| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Hardware |
| Embodiment | Single Chip |
| Status | Active |
| Sunset date | 6/3/2029 |
| Caveat | When operated in approved mode |
| Vendor | STMicroelectronics |
| Algorithm | ACVP Cert |
|---|---|
| KTS-IFC | A2554 |
| RSA Decryption Primitive | A2554 |
| SHA-1 | A2548 |
| SHA-1 | A2549 |
| SHA2-256 | A2548 |
| SHA2-256 | A2549 |
| SHA2-384 | A2548 |
| SHA2-384 | A2548 |
| SHA2-384 | A2549 |
| SHA3-256 | A2548 |
| SHA3-384 | A2548 |
flowchart LR
%% Deterministic review-risk graph for Trusted Platform Module ST33KTPM2XSPI / ST33KTPM2XI2C
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery<br/>upgrade<br/>firmware load</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C6 clue;
class I2,I3,I6 infer;
class R2,R3,R6 risk;
class E2,E3,E6 evidence;flowchart LR
%% Deterministic clue tier for Trusted Platform Module ST33KTPM2XSPI / ST33KTPM2XI2C
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery<br/>upgrade<br/>firmware load</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C6 clueLow;STMICROELECTRONICS Trusted Platform Module ST33KTPM2XSPI / ST33KTPM2XI2C Level 1 Date: 2024-03-06 Document Version: 01-02 NON-PROPRIETARY DOCUMENT FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
| # | Section | Page |
|---|
This document is the non-proprietary FIPS 140-3 Security Policy for the STMicroelectronics Trusted Platform Module ST33KTPM2XSPI / ST33KTPM2XI2C. It details how the module meets the requirements specified in [FIPS 140-3] for a Security Level1 module.
Next table indicates the security levels reached by the security module. ISO/IEC 24759 Section 6. FIPS 140-3 Section Title Security Level [Number Below]
Overall level 1 Table 1 - Security Levels FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
ST33KTPM2XSPI / ST33KTPM2XI2C is a fully integrated security module implementing the revision 1.59 of the Trusted Computing Group (TCG) specification for Trusted Platform Modules (TPM) version 2.0. It is designed to be integrated into personal computers and any other embedded electronic systems. TPM is primarily used for cryptographic keys generation, keys storage, keys management and secure storage for digital certificates. The security module is a single chip cryptographic HW module as defined in [FIPS 140-3]. The single silicon chip is encapsulated in a hard, opaque, production grade integrated circuit (IC) package. The cryptographic boundary is defined as the perimeter of the IC package. The security module supports both SPI and I2C interfaces, compliant with the PC Client specification [PTP 1.05]. The HW and FW cryptographic boundaries are indicated in Figure 2 and Figure 4 of the current document.
The operating environments covered by the FIPS 140-3 evaluation are summarized in the table below: Hardware Distinguishing Model [Part Number and Firmware Version Features Version] ST33KTPM2XSPI 9.256 (dec.) SPI ST33K1M5T revC ST33KTPM2XI2C 0x00.09.01.00 (hex.) SPI or I2C1 Table 2 - Cryptographic Module Tested Configuration FW version can be read in the response to the command TPM2_GetCapability with property set to TPM_PT_FIRMWARE_VERSION_1. The product is manufactured in one single package:
The security module is available in the configurations listed hereafter.
The current FIPS 140-3 level 1 security policy always applies (no mode lock requested) to this security module configuration.
FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Module configuration Module name / HW P/N ST33KTPM2XSPI Package UFQFPN32 Interface SPI Marking KE2 FW version 00.09.01.00 (9.256) TPM2.0 revision 1.59
Table 3 - KE2 security module configuration
The current FIPS 140-3 level 1 security policy always applies (no mode lock requested) to this security module configuration. SPI or I2C mode selection is done during the boot of the security module. Module configuration Module name / HW P/N ST33KTPM2XI2C Package UFQFPN 32 Interface SPI / I2C Marking KE3 FW version 00.09.01.00 (9.256) TPM2.0 revision 1.59
Table 4 - KE3 security module configuration
The security module supports the following cryptographic algorithms (both approved and nonapproved). Algorithm certificate numbers for each approved algorithm are listed below. All algorithms, keys size or curve lengths listed below are part of services offered by the module. Description / CAVP Algorithm and Mode / Method Key Size(s) / Key Use / Function Cert Standard Strength(s) A2553 AES ECB, CFB128, OFB, CBC, 128, 192, 256 Data CTR encryption/decryption [SP 800-38A] A2547 DRBG HASH_based SHA2-256 Deterministic random bit [SP 800-90A] generation A2555 ECDSA SHA2-256, SHA2-384, SHA3- P-256, P-384 Digital signature [FIPS 186-4] 256, SHA3-384 generation SHA-1, SHA2-256, SHA2-384, P-256, P-384 Digital signature SHA3-256, SHA3-384 verification ECDSA KeyVer (FIPS 186-4) P-256, P-384 Key verification Appendix B.4.1 P-256, P-384 Key generation FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Description / CAVP Algorithm and Mode / Method Key Size(s) / Key Use / Function Cert Standard Strength(s) - ENT (P) Entropy source1 [SP800-90B] A2551 HMAC SHA-1, SHA2-256, SHA2-384, 160, 256, 384 Message authentication SHA3-256, SHA3-384 A2552 [FIPS 198-1] A2555 KAS ECC (Full unified and One pass P-256, P-384 Key agreement scheme DH) [SP 800-56A Rev3]2 [SP 800-56C Rev1] A2550 KBKDF CTR Key derivation (based on HMAC) [SP 800-108] A2554 KTS-IFC KTS-OAEP-basic 2048, 3072, 4096 Key generation and key transport [SP800-56B Rev 2] RSADP Component (IG 2.4.B) 2048 Decryption primitive A2554 RSA SHA2-256, SHA2-384, 2048, 3072, 4096 Digital signature RSASSA-PKCS-v1.5, generation [FIPS 186-4] RSASSA-PSS SHA-13, SHA2-256, SHA2-384, 10244, 2048, Digital signature RSASSA-PKCS-v1.5, 3072, 4096 verification RSASSA-PSS Appendix C3.1 2048, 3072, 4096 Key generation A2548 SHA3-256, SHA3- SHA3-256, SHA3-384 Message digest [FIPS 202] A2548 SHS SHA-1, SHA2-256, SHA2-384 Message digest. SHA2-
A2549 [FIPS 180-4] SP800-90B vetted conditioner Table 5 - Approved Algorithms Algorithm Caveat Use / Function CKG Direct Generation of Symmetric Keys (Section 4 of Key generation5 [IG D.H] [SP800-133 Rev2]). RSA Use of SHA3-256 or SHA3-384 hashing algorithms. Digital signature generation [FIPS 186-4] Digital signature verification Table 6 - Vendor Affirmed Approved Algorithms
1 Seed or reseed SP800-90A approved DRBG with a minimum of 414 bits of entropy. Generate random
numbers not dedicated to being used as cryptographic material.
2 Per [IG] D.F Scenario 2 path (2), [56Ar3] compliant key agreement scheme where testing is performed end-to-end
for the shared secret computation and a KDF compliant with oneStepKdf [56Cr1] without key confirmation.
