Trusted Platform Module - TPM
Overview
OpenTitan can be used to implement the full Trusted Platform Module (TPM) 2.0 specification to meet client and server platform use cases. When used as a TPM, OpenTitan is provisioned with an endorsement seed and RSA and ECDSA endorsement certificates (EK). TPM commands are served over either SPI or I2C device peripherals.
Certification Requirements
Minimum Crypto Algorithm Requirements
- TRNG: At least one internal entropy source is required. The entropy source and collector should provide entropy to the state register in a manner that is not visible to an outside process. The entropy collector should regularly update the state register with additional, unbiased entropy.
- Hash Algorithms:
- An approved hash algorithm with approximately the same security strength as its strongest asymmetric algorithm. For OpenTitan the target is SHA2-256, SHA2-384.
- A TPM should support the extend function to make incremental updates to a digest value.
- Symmetric Key Algorithms:
- HMAC as described in ISO/IEC 9797-2. XOR obfuscation for use in a hash based stream cipher.
- A symmetric block cipher in CFB mode. For OpenTitan the target is AES-CFB 128/192/256-bit.
- Asymmetric key algorithm:
- At least one of:
- RSA:
- Sign and verify support for 3072-bit or larger key sizes.
- Verify support for 3072-bit key size as part of secure boot implementation.
- ECDSA
- For OpenTitan, the minimum requirement is to support signature and verification on NIST P-256 and P-384 curves.
- Key derivation function:
- Counter mode use of SP800-108, with HMAC as the PRF.
Provisioning Requirements
OpenTitan used as a TPM has the following provisioning requirements:
- Unique Global Identifier: Big integer value (up to 256b) used to facilitate tracking of the devices throughout their life cycle. The identifier is stored in One Time Programmable (OTP) storage during manufacturing.
- Endorsement Seed: Generation of endorsement seed for RSA and ECC asymmetric operations. The seed is stored in encrypted or masked form with a key bound to the device's key manager.
- EK Certificate: One EK Certificate for each asymmetric key type. Stored in the device. Additional requirements which may be fulfilled by an implementation relying on Ownership Transfer:
- The intermediate root certificate may be cross-signed by the Silicon Owner.
- The intermediate root certificate may only be used for a class of devices managed by the Silicon Owner.
- The intermediate root certificate must be chained to a well known root CA.
- Factory Firmware: Baseline image with support for firmware update via SPI or I2C, and TPM 2.0 full or subset of commands required by the target platform.
Packaging Constraints
- Non-HDI packaging is required.
- (Optional) TPM-spec compatible packaging.
Additional Requirements
The requirements listed below are extracted from the TPM Profile (PTP) Specification version 1.03 revision 22, referred to as the PTP spec in the following sections.
Storage Requirements
- Size requirements as specified in section 3.6.1 of the PTP spec:
- Minimum of 8KB bytes of NV storage.
- Follow the storage guidance for pre-provisioned EK Certificates if these are available.
External Peripherals
- SPI device with support for TPM flow control protocol as specified in section 6.4.5 of the PTP spec. It is preferred to implement flow control in hardware.
- I2C interface as specified in section 7.1 of the PTP doc.
- GPIO: Additional pins used to implement platform security flows for a set of integration use cases.
Relevant specs
Notes
[^1]: TCG requires membership in order to obtain TPM certification. There are additional compliance testing requirements. See TCG's certification portal for more details: https://trustedcomputinggroup.org/membership/certification/.