Use cases

Host identification

To authorize the host's participation in protected environments.

Host data encryption

Files, file systems, and highly sensitive data (passwords).

Key storage

Keys are encrypted (wrapped) with the TPM public key, so only that TPM can decrypt them.

Encrypted keys can be stored anywhere.

Random number generation

Fundamental for generating keys and nonces.

NVRAM for storing critical data.

Root keys of certification chains.

Endorsement keys (EKs).

The state that must be reached during a controlled boot.

  • Used by Intel Trusted Execution Technology.

PCRs (Platform Configuration Registers)

They hold hash-extended values.

Because of the extend operation, a single PCR value can report a whole sequence of measurements.

They can be used as authentication signals.

  • Secrets can be unlocked only when they have a given value.

  • In TPM 2.0, secrets can also be unlocked when the PCRs match a value signed by a trusted party (to avoid PCR fragility).

    • Non-Brittle PCRs
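
The PCR extend chain and both sealing policies above, as an added example that is not part of the original page: the event log, the PCR reset value and the authority key are constructed assumptions, and an HMAC stands in for the trusted party's asymmetric signature.

```python
import hashlib
import hmac

# Constructed sample event logs (not real boot components). Each entry is a
# component measured by the previous boot stage and extended into one PCR.
BOOT_LOG_V1 = [b"firmware-1.0", b"bootloader-1.0", b"kernel-5.10"]
BOOT_LOG_V2 = [b"firmware-1.1", b"bootloader-1.0", b"kernel-5.10"]  # after a firmware update
PCR_RESET = bytes(32)  # SHA-256 bank PCRs start at all zeros after reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def replay_log(log) -> bytes:
    """Recompute the final PCR value from an ordered event log (verifier side)."""
    pcr = PCR_RESET
    for measurement in log:
        pcr = pcr_extend(pcr, measurement)
    return pcr


def unseal_by_value(secret: bytes, pcr_now: bytes, pcr_sealed: bytes):
    """Brittle policy: release the secret only if the PCR equals the sealed value."""
    return secret if hmac.compare_digest(pcr_now, pcr_sealed) else None


# Non-brittle variant (TPM 2.0 style): a trusted party approves expected PCR
# values by signing them, so an update only needs a new signed value, not a
# re-seal. The HMAC with an assumed shared key models the real signature.
AUTHORITY_KEY = b"assumed-authority-key"  # assumption, constructed for the example


def authority_sign(expected_pcr: bytes) -> bytes:
    return hmac.new(AUTHORITY_KEY, expected_pcr, hashlib.sha256).digest()


def unseal_by_authorization(secret: bytes, pcr_now: bytes, approved_pcr: bytes, signature: bytes):
    """Release the secret if the PCR matches a value the authority has signed."""
    sig_ok = hmac.compare_digest(authority_sign(approved_pcr), signature)
    return secret if sig_ok and hmac.compare_digest(pcr_now, approved_pcr) else None
```

Replaying the log shows why the same components in a different order yield a different PCR, and why a value-sealed secret becomes unreachable after the firmware update while the authorized policy still opens it.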

Privacy enhancement

Storage of password-protected secrets with delay mechanisms to prevent guessing attacks.

Attestation Identity Keys (AIKs), or simply AKs.

  • They can identify the host (or its owner) in different scenarios.

Direct anonymous attestation (DAA).