5 Symmetric keys and seeds used for generating the asymmetric keys are either generated by using
KBKDF or DRBG methods. Methods are detailed per SSPs in Table 19 and Table 20. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Algorithm Caveat Use/Function AES CFB The AES CFB algorithm itself is Approved and awarded Obfuscation of internally stored CAVP Cert. #A2553, but this usage employs a key that data is non-compliant. The usage of AES CFB in this manner is entirely internal to the module and inaccessible to the operator. No security claimed per IG 2.4.A, Example Scenario #1. XOR No security claimed per IG 2.4.A, Example Scenario #1. Obfuscation of input or output data Table 7 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed Algorithm/Function Use/Function ECC BN P-256 Key generation, digital signature generation based on BN P-256 elliptic curve ECC derived keys Secret exchange or digital signature generation/verification ECDAA Key generation, digital signature generation ECSchnorr Key generation, digital signature generation and verification HMAC Key length < 112 bits for message authentication RSA 1024-bit RSA digital signature generation RSA with no padding mode Key transport (null scheme) RSAES-PKCS1-v1_5 Key transport SHA-1 Digital signature generation Table 8 - Non-approved Algorithms not Allowed in the Approved Mode of Operation Algorithm Name Type Description SF Properties [O] Algorithms Properties SP 800-56A, Rev 3 P-256, P-384 KAS-ECC (Initiator, Key fullUnified, KAS KAS Key length 128 bits Responder), KPG, establishment onePassDH Full (Cert. #A2555) IG D.F oneStepKDF SP 800-38F KTS (AES Cert. AES CFB IG D.G KTS KTS Key Transport #A2553 + HMAC Key size 128 or SSP establishment methodology Cert. #2551) provides 128 or 256 bits of 256 bits. encryption strength SP 800-56B Rev 2 IG D.G KTS- KTS-OAEP-basic KTS-IFC (Cert. Key size 2048, KTS Key Transport RSA #A2554) 3072, or 4096 SSP establishment methodology provides between 112 and 150 bits of encryption strength Table 9 - Security Function Implementations FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
A block diagram of the security module with its associated cryptographic boundary is provided in Figure 2. RSA/ECC Flash HW accelerator memory CPU core CPU core Read RAM RAM ST ROM cache MPU MPU S bus C-AHB bus APB/AHB Cryptographic bridge boundary f APB Security Administrator EDES+ HW CRC HW accelerator SPI with RAM buffer I2C with RAM buffer Clock generator Reset manager ENT (P) accelerator Timers GPIOs module Power AES HW accelerator mngt SPI / I2C interface GPIO GND VC C LEGEND Instructions Input/output data/commands External control Internal data Cryptographic Internal control boundary Figure 2 - HW block diagram Module is composed of:
FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
The pin layouts for the ST33KTPM2XSPI / ST33KTPM2XI2C with the UFQFPN32 package in Figure 3. The security module supports both SPI and I2C physical interfaces but only one interface is configured during TPM boot. The interface configured remains active until the next module reset.
NC NC I2C SCL I2C SDA NC NC NC NC VCC 1 24 SPI MISO GND 2 23 NC NC 3 22 VCC NC 4 21 SPI MOSI NC 5 UFQFPN 20 SPI NSS GPI8 6 19 SPI CLK PP 7 18 PIRQ NC 8 17 RESET NC NC NC NC NC NC NC GND Figure 3 - UFQFPN32 Pinout Diagram Next table gives a description of the products pins. Signal Type Description Power supply. This pin must be connected to 1.8V or 3.3V DC power rail VCC Input supplied by the motherboard. GND Input GND has to be connected to the main motherboard ground. RESET Input Reset used to re-initialize the device I2C SCL / Input or I²C serial clock (Open drain with no weak pull-up resistor) or GPIO if SPI GPIO5 Input/Output interface is selected I2C SDA / I²C serial data (Open drain with no weak pull-up resistor) or GPIO if SPI Input/Output GPIO6 interface is selected PIRQ Output IRQ used by TPM to generate an interrupt SPI CLK / Input or SPI serial clock (output from master) or GPIO if I2C interface is selected GPIO1 Input/Output SPI NSS / Input or SPI slave select (active low; output from master) or GPIO if I2C interface is GPIO2 Input/Output selected SPI MISO Output or SPI Master Input, Slave Output (output from slave) or GPIO if I2C interface / GPIO0 Input/Output is selected SPI MOSI Input or SPI Master Output, Slave Input (output from master) or GPIO if I2C / GPIO3 Input/Output interface is selected GPI default to low. The level of this pin on the rising edge of the RESET GPI8 Input signal is used to determine the physical interface to use (high level corresponds to SPI configuration and low-level to I2C) Physical presence, active high, internal pull-down. Used to indicate PP Input Physical Presence to the TPM. Not Connected: connected to the die but not usable. May be left NC unconnected. Internal pull-down. Table 10 - UFQFPN32 pins definition FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
The physical port of the security module is the SPI bus or I2C Bus. The logical interfaces and their mapping to physical ports of the module are described below: Physical port Logical interface Data that passes over the port/interface SPI_NSS / SPI_CLK / SPI_MOSI / Control parts of the TPM commands provided to RESET / PP Control input the security module. It concerns all bytes of a interface command except plaintext data, ciphertext data I2C_SCL / I2C_SDA / RESET / PP and SSPs (entered with the data input interface). SPI_NSS / SPI_CLK / SPI_MISO / Control parts of the TPM responses output by the PIRQ security module. It concerns all bytes of a Control output response except plaintext data, ciphertext data interface and SSPs (output with the data output interface) I2C_SCL / I2C_SDA / PIRQ and except the responseCode of a response (output with the status output interface) SPI_NSS / SPI_CLK / SPI_MISO / PIRQ Status output Status output by the security module interface (responseCode parameter of a response) I2C_SCL / I2C_SDA SPI_NSS / SPI_CLK / SPI_MOSI Data (plaintext data, ciphertext data and SSPs) Data input provided to the security module as part of an I2C_SCL / I2C_SDA interface input processing command. SPI_NSS / SPI_CLK / SPI_MISO Data (plaintext data, ciphertext data and SSPs) Data output output by the security module as part of the I2C_SCL / I2C_SDA interface response to a processing command. VCC / GND Power interface Power interface of the security module Table 11 - Ports and Interfaces Here are some details concerning the ports and interfaces of TPM:
FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
This chapter gives details about the roles managed by TPM.
Services proposed by TPM are accessible under the roles defined in the table below. The list of services accessible by each role is indicated in Table 14. Role Service Input Output Crypto This role performs the cryptographic initialization of Any valid inputs and outputs officer (CO) the security module and executes the management for commands are usable functions. This role also covers the use of the (refer to [TPM2.0 Part3]). general security services provided by the cryptographic module. Table 12 - Roles, Service Commands, Input and Output The security module does not provide a maintenance role or maintenance interface and does not support concurrent operators. The CO role is implicitly selected by the TPM operator on service execution.
In the context of this FIPS 140-3 Level 1 evaluation, there is no authentication mechanism claimed to control access of the security module. The authorization mechanisms (password, HMAC and policy) provided by the TPM2.0 standard are available and protected as sensitive parameters but are not employed to satisfy FIPS 140-3 requirements. Crypto officer role is implicitly assumed by the operator when using services corresponding to that role.
All services are accessible under the roles defined in Table 12and no specific access rights are considered to operate with keys and SSPs. Full services inputs and outputs are defined in [TPM2.0 Part3]. Next table indicates how mandatory services required in §7.4.3.1 of [ISO/IEC 19790] are mapped to security module’s services: Mandatory service requested from Corresponding services from the security [ISO/IEC 19790] module Show module’s versioning information TPM2_GetCapability Show status TPM2_GetTestResult TPM2_SelfTest Perform self-tests TPM2_IncrementalSelfTest Perform approved security functions See approved services listed in Table 14 TPM2_Clear, TPM2_ChangePPS, Perform zeroization TPM2_ChangeEPS, TPM2_FlushContext, TPM2_EvictControl Table 13 - Mapping between services The security module does not implement any bypass capability, nor self-initiated cryptographic output capability.
