Trusted Platform identity credentials

TPM endorsement credential

  • Endorsement public key certificate

  • To attest that the TPM is genuine

Platform credential

  • Signed by a Platform Entity (e.g. manufacturer)

  • To attest that a given TPM has been integrated into a platform

Conformance credential

  • Signed by a Conformance Entity

  • To attest that the TPM & the platform designs conform with TCPA

Issuing protocol

TP generates a new identity key pair.

  • IdPriv, IdPub

TP sends a new identity request to a Privacy Certification Authority (PCA) including:

  • IdPub, EndCred, PlaCred, ConCred, Sign(BindData)

IdPriv is used to generate a signature on BindData, which encompasses the hash of the PCA’s public key and IdPriv.

  • The signature is attached to the request.

On receipt of the request, the Privacy CA (PCA) verifies the submitted credentials and the signature.

  • If the verification is successful, the PCA proceeds to create the identity credential (IdCred), essentially a certificate on IdPub signed by the Privacy CA.

PCA sends Identity Credentials to TP.

  • Encrypted with EndPub of the TPM

  • Enc(IdCred, EndPub)
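The issuing protocol above, worked through in Go with only the standard library, as an added example rather than code from the page or from any TCG implementation. Its assumptions: BindData is SHA-256 over the PCA public key and IdPub; IdCred is the PCA's PKCS#1 v1.5 signature over IdPub rather than a full certificate; EndPub is a 4096-bit RSA key; and validation of EndCred, PlaCred and ConCred is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// Assumption of this example: BindData is SHA-256 over the PCA public key and
// IdPub, so Sign(BindData) under IdPriv proves that IdPriv's holder built this
// request for this particular PCA (a request made for another PCA fails here).
func bindData(pcaPub, idPub *rsa.PublicKey) []byte {
	h := sha256.New()
	h.Write(x509.MarshalPKCS1PublicKey(pcaPub))
	h.Write(x509.MarshalPKCS1PublicKey(idPub))
	return h.Sum(nil)
}

// TP side: IdPriv signs BindData; the signature travels with IdPub in the request.
func SignBinding(idPriv *rsa.PrivateKey, pcaPub *rsa.PublicKey) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, idPriv, crypto.SHA256, bindData(pcaPub, &idPriv.PublicKey))
}

// PCA side: with EndCred/PlaCred/ConCred already validated (not shown), check the
// binding signature under IdPub against THIS PCA's key, sign IdPub to form IdCred,
// and return Enc(IdCred, EndPub) so only the TPM holding EndPriv can recover it.
func IssueCredential(pcaPriv *rsa.PrivateKey, idPub, endPub *rsa.PublicKey, bindSig []byte) ([]byte, error) {
	if err := rsa.VerifyPKCS1v15(idPub, crypto.SHA256, bindData(&pcaPriv.PublicKey, idPub), bindSig); err != nil {
		return nil, err // IdPub is not bound to this PCA: refuse to certify it
	}
	d := sha256.Sum256(x509.MarshalPKCS1PublicKey(idPub))
	idCred, err := rsa.SignPKCS1v15(rand.Reader, pcaPriv, crypto.SHA256, d[:])
	if err != nil {
		return nil, err
	}
	// A 4096-bit EndPub holds the 256-byte IdCred in a single OAEP block.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, endPub, idCred, []byte("IdCred"))
}

// TP side again: decrypt with EndPriv and check that IdCred certifies IdPub under the PCA key.
func ActivateIdentity(endPriv *rsa.PrivateKey, pcaPub, idPub *rsa.PublicKey, enc []byte) error {
	idCred, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, endPriv, enc, []byte("IdCred"))
	if err != nil {
		return err
	}
	d := sha256.Sum256(x509.MarshalPKCS1PublicKey(idPub))
	return rsa.VerifyPKCS1v15(pcaPub, crypto.SHA256, d[:], idCred)
}
```

Because the binding names the PCA, a request captured and replayed to a different Privacy CA is rejected at the signature check, and a credential encrypted to EndPub is unreadable to anyone without the matching endorsement private key.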
