TPM 2.0 Software Stack: Usability, Privacy and Security
Philip Tricca
Intel
The Trusted Platform Module (TPM) has been the standard in software integrity measurement and reporting for over 15 years. TPM 2.0 became an ISO standard in 2015 and a Windows 10 security requirement in 2018, and it is integrated into platforms across the enterprise as a discrete part or as firmware in a TEE. Despite the pain and suffering associated with programming against past TCG APIs, the TPM architecture has proven sound and useful.
This talk will cover Intel’s collaboration with partners in the TCG TPM2 Software Stack (TSS2) working group to create a set of usable APIs. Design and craftsmanship of APIs with intuitive, predictable behavior can increase developer adoption and the likelihood of critical infrastructure functioning as intended. We have made TPM2 programming architecture and APIs usable for multiple levels of abstraction and varying constraints. We’ll discuss recent successes, including open-source APIs for environments ranging from embedded firmware to desktops and servers.
The TSS2 APIs are, however, just a means to an end, so this talk will conclude with a discussion of projects that we aim to enable through these APIs: richer functionality in the UEFI firmware environment, hybrid approaches for key management in hardware crypto accelerators, integration with distributed key management infrastructure, the impact of recent OSS work on user freedoms, and emerging standards like the Device Identifier Composition Engine (DICE).
🔎 | Boot Integrity |
References
- Automatic LUKS volumes unlocking using a TPM2 chip (2017)
- Dell TPM 1.2 vs 2.0 Features
- Intel QuickAssist with Intel Key Protection Technology
- Microsoft TPM 2.0 Reference Implementation
- Microsoft Technical Report on ARM TZ + TPM2 (2015)
Source Code
- TPM2 Software
- Community mailing list
Related
Presenter
- Tricca — Getting Started with the TPM2 Software Stack (Linux Security Summit 2018 video)
- Tricca — Securing Embedded Linux Systems with TPM 2.0 (Embedded Linux Conference 2017 video)