Next table lists all approved services supported by the TPM. The indicator is accessible with the TPM2_GetCapability (capability = TPM_CAP_VENDOR_PROPERTIES) command by using the sub-capability TPM_SUBCAP_VENDOR_TPMA_MODES = 0x7. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Service Description Approved Security Functions Keys and/or SSPs Roles Access Indicator2 rights to Keys and/or SSPs1 TPM2_Startup Set-up the TPM after a power cycle. None ppSeed, epSeed, spSeed, CO G Approved phProof, ehProof, shProof, drbgState nullSeed, nullProof, G, Z contextKey, drbgSeed TPM2_Shutdown (I) Prepare the TPM for a power cycle. None None CO N/A Non-security relevant TPM2_SelfTest (I) Self-tests execution SHS, SHA3, ENT, HMAC, AES, None CO N/A Approved DRBG, KBKDF, KAS, RSA (signature generation, verification) ECC (signature generation, verification) TPM2_IncrementalSelfTest (I) Incremental self-tests execution SHS, SHA3, ENT, HMAC, AES, None CO N/A Approved DRBG, KBKDF, KAS, RSA (signature generation, verification), ECC (signature generation, verification) TPM2_GetTestResult (I) Get self-tests result None None CO N/A Non-security relevant TPM2_StartAuthSession (I/E/D) Session command SHS, SHA3, HMAC, AES, sesHmacKey, sesSymKey CO G, W Approved DRBG, KBKDF, KTS-RSA, KAS, KDA, CKG sesSalt E, Z objSens, objAuth, nvAuth, E platformAuth, endorsementAuth, ownerAuth, lockoutAuth, seqAuth TPM2_PolicyRestart (I) Policy session restart None None CO N/A Non-security relevant TPM2_Create (I/E/D) Object creation objSeed, objSens, objPub CO G, R, E Approved
FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
SHS, SHA3, HMAC, AES, objSymKey, objHmacKey G, E DRBG, KBKDF, CKG, RSA (signature generation, drbgState W, E verification, key generation), ECC (signature generation, verification, key generation) objAuth W nullProof, phProof, ehProof, E shProof TPM2_Load (I/E/D) Object loading SHS, SHA3, HMAC, AES, objSens, objSeed CO W, E Approved KBKDF objPub, objAuth W objSymKey, objHmacKey G, W, E TPM2_LoadExternal (I/E/D) External object loading None objPub, objSens, objAuth CO W Approved TPM2_ReadPublic (I) Read public part of a loaded object None objPub CO R Approved TPM2_ActivateCredential (I/E/D) Enables the association of a SHS, SHA3, HMAC, AES, objSens CO E Approved credential with an object KBKDF, KTS-RSA, KAS, CKG creSeed E, Z creSymKey, creHmacKey G, E, Z TPM2_MakeCredential (I/E/D) Allows the TPM to perform the SHS, SHA3, HMAC, AES, objPub CO E Approved actions required of a Certificate KBKDF, KTS-RSA, KAS, CKG Authority creSeed G, R, E, Z creSymKey, creHmacKey G, E, Z TPM2_Unseal (I/E/D) Returns the data in a loaded Sealed None objSens CO R Approved Data Object TPM2_ObjectChangeAuth (I/E/D) Changes the authorization secret for SHS, SHA3, HMAC, AES, drbgState, objAuth CO W Approved a TPM-resident object KBKDF, CKG objSeed R, E objSymKey, objHmacKey E objSens R TPM2_CreateLoaded (I/E/D) Creates an object and loads it in the SHS, SHA3, HMAC, AES, objPub CO R, E Approved TPM DRBG, KBKDF, CKG, RSA (signature generation, nullSeed, ppSeed, epSeed, E verification, key generation), spSeed, nullProof, phProof, ECC (signature generation, ehProof, shProof, ekRsa, verification, key generation) ekEcc, shProofForReseed objSeed, objSymKey, G, E objHmacKey, tdrbgState FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
objSens G, R, E drbgState W, E TPM2_Duplicate (I/E/D) Duplicates a loaded object so that it SHS, SHA3, HMAC, AES, dupSeed, dupInSymKey, CO G, E, Z Approved may be used in a different hierarchy DRBG, KBKDF, KTS-RSA, dupOutSymKey, KAS, CKG dupOutHmacKey objSens, objAuth R drbgState W, E objPub E TPM2_Rewrap (I/E/D) Rewraps a duplicated object with a SHS, SHA3, HMAC, AES, objSens CO W, E Approved new parent key KBKDF, KTS-RSA, KAS, CKG dupOutSymKey, G, E, Z dupOutHmacKey dupInpSymKey W, Z drbgState, objPub E dupSeed W, E, Z TPM2_Import (I/E/D) Allows an object to be encrypted SHS, SHA3, HMAC, AES, drbgState CO E Approved using the symmetric encryption KBKDF, KTS-RSA, KAS, CKG values of a Storage Key objSens, objPub W, E objAuth W dupSeed, dupInSymKey E, Z dupOutSymKey, W, E, Z dupOutHmacKey TPM2_RSA_Encrypt (I/E/D) Performs RSA encryption KTS-RSA objPub CO E Approved TPM2_RSA_Decrypt (I/E/D) Performs RSA decryption KTS-RSA objSens CO E Approved TPM2_ECDH_KeyGen (I/E/D) Shared secret value computation KAS drbgState CO W, E Approved using KAS ephSensEccKey G, E, Z ephPubEccKey G, R, Z objPub E TPM2_ECDH_ZGen (I/E/D) Shared secret value recovery using KAS objSens CO E Approved KAS ephPubEccKey W, E, Z FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_ECC_Parameters (I) Returns the parameters of an ECC None None CO N/A Non-security curve identified by its TCG-assigned relevant curveID TPM2_EncryptDecrypt (I/E) Symmetric encryption or decryption AES objSens CO E Approved TPM2_EncryptDecrypt2 (I/E/D) Symmetric encryption or decryption AES objSens CO E Approved TPM2_Hash (I/E/D) Performs a hash operation on data SHS, SHA3 nullProof, phProof, ehProof, CO E Approved shProof TPM2_HMAC (I/E/D) Performs a HMAC operation on data HMAC objSens CO E Approved TPM2_GetRandom (I/E) Outputs random bytes from a DRBG DRBG drbgState CO W, E Approved TPM2_StirRandom (I/D) Reseed the state of a DRBG ENT(P), DRBG drbgSeed CO W, E, Z Approved drbgState W, E TPM2_HMAC_Start (I/D) Starts an HMAC sequence HMAC seqAuth CO W Approved objSens E TPM2_HashSequenceStart (I/D) Starts a hash or an event sequence SHS, SHA3 seqAuth CO W Approved TPM2_SequenceUpdate (I/D) Adds data to a hash or HMAC SHS, SHA3, HMAC objSens CO E Approved sequence TPM2_SequenceComplete (I/E/D) Adds last part of data to a hash or SHS, SHA3, HMAC nullProof, phProof, ehProof, CO E Approved HMAC sequence and returns the shProof, objSens result seqAuth Z TPM2_EventSequenceComplete (I/D) Adds last part of data to a hash or SHS, SHA3, HMAC objSens CO E Approved HMAC sequence and returns the result in a digest list seqAuth Z TPM2_Certify (I/E/D) Proves that an object with a specific SHS, SHA3, HMAC, DRBG, drbgState CO W, E Approved Name is loaded in the TPM KBKDF, CKG, RSA (signature generation), objSens, shProof E ECC (signature generation) TPM2_CertifyCreation (I/E/D) Proves the association between an SHS, SHA3, HMAC, drbgState CO W, E Approved object and its creation data DRBG, KBKDF, CKG, objSens, nullProof, phProof, E RSA (signature generation), ehProof, shProof ECC (signature generation) TPM2_Quote (I/E/D) Quotes PCR values SHS, SHA3, HMAC, drbgState CO W, E Approved FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
