG is compared to the previous block. The test fails if any two compared 160-bit sequences are equal.
    - Pair-wise consistency test for public and private keys
14. The power-on self-tests do not require operator intervention in order to run. Power-on self-test execution always completes the full suite of self-tests in its entirety. Input activity is ignored and output activity is inhibited until the self-tests have successfully completed.
15. The AT97SC3204-X4 TPM provides a "success" Return Code via the status output interface if all of the power-on self-tests have passed successfully.
16. The AT97SC3204-X4 TPM outputs an "error" Return Code via the status output interface when the error state is entered due to a failed self-test.
17. The AT97SC3204-X4 TPM does NOT perform any cryptographic functions while in the error state.

Atmel Corporation Imposed Security Rules

1. The AT97SC3204-X4 TPM provides a No Auth Required role that allows specific services to be performed without an open authentication session.
2. The AT97SC3204-X4 TPM provides Role-based authentication.
3. The AT97SC3204-X4 TPM supports concurrent operators and internally maintains the separation of the roles assumed by each operator and the corresponding services using authentication sessions.
4. The AT97SC3204-X4 TPM does NOT provide a Maintenance Role or Maintenance Interface.
5. Authentication mechanisms are required to support the following authorized roles:
   - Crypto Officer
   - User
   The authentication mechanisms that support these roles meet the strength requirements of FIPS 140-2, Level 2. The authorized role Physical Presence does not require authentication mechanisms to support or enforce the role. The authorized role No Authentication Required does not require authentication mechanisms to support or enforce the role.
6. The AT97SC3204-X4 TPM provides the services listed in Table 7 – AT97SC3204-X4 TPM Services.
7. The AT97SC3204-X4 TPM does NOT provide a bypass capability.
8. The AT97SC3204-X4 TPM outputs plaintext key type data using the TPM_UnBind or TPM_Unseal services.
9. The AT97SC3204-X4 TPM's logical command structure, authentication mechanisms, memory management techniques and physical implementation protect authentication data stored within the AT97SC3204-X4 TPM against unauthorized disclosure, modification and substitution.

Section 6. Identification and Authentication Policy (Security Level 1)

The following sub-sections describe the authentication and identification mechanisms employed by the AT97SC3204-X4 TPM. The AT97SC3204-X4 TPM provides Role-based authentication as defined by FIPS 140-2. Note that authentication and identification mechanisms apply only to the CO and User roles.

Roles and Services

The following subsections describe the roles and services provided by the AT97SC3204-X4 TPM.
AT97SC3204-X4 TPM Roles The AT97SC3204-X4 TPM provides the following four authorized roles: Crypto Officer (CO) – The services provided under the CO Role require the operator to authenticate to the AT97SC3204-X4 TPM as the ―owner‖. The CO services are used to initialize/configure the TPM and to install users. User – The services provided under the User Role require the operator to authenticate to the AT97SC3204-X4 TPM as an ―entity‖. The User services obtain cryptographic or protected capability functions from the TPM. Physical Presence (PP) – A limited number of TPM commands may be authorized by assertion of Physical Presence (PP), which serves as an indication to the TPM that the operator is physically present at the system, not communicating over a network from a remote location. Authorization for assumption of the Physical Presence role is implicit. Physical Presence may be asserted in either of two methods, both of which authorize use of the same set of capabilities. Physical Presence authorization may be accomplished by setting a logic high voltage on the hardware pin at the time a service request is sent to the module (assertion of tpmGo bit in the TIS register [5]). The method for setting the voltage on the Physical Presence pin (e.g. connection to a button or a maintenance cover) is outside the cryptographic boundary. Physical Presence may also be asserted by sending the software command TSC_PhysicalPresence [4]. The capability for asserting software Physical Presence exists when the TPM is initially powered up. Atmel User Guidance instructs system designers to systematically disable the capability for asserting software Physical Presence after completion of essential early boot operations (e.g. at the completion of BIOS execution). Once disabled, Physical Presence may not be re-asserted by the software command mechanism until after a power down or Reset event. 
The capability to assert Physical Presence by the hardware pin mechanism remains active at all times and cannot be disabled. Atmel Corporation AT97SC3204-X4 Trusted Platform Module FIPS Security Policy Version 1.7 October 24, 2013 21 No Authentication Required – The authorized services provided under this role do not require any authentication. Authorization for assuming this role is implicit. The No Auth Required services do not require the use of protected capability functions (i.e. functions that require the use of CSPs associated with the CO or User). The list of No Authentication Required services is included in the full list of TPM services in Table 7 – AT97SC3204-X4 TPM Services. No Authentication Required services are identified by the label: No Auth Required. Table 6 – TOE Authentication Role Type of Authentication Authentication Data Role based 160-bit auth data Crypto Officer Role based 160-bit auth data User Implicit (none) None Physical Presence Implicit (none) None No Authentication Required Atmel Corporation AT97SC3204-X4 Trusted Platform Module FIPS Security Policy Version 1.7 October 24, 2013 22 AT97SC3204-X4 TPM Services The services and corresponding roles provided by the AT97SC3204-X4 TPM are shown in Table 7 Error! Reference source not found.for access control information. Table 7 – AT97SC3204-X4 TPM Services Services Roles NoAuth # Name CO User PP TPM_OIAP X 1. TPM_OSAP X 2. TPM_DSAP X 3. TPM_Terminate_Handle X 4. X TPM_ChangeAuth 5. TPM_ChangeAuthOwner X 6. TPM_TakeOwnership X 7. TPM_Extend X 8. TPM_PcrRead X 9. TPM_PCR_Reset X 10. TPM_Quote X 11. TPM_Quote2 X 12. TPM_DirWriteAuth X 13. TPM_DirRead X 14. TPM_Seal X 15. TPM_Sealx X 16. TPM_Unseal X 17. TPM_UnBind X 18. TPM_CreateWrapKey X 19. TPM_LoadKey X 20. Atmel Corporation AT97SC3204-X4 Trusted Platform Module FIPS Security Policy Version 1.7 October 24, 2013 23 Services Roles NoAuth # Name CO User PP TPM_LoadKey2 X 21. TPM_EvictKey X 22. TPM_GetPubKey X 23. TPM_OwnerReadPubek X 24. 
TPM_OwnerReadInternalPub X 25. TPM_CreateMigrationBlob X 26. TPM_ConvertMigrationBlob X 27. TPM_AuthorizeMigrationKey X 28. TPM_MigrateKey X 29. TPM_CMK_ApproveMA X 30. TPM_CMK_CreateBlob X 31. TPM_CMK_CreateKey X 32. TPM_CMK_CreateTicket X 33. TPM_CMK_SetRestrictions X 34. TPM_CMK_ConvertMigration X 35. TPM_SHA1Start X 36. TPM_ SHA1Update X 37. TPM_ SHA1Complete X 38. TPM_ SHA1CompleteExtend X 39. TPM_CertifyKey X 40. TPM_CertifyKey2 X 41. TPM_Sign X 42. TPM_GetRandom X 43. Atmel Corporation AT97SC3204-X4 Trusted Platform Module FIPS Security Policy Version 1.7 October 24, 2013 24 Services Roles NoAuth # Name CO User PP TPM_StirRandom X 44. TPM_SelfTestFull X 45. TPM_CertifySelfTest X 46. TPM_ContinueSelfTest X 47. TPM_GetTestResult X 48. TPM_Reset X 49. TPM_SaveState X 50. TPM_StartUp X 51. TPM_OwnerClear X 52. TPM_DisableOwnerClear X 53. TPM_DisableForceClear X 54. TPM_GetCapability X 55. TPM_ GetCapabilityOwner X 56. TPM_ DAA_JOIN X 57. TPM_DAA_SIGN X 58. X 59. TPM_SaveContext TPM_LoadContext X 60. X X 61. TPM_NV_DefineSpace X X 62. TPM_NV_ReadValue X X 63. TPM_NV_ReadValueAuth X X 64. TPM_NV_WriteValue X X 65. TPM_NV_WriteValueAuth TPM_OwnerSetDisable X 66. Atmel Corporation AT97SC3204-X4 Trusted Platform Module FIPS Security Policy Version 1.7 October 24, 2013 25 Services Roles NoAuth # Name CO User PP TPM_PhysicalDisable X 67. TPM_PhysicalEnable X 68. TPM_PhysicalSetDeactivated X 69. TPM_SetTempDeactivated X X 70. TPM_CreateEndorsementKeyPair X 71. TPM_CreateRevocableEK X 72. TPM_RevokeTrust X 73. TPM_CreateCounter X 74. TPM_ReadCounter X 75. TPM_ReleaseCounter X 76. TPM_ReleaseCounterOwner X 77. TPM_ReadPubek X 78. TPM_DisablePubekRead X 79. TPM_OwnerReadPubek X 80. TPM_MakeIdentity X X 81. TPM_ActivateIdentity X X 82. X TPM_Delegate_CreateKeyDelegation 83. X TPM_Delegate_CreateOwnerDelegation 84. X TPM_Delegate_LoadOwnerDelegation 85. X TPM_Delegate_Manage 86. X TPM_Delegate_ReadTable 87. X TPM_Delegate_UpdateVerification 88. 
89. TPM_Delegate_VerifyDelegation  X
90. TPM_EstablishTransport  X
91. TPM_ExecuteTransport  X
92. TPM_ReleaseTransportSigned  X
93. TPM_FlushSpecific  X
94. TPM_ForceClear  X
95. TPM_GetTicks  X
96. TPM_TickStampBlob  X
97. TPM_IncrementCounter  X
98. TPM_KeyControlOwner  X
99. TPM_ResetLockValue  X
100. TPM_SetCapability  X
101. TPM_SetOperatorAuth  X
102. TPM_SetOwnerInstall  X
103. TPM_SetOwnerPointer  X
104. TPM_changeAuthAsymStart  X
105. TPM_changeAuthAsymFinish  X
Locality Controlled Services
106. TPM_HASH_START  X
107. TPM_HASH_DATA  X
108. TPM_HASH_END  X
TPM Connection Services
109. TSC_PhysicalPresence  X
110. TSC_ResetEstablishmentBit  X
Atmel Specific Services
111. TPM_SetState  X
112. TPM_OwnerSetState  X
113. TPM_GetState  X
114. TPM_Identify  X
115. TPM_VerifySignature  X
116. TPM_BindV20  X

Table 8 describes the AT97SC3204-X4 TPM services.

Table 8 – AT97SC3204-X4 TPM Service Description
Columns: #, Service Name, State Description.
1. TPM_OIAP: This service is used to create an OIAP authorization session. OIAP authorization sessions are generally used when use of multiple TPM entities is desired.
2. TPM_OSAP: This service is used to create an OSAP authorization session. OSAP authorization sessions are generally used when use of a single TPM entity is required.
3. TPM_DSAP: This User service creates an authorization session and a handle from a delegated AuthData value.
4. TPM_Terminate_Handle: This User service is used to close an authorization session and clear the data associated with the session.
5. TPM_ChangeAuth: This User service is used to modify the User's authorization key.
6. TPM_ChangeAuthOwner: This CO service is used to modify the CO's authorization data stored on the AT97SC3204-X4 TPM.
7. TPM_TakeOwnership: This CO service is used to create the Storage Root Key (SRK) keypair and install the CO's identity/authorization data on the AT97SC3204-X4 TPM.
8. TPM_Extend: This service is used to update a Platform Configuration Register (PCR). A PCR consists of a 160-bit field that holds a cumulatively updated hash value and a 4-byte status field.
9. TPM_PcrRead: This service is used to read the contents of a specified PCR using non-cryptographic reporting.
10. TPM_PCR_Reset: This User service is used to reset the contents of a specified PCR to default conditions.
11. TPM_Quote: This User service is used to read the contents of a specified PCR using cryptographic reporting (digital signature).
12. TPM_Quote2: This User service is used to read the contents of a specified PCR using cryptographic reporting (digital signature). Quote2 includes more detailed information about the platform configuration than TPM_Quote.
13. TPM_DirWriteAuth: This CO service is used to provide write access to a specified Data Integrity Register (DIR).
14. TPM_DirRead: This service is used to read the contents of a specified Data Integrity Register (DIR).
15. TPM_Seal: This User service is used to input key type data and export it wrapped in a specified RSA public key. The Seal service outputs the wrapped key in an AT97SC3204-X4 TPM specific method such that only the same AT97SC3204-X4 TPM in the same state can perform a successful UnSeal service.
16. TPM_Sealx: This User service is used to input encrypted key type data and export it wrapped in a specified RSA public key. The Seal service outputs the wrapped key in an AT97SC3204-X4 TPM specific method such that only the same AT97SC3204-X4 TPM in the same state can perform a successful UnSeal service.
17. TPM_Unseal: This User service is used to decrypt and output key type data that was wrapped during a Seal service.
18. TPM_UnBind: This User service is used to unwrap and output key type data that was wrapped using a BindV20 service or using an external process that executes RSA public key encryption.
19. TPM_CreateWrapKey: This User service is used to generate an RSA keypair, encrypt the private portion with a specified RSA public key, and output the public portion, key parameters and the wrapped private portion of the generated keypair.
20. TPM_LoadKey: This User service is used to input, unwrap, and store an RSA keypair that resulted from the CreateWrapKey service, in order to make that key available for use by other services. Keys loaded into the TPM are identified by a handle that is assigned and output during execution of the TPM_LoadKey service. Subsequent operations will identify and locate this key by the reference handle. The TPM_LoadKey service includes the fixed handle in the key authorization Message Authentication data.
21. TPM_LoadKey2: This User service is used to input, unwrap, and store an RSA keypair that resulted from the CreateWrapKey service, in order to make that key available for use by other services. Keys loaded into the TPM are identified by a handle that is assigned and output during execution of the TPM_LoadKey2 service. Subsequent operations will identify and locate this key by the reference handle. LoadKey2 does not include the handle in the key authorization Message Authentication data.
22. TPM_EvictKey: This service is used to zeroize the contents of a specified key handle.
23. TPM_GetPubKey: This User service is used to retrieve the public portion of a specified keypair.
24. TPM_OwnerReadPubek: This CO service is used to export the public portion of the EK.
25. TPM_OwnerReadInternalPub: This CO service is used to export the public portion of the EK or SRK.
26. TPM_CreateMigrationBlob: This User service is used to migrate a private key from one AT97SC3204-X4 TPM to another AT97SC3204-X4 TPM. The migrated key is wrapped in a public key provided by the receiving AT97SC3204-X4 TPM.
27. TPM_ConvertMigrationBlob: This User service is used to store a migrated key resulting from the CreateMigrationBlob service.
28. TPM_AuthorizeMigrationKey: This CO service is used to authorize a specific key for use in migration.
29. TPM_MigrateKey: This User service serves as a migration authority. The service unwraps a key migration blob and re-wraps it with a public key provided to the TPM as a command parameter.
30. TPM_CMK_ApproveMA: This CO service creates an authorization ticket that specifies an approved migration authority.
31. TPM_CMK_CreateBlob: This User service is used to migrate a private key from one AT97SC3204-X4 TPM to another AT97SC3204-X4 TPM. The migrated key is wrapped in a public key provided by the receiving AT97SC3204-X4 TPM. Similar to CreateMigrationBlob with more restrictions.
32. TPM_CMK_CreateKey: This User service both generates an asymmetric key and creates a secure storage bundle for that key. Migration of the new key is controlled by a migration authority.
33. TPM_CMK_CreateTicket: This User service uses a public key to verify the signature over a digest, and generates a ticket to prove the verification.
34. TPM_CMK_SetRestrictions: This CO service is used to restrict usage of a certified migration key with delegated authorization.
35. TPM_CMK_ConvertMigration: This User service completes a migration sequence of a certified migration blob to a new TPM.
36. TPM_SHA1Start: This service is used to start the process of calculating a SHA-1 hash.
37. TPM_SHA1Update: This service is used to continue the process of calculating a SHA-1 hash.
38. TPM_SHA1Complete: This service is used to finalize the process of calculating a SHA-1 hash.
39. TPM_SHA1CompleteExtend: This service is used to finalize the process of calculating a SHA-1 hash and extend the result into a specified PCR.
40. TPM_CertifyKey: This User service is used to sign and output the public portion of a specified key.
41. TPM_CertifyKey2: This User service is used to sign and output the public portion of a specified key when the certifying key requires usage authorization while the certified key does not.
42. TPM_Sign: This User service is used to perform an RSA sign operation on the input data.
43. TPM_GetRandom: This service is used to return a random number to the caller. The size of the random number is specified by the bytesRequested parameter.
44. TPM_StirRandom: This service is used to add entropy to the state of the RNG.
45. TPM_SelfTestFull: This service is used to initiate an operator requested Power-on Self Test (POST).
46. TPM_CertifySelfTest: TPM_CertifySelfTest causes the TPM to perform a full self-test and return an authenticated value if the test passes.
47. TPM_ContinueSelfTest: In the FIPS mode (set during the manufacturing process), this service just returns a 'POST completed' response code.
48. TPM_GetTestResult: This service is used to retrieve POST test results. This service is also allowable in the Error state.
49. TPM_Reset: This service is used to release all resources associated with all existing authorization sessions.
50. TPM_SaveState: This service is used to save potentially volatile data into non-volatile memory.
51. TPM_StartUp: This service is used to initiate a start-up of the AT97SC3204-X4 TPM after a TPM_Init command.
52. TPM_OwnerClear: This CO service is used to zeroize an AT97SC3204-X4 TPM.
53. TPM_DisableOwnerClear: This CO service is used to disable the OwnerClear service.
54. TPM_DisableForceClear: This service is used to disable the TPM_ForceClear service until the next start-up session. After TPM_DisableForceClear is executed, Owner keys and CSPs can be zeroized by executing TPM_ForceClear with Physical Presence authorization.
55. TPM_GetCapability: This service is used to determine specific capabilities of an AT97SC3204-X4 TPM based on the capArea and subCap parameters using non-cryptographic reporting.
56. TPM_GetCapabilityOwner: This CO service is used to retrieve all of the non-volatile and volatile flags in a single operation using non-cryptographic reporting.
57. TPM_DAA_JOIN: This CO service establishes the parameters for a Direct Anonymous Attestation procedure for a specific DAA issuing authority.
58. TPM_DAA_SIGN: This CO service responds to a DAA challenge and proves the attestation held by a TPM without revealing the attestation held by that TPM.
59. TPM_SaveContext: This service saves a set of context parameters from a loaded TPM outside the TPM, in order to reload the parameters at a later time.
60. TPM_LoadContext: This service loads a previously saved context blob into a TPM.
61. TPM_NV_DefineSpace: This CO service establishes space and access requirements for a nonvolatile storage space in a TPM.
62. TPM_NV_ReadValue: This service is restricted to the CO if the NV area was set up to require Owner auth. If not, no auth is required. This service reads a value from a NV storage area and returns the value.
63. TPM_NV_ReadValueAuth: This User service requires authorization, then reads a value from a NV storage area and returns the value.
64. TPM_NV_WriteValue: This CO service writes a value to a predefined area in TPM nonvolatile memory.
65. TPM_NV_WriteValueAuth: This CO service writes a value to a predefined area in TPM nonvolatile memory after completing authorization.
66. TPM_OwnerSetDisable: This CO service is used to enable or disable an AT97SC3204-X4 TPM by setting the value of the Disable Flag.
67. TPM_PhysicalDisable: This service sets the permanent disable flag to TRUE. Requires assertion of Physical Presence.
68. TPM_PhysicalEnable: This service sets the permanent disable flag to FALSE. Requires assertion of Physical Presence.
69. TPM_PhysicalSetDeactivated: This CO service requires assertion of Physical Presence. The service changes the state of the persistent TPM deactivated flag.
70. TPM_SetTempDeactivated: This service is used to make an AT97SC3204-X4 TPM temporarily inactive without destroying the secrets protected by the AT97SC3204-X4 TPM.
71. TPM_CreateEndorsementKeyPair: This service is used to create a permanent internal Endorsement Key (EK) (an RSA public/private keypair) which is used in establishing the CO (owner) of the AT97SC3204-X4 TPM.
72. TPM_CreateRevocableEK: This service is used to create a revocable internal Endorsement Key (EK) (an RSA public/private keypair) which is used in establishing the CO (owner) of the AT97SC3204-X4 TPM.
73. TPM_RevokeTrust: This service clears the Endorsement Key from the TPM, only if the EK was created using the service TPM_CreateRevocableEK.
74. TPM_CreateCounter: This service creates an internal TPM counter, establishes an initial counter value and establishes the access rules and AuthData for the counter.
75. TPM_ReadCounter: This No Authentication Required service returns the current counter value.
76. TPM_IncrementCounter: This service increments the indicated counter by one.
77. TPM_ReleaseCounter: This User service releases a counter such that no Read or Increment commands will execute successfully.
78. TPM_ReleaseCounterOwner: This CO service releases a counter such that no Read or Increment commands will execute successfully.
79. TPM_ReadPubek: This service is used to export the public portion of the EK from the AT97SC3204-X4 TPM.
80. TPM_DisablePubekRead: This CO service is used to disable Users from exporting the public portion of the EK.
81. TPM_OwnerReadPubek: This CO service is used to export the public portion of the EK.
82. TPM_MakeIdentity: This CO service is used to create an identity within the AT97SC3204-X4 TPM and output data necessary to complete attestation to that identity by a third party. A TPM identity is an alias to one and only one TPM Endorsement Key, which is cryptographically unique. A TPM identity key may sign status data generated internally by the TPM. The identity key may be certified by a third party process that takes place outside the TPM cryptographic boundary.
83. TPM_ActivateIdentity: This CO service is used to activate an identity created within the AT97SC3204-X4 TPM. Activation of a TPM identity occurs outside the TPM cryptographic boundary.
84. TPM_Delegate_CreateKeyDelegation: This service delegates the privilege to use a key to another authorized User by creating a blob that can be used by TPM_DSAP.
85. TPM_Delegate_CreateOwnerDelegation: This CO service delegates the CO's privilege to use a set of command ordinals, by creating a blob. Such blobs can be used as input data for TPM_DSAP or TPM_Delegate_LoadOwnerDelegation.
86. TPM_Delegate_LoadOwnerDelegation: This CO service loads a delegate table row blob into an internal TPM non-volatile delegate table row.
87. TPM_Delegate_Manage: This service establishes and/or manages the parameters and access privileges of a Delegation table.
88. TPM_Delegate_ReadTable: This service loads a delegate table row blob into a non-volatile delegate table row. The service enables verification of delegation tables.
89. TPM_Delegate_UpdateVerification: This service sets the verificationCount in an entity (a blob or a delegation row) to the current family value, in order that the delegations represented by that entity will continue to be accepted by the TPM.
90. TPM_Delegate_VerifyDelegation: This No Authentication Required service interprets a delegate blob and returns success or failure, depending on whether the blob is currently valid. The delegate blob is not loaded into the TPM.
91. TPM_EstablishTransport: This User service establishes a Transport session. A TPM Transport session can provide a log of the commands within a session and can provide confidentiality of the commands within a session. Depending on the attributes specified for the session, this service may establish encryption keys and session logs. A shared secret may also be established that can be used to obfuscate either or both the input command data and the output Transport log. The session will be used by the service TPM_ExecuteTransport.
92. TPM_ExecuteTransport: This service delivers a wrapped TPM command to the TPM, where the TPM unwraps the command and then executes the command.
93. TPM_ReleaseTransportSigned: This service completes a transport session. If logging for this session is turned on, then this command returns a digital signature of the hash of all operations performed during the session.
94. TPM_FlushSpecific: TPM_FlushSpecific flushes from the TPM a specific handle (for a key, auth session, transport session or DAA session), and releases internal resources applied to that handle.
95. TPM_ForceClear: This service is used to disable the ForceClear service until the next start-up session.
96. TPM_GetTicks: This service returns the current tick count of the TPM.
97. TPM_TickStampBlob: This service applies a time stamp to the Tick blob passed to the TPM. The TPM makes no representation regarding the blob, except that the blob was present at the TPM at the time indicated.
98. TPM_KeyControlOwner: This CO service controls some attributes of keys that are loaded and stored within the TPM key cache, including enabling or disabling the ability to evict a loaded key.
99. TPM_ResetLockValue: This CO service allows the TPM Owner exactly one opportunity to reset the TPM dictionary attack mitigation values while a timeout penalty is imposed.
100. TPM_SetCapability: This CO service sets specific values in the TPM Capability register, which provide to outside entities various pieces of information regarding the design and current state of the TPM.
101. TPM_SetOperatorAuth: This service allows the setting of the operator AuthData value. The operator AuthData value allows the execution of the TPM_SetTempDeactivated command.
102. TPM_SetOwnerInstall: This Physical Presence service sets the PERMANENT flag that allows or disallows the capability to insert a TPM Owner.
103. TPM_SetOwnerPointer: This service will establish a reference to a specific secret the TPM will use when executing an Owner-secret-related OIAP or OSAP session. This command is only used to provide an Owner Delegation function for legacy code written for older TPM revisions which does not itself support Delegation.
104. TPM_changeAuthAsymStart: This service starts the process of changing AuthData for an entity. It sets up an OIAP session that must be retained for use by the TPM_ChangeAuthAsymFinish command.
105. TPM_changeAuthAsymFinish: This service completes the process that allows the owner of an entity to change the AuthData for the entity.
Locality Controlled Services
106. TPM_HASH_START: This No Authentication Required service begins a SHA-1 hash sequence. Execution of this service is limited to processes that are capable of calling TPM services that are restricted to a specific address range assigned to Locality 4. Atmel User guidance instructs system designers to restrict the Locality 4 address range to the pre-boot code that comprises the implicitly trusted Root of Trust for Measurement.
107. TPM_HASH_DATA: This No Authentication Required service continues a SHA-1 hash sequence in Locality 4. This command (and optional subsequent HASH_DATA commands) contains the input data for the SHA-1 hash operation.
108. TPM_HASH_END: This No Authentication Required service completes a SHA-1 hash sequence in Locality 4. This command terminates the input data for the SHA-1 hash operation and Extends the resulting digest into specific Platform Configuration Registers.
TPM Connection Services
109. TSC_PhysicalPresence: This service provides a capability to indicate a human's physical presence at the platform containing the TPM module. The ability to execute the TSC_PhysicalPresence command is restricted by Owner-controlled capabilities, which include the ability to temporarily or permanently disable the service.
110. TSC_ResetEstablishmentBit: This No Authentication Required service provides a nonvolatile indication that a TPM_HASH_START has been executed, which may indicate to the system that a trusted operating system has been loaded and verified.
Atmel Specific Services
111. TPM_SetState: This service is used to modify the state of the TPM State Identifier register. The State Identifier register controls and reports status of specific TPM capabilities like power loss status, tamper status and failed auth timeouts.
112. TPM_OwnerSetState: This CO service is used to set specified internal latches of the AT97SC3204-X4 TPM.
113. TPM_GetState: This service is used to retrieve state information from the AT97SC3204-X4 TPM.
114. TPM_Identify: This service is used to associate an AT97SC3204-X4 TPM with an external host.
115. TPM_VerifySignature: This service is used to verify a digital signature.
116. TPM_BindV20: This RSA public key encryption service is used to wrap key type data with a public key provided to the TPM, and output the wrapped key blob. This is a public key operation and is therefore not a protected capability. TPM_BindV20 is provided as a service for platforms or applications where RSA public key encryption capability does not exist outside the TPM cryptographic boundary.

Authentication

The AT97SC3204 supports role based authentication mechanisms for the roles defined above (see Roles and Services). Access to execute a TPM service that acts on a Critical Security Parameter requires that the operator assume a specific role. Assumption of the roles Crypto Officer and User is accomplished by completing one of the three TPM authentication processes described below. For the roles Physical Presence and No Auth Required, authentication is implicit. Selection of the role takes place at the same time as authentication of the operator to the target TPM entity and assumption of the selected role.

Authorization data are held in protected storage within the AT97SC3204-X4. The auth data are protected from unauthorized disclosure, modification or substitution.

The AT97SC3204-X4 TPM invokes a two-step process for services requiring role/entity authentication. The first step is to open an authorization session. The second step is to authenticate to the entity that is to be used. The AT97SC3204-X4 TPM provides two protocols for opening an authorization session to authenticate to entities without revealing the entity authorization data over the AT97SC3204-X4 TPM's interface.
A third protocol is supported which enables authentication by the TPM of a subject who has been delegated specific access privileges by the TPM Owner. The delegated subject may be given privileges to execute specific TPM Owner authorized commands.

The AT97SC3204-X4 TPM supports multiple sessions (concurrent operators) and uses these sessions plus individual service authentication to internally maintain the separation of the roles assumed by each operator and corresponding services.

In all cases, the protocol exchanges nonce-data so that both sides of the transaction can compute a hash using shared secrets and nonce-data. Nonce-data are random numbers generated by the host and the AT97SC3204-X4 TPM to prevent replay and man-in-the-middle attacks. The nonce-data values from the AT97SC3204-X4 TPM are generated using the AT97SC3204-X4 TPM's internal RNG. By convention, "odd" nonce-data values come from the Host and "even" nonce-data values come from the TPM (0 is an even number for this definition). The AT97SC3204-X4 TPM enforces that the odd nonce-data value changes for each request. The AT97SC3204-X4 TPM changes the value of the even nonce-data on each reply. Each side generates the HMAC value and compares the internally generated HMAC value to the value received. The entity authorization data is protected from exposure on the communication bus using hashed objects sent over the interface.

The TPM authorization protocols are the following:
Object-Independent Authorization Protocol (OIAP)
Object-Specific Authorization Protocol (OSAP)
Delegation-Specific Authorization Protocol (DSAP)

All authorization session protocols use a "rolling nonce-data" paradigm. This means that the AT97SC3204-X4 TPM creates a new nonce-data value (i.e. random number) each time the AT97SC3204-X4 TPM uses the session for an HMAC calculation.
This "rolling nonce-data" paradigm ensures that the service requests are genuine and are not "replayed".

The first authorization session protocol is the OIAP, which enables the exchange of nonce-data with a specific AT97SC3204-X4 TPM. Once an OIAP authorization session is established, its nonce-data can be included with the entity shared secret known by the operator as input to an HMAC computation. The authorization session can live indefinitely until either party requests the session termination. The OIAP protocol requires that re-authorization is completed before allowing execution of each requested service. The TPM_OIAP service starts the OIAP session.

The second protocol is the "Object Specific Authorization Protocol (OSAP)". The OSAP allows establishment of an authentication session for a single entity. Once authorization has been completed successfully, multiple service requests for the authorized entity can be executed without re-execution of the authorization protocol. OSAP creates nonce-data that can authorize multiple commands without additional session-establishment overhead, but is bound to a specific entity by the secret auth value tied to the entity. The OSAP protocol verifies proof of knowledge of the entity secret through the HMAC protocol. The TPM_OSAP service starts the OSAP session. Once established, an OSAP session will remain open and valid until either party terminates the session by resetting the parameter continueAuthSession in the service request command. The TPM_OSAP specifies the entity to which the authorization session is bound.
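The OSAP session establishment, the per-command HMAC and the rolling even nonce described above, worked through as an added Python example. This is illustration written for this page, not Atmel firmware or TCG reference code; the HMAC inputs follow the OIAP and OSAP forms the document gives in the next section. Assumptions beyond the document: a 4-byte authorization handle, a 1-byte continueAuthSession flag, and the constructed ordinal and owner secret used in the demonstration.

```python
"""OIAP/OSAP authorization HMACs as described in the Security Policy.

Added illustration, not Atmel's firmware. Field widths are assumptions:
4-byte authorization handle, 20-byte nonces, 1-byte continueAuthSession.
The ordinal and AuthData used in osap_exchange() are constructed values.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 20        # nonce-data are 20-byte random values
ORD_EXAMPLE = 0x0001  # constructed placeholder ordinal, not a real TPM ordinal


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def in_params(ordinal: int, args: bytes) -> bytes:
    """inParams = (ordinal, Input Arguments), serialized for SHA1."""
    return struct.pack(">I", ordinal) + args


def oiap_auth(entity_auth: bytes, params: bytes, auth_handle: int,
              auth_last_nonce_even: bytes, nonce_odd: bytes,
              continue_session: bool) -> bytes:
    """OIAP: HMAC(Entity Authorization Data; SHA1(inParams); inAuthSetupParams)
    with inAuthSetupParams = (Authorization Handle; authLastNonceEven;
    nonceOdd; continueAuthSession)."""
    setup = (struct.pack(">I", auth_handle) + auth_last_nonce_even +
             nonce_odd + bytes([int(continue_session)]))
    return hmac_sha1(entity_auth, sha1(params) + setup)


def osap_shared_secret(entity_auth: bytes, nonce_even_osap: bytes,
                       nonce_odd_osap: bytes) -> bytes:
    """Shared Secret = HMAC(Entity Authorization Data; nonceEvenOSAP; nonceOddOSAP).
    Derived on both sides at TPM_OSAP time; never sent over the bus."""
    return hmac_sha1(entity_auth, nonce_even_osap + nonce_odd_osap)


def osap_auth(shared_secret: bytes, params: bytes, auth_last_nonce_even: bytes,
              nonce_odd: bytes, continue_session: bool) -> bytes:
    """OSAP: HMAC(Shared Secret; SHA1(inParams); inAuthSetupParams)
    with inAuthSetupParams = (authLastNonceEven; nonceOdd; continueAuthSession)."""
    setup = auth_last_nonce_even + nonce_odd + bytes([int(continue_session)])
    return hmac_sha1(shared_secret, sha1(params) + setup)


class TpmOsapSession:
    """TPM-side state of one OSAP session: shared secret plus rolling even nonce."""

    def __init__(self, entity_auth: bytes, nonce_odd_osap: bytes):
        self.nonce_even_osap = os.urandom(NONCE_LEN)  # from the TPM RNG
        self.nonce_even = os.urandom(NONCE_LEN)       # first authLastNonceEven
        self.shared_secret = osap_shared_secret(entity_auth, self.nonce_even_osap,
                                                nonce_odd_osap)
        self.last_nonce_odd = None
        self.open = True

    def verify(self, params: bytes, nonce_odd: bytes, continue_session: bool,
               received: bytes) -> bool:
        """Check one authorized request: the odd nonce must change per request,
        the HMAC must match, then the even nonce rolls and continueAuthSession
        decides whether the session stays open."""
        if not self.open or nonce_odd == self.last_nonce_odd:
            return False
        expected = osap_auth(self.shared_secret, params, self.nonce_even,
                             nonce_odd, continue_session)
        if not hmac.compare_digest(expected, received):
            return False
        self.last_nonce_odd = nonce_odd
        self.nonce_even = os.urandom(NONCE_LEN)  # rolling nonce: old HMACs die here
        self.open = continue_session
        return True


def osap_exchange() -> tuple:
    """Host side of an OSAP session against the model above (constructed values).
    Returns (first request ok, verbatim replay ok, fresh request ok, session open)."""
    entity_auth = sha1(b"constructed owner secret")   # 20-byte entity AuthData
    nonce_odd_osap = os.urandom(NONCE_LEN)              # host -> TPM_OSAP
    tpm = TpmOsapSession(entity_auth, nonce_odd_osap)   # TPM replies with even nonces
    host_secret = osap_shared_secret(entity_auth, tpm.nonce_even_osap, nonce_odd_osap)

    params = in_params(ORD_EXAMPLE, b"")
    nonce_odd = os.urandom(NONCE_LEN)
    tag = osap_auth(host_secret, params, tpm.nonce_even, nonce_odd, True)
    first = tpm.verify(params, nonce_odd, True, tag)
    replay = tpm.verify(params, nonce_odd, True, tag)  # same odd nonce, stale even nonce

    nonce_odd2 = os.urandom(NONCE_LEN)
    tag2 = osap_auth(host_secret, params, tpm.nonce_even, nonce_odd2, False)
    second = tpm.verify(params, nonce_odd2, False, tag2)  # continueAuthSession=False closes
    return first, replay, second, tpm.open
```

Running osap_exchange() gives (True, False, True, False): the first command authorizes, a byte-for-byte replay is rejected because the TPM already rolled its even nonce and refuses a repeated odd nonce, a fresh request with the new even nonce authorizes, and resetting continueAuthSession closes the session. The owner secret itself never appears on the bus; only HMACs and nonces do.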
In general, the calculated authentication HMAC value has the following forms:

OIAP Session
HMAC (Entity Authorization Data; SHA1 (inParams); inAuthSetupParams)
where inParams = (ordinal, Input Arguments)
where inAuthSetupParams = (Authorization Handle; authLastNonceEven; nonceOdd; continueAuthSession)

OSAP Session
HMAC (Shared Secret; SHA1 (inParams); inAuthSetupParams)
where Shared Secret = HMAC (Entity Authorization Data; nonceEvenOSAP; nonceOddOSAP)
where inParams = (ordinal, Input Arguments)
where inAuthSetupParams = (authLastNonceEven; nonceOdd; continueAuthSession)

The HMAC value is a 20-byte number that includes multiple 20-byte random number components (2 random number components are used during the OIAP Session; 4 random number components are used during the OSAP Session). In this manner, the plaintext value of the actual Entity Authentication Data (20-byte number) is not revealed over the AT97SC3204-X4 TPM interface.

The DSAP protocol allows the TPM Owner to create a new AuthData value and to delegate some selected TPM Owner privileges to that new AuthData value. As with OIAP and OSAP, the DSAP protocol requires an exchange of nonces to set up the authorization session. The TPM then uses the delegated AuthData value for all HMAC calculations. Once authorization of the delegated subject is completed by the TPM using the new AuthData value, usage of delegated privileges occurs using the same auth session protocols established for all authorized TPM commands.

Physical Presence

OIAP, OSAP and DSAP authorization protocols provide the authentication mechanism for assuming the roles of Crypto Officer or User. A subset of the TPM capabilities may be executed after assuming the role of Physical Presence (PP). See Table 7 – AT97SC3204-X4 TPM Services.
While authorization is implicit for services requiring the Physical Presence role, the TPM requires assertion of the Physical Presence flag before allowing execution of these services. The capability for asserting the Physical Presence flag should exist only after the TPM is initially powered up or following a Reset event. Atmel User Guidance instructs system designers to systematically disable the capability for asserting the Physical Presence flag after completion of essential early boot operations. Once disabled, Physical Presence may not be re-asserted until after a power down or Reset event.

The list of AT97SC3204-X4 commands that can be authorized by assertion of Physical Presence:
TPM_SetOwnerInstall
TPM_PhysicalEnable
TPM_PhysicalDisable
TPM_PhysicalSetDeactivated
TPM_SetTempDeactivated
TPM_SetOperatorAuth
TPM_ForceClear
TPM_RevokeTrust
TPM_NV_DefineSpace
TPM_NV_WriteValue
TPM_NV_WriteValueAuth
TPM_NV_ReadValue
TPM_NV_ReadValueAuth

Strength

The Entity Authentication Data is always a 20-byte number (160 bits), in which all bits are equally probable. Therefore, the "random attempt" probability of guessing the Authentication Data is 1 in 2^160. This probability applies to all TPM authorization protocols, OIAP, OSAP and DSAP.

The AT97SC3204-X4 communicates over a PCI bus [18] using an LPC protocol [19]. Each byte of command or data information transmitted to the TPM requires 15 LPC clock cycles. Each LPC clock cycle requires a minimum of 29.5 nsec for guaranteed operation within the Atmel AT97SC3204 datasheet limits. For the purposes of calculating data transmission rates for brute force authorization attempts at the highest frequency the internal circuitry is capable of supporting, a maximum frequency has been established by characterization of the product.
While operation is not guaranteed at this frequency, some TPM chips are able to respond to data transmissions as high as 41 MHz, which corresponds to a minimum clock cycle time of 24.39 nsec. This value can serve as the minimum possible cycle time for calculation of success probability during brute force repeated authorization attempts.

Strength calculation for OSAP

The shortest TPM command that requires authorization (TPM_OwnerClear) comprises 55 bytes of command and data input, including the Owner authorization value. If the authorization protocol is OSAP and the Failed Authentication Attempts Counter has been disabled by the TPM Owner, repeated authentication attempts are allowed without re-initiating a new auth session. Receiving the return code from the TPM will always require a minimum of 10 bytes. The minimum time required to input one attempted guess of a TPM OSAP authorization value is therefore:

15 cycles/byte * 24.39 nsec * (55 + 10 bytes) = 23.7802 µsec

The maximum number of attempts per minute is:

60 sec / 23.7802 µsec = 2,523,102 maximum attempts per minute

The probability that multiple attempts to use the OSAP authentication mechanism during a one-minute period will succeed is:

2,523,102 / 2^160 = 1.726376 x 10^-42

Strength calculation for OIAP

If the authorization session is an OIAP session, the TPM will require re-initiation of a new authorization session for every service request. This requires a minimum of 10 input bytes followed by 38 bytes of output data. To determine whether an authorization attempt has succeeded or failed, the OIAP session must be followed by execution of an authorized command.
The shortest TPM command that requires authorization (TPM_OwnerClear) comprises 55 bytes of command and data input, including the Owner authorization value. Receiving the return code from the TPM will always require a minimum of 10 bytes. Execution of multiple failed authorization attempts will require that the TPM Failed Authentication Attempts Counter be disabled. The minimum time required to input one attempted guess of a TPM OIAP authorization value is therefore:

15 cycles/byte * 24.39 nsec * (55 + 10 + 10 + 38 bytes) = 41.341 µsec

The maximum number of attempts per minute is:

60 sec / 41.341 µsec = 1,451,344

The probability that multiple attempts to use the OIAP authentication mechanism during a one-minute period will succeed is:

1,451,344 / 2^160 = 9.930498 x 10^-43

Strength calculation for DSAP

The DSAP protocol behaves like OSAP, in that an authorization session targets a single TPM entity or service. However, a DSAP authorization session will be automatically terminated at the conclusion of every failed attempt at authorization of a delegated service request. Setup of delegation tables and creation of delegation data blobs occurs before any attempted authorization of a delegated command, and therefore the time required for Delegation setup does not affect the probability that multiple authorization attempts executed during a one-minute period would succeed. However, an authorization attempt executed using a DSAP can only be confirmed (pass or fail) by attempting execution of a delegated command. Failure of the delegated command terminates the DSAP session, so subsequent authorization attempts must re-execute a DSAP command to initiate a new session for each attempt.
The DSAP command requires a minimum of 145 input bytes, including the delegation key blob or owner blob. The output of DSAP is 58 bytes. The shortest TPM command that requires authorization (TPM_OwnerClear) and can be delegated by the TPM owner comprises 55 bytes of command and data input, including the Owner authorization value. If the authorization protocol is DSAP and the delegation data blobs have been properly created (using either TPM_CreateKeyDelegation or TPM_CreateOwnerDelegation), then repeated DSAP authentication sessions are allowed without recreating the delegation data. Receiving the return code from the TPM will always require a minimum of 10 bytes. The minimum time required to input one attempted guess of a TPM DSAP authorization value is therefore:

15 cycles/byte * 24.39 nsec * (145 + 58 + 55 + 10 bytes) = 98.0478 µsec

The maximum number of attempts per minute is:

60 sec / 98.0478 µsec = 611,947

The probability that multiple attempts to use the DSAP authentication mechanism during a one-minute period will succeed is:

611,947 / 2^160 = 4.187111 x 10^-43

Table 9 – Authentication Strength

Authentication Type | Single Attempt Strength | Attempts-per-minute strength (calculations shown in text above)
OIAP                | 1/2^160                 | 9.930498 x 10^-43
OSAP                | 1/2^160                 | 1.726376 x 10^-42
DSAP                | 1/2^160                 | 4.187111 x 10^-43

Failed Authentication Attempts Counter

The AT97SC3204-X4 TPM accumulates the total number of failed authorization attempts on any entity in the FAILCOUNT register. A temporary lockout will occur if the number of attempts (A) is such that:

A mod (Failure Modulus) = 0

The size of the Failure Modulus is set by specifying the FAILMOD parameter in the TPM_OwnerSetState service. The default value for FAILMOD is 3 (which allows 8 failed auth attempts before imposing a lockout penalty).
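As an added illustration that is not part of the Atmel Security Policy, the following Python model reproduces the three strength figures above from the stated byte counts and the 24.39 nsec characterized clock period, and then applies the FAILCOUNT rule (lockout when A mod Failure Modulus = 0, with the geometric delay schedule of Table 11: 1.1 minutes, doubling per lockout, constant from the ninth lockout on) to show how few guesses actually fit into a time window once the counter is enabled. All numeric inputs come from the text; the function and constant names are this example's own.

```python
"""Brute-force rate and lockout model for the AT97SC3204-X4 figures above.

Added example, not Atmel's code. The 15 LPC cycles per byte, the 24.39 nsec
characterized clock period, the per-protocol byte counts, the 160-bit
AuthData size and the FAILMOD/lockout rules are taken from the Security
Policy text; the function and constant names are this example's own.
"""

LPC_CYCLES_PER_BYTE = 15
MIN_CYCLE_NSEC = 24.39       # fastest characterized LPC clock (41 MHz), not the 29.5 nsec datasheet limit
AUTHDATA_BITS = 160
FIRST_LOCKOUT_TENTHS = 11    # initial lockout of 1.1 min, kept in tenths of a minute to avoid float drift
MAX_FAILMOD = 10             # values greater than 10 are not permitted

# Bytes that cross the LPC bus for one guess, per authorization protocol.
PROTOCOL_BYTES = {
    "OSAP": (55, 10),             # TPM_OwnerClear + return code; the session is reused
    "OIAP": (55, 10, 10, 38),     # plus a fresh TPM_OIAP request/response for every guess
    "DSAP": (145, 58, 55, 10),    # TPM_DSAP request/response + command + return code
}


def attempt_time_usec(byte_counts):
    """Minimum bus time for one authorization guess, in microseconds."""
    return LPC_CYCLES_PER_BYTE * MIN_CYCLE_NSEC * sum(byte_counts) / 1000.0


def attempts_per_minute(byte_counts):
    """Upper bound on guesses per minute with the Failed Authentication Attempts Counter disabled."""
    return round(60e6 / attempt_time_usec(byte_counts))


def success_probability_per_minute(byte_counts):
    """Probability that one minute of guessing hits a uniformly random 160-bit AuthData value."""
    return attempts_per_minute(byte_counts) / 2 ** AUTHDATA_BITS


def failure_modulus(failmod):
    """Table 10: FAILMOD 0 disables the counter; otherwise the Failure Modulus is 2**FAILMOD."""
    if not 0 <= failmod <= MAX_FAILMOD:
        raise ValueError("FAILMOD must be between 0 and 10")
    return 0 if failmod == 0 else 2 ** failmod


def lockout_after(failmod, failed_attempts):
    """Return (lockout number, delay in minutes) if this accumulated failure count
    triggers a lockout (A mod modulus == 0), else None.  The delay doubles with
    each lockout and stays at the ninth value from then on (Table 11, row 9+)."""
    modulus = failure_modulus(failmod)
    if modulus == 0 or failed_attempts % modulus != 0:
        return None
    lockout_number = failed_attempts // modulus
    delay_min = FIRST_LOCKOUT_TENTHS * 2 ** (min(lockout_number, 9) - 1) / 10
    return lockout_number, delay_min


def attempts_within(window_min, failmod, byte_counts):
    """Failed guesses that fit into window_min minutes when every lockout has to be
    waited out (the counter is never reset with TPM_ResetLockValue)."""
    per_attempt_min = attempt_time_usec(byte_counts) / 60e6
    modulus = failure_modulus(failmod)
    if modulus == 0:
        return int(window_min / per_attempt_min)
    attempts, elapsed = 0, 0.0
    while True:
        remaining = max(0.0, window_min - elapsed)
        block_min = modulus * per_attempt_min     # the guesses up to the next lockout
        if block_min > remaining:
            return attempts + int(remaining / per_attempt_min)
        attempts += modulus
        elapsed += block_min
        elapsed += lockout_after(failmod, attempts)[1]   # lockout starts on the modulus-th failure


if __name__ == "__main__":
    for name, counts in PROTOCOL_BYTES.items():
        print(f"{name}: {attempts_per_minute(counts):,} attempts/min, "
              f"P(success in 1 min) = {success_probability_per_minute(counts):.6e}")
    print("OSAP guesses in 60 min with default FAILMOD 3:", attempts_within(60, 3, PROTOCOL_BYTES["OSAP"]))
```

With the default FAILMOD of 3 the model shows the unthrottled 2.5 million OSAP guesses per minute collapsing to 48 guesses in a full hour, which is the practical effect of the counter the text describes.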
FAILMOD may be modified using an Owner authorized command. Values greater than 10 are not permitted. Table 10 specifies the relationship between the FAILMOD parameter and the Failure Modulus.

Table 10 – Failure Modulus

FAILMOD | Failure Modulus
0       | Disabled
1       | 2
2       | 4
3       | 8
4       | 16
5       | 32
6       | 64
7       | 128
8       | 256
9       | 512
10      | 1024

The length of a lockout increases geometrically, beginning with an initial lockout time equal to approximately 1.1 minutes. Table 11 shows the approximate lockout time given a specific FAILMOD and number of failed attempts.

Table 11 – Lockout delay vs. FAILMOD value
(number of accumulated failed attempts at which each lockout occurs, by FAILMOD value)

Lockout #   FAILMOD: 1     2     3     4     5      6      7      8      9     10   Lockout Delay
1                    2     4     8    16    32     64    128    256    512   1024   1.1 min
2                    4     8    16    32    64    128    256    512   1024   2048   2.2 min
3                    6    12    24    48    96    192    384    768   1536   3072   4.4 min
4                    8    16    32    64   128    256    512   1024   2048   4096   8.8 min
5                   10    20    40    80   160    320    640   1280   2560   5120   17.6 min
6                   12    24    48    96   192    384    768   1536   3072   6144   35.2 min
7                   14    28    56   112   224    448    896   1791   3584   7168   1.2 hr
8                   16    32    64   128   256    512   1024   2048   4096   8192   2.3 hr
9+                  18    36    72   144   288    576   1152   2304   4608   9216   4.7 hr

If the AT97SC3204-X4 TPM is in a locked-out condition, the TPM Owner is allowed exactly one attempt to reset the lockout, using the Owner-authorized command TPM_ResetLockValue. It is understood that this command allows the TPM owner to perform a dictionary attack on other authorization values by alternating a trial and this command. Similarly, delegating this command allows the owner's delegate to perform a dictionary attack. When the chip is in a lockout condition, all commands other than those in the following list will return the error code TPM_DEFEND_LOCK_RUNNING. If an unsuccessful TPM_OwnerSetState has occurred, then the TPM_OwnerSetState command will also return TPM_DEFEND_LOCK_RUNNING for the remainder of the lockout interval.
List of commands that may execute successfully while the TPM is in lockout condition:

TPM_ContinueSelfTest
TPM_FlushSpecific
TPM_Identify
TSC_PhysicalPresence
TSC_ResetEstablishmentBit
TPM_SHA1Complete
TPM_DirRead
TPM_GetCapability
TPM_OIAP
TPM_PCR_Reset
TPM_ResetLockValue
TPM_SHA1CompleteExtend
TPM_DSAP
TPM_GetState
TPM_OSAP
TPM_ReadCounter
TPM_SHA1Start
TPM_Startup
TPM_Extend
TPM_GetTestResult
TPM_OwnerSetState
TPM_Reset
TPM_SHA1Update
TPM_Terminate_Handle

Identification

To install TCG identities into the AT97SC3204-X4 TPM, the CO performs the TPM_MakeIdentity and TPM_ActivateIdentity services. The concept of a TCG Identity in a TPM does not correspond to the definition of Identity in FIPS 140-2. A TPM Identity is an alias to one and only one TPM Endorsement Key, which is cryptographically unique. Creation of a TPM identity (TPM_MakeIdentity) invokes creation of a corresponding Identity key. A TPM Identity key may sign status data generated internally by the TPM. The identity key may be certified by a third party process that takes place outside the TPM cryptographic boundary.

Access Control Policy

Section 7. Access Control Policy    Security Level 1

The following sub-sections describe the identification and usage of Critical Security Parameters (CSPs).

Definition of Critical Security Parameters (CSPs)

Table 12 – CSP Identification describes the CSPs that may reside in the module. Services that create, modify or make use of CSPs are listed in the Services column, which references services listed in Table 14 Logical Access Policy.

Table 12 – CSP Identification

CSP | Algorithm | Size (bits)
  Description
  Services (listed in Table 14)

Endorsement Key (EK) | RSA | 2048
  Internally generated 2048-bit RSA key pair. Used to decrypt Owner auth value and Identity certificates. Can be zeroized only if it is generated using the service TPM_createRevokableEK.
  Services: 7, 24, 71, 72, 73, 78, 79, 80, 82

Storage Root Key (SRK) | RSA | 2048
  Key-encrypting key. Root key for the TPM storage hierarchy. Internally generated by the service TPM_takeOwnership. Child keys of the SRK may be created in the TPM Storage hierarchy using the service createWrapKey.
  Services: 6, 7, 25, 81

Private Storage Keys | RSA | 2048
  RSA private keys used in unwrapping operations. Usage properties are determined by the Key property values stored and protected with the key data. Key data determines key usage properties that may restrict key usage for Encryption or Signature services. Key Migration capability.
  Services: 7, 15, 16, 17, 18, 19, 20, 21, 22, 29, 31, 32, 35, 82, 88, 89, 91

Seal Keys | RSA | 2048
  RSA private Storage Keys used to unwrap Sealed data blobs. Unwrapping operations require verification of TPM state in addition to standard user authentication.
  Services: 15, 16, 19, 20, 21

AuthChange Keys | RSA | 1024, 2048
  An ephemeral key whose use is restricted to providing confidentiality for new authentication data in the process of changing authentication values.
  Services: 104, 105

Private Signature Keys, Private Identity Keys | RSA | 1024, 2048
  RSA private keys used in digital signature operations. Usage properties are determined by the Key property values stored and protected with the key data.
  Services: 11, 12, 15, 16, 19, 22, 40, 41, 42, 46, 81, 82, 92

Private Encryption Keys, Bind Keys | RSA | 1024, 2048
  RSA private keys used to encrypt key type data for storage outside the cryptographic boundary. Created by the service TPM_createWrapKey. Not allowed to perform Signature operations.
  Services: 15, 16, 17, 18, 19, 20, 21

Migrate Keys | RSA | 1024, 2048
  TPM_MigrateKey decrypts an input packet (coming from TPM_CreateMigrationBlob or TPM_CMK_CreateBlob) and then re-encrypts it with a public key that was input with the command.
  Services: 26, 27, 28, 29, 30, 31, 32, 33, 34, 35

tpmProof | N/A | 160
  Internally generated secret value used to verify proof of origin for encrypted objects created by the TPM and stored outside the module.
  Services: 3, 7, 15, 17, 19, 20, 21, 16, 26, 28, 30, 32, 33, 31, 35, 41, 51, 58, 59, 80, 82, 83, 84, 87, 88

contextKey | AES | 128
  Symmetric key used to provide internal encryption and decryption of Context blobs.
  Services: 59, 60

delegateKey | AES | 128
  Symmetric key used to encrypt and decrypt sensitive data passed to the module with Delegation service requests.
  Services: 83, 84, 85, 86, 87, 88, 89

daaBlobKey | AES | 128
  Symmetric key used to encrypt sensitive data used to build a TPM_DAA_TPM structure that is exported from the module.
  Services: 57, 58

transportKey | AES | 128
  Symmetric key used to encrypt parameters from TPM commands that are passed to the module within a Transport session.
  Services: 90, 91, 92

Activate Identity Key | AES | 128
  Symmetric session key created by a Certification authority, passed to the module as an encrypted parameter of TPM_activateIdentity and used to decrypt the TPM_IDENTITY_CREDENTIAL.
  Services: 81

HMAC Keys | HMAC | 160
  SHA-1 HMAC keys used in authorization protocols. The HMAC key is specified by the TPM_AUTHDATA description in an OIAP or Transport session. For an OSAP or DSAP session, the HMAC key is the shared secret that was calculated during the session setup.
  Services: 5, 6, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 40, 41, 42, 46, 52, 53, 56, 57, 58, 61, 62, 63, 64, 65, 66, 77, 79, 80, 81, 82, 83, 84, 85, 86, 88, 89, 90, 91, 92, 96, 97, 98, 99, 100, 110

Platform Configuration Registers (PCRs) | SHA-1 | 160
  An array of 160-bit registers held in EEPROM or RAM memory as specified in the TCG TPM PC Client TPM specification [5]. A PCR will contain SHA-1 hash results from measurements of the internal TPM state and the external system state.
  Services: 7, 8, 10, 11, 12, 15, 16, 17, 19, 21, 31, 32, 39, 40, 41, 51, 62, 63, 64, 81, 82, 87

Authentication data | HMAC | 160
  Auth data held in protected EEPROM storage for permanent TPM entities (Owner and SRK) and for TPM entities that are not cryptographic keys, such as counters, NVStorage indices, Transport sessions, Delegation sessions.
  Services: 5, 6, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 40, 41, 42, 46, 52, 53, 56, 57, 58, 61, 62, 63, 64, 65, 66, 77, 79, 80, 81, 82, 83, 84, 85, 86, 88, 89, 90, 91, 92, 96, 97, 98, 99, 100, 110

Monotonic Counters | N/A | N/A
  Continuously increasing counter. Always readable, but can't be modified, reset or deleted by any external or internal process.
  Services: 52, 74, 76, 77, 97

Tick Counter | N/A | N/A
  Internal counter, reset on power-up. Records the number of clocks since the start of a Tick session.
  Services: 90, 91, 92, 95, 96

NonVolatile Storage | N/A | N/A
  Protected nonvolatile EEPROM memory reserved for user data.
  Services: 61, 64, 65

RNG Seed | SHA-1 | 160
  Input to RNG. Replaced by the new RNG output value each time the RNG is called.
  Services: 1 through 115

RNG Seed Key | SHA-1 | 160
  Input to RNG. Receives input from nondeterministic entropy generator.
  Services: 1 through 115

Permanent Data, state flags, tamper registers and critical data | N/A | N/A
  Data, symmetric keys, secrets and state flags held in TPM protected EEPROM memory. These include: revMajor, revMinor, ekReset, operatorAuth, authDIR, SRKauth, ownerAuth, contextKey, pcrAttrib, delegateKey, tpmProof, FIPS indicator, rngState, familyTable, delegateTable, lastFamilyID, noOwnerNVWrite, restrictDelegate, tpmDAAseed, daaProof, daaBlobKey, deactivated, disableForceClear, PhysicalPresence, physicalPresenceLock, bGlobalLock. The Tamper registers store a record of tamper events recorded if operation outside the specified environmental conditions is detected (voltage, temperature, frequency, hardware shield).
  Services: 1 through 115

KAT values | N/A | N/A
  Protected stored values used by power-up Known Answer Tests. Includes fixed results for RNG, RSA, AES, HMAC, SHA-1, ROM integrity test, EEPROM integrity test.
  Services: 45, 46

Executable firmware | N/A | N/A
  Executable software stored in protected TPM memory (both ROM and EEPROM). Contains support for execution of all TPM services including cryptographic operations.
  Services: 1 through 115

Definition of Public Keys

The following Public Keys may be contained within the module.

Public Key | Description

Signature verification Key (public portion of Endorsement Key, Signing Key, Identity Key)
  RSA public/private key pairs may be loaded into the TPM and made available for use by other TPM capabilities. Usage is gated by TPM access control mechanisms specified by parameters included with each loaded key pair. Reading the Public portion of a loaded key may or may not require authorization of the key Owner. Loaded public keys may be used to verify digital signatures. The public Endorsement Key is held within TPM protected memory space.

RSA encryption key (public portion of Storage Key, Seal Key, AuthChange Key, Migrate Key)
  Loaded RSA public Storage keys may be used as Parent keys to encrypt data blobs to be exported for storage of Child keys and key data outside the cryptographic boundary. Loaded and authorized public Storage keys may be used to create encrypted Migration blobs that are exported from the TPM and may be subsequently imported by a different TPM containing the corresponding private key. A loaded public key may be used to certify that another key residing in the TPM is protected by the TPM and will never be revealed.

BindV20 public key
  This RSA public key is used to wrap arbitrary unprotected data with a public key provided to the TPM, and output the wrapped data blob. This is a public key operation and is therefore not a protected capability. The BindV20 public key is entered into the TPM as a plaintext parameter of the TPM_BindV20 service. The private key associated with the public key is not loaded into the TPM at the time the public key encryption operation takes place. TPM_BindV20 is provided as an unprotected service for platforms or applications where RSA public key encryption capability does not exist outside the TPM cryptographic boundary.

CSP Access Type

Table 13 describes the CSP access types.

Table 13 – CSP Access Type

Access Type          | Description
Generate Private (Gp) | "Generate Private" is defined as the creation of an RSA key pair.
Generate Secret (Gs)  | "Generate Secret" is defined as the creation of a Secret.
Sign (S)              | "Sign" is defined as the process in which an RSA private key is employed to generate a digital signature.
Key Unwrap (Ku)       | "Key Unwrap" is defined as the process in which an RSA private key is employed to decrypt a Secret.
Key Wrap (Kw)         | "Key Wrap" is defined as the process in which an RSA public key is employed to encrypt a Secret or RSA private key.
Use (U)               | "Use" is defined as a process that uses a Secret.
Delete (D)            | "Delete" is defined as the zeroization of an RSA private key.

Logical Access Policy

Table 14 describes the Logical Access policy.

Table 14 – Logical Access

#    | Service                              | Roles (User, PP, NoAuth, CO) | CSPs: Private | CSPs: Secret
1.   | TPM_OIAP                             | X     | -          | -
2.   | TPM_OSAP                             | X     | -          | -
3.   | TPM_DSAP                             | X     | -          | -
4.   | TPM_Terminate_Handle                 | X     | -          | -
5.   | TPM_ChangeAuth                       | X     | -          | U ; Gs
6.   | TPM_ChangeAuthOwner                  | X     | -          | U ; Gs
7.   | TPM_TakeOwnership                    | X     | Ku ; Gp    | U ; Gs
8.   | TPM_Extend                           | X     | -          | -
9.   | TPM_PcrRead                          | X     | -          | -
10.  | TPM_PCR_Reset                        | X     | -          | -
11.  | TPM_Quote                            | X     | S          | U
12.  | TPM_Quote2                           | X     | S          | U
13.  | TPM_DirWriteAuth                     | X     | -          | U
14.  | TPM_DirRead                          | X     | -          | -
15.  | TPM_Seal                             | X     | S          | U ; Kw
16.  | TPM_Sealx                            | X     | S          | U ; Kw ; Ku
17.  | TPM_Unseal                           | X     | Ku         | U
18.  | TPM_UnBind                           | X     | Ku         | U
19.  | TPM_CreateWrapKey                    | X     | Gp         | U ; Kw
20.  | TPM_LoadKey                          | X     | Ku         | U
21.  | TPM_LoadKey2                         | X     | Ku         | U
22.  | TPM_EvictKey                         | X     | D          | -
23.  | TPM_GetPubKey                        | X     | -          | U
24.  | TPM_OwnerReadPubek                   | X     | -          | U
25.  | TPM_OwnerReadInternalPub             | X     | -          | U
26.  | TPM_CreateMigrationBlob              | X     | Kw         | U
27.  | TPM_ConvertMigrationBlob             | X     | Kw         | U
28.  | TPM_AuthorizeMigrationKey            | X     | -          | U
29.  | TPM_MigrateKey                       | X     | Ku         | U ; Kw
30.  | TPM_CMK_ApproveMA                    | X     | -          | U
31.  | TPM_CMK_CreateBlob                   | X     | Kw         | U
32.  | TPM_CMK_CreateKey                    | X     | Gp         | U ; Kw
33.  | TPM_CMK_CreateTicket                 | X     | -          | U
34.  | TPM_CMK_SetRestrictions              | X     | -          | U
35.  | TPM_CMK_ConvertMigration             | X     | -          | U ; Kw
36.  | TPM_SHA1Start                        | X     | -          | -
37.  | TPM_SHA1Update                       | X     | -          | -
38.  | TPM_SHA1Complete                     | X     | -          | -
39.  | TPM_SHA1CompleteExtend               | X     | -          | -
40.  | TPM_CertifyKey                       | X     | S          | U
41.  | TPM_CertifyKey2                      | X     | S          | U
42.  | TPM_Sign                             | X     | S          | U
43.  | TPM_GetRandom                        | X     | -          | -
44.  | TPM_StirRandom                       | X     | -          | -
45.  | TPM_SelfTestFull                     | X     | -          | -
46.  | TPM_CertifySelfTest                  | X     | S          | U
47.  | TPM_ContinueSelfTest                 | X     | -          | -
48.  | TPM_GetTestResult                    | X     | -          | -
49.  | TPM_Reset                            | X     | -          | -
50.  | TPM_SaveState                        | X     | -          | -
51.  | TPM_StartUp                          | X     | -          | -
52.  | TPM_OwnerClear                       | X     | D          | U
53.  | TPM_DisableOwnerClear                | X     | -          | U
54.  | TPM_DisableForceClear                | X     | -          | -
55.  | TPM_GetCapability                    | X     | -          | -
56.  | TPM_GetCapabilityOwner               | X     | -          | U
57.  | TPM_DAA_JOIN                         | X     | -          | U
58.  | TPM_DAA_SIGN                         | X     | -          | U
59.  | TPM_SaveContext                      | X     | -          | -
60.  | TPM_LoadContext                      | X     | -          | -
61.  | TPM_NV_DefineSpace                   | X X   | -          | U
62.  | TPM_NV_ReadValue                     | X X   | -          | U
63.  | TPM_NV_ReadValueAuth                 | X X   | -          | U
64.  | TPM_NV_WriteValue                    | X X   | -          | U
65.  | TPM_NV_WriteValueAuth                | X X   | -          | U
66.  | TPM_OwnerSetDisable                  | X     | -          | U
67.  | TPM_PhysicalDisable                  | X     | -          | -
68.  | TPM_PhysicalEnable                   | X     | -          | -
69.  | TPM_PhysicalSetDeactivated           | X     | -          | -
70.  | TPM_SetTempDeactivated               | X X   | -          | U
71.  | TPM_CreateEndorsementKeyPair         | X     | Gp         | -
72.  | TPM_CreateRevocableEK                | X     | Gp         | -
73.  | TPM_RevokeTrust                      | X     | -          | -
74.  | TPM_CreateCounter                    | X     | -          | U
75.  | TPM_ReadCounter                      | X     | -          | -
76.  | TPM_ReleaseCounter                   | X     | -          | U
77.  | TPM_ReleaseCounterOwner              | X     | -          | U
78.  | TPM_ReadPubek                        | X     | -          | -
79.  | TPM_DisablePubekRead                 | X     | -          | U
80.  | TPM_OwnerReadPubek                   | X     | -          | U
81.  | TPM_MakeIdentity                     | X     | Gp ; Kw ; S | U
82.  | TPM_ActivateIdentity                 | X     | Ku         | U
83.  | TPM_Delegate_CreateKeyDelegation     | X     | -          | U ; Kw
84.  | TPM_Delegate_CreateOwnerDelegation   | X     | -          | U ; Kw
85.  | TPM_Delegate_LoadOwnerDelegation     | X     | -          | U
86.  | TPM_Delegate_Manage                  | X     | -          | U
87.  | TPM_Delegate_ReadTable               | X     | -          | -
88.  | TPM_Delegate_UpdateVerification      | X     | Ku         | U
89.  | TPM_Delegate_VerifyDelegation        | X     | Ku         | U
90.  | TPM_EstablishTransport               | X     | -          | U
91.  | TPM_ExecuteTransport                 | X     | Ku         | U
92.  | TPM_ReleaseTransportSigned           | X     | S          | U
93.  | TPM_FlushSpecific                    | X     | -          | -
94.  | TPM_ForceClear                       | X     | -          | -
95.  | TPM_GetTicks                         | X     | -          | -
96.  | TPM_TickStampBlob                    | X     | -          | U
97.  | TPM_IncrementCounter                 | X     | -          | U
98.  | TPM_KeyControlOwner                  | X     | -          | U
99.  | TPM_ResetLockValue                   | X     | -          | U
100. | TPM_SetCapability                    | X     | -          | U
101. | TPM_SetOperatorAuth                  | X     | -          | -
102. | TPM_SetOwnerInstall                  | X     | -          | -
103. | TPM_SetOwnerPointer                  | X     | -          | -
104. | TPM_changeAuthAsymStart              | X     |            |
105. | TPM_changeAuthAsymStart              | X     |            |
Locality Controlled Functions
106. | TPM_HASH_START                       | X     | -          | -
107. | TPM_HASH_DATA                        | X     | -          | -
108. | TPM_HASH_END                         | X     | -          | -
TPM Connection Services
109. | TSC_PhysicalPresence                 | X     | -          | -
110. | TSC_ResetEstablishmentBit            | X     | -          | -
Atmel Specific Services
111. | TPM_SetState                         | X     | -          | -
112. | TPM_OwnerSetState                    | X     | -          | U
113. | TPM_GetState                         | X     | -          | -
114. | TPM_Identify                         | X     | -          | -
115. | TPM_VerifySignature                  | X     | -          | -
116. | TPM_BindV20                          | X     | Kw         |

Physical Security Policy

Section 4. Physical Security Policy    Security Level 1

The AT97SC3204-X4 meets Physical Security protection requirements for FIPS level 1. Physical security at level 1 assumes no physical protection of CSPs. No actions are required by the operator(s) to ensure that physical security is maintained. Some physical security protection mechanisms beyond the requirements for level 1 have been implemented and are described in the section titled Mitigation of Other Attacks Policy.

Operational Environment

The AT97SC3204-X4 operational environment meets the FIPS 140-2 requirements for level 1. The AT97SC3204-X4 Operational Environment is non-modifiable. No mechanism exists to upgrade, read, modify or delete the module firmware or hardware. No general purpose operating system is supported or used by the module. Execution of module services is restricted to a single user operating on a single service at any time.

The AT97SC3204 executable firmware is split into two portions within the AT97SC3204. All executable firmware is stored in protected nonvolatile memory – either ROM or EEPROM. The portion of executable firmware stored in ROM is established in the chip metal layers during the wafer fabrication process. The portion of executable code stored in EEPROM is written and locked into TPM protected EEPROM during the chip production test process. EEPROM executable code cannot be read by any process except through internal execution mechanisms performing explicit execution of valid service requests during the lifetime of the module. EEPROM executable code is stored in memory locations that are protected from modification during the lifetime of the module. Integrity verification of executable firmware is performed separately for ROM and EEPROM code.
Integrity of executable firmware stored in ROM and EEPROM is verified through a SHA-1 hash of the code, which is computed during the power on self tests and compared to a value stored in nonvolatile memory when the EEPROM image is loaded and locked into the module. The value stored in EEPROM is protected from exposure, modification or deletion. The value cannot be changed for the lifetime of the module.

The AT97SC3204 does not implement an operating system as defined by FIPS 140-2. Entry of data into the module is controlled by mechanisms for command, status and data communication specified in the TPM Interface Specification (TCG PC Client Specific TPM Interface Specification (TIS); Specification Version 1.21; Revision 1.00; 11 April, 2011; Trusted Computing Group). The set of possible functions is limited to the services listed in Table 7 – AT97SC3204-X4 TPM Services and specified in the TCG TPM Main Specification [2, 3, 4]. Any input data or service requests outside those listed in Table 7 will result in failure of the requested service, transmission of a failure code by the TPM and a return to the Idle state. Execution is restricted to a single service at any one time. Initiation of any service will cause the module state machine to transition to the service execution state. While the module is in the execution state, requests for new services will be ignored. The module will continue execution until completion, either passing or failing, at which time the module will return a status code and transition to the Idle state.

AT97SC3204 hardware is built using a proprietary wafer fabrication process and cannot be modified during the lifetime of the module.

Operating ranges

Normal operating ranges are defined in the AT97SC3204-X4 datasheet [8].
Operation outside these ranges is not guaranteed, but physical security mechanisms are implemented to assure that CSPs remain protected from unauthorized disclosure, usage, modification or deletion.

Temperature: The normal operating temperature range of the AT97SC3204-X4 is -40°C to +85°C.

Voltage: The normal operating voltage range of the AT97SC3204-X4 is 3.0V to 3.6V.

Frequency: The normal operating frequency for the LCLK input pin is 32.25 MHz to 33.90 MHz. The minimum clock period is 29.5 nsec. The maximum clock period is 31.0 nsec.

Mitigation of Other Attacks Policy

Section 5. Mitigation of Other Attacks Policy    Security Level 1

The AT97SC3204-X4 meets Physical Security protection requirements for FIPS level 1. Physical security at level 1 assumes no physical protection of CSPs. Physical security protection mechanisms beyond the level 1 requirements have been implemented and are described in this section.

Housing

The AT97SC3204-X4 TPM is housed in an opaque, non-removable, tamper evident, 28 pin TSSOP package. Attempts to access the internal IC are detectable by visual inspection of the package.

Internal Tamper Detection

The AT97SC3204-X4 TPM contains an active metal shield that covers the internal TPM circuitry and memory components. Cutting, removing or modifying the shield layer will cause the TPM to Reset and enter a FAIL mode.

Environmental protection

The AT97SC3204-X4 contains circuitry which will detect environmental conditions outside the range described in the product datasheet. Temperature, power supply voltage and the clock pulse width are continuously monitored. If conditions exist outside the range determined by the TPM tamper detection circuitry, the chip will Reset and will enter a FAILURE mode. The chip will remain Reset and in FAIL mode as long as the environmental condition causing the tamper event persists.
References

Reference Number | Reference Title
1  | FIPS PUB 140-2, Security Requirements for Cryptographic Modules / National Institute of Standards and Technology (NIST), CHANGE NOTICES (12-03-2002)
2  | TPM Main; Part 1 Design Principles; Specification Version 1.2; Level 2; Revision 116; 1 March, 2011; Trusted Computing Group
3  | TPM Main; Part 2 Structures; Specification Version 1.2; Level 2; Revision 116; 11 April, 2011; Trusted Computing Group
4  | TPM Main; Part 3 Commands; Specification Version 1.2; Level 2; Revision 116; 1 March, 2011; Trusted Computing Group
5  | TCG PC Client Specific TPM Interface Specification (TIS); Specification Version 1.21; Revision 1.00; 11 April, 2011; Trusted Computing Group
6  | TCG PC Client Specific Implementation Specification for Conventional BIOS; Specification Version 1.21; Revision 1.00; 24 February, 2012; for TPM Family 1.2; Level 2.
7  | Trusted Platform Module Atmel-Specific Commands Reference User Guide; AT97SC3204-X4; Atmel Corporation; 300B—TPM—02/08
8  | Trusted Platform Module; AT97SC3204-X4; LPC Interface Datasheet 808-5294C; 12-04-09
9  | Trusted Computing Group Physical Presence Interface Specification; Specification version 1.2; Version 1.20; Revision 1.00; February 10, 2011
10 | TCG 1.2 TPM Physical Presence Management; Atmel Corporation
11 | National Institute of Standards and Technology and Communications Security Establishment, Derived Test Requirements (DTR) for FIPS PUB 140-2, Security Requirements for Cryptographic Modules
12 | National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008. NIST Computer Security Division, Page 3, 07/26/2011.
13 | National Institute of Standards and Technology, Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules
14 | National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, March, 2012.
15 | National Institute of Standards and Technology, Annex C: Approved Random Number Generators for FIPS 140-2, Security Requirements for Cryptographic Modules.
16 | Intel Low Pin Count (LPC) Interface Specification; Revision 1.1; August, 2002
17 | PCI Local Bus Specification; Revision 2.2; December 18, 1998

Definitions and Acronyms

Term | Description

AES: Symmetric cryptographic algorithm. Reference: http://csrc.nist.gov/CryptoToolkit/aes/

AIK: Attestation Identity Key: a special purpose signature key created by the TPM; an asymmetric key, the private portion of which is non-migratable and protected by the TPM. The public portion of an AIK is part of the AIK Credential, issued using either the Privacy CA or DAA protocol. An AIK can only be created by the TPM Owner or a delegate authorized by the TPM Owner. The AIK can be used for platform authentication, platform attestation and certification of keys.

AIK Credential: A credential issued by a Privacy CA that contains the public portion of an AIK key signed by a Privacy CA. The meaning and significance of the fields and the Privacy CA signature is a matter of policy. Typically it states that the public key is associated with a valid TPM.

Attestation: The process of vouching for the accuracy of information. External entities can attest to shielded locations, protected capabilities, and Roots of Trust. A platform can attest to its description of platform characteristics that affect the integrity (trustworthiness) of a platform. Both forms of attestation require reliable evidence of the attesting entity.
Attestation by the TPM
  An operation that provides proof of data known to the TPM. This is done by digitally signing specific internal TPM data using an AIK. The acceptance and validity of both the integrity measurements and the AIK itself are determined by the Verifier. The AIK is obtained using either the Privacy CA or DAA protocol.

Attestation of the Platform
  An operation that provides proof of a set of the platform's integrity measurements. This is done by digitally signing a set of PCRs using an AIK in the TPM.

Attestation to the Platform
  An operation that provides proof that a platform can be trusted to report integrity measurements; performed using the set or subset of the credentials associated with the platform; used to create an AIK credential.

Authentication of the platform
  Provides proof of a claimed platform identity. The claimed identity may or may not be related to the user or any actions performed by the user. Platform Authentication is performed using any non-migratable key (e.g., an AIK). Since there are an unlimited number of non-migratable keys associated with the TPM, there are an unlimited number of identities that can be authenticated.

Blob
  Generally meaning encrypted data that is generated by a TPM (for use in Protected Storage, or for saving context outside the TPM).

CMK
  Certified Migration Key: a key whose migration from a TPM requires an authorization token created with private keys. The corresponding public keys are incorporated in the CMK and referenced when a TPM produces a credential describing the CMK. If a CMK credential is signed by an AIK, an external entity has evidence that a particular key (1) is protected by a valid TPM and (2) requires permission from a specific authority before it can be copied.

CRTM
  Core RTM: the instructions executed by the platform when it acts as the RTM (Root of Trust for Measurement).

Challenger
  (Properly "Identity Challenger") An entity that requests and has the ability to interpret integrity metrics.

Conformance Credential
  A credential that vouches for the conformance of the TPM and the TBB to the TCG specifications.

DAA
  Direct Anonymous Attestation: a protocol for vouching for an AIK using zero-knowledge-proof technology.

DAA Issuer
  A known and recognized entity that interacts with the TPM to install a set of DAA-credentials in the TPM. The DAA issuer provides certification that the holder of such DAA-credentials meets some criteria defined by the Issuer. In many cases the Issuer will be the platform manufacturer, but other entities can become issuers.

Delegation
  A process that allows the Owner to delegate a subset of the Owner's privileges (to perform specific TPM operations).

Denial-of-Service (attack)
  An attack which has no effect on information except to prevent its use.

Digest
  The resulting output of a SHA-1 hash operation.

Endorsement Key
  EK; an RSA key pair composed of a public key (EKpu) and a private key (EKpr). The EK is used to recognize a genuine TPM. The EK is used to decrypt information sent to a TPM in the Privacy CA and DAA protocols, and during the installation of an Owner in the TPM.

Endorsement Key Credential
  A credential containing the EKpu that asserts that the holder of the EKpr is a TPM conforming to TCG specifications. Most TPMs are implemented in hardware, but this is not mandatory.

Integrity challenge
  A process used to send accurate integrity measurements and PCR values to a challenger.

Integrity Measurement (Metrics)
  The process of obtaining metrics of platform characteristics that affect the integrity (trustworthiness) of a platform; storing those metrics; and putting digests of those metrics in shielded locations (called Platform Configuration Registers: PCRs).

Integrity Storage
  Storage of integrity metrics in a log and storage of a digest of those metrics in PCRs.

Integrity Reporting
  The process of attesting to the contents of integrity storage.

Locality
  A mechanism for supporting a privilege hierarchy in the platform.

Migratable (key)
  A key which is not bound to a specific TPM and, with suitable authorization, can be used outside a TPM or moved to another TPM.

Non-migratable (key)
  A key which is bound to a single TPM; a key that is (statistically) unique to a single TPM but may be moved between TPMs using the maintenance process.

Non-volatile (shielded location)
  A shielded storage location whose contents are guaranteed to persist between uses by Protected Capabilities.

Operator
  Anyone who has physical access to a platform.

Owner
  The entity responsible for the platform's security and privacy policies, distinguished by knowledge of the Owner authorization data.

PCR
  Platform Configuration Register: a shielded location containing a digest of integrity digests.

Platform Credential
  A credential, typically a digital certificate, attesting that a specific platform contains a unique TPM and TBB.

Protected Capabilities
  The set of commands with exclusive permission to access shielded locations.

Privacy CA
  An entity, typically a Trusted Third Party (TTP), that blinds a verifier to a platform's EK. An entity (typically well known and recognized) trusted by both the Owner and the Verifier, that will issue AIK Credentials. A Verifier may also adopt the role of a Privacy CA. In that case the roles are co-located but are logically distinct.

Root of Trust (component)
  A component that must always behave in the expected manner, because its misbehavior cannot be detected. The complete set of Roots of Trust has at least the minimum set of functions to enable a description of the platform characteristics that affect the trustworthiness of the platform.

RSA
  Reference: http://www.rsa.com

RTM
  "Root of Trust for Measurement": a computing engine capable of making inherently reliable integrity measurements. Typically the normal platform computing engine, controlled by the CRTM. This is the root of the chain of transitive trust.

RTS
  "Root of Trust for Storage": a computing engine capable of maintaining an accurate summary of values of integrity digests and the sequence of digests.

RTR
  "Root of Trust for Reporting": a computing engine capable of reliably reporting information held by the RTS.

SHA-1
  Reference: http://csrc.ncsl.nist.gov/cryptval/shs.html

Shielded Location
  A place (memory, register, etc.) where it is safe to operate on sensitive data; data locations that can be accessed only by "protected capabilities".

SRK
  Storage Root Key: the root key of a hierarchy of keys associated with a TPM's Protected Storage function; a non-migratable key generated within a TPM.

TCG
  Trusted Computing Group.

TSS
  Trusted Software Stack: software services that facilitate the use of the TPM but do not require the protections afforded to the TPM.

TBB
  Trusted Building Block: the parts of the Root of Trust that do not have shielded locations or protected capabilities. Normally includes just the instructions for the RTM and the TPM initialization functions (reset, etc.). Typically platform-specific. One example of a TBB is the combination of the CRTM, the connection of the CRTM storage to a motherboard, the connection of the TPM to a motherboard, and mechanisms for determining Physical Presence.

Transitive Trust
  Also known as "Inductive Trust": in this process the Root of Trust gives a trustworthy description of a second group of functions. Based on this description, an interested entity can determine the trust it is to place in this second group of functions. If the interested entity determines that the trust level of the second group of functions is acceptable, the trust boundary is extended from the Root of Trust to include the second group of functions. In this case, the process can be iterated. The second group of functions can give a trustworthy description of the third group of functions, etc. Transitive trust is used to provide a trustworthy description of platform characteristics, and also to prove that non-migratable keys are non-migratable.

Trust
  Trust is the expectation that a device will behave in a particular manner for a specific purpose.

TPM
  Trusted Platform Module: an implementation of the functions defined in the TCG Trusted Platform Module Specification; the set of Roots of Trust with shielded locations and protected capabilities. Normally includes just the RTS and the RTR.

User
  An entity that is making use of the TPM capabilities.

Validation Credential
  A credential that states values of measurements that should be obtained when measuring a particular part of the platform when the part is functioning as expected.

Verifier
  In the DAA model: the entity that interacts with the TPM using the DAA protocol to verify that the TPM has a valid set of DAA-credentials. The verifier may then produce an AIK credential, without reference to the platform EK. In the "Trusted Third Party" model: the entity that requests, receives, and evaluates attestation information based on the EK. The TTP (Privacy CA) may then produce an AIK credential, after verifying the platform EK.
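The Integrity Measurement, Integrity Storage, Integrity Reporting and PCR entries above describe measurements being digested into PCRs, logged, and later reported to a challenger, and the RTS entry describes a PCR as a summary of "the sequence of digests". The following Python is an added example, not part of the Atmel Security Policy, the AT97SC3204-X4 firmware or the TCG specifications: it models a 24-register PCR bank, the TPM 1.2 extend operation (the SHA-1(PCR_old || digest) form comes from the TPM 1.2 Main specification, not from this glossary), a constructed boot event log, and the verifier-side replay that checks the reported PCR values against that log. The component names, their bytes and the PCR indices used are constructed for the illustration.

```python
import hashlib

PCR_SIZE = 20                # a TPM 1.2 PCR holds one SHA-1 digest (20 bytes)
PCR_RESET = bytes(PCR_SIZE)  # PCRs read as all-zero after a TPM reset


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """One extend: PCR_new = SHA-1(PCR_old || digest).

    Formula from the TPM 1.2 Main specification (not stated in the glossary).
    Hashing the old value together with the new digest makes the result depend
    on every digest seen so far and on their order, so one 20-byte register
    summarises the whole sequence of digests rather than a set of them.
    """
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must both be SHA-1 sized")
    return sha1(pcr + digest)


# Constructed boot sequence for illustration only (not from the Security Policy):
# (PCR index, component name, component bytes that the RTM would hash).
CONSTRUCTED_BOOT_EVENTS = [
    (0, "CRTM", b"constructed-crtm-image"),
    (0, "BIOS", b"constructed-bios-image"),
    (4, "boot loader", b"constructed-boot-loader"),
]


def measure_boot(events):
    """RTM side: hash each component, append it to the log, extend its PCR.

    Returns the PCR bank (integrity storage in shielded locations) and the
    event log (integrity storage kept outside the TPM).
    """
    pcrs = {i: PCR_RESET for i in range(24)}
    log = []
    for idx, name, component in events:
        digest = sha1(component)
        log.append((idx, name, digest))
        pcrs[idx] = pcr_extend(pcrs[idx], digest)
    return pcrs, log


def replay_log(log):
    """Verifier side: recompute the PCR values the log claims to describe."""
    expected = {}
    for idx, _name, digest in log:
        expected[idx] = pcr_extend(expected.get(idx, PCR_RESET), digest)
    return expected


def verify_report(reported_pcrs, log, indices):
    """Integrity reporting check: do the reported PCRs match a replay of the log?

    In a real exchange the PCR values arrive inside a structure signed by an
    AIK; checking that signature is a separate step not modelled here. A
    mismatch means the log was edited, reordered or truncated relative to the
    measurements the TPM actually recorded.
    """
    expected = replay_log(log)
    return all(reported_pcrs[i] == expected.get(i, PCR_RESET) for i in indices)


if __name__ == "__main__":
    pcrs, log = measure_boot(CONSTRUCTED_BOOT_EVENTS)
    print("PCR0 =", pcrs[0].hex())
    print("full log matches PCRs:", verify_report(pcrs, log, [0, 4]))
    # Drop the BIOS entry from the log: the replayed PCR0 no longer matches.
    print("truncated log matches:", verify_report(pcrs, [log[0], log[2]], [0, 4]))
```

Reordering or removing a single log entry changes the replayed value, which is why the verifier can trust a short PCR value as a summary of a long log; the only thing the replay cannot tell is whether the reported PCR values themselves came from a genuine TPM, which is what the AIK signature over the PCR set establishes.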