Trusted Platform Module - TPM
OpenTitan can be used to implement the full Trusted Platform Module (TPM) 2.0 specification to meet client and server platform use cases. When used as a TPM, OpenTitan is provisioned with an endorsement seed and RSA and ECDSA endorsement certificates (EK). TPM commands are served over either SPI or I2C device peripherals.
- ALC_FLR.1: Basic flaw remediation. The developer provides flaw remediation procedures to the Target of Evaluation (TOE) developers.
- AVA_VAN.4: Methodical vulnerability analysis. Methodical vulnerability analysis is performed by the evaluator to identify the presence of potential vulnerabilities. Penetration testing is performed by the evaluator assuming a moderate attack potential.
- TRNG: At least one internal entropy source is required. The entropy source and collector should provide entropy to the state register in a manner that is not visible to an outside process. The entropy collector should regularly update the state register with additional, unbiased entropy.
- Hash Algorithms:
  - An approved hash algorithm with approximately the same security strength as its strongest asymmetric algorithm. For OpenTitan the targets are SHA2-256 and SHA2-384.
  - A TPM should support the extend function to make incremental updates to a digest value.
- Symmetric Key Algorithms:
  - HMAC as described in ISO/IEC 9797-2. XOR obfuscation for use in a hash-based stream cipher.
  - A symmetric block cipher in CFB mode. For OpenTitan the target is AES-CFB with 128/192/256-bit keys.
- Asymmetric key algorithm:
  - At least one of:
    - Sign and verify support for 3072-bit or larger key sizes.
    - Verify support for 3072-bit key size as part of a secure boot implementation.
    - For OpenTitan, the minimum requirement is to support signature and verification on the NIST P-256 and P-384 curves.
  - At least one of:
    - Key derivation function:
      - Counter mode use of SP800-108, with HMAC as the PRF.
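The counter-mode construction named in the last item, written out as an added example (not OpenTitan code or TPM reference code): SP800-108 in counter mode with HMAC as the PRF, in the form the TPM 2.0 specification calls KDFa. The seed, labels and object name below are constructed sample values.

```python
import hmac


def kdfa(hash_name: str, key: bytes, label: bytes, context_u: bytes,
         context_v: bytes, bits: int) -> bytes:
    """SP800-108 counter-mode KDF with HMAC as the PRF, in the TPM 2.0 KDFa form:
    K(i) = HMAC(key, [i]_2 || label || 0x00 || context_u || context_v || [bits]_2)
    where i (starting at 1) and bits are 32-bit big-endian values."""
    if bits <= 0:
        raise ValueError("bits must be positive")
    # The label is NUL-terminated and the requested length is bound into every
    # block, so one key yields unrelated outputs for different labels or lengths.
    fixed = label + b"\x00" + context_u + context_v + bits.to_bytes(4, "big")
    out = b""
    counter = 1
    while len(out) * 8 < bits:
        out += hmac.new(key, counter.to_bytes(4, "big") + fixed, hash_name).digest()
        counter += 1
    out = out[:(bits + 7) // 8]
    if bits % 8:
        # Non-byte-multiple lengths keep the low-order bits; zero the excess high bits.
        out = bytes([out[0] & ((1 << (bits % 8)) - 1)]) + out[1:]
    return out


# Constructed sample seed; a real TPM uses a hierarchy seed it never exports.
SAMPLE_SEED = bytes(range(32))


def derive_hierarchy_keys() -> dict:
    """Derive per-purpose keys from one seed the way a TPM does: a 256-bit key
    under SHA2-256 and a 384-bit key under SHA2-384 (the OpenTitan targets)."""
    # Constructed object name used as contextU: TPM_ALG_SHA256 id (0x000b) + digest.
    name = b"\x00\x0b" + b"\x11" * 32
    return {
        "storage_256": kdfa("sha256", SAMPLE_SEED, b"STORAGE", name, b"", 256),
        "integrity_256": kdfa("sha256", SAMPLE_SEED, b"INTEGRITY", name, b"", 256),
        "storage_384": kdfa("sha384", SAMPLE_SEED, b"STORAGE", name, b"", 384),
    }


def length_is_bound() -> bool:
    """Requesting 512 bits and truncating does not reproduce the 256-bit derivation:
    [L]_2 is part of the PRF input, so even the first block differs."""
    long = kdfa("sha256", SAMPLE_SEED, b"STORAGE", b"", b"", 512)
    short = kdfa("sha256", SAMPLE_SEED, b"STORAGE", b"", b"", 256)
    return long[:32] != short


if __name__ == "__main__":
    for purpose, k in derive_hierarchy_keys().items():
        print(purpose, k.hex())
    print("length bound into derivation:", length_is_bound())
```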
OpenTitan used as a TPM has the following provisioning requirements:
- Unique Global Identifier: Big integer value (up to 256b) used to facilitate tracking of the devices throughout their life cycle. The identifier is stored in One Time Programmable (OTP) storage during manufacturing.
- Endorsement Seed: Generation of endorsement seed for RSA and ECC asymmetric operations. The seed is stored in encrypted or masked form with a key bound to the device’s key manager.
- EK Certificate: One EK Certificate for each asymmetric key type, stored in the device. Additional requirements which may be fulfilled by an implementation relying on Ownership Transfer:
  - The intermediate root certificate may be cross-signed by the Silicon Owner.
  - The intermediate root certificate may only be used for a class of devices managed by the Silicon Owner.
  - The intermediate root certificate must be chained to a well-known root CA.
- Factory Firmware: Baseline image with support for firmware update via SPI or I2C, and either the full TPM 2.0 command set or the subset of commands required by the target platform.
- Non-HDI packaging is required.
- (Optional) TPM-spec compatible packaging.
The requirements listed below are extracted from the TPM Profile (PTP) Specification version 1.03 revision 22, referred to as the PTP spec in the following sections.
- Size requirements as specified in section 3.6.1 of the PTP spec:
  - Minimum of 8 KB of NV storage.
  - Follow the storage guidance for pre-provisioned EK Certificates if these are available.
- SPI device with support for the TPM flow control protocol as specified in section 6.4.5 of the PTP spec. It is preferred to implement flow control in hardware.
- I2C interface as specified in section 7.1 of the PTP spec.
- GPIO: Additional pins used to implement platform security flows for a set of integration use cases.
TCG requires membership in order to obtain TPM certification. There are additional compliance testing requirements. See TCG's certification portal for more details: https://trustedcomputinggroup.org/membership/certification/.