DRBG, KBKDF, CKG, objSens, shProof E RSA (signature generation), ECC (signature generation) TPM2_GetSessionAuditDigest (I/E/D) Returns a digital signature of the SHS, SHA3, HMAC, drbgState CO W, E Approved audit session digest DRBG, KBKDF, CKG, objSens, shProof E RSA (signature generation), ECC (signature generation) TPM2_GetCommandAuditDigest (I/E/D) Returns the current value of the SHS, SHA3, HMAC, drbgState CO W, E Approved command audit digest, a digest of DRBG, KBKDF, CKG, the commands being audited, and objSens, shProof E the audit hash algorithm RSA (signature generation), ECC (signature generation) TPM2_GetTime (I/E/D) Returns the current values of Time SHS, SHA3, HMAC, drbgState CO W, E Approved and Clock DRBG, KBKDF, CKG, objSens, shProof E RSA (signature generation), ECC (signature generation) TPM2_CertifyX509 (I/E/D) X.509 certificate generation SHS, SHA3, drbgState CO W, E Approved RSA (signature generation), objSens E ECC (signature generation TPM2_VerifySignature (I/D) Validates a signature on a message HMAC, objPub, nullProof, phProof, CO E Approved with the message digest passed to RSA (signature generation), ehProof, shProof the TPM ECC (signature generation) TPM2_Sign (I/D) Signs an externally provided hash SHS, SHA3, HMAC, objSens, nullProof, phProof, CO E Approved with the specified symmetric or DRBG, ehProof, shProof asymmetric signing key RSA (signature generation), ECC (signature generation) TPM2_SetCommandCodeAuditStatus (I) Changes the audit status of a None None CO N/A Non-security command or to set the hash relevant algorithm used for the audit digest TPM2_PCR_Extend (I) Updates the indicated PCR SHS, SHA3 None CO N/A Approved TPM2_PCR_Event (I/D) Updates the indicated PCR and SHS, SHA3 None CO N/A Approved reports list of digests TPM2_PCR_Read (I) Returns the values of all PCR None None CO N/A Non-security specified in pcrSelectionIn relevant FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_PCR_Allocate (I) Sets the desired PCR allocation of None None CO N/A Non-security PCR and algorithms relevant TPM2_PCR_Reset (I) Sets the PCR in all banks to zero None None CO N/A Non-security relevant _TPM_Hash_Start Indicates to the TPM interface the SHS, SHA3 None CO N/A Approved start of an H-CRTM measurement sequence _TPM_Hash_Data Indicates to the TPM interface data SHS, SHA3 None CO N/A Approved to be included in the H-CRTM measurement sequence _TPM_Hash_End Indicates to the TPM interface the SHS, SHA3 None CO N/A Approved end of the H-CRTM measurement sequence TPM2_PolicySigned (I/E/D) Includes a signed authorization in a SHS, SHA3, HMAC, objPub, nullProof, phProof, CO E Approved policy RSA (signature verification), ehProof, shProof ECC (signature verification) TPM2_PolicySecret (I/E/D) Includes a secret-based SHS, SHA3, HMAC nullProof, phProof, ehProof, CO E Approved authorization to a policy shProof TPM2_PolicyTicket (I/D) Includes a ticket in a policy SHS, SHA3, HMAC nullProof, phProof, ehProof, CO E Approved shProof TPM2_PolicyOR (I) Allows options in authorizations SHS, SHA3 None CO N/A Approved without requiring that the TPM evaluate all the options TPM2_PolicyPCR (I/D) Causes conditional gating of a policy SHS, SHA3 None CO N/A Approved based on PCR TPM2_PolicyLocality (I) Indicates that the policy will be SHS, SHA3 None CO N/A Approved limited to a specific locality TPM2_PolicyNV (I/D) Causes conditional gating of a policy SHS, SHA3 None CO N/A Approved based on the contents of an NV Index TPM2_PolicyCounterTimer (I/D) Causes conditional gating of a policy SHS, SHA3 None CO N/A Approved based on the contents of the TPMS_TIME_INFO structure TPM2_PolicyCommandCode (I) Limits policy to a specific command SHS, SHA3 None CO N/A Approved code FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_PolicyPhysicalPresence (I) Physical presence will need to be SHS, SHA3 None CO N/A Approved asserted at the time the authorization is performed TPM2_PolicyCpHash (I/D) Allows a policy to be bound to a SHS, SHA3 None CO N/A Approved specific command and command parameters TPM2_PolicyNameHash (I/D) Allows a policy to be bound to a SHS, SHA3 None CO N/A Approved specific set of TPM entities without being bound to the parameters of the command TPM2_PolicyDuplicationSelect (I/D) Allows qualification of duplication to SHS, SHA3 None CO N/A Approved allow duplication to a selected new parent TPM2_PolicyAuthorize (I/D) Let a policy authority sign a new SHS, SHA3, HMAC nullProof, phProof, ehProof, CO E Approved policy so that it may be used in an shProof existing policy TPM2_PolicyAuthValue (I) Allows a policy to be bound to the SHS, SHA3 None CO N/A Approved authorization value of the authorized entity TPM2_PolicyPassword (I) Allows a policy to be bound to the SHS, SHA3 None CO N/A Approved authorization value of the authorized object TPM2_PolicyGetDigest (I/E) Returns the current policyDigest of a None None CO N/A Non-security policy session relevant TPM2_PolicyNvWritten (I) Allows a policy to be bound to the SHS, SHA3 None CO N/A Approved TPMA_NV_WRITTEN attributes TPM2_PolicyTemplate (I/D) Allows a policy to be bound to a SHS, SHA3 None CO N/A Approved specific creation template TPM2_PolicyAuthorizeNV (I) Provides a capability that is the SHS, SHA3 None CO N/A Approved equivalent of a revocable policy TPM2_CreatePrimary (I/E/D) Creates a Primary Object under one SHS, SHA3, HMAC, objPub CO R, E Approved of the Primary Seeds or a Temporary AES, DRBG, KBKDF, CKG, Object under TPM_RH_NULL nullSeed, ppSeed, epSeed, E RSA (signature generation, spSeed, nullProof, phProof, verification, key generation), ehProof, shProof, ekRsa, ECC (signature generation, ekEcc, shProofForReseed verification, key generation) objSeed, objSymKey, G, E objHmacKey, tdrbgState FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
objSens G, R, E drbgState W, E TPM2_HierarchyControl (I) Enables and disables use of a None None CO N/A Non-security hierarchy and its associated NV relevant storage TPM2_SetPrimaryPolicy (I/D) Sets the authorization policy for a None None CO N/A Non-security hierarchy relevant TPM2_ChangePPS (I) Replaces the current platform None drbgState CO W, E Approved primary seed (PPS) with a value from the DRBG and sets ppSeed, phProof, objSeed, Z platformPolicy to the default objSens, objPub initialization value TPM2_ChangeEPS (I) Replaces the current endorsement None drbgState CO W, E Approved primary seed (EPS) with a value from the DRBG and sets epSeed, ehProof, objSeed, Z endorsementPolicy to the default objSens, objPub, ekRsa, ekEcc initialization value TPM2_Clear (I) Removes all TPM context associated None drbgState CO W, E Approved with a specific Owner spSeed, ehProof, shProof, Z shProofForReseed, objSeed, objSens, objPub, objAuth TPM2_ClearControl (I) Disables and enables the execution None None CO N/A Non-security of TPM2_Clear() relevant TPM2_HierarchyChangeAuth (I/D) Changes the authValue of None None CO N/A Non-security hierarchies relevant TPM2_DictionaryAttackLockReset (I) Cancels the effect of a TPM lockout None None CO N/A Non-security due to several successive relevant authorization failures TPM2_DictionaryAttackParameters (I) Changes the lockout parameters None None CO N/A Non-security relevant TPM2_VendorCmdFieldUpgradeStart (I) Initiates a field upgrade session SHS, SHA3, KBKDF, CKG, fuSigKey CO E Approved ECC (signature verification) TPM2_VendorCmdFieldUpgradeData (I) Conveys firmware in a field upgrade SHS None CO N/A Approved session TPM2_ContextSave KBKDF, HMAC, AES, CKG contextEncKey CO G, E, Z Approved FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Saves a session context, object objSeed, objSens, objPub, R context, or sequence object context objAuth outside the TPM nullProof, phProof, ehProof, E shProof, contextEncKey, contextKey TPM2_ContextLoad Reloads a context that has been KBKDF, HMAC, AES, CKG contextEncKey CO G, E, Z Approved saved by TPM2_ContextSave() objSeed, objSens, objPub, R objAuth nullProof, phProof, ehProof, E