ISO/IEC INTERNATIONAL STANDARD 11889-1 Second edition 2015-12-15 Information technology Trusted Platform Module Library - Part 1: Architecture Technologies de I'information Bibliotheque de module de plate-forme de confiance - Partie 1: Architecture Reference number IS0/IEC 11889-1:2015(E) TEC ISo International Organization for Standardization icial Academy of Standardization 5944055 @ IS0/IEC 2015 vided by IHS underI Not for Resale, ted without license from IHS IS0/IEC 11889-1:2015(E) COPYRIGHTPROTECTEDDOCUMENT IS0/IEC 2015, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. ISOcopyrightoffice Ch. de Blandonnet 8 . CP 401 CH-1214 Vernier, Geneva, Switzerland Tel.+41 22 749 0111 Fax +41 22 749 09 47 [email protected] www.iso.org Internatinair PrganizationforStandardization icensee-Guangdong Provinicial Acad ISSta/JFdzan0 J.4as:All rights reserved Not for Resale, 2016/3/4 03:27:18 etworking permitted without license from IHS ISO/IEC 11889-1:2015(E) CONTENTS Foreword.. ..xiv Introduction Scope. 2 Normative references . 3 Terms and definitions. 3 4 Symbols and Abbreviated Terms 12 4.1 Symbols 4.2 Abbreviations 13 5 Conventions 15 5.1 Bit and Octet Numbering and Order. 5.2 Sized Buffer References. 5.3 Numbers. 16 5.4 KDF Label Parameters . 16 6 ISO/IEC 11889 Organization... 17 7 Compliance .... 8 Changes from Previous Versions. 9 Trusted Platforms .... 9.1 Trust... 21 9.2 Trust Concepts 21 9.2.1 Trusted Building Block 21 9.2.2 Trusted Computing Base. 21 9.2.3 Trust Boundaries. 9.2.4 Transitive Trust... 22 9.2.5 Trust Authority .. .22 9.3 Trusted Platform Module 23 9.4 Roots of Trust ... 9.4.1 Introduction..... .23 9.4.2 Root of Trust for Measurement (RTM) ..24 9.4.3 Root of Trust for Storage (RTS). 9.4.4 Root of Trust for Reporting (RTR) ..24 9.5 Basic Trusted Platform Features .. 25 9.5.1 Introduction.... .25 9.5.2 Certification. .26 9.5.3 Attestation and Authentication . 9.5.4 Protected Location ... ..29 9.5.5 Integrity Measurement and Reporting. 10 TPM Protections.. .31 10.1 Introduction. 10.2 Protection of Protected Capabilities 10.3 Protection of Shielded Locations.. 10.4 Exceptions and Clarifications.. 11TPMArchitecture ..33 11.1 Introduction 33 NoanEG2nAl1 rights reserved No reprodu ed without license from IHS ISO/IEC11889-1:2015(E) 11.2 TPM Command Processing Overview.... ...33 11.3 11.4 Cryptography Subsystem . .37 11.4.1 In.troduction..... 11.4.2 Hash Functions .37 11.4.3 HMAC Algorithm... 11.4.4 AsymmetricOperations 11.4.5 Signature Operations .. .39 11.4.6 Symmetric Encryption.. 11.4.7 11.4.8 Key Generation . .43 11.4.9 KeyDerivationFunction ..43 11.4.10 Random Number Generator (RNG) Module ... 11.4.11 Algorithms .. .49 11.5 Authorization Subsystem... 11.6 Random Access Memory... ..51 11.6.1 In.trodu.ction........ 11.6.2 Platform Configuration Registers (PCR) 11.6.3 Object Store .... ...52 11.6.4 Session Store ... 11.6.5 Size Requirements ... 11.7 Non-Volatile (NV) Memory. 11.8 Power Detection Module... ..53 12 TPM Operational States.. 12.1 Introduction. 12.2 12.2.1 Power-off State.. ...54 12.2.2 Initialization State 12.2.3 StartupState ..55 12.2.4 Shutdown State. ..58 12.2.5 Startup Alternatives.... 12.3 Self-Test Modes.. ...59 12.4 Failure Mode.... 12.5 Field Upgrade .... ....61 12.5.1 Introduction... 12.5.2 Field Upgrade Mode.. ...61 12.5.3 Preserved TPM State. ....64 12.5.4 Field Upgrade Implementation Options.. 13 TPM Control Domains . 13.1 Introduction.... 13.2 Controls.... 13.3 Platform Controls .... 13.4 Owner Controls... ..68 13.5 Privacy Administrator Controls .. ..68 13.6 13.7 Lockout Control... ..69 Internatinal Organization @std@EC 2015 - All rights reserved ili Besald No reproduction or networking permitted withoutlicense from IHS ISO/IEC 11889-1:2015(E) 13.8TPM Ow