The Trusted Platform Module (TPM) found in most computers today is a device governed by the specifications of the Trusted Computing Group (TCG). Truly grokking how a TPM operates is a daunting task: the specification for the TPM, called the TPM Library Specification, currently comes in four parts, totaling 2237 pages. (!) However, even those 2237 pages aren't the whole story. This article provides a roadmap to the various specifications that define the TPM, in order to provide the reader with a comprehensive picture of what documentation is available, and what must be studied to acquire TPM mastery.

Foundational Specifications

TPM Library Specification

This is the "main" TPM specification. It is broken down into the following parts:
Part 1: Architecture
Part 2: Structures
Part 3: Commands
Part 4: Supporting Routines

PC Client Platform Firmware Profile

The PC Client Platform Firmware Profile specifies requirements for the TPM as it is practically integrated into a platform; i.e., not the TPM in the abstract, but what firmware on a real PC must do with it. Issues covered include platform and firmware provisioning, use of the TPM to record measurements of platform code and configuration, the PCR mapping (which PCR each class of measurement, from firmware code through option ROMs, boot manager, GPT and Secure Boot policy, is extended into), the format of the event log that accompanies those measurements, and functional interfaces. The target audience for this document is platform manufacturers, but anyone writing attestation or measured-boot verification code needs it, because it is the document that says what a given PCR value is supposed to mean.

PC Client Specific Platform TPM Profile for TPM 2.0 (PTP)

The PC Client Specific Platform TPM Profile for TPM 2.0 (PTP) covers the requirements placed on the TPM itself for PC Client platforms, not the requirements on a platform integrating the TPM. The PTP defines the interfaces and protocols used to talk to the TPM (the FIFO/TIS and CRB register interfaces and their locality semantics) and a platform-specific set of requirements. It also supplies the values the TPM Library Specification leaves as "Platform Specific", such as the minimum number of PCRs, the required PCR banks, and the amount of NV storage that must be available. The target audience for the PTP is TPM manufacturers, but platform manufacturers and driver authors will also find value in it.

Supporting Specifications

The following supporting specifications are specific to niche TPM-related topics in which you may or may not find value.

TCG ACPI Specification

The TCG ACPI Specification covers the interfaces an OS uses to discover and interact with TPM devices according to the ACPI standard, for both client and server machines. It defines the ACPI tables (the TPM2 table, which tells the OS where the TPM's register or control area lives and which start method to use), methods, and namespace objects through which firmware advertises the TPM to the OS. On Linux the raw table is visible as /sys/firmware/acpi/tables/TPM2, which is a quick way to confirm that firmware actually exposed the TPM before chasing driver problems.

TCG Physical Presence Specification

Physical Presence is a form of authorization required to perform certain privileged TPM operations, such as clearing the TPM (TPM2_Clear), which destroys all keys rooted in its storage hierarchy. The point is that a user must be physically at the machine to make such changes, so that a remote attacker, or malware running in the OS, cannot make them on its own. This specification defines the Physical Presence Interface (PPI) between an operating system and the firmware: the OS submits a request (through an ACPI method) and the firmware carries it out on the next boot only after prompting the person at the console to confirm. That confirmation step, which a compromised OS cannot answer, is what gives the mechanism its security; a request that the OS could both submit and approve would add nothing. On Linux the kernel exposes the PPI request/response interface under /sys/class/tpm/tpm0/ppi/.

TCG Platform Reset Attack Mitigation Specification

When a platform reboots or shuts down, the contents of DRAM are not immediately lost. Once refresh stops, the cells begin to decay, but for a period of seconds (longer if the chips are cooled) the data remains readable. This is the "cold boot" attack: an attacker resets or power-cycles the platform, quickly boots it into a small program that dumps memory, and recovers encryption keys and other secrets from the remanent contents, unless the system uses something like total memory encryption. This specification defines the Memory Overwrite Request (MOR) feature: the OS sets a UEFI variable (MemoryOverwriteRequestControl) whenever it holds secrets in RAM, and firmware that sees the request on the next boot overwrites memory before handing control to anything else. Later revisions add MORLock, which prevents malware from simply clearing the request. Note the limit of the mitigation: it only helps when the reboot goes through firmware that honours the variable; an attacker who pulls the DIMMs and reads them in another machine is not stopped by it.

TCG EFI Protocol Specification

The purpose of this document is to define a standard interface to the TPM on UEFI-based systems. It defines the data structures and APIs (the EFI_TCG2_PROTOCOL) that allow a boot loader or other UEFI application to ask the firmware about the TPM early in boot, before the OS has a driver of its own. Such information includes: whether a TPM is present, which PCR banks are active, a way to change the active PCR banks, the TCG boot log (in either the legacy SHA-1-only format or the crypto-agile TCG_PCR_EVENT2 format that carries one digest per active bank), and calls to extend hashes into PCRs and append the corresponding events to the boot log. Anything that verifies a measured boot later, from an OS kernel through a remote attestation service, is working from the log that these calls produce.


Wow, that's a lot of documentation. I hope this helps you get a handle on all the resources required to master TPM technology.