shProof, contextEncKey, contextKey TPM2_FlushContext Causes all context associated with a None objSeed, objSens, objPub, CO Z Approved loaded object, sequence object, or sesHmacKey, sesSymKey session to be removed from TPM memory TPM2_EvictControl (I) Allows certain Transient Objects to None objSeed, objSens, objPub, CO R, W, Z Approved be made persistent or a persistent objAuth object to be evicted sesHmacKey, sesSymKey R, W TPM2_ReadClock (I) Reads the current None None CO N/A Non-security TPMS_TIME_INFO structure relevant TPM2_ClockSet (I) Advances the value of the TPM’s None None CO N/A Non-security clock relevant TPM2_ClockRateAdjust (I) Adjusts the rate of advance of Clock None None CO N/A Non-security and Time relevant TPM2_GetCapability (I) Returns various information None None CO N/A Non-security regarding the TPM and its current relevant state TPM2_TestParms (I) Checks if specific combinations of None None CO N/A Non-security algorithm parameters are supported relevant TPM2_NV_DefineSpace (I/D) Defines the attributes of an NV Index None nvAuth CO W Approved and causes the TPM to reserve space to hold the data associated with the NV Index TPM2_NV_UndefineSpace (I) Removes an Index from the TPM None nvAuth CO Z Approved FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_NV_UndefineSpaceSpecial (I) Removal of a platform-created NV None nvAuth CO Z Approved Index that has TPMA_NV_POLICY_DELETE SET TPM2_NV_ReadPublic (I/E) Reads the public area and Name of SHS, SHA3 None CO N/A Approved an NV Index TPM2_NV_Write (I/D) Writes a value to an area in NV None None CO N/A Non-security memory that was previously defined relevant by TPM2_NV_DefineSpace() TPM2_NV_Increment (I) Increments the value in an NV Index None None CO N/A Non-security that has the TPM_NT_COUNTER relevant attribute TPM2_NV_Extend (I/D) Extends a value to an area in NV SHS, SHA3 None CO N/A Approved memory that was previously defined by TPM2_NV_DefineSpace() TPM2_NV_SetBits (I) Sets bits in an NV Index that was None None CO N/A Non-security created as a bit field relevant TPM2_NV_WriteLock (I) Inhibits further writes of the NV Index None None CO N/A Non-security if the TPMA_NV_WRITEDEFINE or relevant TPMA_NV_WRITE_STCLEAR attributes of an NV location are SET TPM2_NV_GlobalWriteLock (I) Sets TPMA_NV_WRITELOCKED for None None CO N/A Non-security all indexes that have their relevant TPMA_NV_GLOBALLOCK attribute SET TPM2_NV_Read (I/E) Reads a value from an area in NV None None CO N/A Non-security memory previously defined by relevant TPM2_NV_DefineSpace() TPM2_NV_ReadLock (I) Prevents further reads of the NV None None CO N/A Non-security Index until the next TPM2_Startup relevant (TPM_SU_CLEAR) if TPMA_NV_READ_STCLEAR is SET TPM2_NV_ChangeAuth (I/D) Allows the authValue of an NV Index None nvAuth CO W Approved to be changed TPM2_NV_Certify (I/E/D) Certifies the contents of an NV Index SHS, SHA3, HMAC, objSens CO E Approved or portion of an NV Index ECC (signature generation), RSA (signature generation) TPM2_VendorCmdSetMode (I) Sets the low power mode None None CO N/A Non-security relevant FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_VendorCmdSetCommandSet (I) Activates and locks commands None None CO N/A Non-security relevant TPM2_VendorCmdSetCommandSetLock (I) Prevents locking commands None None CO N/A Non-security relevant TPM2_VendorCmdGetRandom2 (I/E) Get random value from DRBG DRBG drbgState CO W, E Approved TPM2_VendorCmdGPIOConfig (I) Configures GPIO None None CO N/A Non-security relevant TPM2_VendorCmdGetRandom800_90B (I/E) Get random value from ENT (P) ENT None CO N/A Approved TPM2_VendorCmdChangeObjectDeletionAuth Modifies deletion authorization for an None None CO N/A Non-security (I) object relevant TPM2_VendorCmdRestoreEK (I) Restore EK RSA or EK ECC in case None ekRsa, ekEcc CO W Approved of deletion by TPM2_ChangeEPS TPM2_VendorCmdZeroizeEK (I) Zeroize EK RSA and EK ECC None ekRsa, ekEcc CO Z Approved TPM2_PP_Commands Determines which commands require None None CO N/A Non-security assertion of Physical Presence relevant Integrity mechanism provided by sessions1 This service is not callable from TPM SHS, SHA3, DRBG, KBKDF, sesHmacKey CO E, Z Approved interface but is only used internally HMAC, CKG by any command and response with an authorization area. It consists in computing the integrity of the received command or transmitted response. Encryption mechanism provided by sessions2 This service is not callable from TPM SHS, SHA3, DRBG, KBKDF, sesSymKey CO G, E, Z Approved interface but is only used internally CKG, AES, XOR by any command and response with an encryption or decryption session. It consists in decrypting the first parameter of a received command or encrypting the first parameter of a transmitted response. Table 14 - Approved Services
1 The internal security function is not directly callable from the security module external interfaces. Function is used (or might be used) by the services listed in this table. When a service
is usable with a session, (I) is added next to the service name. When a service can additionally use the encryption mechanism of a session, (I/E) is added next to the service name. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Name Description Algorithms Accessed Role Indicator TPM2_Create Creation or loading of an ECC key with a non-approved elliptic curve: ECC BN P-256 CO Not approved TPM2_CreateLoaded
TPM2_HMAC_Start HMAC generation with a key length < 112 bits HMAC CO Not approved TPM2_SequenceUpdate TPM2_SequenceComplete TPM2_Certify Digital signature with a non-approved signature scheme: ECDAA, CO Not approved TPM2_CertifyCreation
Digital signature with an ECC or RSA key loaded in the NULL hierarchy RSA, ECDSA TPM2_PolicySigned Digital signature verification with a non-approved signature scheme or a non- ECDAA, CO Not approved approved curve: ECSchnorr,
A block diagram of the FW is provided in Figure 4. Core Memory Loader Sequencer Sequencer HWINTF HWINTF library TPM2.0 commands library TPM2.0 commands TPM2.0 core TPM2.0 core Memory Memory management and management and low-level services low-level services Cryptographic Cryptographic library library TPM instance #1 TPM instance #2 Figure 4 - FW block diagram FW integrity is verified by computing an EDC (CRC-16 ISO 13239) over the active FW and comparing it to a reference value. FW integrity is verified during boot sequence before execution of one of the code blocks (CML and TPM) and can be triggered on demand by the operator with the execution of the service TPM2_SelfTest (full parameter must be set to YES) or TPM2_IncrementalSelfTest. If failure is detected during boot sequence, TPM enters an infinite reset loop that can be exit only by a power-off/power-on sequence. If failure is detected during self-tests, the security module enters failure mode. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Module operational environment is “limited” because it allows loading authenticated firmware that meets all applicable requirements of [FIPS 140-3] standard. Loading of FW on the security module can be achieved by using two services:
The security module meets the Physical Security protection requirements for single-chip module at FIPS 140-3 Level 1. The module is production grade.
