Add info on TPM

1 files changed, 163 insertions, 2 deletions

diff --git a/xml/integrity/concepts.xml b/xml/integrity/concepts.xml
index c8859f9..c9f6313 100644
--- a/xml/integrity/concepts.xml
+++ b/xml/integrity/concepts.xml
@@ -20,8 +20,8 @@ more secure environment to work in.
 <!-- See http://creativecommons.org/licenses/by-sa/3.0 -->
 <license version="3.0" />
 
-<version>1</version>
-<date>2012-07-30</date>
+<version>2</version>
+<date>2012-08-14</date>
 
 <chapter>
 <title>It is about trust</title>
@@ -517,6 +517,167 @@ it took before.
 <title>Trusted Platform Module</title>
 <body>
 
+<p>
+Years ago, a non-profit organization called the <uri
+link="http://www.trustedcomputinggroup.org">Trusted Computing Group</uri> was
+formed to work on and promote open standards for hardware-enabled trusted
+computing and security technologies, including hardware blocks and software
+interfaces across multiple platforms.
+</p>
+
+<p>
+One of its deliverables is the <e>Trusted Platform Module</e>, abbreviated to
+TPM, to help achieve these goals. But what are these goals exactly (especially
+in light of our integrity project)?
+</p>
+
+<ul>
+  <li>
+    Support hardware-assisted record (measuring) of what software is (or was)
+    running on the system since it booted in a way that modifications to this
+    record (or the presentation of a different, fake record) can be easily
+    detected
+  </li>
+  <li>
+    Support the secure reporting to a third party of this state (measurement) so
+    that the third party can attest that the system is indeed in a sane state
+  </li>
+</ul>
+
+<p>
+The idea of providing a hardware-assisted method is to prevent software-based
+attacks or malpractices that would circumvent security measures. By running some
+basic (but important) functions in a protected, tamper-resistant hardware module
+(the TPM) even rooted devices cannot work around some of the measures taken to
+"trust" a system.
+</p>
+
+<p>
+The TPM chip itself does not influence the execution of a system. It is, in
+fact, a simple request/reply service and needs to be called by software
+functions. However, it provides a few services that make it a good candidate to
+set up a trusted platform (next to its hardware-based protection measures to
+prevent tampering of the TPM hardware itself):
+</p>
+
+<ul>
+  <li>
+    Asymmetric crypto engine, supporting the generation of asymmetric keys (RSA
+    with a keylength of 2048 bits) and standard operations with those keys
+  </li>
+  <li>
+    A random noise generator
+  </li>
+  <li>
+    A SHA-1 hashing engine
+  </li>
+  <li>
+    Protected (and encrypted) memory for user data and key storage
+  </li>
+  <li>
+    Specific registers (called PCRs) to which a system can "add" data to
+  </li>
+</ul>
+
+</body>
+</section>
+<section>
+<title>Platform Configuration Registers, Reporting and Storage</title>
+<body>
+
+<p>
+PCR registers are made available to support securely recording the state of 
+(specific parts of) the system. Unlike processor registers that software can
+reset as needed, PCR registers can only be "extended": the previous value in the
+register is taken together with the new provided value, hashed and
+stored again. This has the advantage that a value stores both the knowledge of
+the data presented to it as well as its order (providing values AAA and BBB
+gives a different end result than providing values BBB and AAA), and that the
+PCR can be extended an unlimited number of times.
+</p>
+
+<p>
+A system that wants to securely "record" each command executed can take the hash
+of each command (before it executes it), send that to the PCR, record the event
+and then execute the command. The system (kernel or program) is responsible for
+recording the values sent to the PCR, but at the end, the value inside
+the PCR has to be the same as the one calculated from the record. If it differs,
+then the list is incorrect and the "secure" state of the system cannot be proven.
+</p>
+
+<p>
+To support secure reporting of this value to a "third party" (be it a local
+software agent or a remote service) the TPM supports secure reporting of the PCR
+values: an RSA signature is made on the PCR value as well as on a random
+number (often called the "nonce") given by the third party (proving there is no
+man-in-the-middle or replay attack). Because the private key of this signature
+is securely stored on the TPM this signature cannot be forged.
+</p>
+
+<p>
+The TPM chip has (at least) 24 PCR registers available. These registers will
+contain the extended values for
+</p>
+
+<ul>
+  <li>
+    BIOS, ROM and memory block data (PCR 0-4)
+  </li>
+  <li>
+    OS loaders (PCR 5-7)
+  </li>
+  <li>
+    Operating System-provided data (PCR 8-15)
+  </li>
+  <li>
+    Debugging data (PCR 16)
+  </li>
+  <li>
+    Localities and Trusted Operating System data (PCR 17-22)
+  </li>
+  <li>
+    Application-specific data (PCR 23)
+  </li>
+</ul>
+
+<p>
+The idea of using PCRs is to first <e>measure</e> the data a component is about
+to execute (or transfer control to), then <e>extend</e> the appropriate PCR,
+then <e>log</e> this event in a measurement log and finally <e>transfer
+control</e> to the measured component. This provides a trust "chain".
+</p>
+
+</body>
+</section>
+<section>
+<title>Trusting the TPM</title>
+<body>
+
+<p>
+In order to trust the TPM, the TCG basis its model on asymmetric keys. Each TPM chip
+has a 2048-bit private RSA key securely stored in the chip. This key, called the
+<e>Endorsement Key</e>, is typically generated by the TPM manufacturer during
+the creation of the TPM chip, and is backed by an Endorsement Key certificate
+issued by the TPM manufacturer. This EK certificate guarantees that the EK is in
+fact an Endorsement Key for a given TPM (similar to how an SSL certificate is
+"signed" by a Root CA). The private key cannot leave the TPM chip.
+</p>
+
+<p>
+A second key, called the <e>Storage Root Key</e>, is generated by the TPM chip
+when someone takes "ownership" of the TPM. Although the key cannot leave the TPM
+chip, it can be removed (when someone else takes ownership). This key is used to
+encrypt data and other keys (user <e>Storage Keys</e> and <e>Signature
+Keys</e>).
+</p>
+
+<p>
+The other keys (storage and signature keys) can leave the TPM chip, but always
+in an encrypted state that only the TPM can decrypt. That way, the system can
+generate specific user storage keys securely and extract them, storing them on
+non-protected storage and reload them when needed in a secure manner).
+</p>
+
 </body>
 </section>
 </chapter>