This chapter discussed the concepts and functionality of trusted platform modules. TPMs are designed to have an owner: a single party, which could be a person for a consumer TPM or an entire IT department for an enterprise machine, who is responsible for configuring the TPM appropriately. The TPM owner is not equivalent to a root or administrator account in an OS; the owner cannot read secrets belonging to other TPM users, or use the owner password to bypass other access controls. The owner does, however, have a few useful unique powers compared to other users.

Chapter Contents:

• 3.1 Ownership and authority
• 3.2 Root keys and primary seeds
• 3.2.1 TPM 1.2 root keys
• 3.2.2 TPM 2.0 primary seeds and hierarchies
• 3.2.2.1 The platform hierarchy
• 3.2.2.2 The storage hierarchy
• 3.2.2.3 The endorsement hierarchy
• 3.2.2.4 Which hierarchy to use
• 3.3 Non-root keys
• 3.3.1 Root and non-root key relationships
• 3.3.2 Externally created keys and the TPM
• 3.4 Key certification
• 3.5 Roots of trust for measurement
• 3.6 Platform configuration registers
• 3.7 Quotes
• 3.8 NVRAM and key storage
• 3.9 Utility functions
• 3.10 Access control mechanisms
• 3.11 Cryptographic algorithms
• 3.12 Communicating securely with the TPM
• 3.13 The TPM in action
• 3.13.1 Possible TPM states
• 3.13.2 Reboots, and why they matter
• 3.13.3 Clearing: erasing your TPM

Inspec keywords: trusted computing

Other keywords: owner password; trusted platform modules; TPM; access controls

Subjects: Data security