Zeroization, performed for physical security purposes by some services (refer to detailed services in Table 15), occurs in a sufficiently small time-period to prevent the recovery of the sensitive data between the time of detection and the actual zeroization. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
The security module does not claim support of non-invasive security attack mitigation techniques referenced in [NIST SP800-140F]. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Next table lists the SSP storage methods. Name Description Persistence Type Dynamic RAM Volatile memory used to store SSPs between two consecutive resets or power-on/power-off sequence of the security module. Dynamic SSPs doesn’t persist after command execution. Static RAM Volatile memory used to store SSPs between two consecutive resets or power-on/power-off sequence of the security module. Static SSPs persist after command execution. NVRAM Non-volatile memory (flash-based) used to store SSPs and make them persistent to a reset or a power-off/power-on sequence of the security module Static Table 16 - Storage Areas
Next table lists the SSP input and output methods. Name From To Format type Distribution type Entry type SFI or Algorithm [O] Input plaintext to NVRAM Outside of cryptographic NVRAM Plaintext Manual or Automated Electronic None boundary Input protected to NVRAM Outside of cryptographic NVRAM Encrypted Manual or Automated Electronic KTS (AES cert + HMAC cert) (A2553 + A2551) boundary Input plaintext to RAM Outside of cryptographic Static RAM Plaintext Manual or Automated Electronic None boundary Input protected to RAM Outside of cryptographic Static RAM Encrypted Manual or Automated Electronic KTS (AES cert + HMAC cert) (A2553 + A2551) boundary Output plaintext from NVRAM NVRAM Outside of cryptographic Plaintext Manual or Automated Electronic None boundary Output protected from NVRAM NVRAM Outside of cryptographic Encrypted Manual or Automated Electronic KTS (AES cert + HMAC cert) (A2553 + A2551) boundary Output plaintext from RAM Static RAM Outside of cryptographic Plaintext Manual or Automated Electronic None boundary Output protected from RAM Static RAM Outside of cryptographic Encrypted Manual or Automated Electronic KTS (AES cert + HMAC cert) (A2553 + A2551) boundary Input asym. encrypted to RAM Outside of cryptographic Static RAM Encrypted Manual or Automated Electronic KTS-RSA (A2554) boundary KAS (A2555) Output asym. encrypted to Static RAM Outside of cryptographic Encrypted Manual or Automated Electronic KTS-RSA (A2554) RAM boundary KAS (A2555) Input during manufacturing Outside of cryptographic NVRAM Obfuscated Automated Electronic None boundary Table 17 - SSP Input-Output Methods
Next table lists the SSP zeroization methods. Method Description Rationale Operator Initiation Capability Reset Zeroization of all volatile SSPs - Activation of reset signal TPM2_Clear Zeroization of all contexts associated with an Owner SSPs linked to an Owner must not persist if the Owner changes Send TPM2_Clear command TPM2_Startup Zeroization of platformAuth Zeroize platformAuth before its first use after a reset Send TPM2_Startup command TPM2_ChangePPS Zeroize the platform primary seed and flush all transient Platform hierarchy renewal Send TPM2_ChangePPS command and persistent objects in the Platform hierarchy FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_ChangeEPS Zeroize the endorsement primary seed and flush all Endorsement hierarchy renewal Send TPM2_ChangeEPS command transient and persistent objects in the Endorsement hierarchy TPM2_EvictControl Zeroize an object from NVRAM Method required to zeroize a dedicated object in NVRAM Send TPM2_EvictControl command TPM2_FlushContext Zeroize an object from RAM Method required to zeroize a dedicated object in RAM Send TPM2_FlushContext command Automatic Zeroize SSPs at the end of a command processing Method for limited life-cycle SSPs No, zeroization is automatic. TPM2_NV_UndefineSpace Zeroize a NV index Method required to flush NV indices from NVRAM Send TPM2_NV_UndefineSpace command. TPM2_NV_UndefineSpaceSpecial Send TPM2_NV_UndefineSpaceSpecial command TPM2_VendorCmdZeroizeEK Zeroize the endorsement key provisioned Mandatory zeroization method for EK SSPs Send TPM2_ZeroizeEK command TPM2_SequenceComplete Zeroize a hash or HMAC sequence Method required to flush sequences from RAM Send TPM2_SequenceComplete command. TPM2_EventSequenceComplete Send TPM2_EventSequenceComplete command Table 18 - SSP Zeroization Methods
Next tables list all the SSPs in the security module. Name1 Description Size Strength Type Generated Established Inputs / Outputs Storage Zeroization Used by3 Category Related SSPs (bits) by2 by nullProof Proof (secret 512 256 Symmetric key DRBG Internal - Obfuscated in Reset
1 Temporary storage duration column was removed for readability purpose because when temporary storage is indicated, duration corresponds to the duration of a command execution.
2 The algorithms indicated in this column correspond to the certified algorithms listed in Table 5.
3 The algorithms indicated in this column correspond to the certified algorithms listed in Table 5.
FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
endorsementAuth Authentication 512 Authentication Set to 0 by Internal / Obfuscated in TPM2_Clear
4096 private key Input plaintext to RAM NVRAM TPM2_ChangeEPS
(RSA) (AES all modes) protect objSens 128, 192,
256 (AES)
256, 384 (RSA all modes) primary objects, from (ECC)
1 to 1024 ECDSA, HMAC all modes) objects and derived from
(HMAC)
4096 RSA key NVRAM TPM2_ChangeEPS 384, RSASSA-PKCS-v1.5,
(RSA) generation / RSASSA-PSS) 512,768 -
SHA2-256, SHA2-384, SHA3256, SHA3-384) nvAuth Authorization of 1 to 384 1 to 256 Authentication User External Input protected to RAM Obfuscated in TPM2_NV_UndefineSpace HMAC SHS/SHA3 and/or KBKDF CTR CSP sesHmacKey can be NV index value / Input plaintext to RAM NVRAM TPM2_NV_UndefineSpaceSpecial keys or part of keys in session based derived from nvAuth Symmetric key Changed with command on HMAC or password (usage is the TPM2_NV_ChangeAuth. same than for endorsementAuth, New input nvAuth value ownerAuth, platformAuth and can be wrapped by lockoutAuth) sesSymKey and integrity protected by sesHmacKey sesSalt Salt for keys 160, 256, 128 to 256 Symmetric key User External Input protected to RAM Obfuscated in Automatic Part of KBKDF CTR key to generate the CSP sesHmacKey is derived diversification 384 Dynamic RAM sesHmacKey CSP (cf. [TPM2.0 Part1 from sesSalt sesHmacKey HMAC session 160, 256, 128 to 256 Symmetric key KBKDF Internal / Input protected to RAM Obfuscated in Automatic
ekRsa Provisioned RSA 2048 112 RSA private RSA key External Input during manufacturing Obfuscated in TPM2_ZeroizeEK KTS-RSA KTS-OAEP basic CSP ekRsa is copied in endorsement key key generation NVRAM objSens ekEcc Provisioned ECC 256, 384 128 to 192 ECC private ECDSA key External Input during manufacturing Obfuscated in TPM2_ZeroizeEK KAS ECC one pass DH service CSP ekEcc is copied in objSens endorsement key key generation NVRAM fuSigKey Field upgrade 384 192 ECC public ECDSA key External Input during manufacturing Obfuscated in - ECDSA SHA2-384 signature PSP signature key generation NVRAM verification on a FW upgrade start verification key command seqAuth Authorization 1 to 384 1 to 256 Authentication User External Input plaintext to RAM Obfuscated in TPM2_SequenceComplete HMAC SHS/SHA3 and/or KBKDF CTR CSP sesSymKey and value for hash or value / Input protected to RAM NVRAM TPM2_EventSequenceComplete keys or part of keys in session based sesHmacKey are derived HMAC sequence Symmetric key on on HMAC or password for from seqAuth TPM2_HashSequenceStart or TPM2_SequenceUpdate, TPM2_HMAC_Start TPM2_SequenceComplete or commands TPM2_EventSequenceComplete commands authorizations Table 19 - SSPs (list of keys) Name1 Description Size (bits) Strength Type Generated Established Inputs / Storage Zeroization Used by3 Category Related SSPs by2 by Outputs nullSeed Seed of the null hierarchy 512 256 Seed ENT(P) Internal - Obfuscated in Static RAM Reset DRBG HASH_based SHA2-256 to generate CSP tdrbgState is random used for sensitive part creation of instantiated by primary keys (prime numbers for RSA and nullSeed / phSeed / phSeed Seed of the platform hierarchy 512 256 Seed ENT(P) Internal - Obfuscated in NVRAM TPM2_ChangePPS private key for ECC / KEYEDHASH / CSP ehSeed / shSeed SYMCIPHER objects) and objSeed CSP ehSeed Seed of the endorsement hierarchy 512 256 Seed ENT(P) Internal - Obfuscated in NVRAM TPM2_ChangeEPS creation for all types of primary keys. CSP shSeed Seed of the storage hierarchy 512 256 Seed ENT(P) Internal - Obfuscated in NVRAM TPM2_Clear CSP drbgState Internal state (V and C secret values) 256 256 State DRBG Internal - Obfuscated in Static RAM TPM2_Clear Random numbers and seeds CSP drbgState is seeded of the DRBG (based on SHA256) by drbgSeed drbgSeed Seed value for the DRBG 512 256 Seed ENT(P) Internal - Obfuscated in Dynamic RAM Automatic drbgState CSP drbgSeed seeds drbgState tdrbgState Internal state (V and C secret values) 256 256 State DRBG Internal - Obfuscated in Dynamic RAM Automatic Prime numbers generation for primary RSA CSP tdrbgState is of the transient DRBG (based on keys instantiated by SHA256) used to generate prime nullSeed / phSeed / numbers for primary RSA keys. ehSeed / shSeed Table 20 - SSPs (not used as keys) Next table gives the security strength of a key depending on the underlying algorithm used and its size. Algorithm Underlying algorithm Key size (bits) Security strength (bits) KBKDF SHA-1 size ≥ 128 128 size < 128 Key size SHA2-256 size ≥ 192 192 size < 192 Key size SHA2-384 size ≥ 256 256 size < 256 Key size HMAC SHA-1 size ≥ 128 128 size < 128 Key size SHA2-256 size ≥ 192 192
1 Temporary storage duration column was removed for readability purpose because when temporary storage is indicated, duration corresponds to the duration of a command execution.
2 The algorithms indicated in this column correspond to the certified algorithms listed in Table 5.
3 The algorithms indicated in this column correspond to the certified algorithms listed in Table 5.
FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
size < 192 Key size SHA2-384 size ≥ 256 256 size < 256 Key size DRBG SHA2-256 - 256 AES - 128 128 - 192 192 - 256 256 RSA - 2048 112 - 3072 128 - 4096 142 ECC - 256 128 - 384 192 Table 21 - Security strength of a key depending on the underlying algorithm used and its size FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
The security module implements:
Self-tests run by the cryptographic module are split into two categories:
In case of self-test failure, the security module outputs the return code TPM_RC_FAILURE as defined in [TPM2.0 Part2] via the status interface and the module enters the failure state. In failure state, the module does not perform any cryptographic functions and all data output via the data output interface are inhibited. The only usable services in failure state are TPM2_GetTestResult and TPM2_GetCapability to get a status on the functionality whose selftest failed. Failure can be exit by resetting the security module. If pre-operational self-tests passed successfully, no success status is indicated but commands that require self-tests to be completed can be successfully executed.
The module performs the following pre-operational self-tests: Test Algorithm Implementation Test properties Type Indicator Details Method Firmware NA CRC-16 EDC Integrity FW integrity is verified by integrity Test computing an EDC (CRC-16 ISO 13239) and comparing it to reference values. HW integrity NA HW registers Critical HW integrity is guaranteed via verification Function Processing of check of HW sensors. If failure TPM2_Startup is detected during boot command sequence, status is set to indicates tests FAIL, and error is returned. have been run ENT(P) NA RCT and APT SP 800- Critical TPM performs AIS31 and 90B Health- Function SP800-90B (RCT and APT) Tests start-up health tests on ENT(P) output sequence. If test fails, test status is set to FAIL, and an error is returned. Table 23 - Pre-Operational Self-Tests
The Module performs the following conditional self-tests: Test Test Algorithm Implementation Type Indicator1 Details Condition properties Method Firmware NA CRC-16 EDC Integrity FW integrity is verified by integrity Test computing an EDC (CRC-16 ISO 13239) and comparing it to reference values. TPM2_SelfTest HW integrity NA NA Flags Critical Bit #1 clear HW integrity is guaranteed via (full = YES) verification Function check of HW sensors. If failure is detected during boot sequence, status is set to FAIL, and error is returned.
1 Bit index indicated corresponds to the index in the algo_status field in the TPM2_GetTestResult
response FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
ENT(P) NA RCT and APT SP 800- Critical AIS31 and SP800-90B (RCT 90B Function and APT) start-up health tests Health- on ENT(P) output sequence. If Tests test fails, test status is set to FAIL, and error is returned. Hash-DRBG NA Seed (64 KAT CAST Instantiate then Reseed are bytes) seeded with a known seed value. Random is then generated with Generate API to output a 32-bytes value compared to a reference value (single test sequence done in accordance with §11.3 of [SP800-90A]). SHA1 Known data Bit #1 clear Hash of known data and (16 bytes) comparison of output to an expected digest (20 bytes). SHA256 Certs #A2548 Bit #2 clear Hash of known data and and #A2549 comparison of output to an implementations expected digest (32 bytes). SHA384 Bit #3 clear Hash of known data and comparison of output to an expected digest (48 bytes). SHA3_256 NA Bit #4 clear Hash of known data and comparison of output to an expected digest (32 bytes). HMAC SHA1 Certs #A2551 known data Bit #5 clear HMAC on known data and and #A2552 (16 bytes) known key. Comparison of implementations known key (16 output to an expected MAC bytes value (20 bytes). KDF SP800- NA known data Bit #6 clear KDF on known data and known
108 (16 bytes) label. Comparison of output to
known label an expected derivation value (“TEST”) (32 bytes). TPM2_SelfTest (full = YES) AES NA known data Bit #7 clear AES CBC 128 encryption of (32 bytes) known data compared to a or known key (16 reference value. AES CBC 128 TPM2_SelfTest bytes) known decryption of encrypted data (full = NO) IV (16 bytes). and comparison to the initial plaintext data. or TPM2_Increme KAS NA known private Bit #8 clear Primitive “Z” Computation and ntalSelfTest key d (32 key derivation are or bytes) known implemented: a known private point P (2*32 key d is used with a known Execution of bytes) point P of NIST P-256 curve to command NIST P-256 compute Q = dP. Key requiring curve derivation of Q performed with algorithm SHA-1 underlying algorithm to output a key of 20 bytes that is or compared to a refence value. Automatic execution ECDSA NA Known key Bit #9 clear ECDSA signature generation (256 bits) on known data with known key known data and k. Output of signature is (20 bytes) compared to a reference signature. Signature verification fixed k (20 performed on the generated bytes) signature. NIST P-256 curve FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
RSA NA Known key Bit #10 clear RSA signature generation on (2048 bits) known data with a known key. known data Output of signature is (20 bytes) compared to a reference signature. Signature verification RSASSA- performed on the generated PKCS1-v1_5 signature (covers also KTSRSA functionality). FW load NA ECDSA NIST Firmware Bit #1 clear Verification of chained digest P-384) load and signature (ECDSA NIST PSHA384 384) to ensure authentication of the FW RSA key NA known data PCT PCT Key creation Depending on the key purpose RSA key generation (16 bytes) failure (signing or encrypting) generation indicated in sign attribute of the key, en/decryption or signing/verification is done on known data. ECC key NA fixed k (20 PCT PCT Key creation Depending on the key purpose ECC key generation bytes) failure (signing or key establishment) generation NIST P-256 an ECDSA signature is generated (k fixed and the or message varies) and verified NIST P-384 with pairwise consistency test as defined by SP800-56Ar3. Table 24 - Conditional Self-Tests
Successful completion of self-tests can be verified through use of TPM2_GetTestResult command. The first 4 bytes of response indicate self-tests status. If they are equal to 0, selftests completed successfully. If not, the subsequent 4 bytes indicate the list of algorithms not fully self-tested. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
During installation of the module:
No initialization procedures are required.
TPM is operated in an approved mode of operation as long as no non-approved service using a non-approved algorithm (listed resp. in Table 15 and Table 14), is used. No specific rules of operation are required to operate this module at FIPS 140-3 Level 1.
TPM is in normal operation mode when all pre-operational and conditional self-tests (apart from FW load and PCT tests) are complete. All approved and non-approved services are listed resp. in Table 14 and Table 15 with the corresponding indicator reporting if the service uses an approved cryptographic algorithm or security function.
TPM may reach specific states depending on the sequence of operations that occurred.
The shutdown mode is an infinite HW reset loop that may be exit only by a power-off/poweron sequence. This state is entered when TPM detects a failure of the FW integrity verification during the TPM boot sequence. No output control or data is available in this mode.
Failure state is a state of the TPM that restricts the executable commands to TPM2_GetCapability and TPM2_GetTestResult (status services). TPM answers to all other commands with the error code TPM_RC_FAILURE (0x101) and doesn’t process the requested service. This state is entered when a self-test fails (except FW integrity test during the boot sequence). This state can be exit with a reset of the TPM.
The module enters a non-approved mode if one of the non-approved services listed in Table
15 is used by the operator. To check if the TPM is in a non-approved mode of operation,
TPM2_GetCapability (capability = TPM_CAP_VENDOR_PROPERTIES) with the subcapability TPM_SUBCAP_VENDOR_TPMA_MODES = 0x7 shall be used. It outputs a 2-bit indicator equals to 0x2 or 0x3 if the module is in a non-approved mode of operation.
End-of-life of the product requires the following zeroization commands to be executed:
The security module does not claim mitigation of other attacks. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Reference Document TPM2.0 standard [TPM2.0 Part1] TPM2.0 Main, Part 1, Architecture, rev 1.59, TCG [TPM2.0 Part2] TPM2.0 Main, Part 2, Structures, rev 1.59, TCG [TPM2.0 Part3] TPM2.0 Main, Part 3, Commands, rev 1.59, TCG [TPM2.0 Part4] TPM2.0 Main, Part 4, Supporting routines, rev 1.59, TCG [TPM2.0 PTP] TCG PC Client Platform TPM Profile (PTP) Specification, rev. 1.05 [TPM2.0 FIPS 140-3] TCG FIPS 140-3 Guidance for TPM2.0, v1.0, TCG FIPS 140-3 standard [ISO/IEC 19790] Information technology
Reference Document [FIPS 140-3 IG] National Institute of Standards and Technology and Canadian Centre for Cyber Security, Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program NIST approved security functions [SP800-131Ar2] National Institute of Standards and Technology, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, March 2019. [FIPS 197] National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 2001 [SP800-38A] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Methods and Techniques, December 2001. [SP800-38F] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, December 2012. [FIPS 186-4] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July 2013 [FIPS 180-4] National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August 2015 [FIPS 202] National Institute of Standards and Technology, SHA3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015 [FIPS 198-1] National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code, NIST Computer Security Division Page 3 07/26/2011, (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008 [SP800-135] National Institute of Standards and Technology, Recommendation for Existing Application-Specific Key Derivation Functions, December 2011. [SP800-108] National Institute of Standards and Technology, Recommendation for Key Derivation Using Pseudorandom Functions, October 2009. [SP800-90A] National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, June 2015. [SP800-56A] Rev 3 National Institute of Standards and Technology, Recommendation for PairWise Key Establishment Schemes Using Discrete Logarithm Cryptography, April 2018. [SP800-56B] Rev 2 National Institute of Standards and Technology, Recommendation for PairWise Key-Establishment Using Integer Factorization Cryptography, March 2019 [SP800-56C] Rev 1 National Institute of Standards and Technology, Recommendation for KeyDerivation Methods in Key-Establishment Schemes, April 2018 [SP800-133] Rev 2 National Institute of Standards and Technology, Recommendation for Cryptographic Key Generation, June 2020 FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Term Definition AES Advanced Encryption Standard CO Crypto Officer DES Data Encryption Standard DSAP Delegate Specific Authorization Protocol EK Endorsement Key FIPS Federal Information Processing Standard FUM Field Upgrade Mode GPIO General Purpose I/O HMAC Keyed-Hashing for Message Authentication HW Hardware KDF Key derivation function NIST National Institute of Standards and Technology NV Non-volatile (memory) OIAP Object-Independent Authorization Protocol OSAP Object Specific Authorization Protocol PCR Platform Configuration Register RSA Rivest Shamir Adelman RTM Root of Trust for Measurement RTR Root of Trust for Reporting SHA Secure Hash Algorithm SPI Serial Peripheral Interface SRK Storage Root Key TCG Trusted Computed Group TPM Trusted Platform Module TSS TPM Software Stack FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
IMPORTANT NOTICE