| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Hardware |
| Embodiment | Single Chip |
| Status | Active |
| Sunset date | 7/24/2029 |
| Caveat | Interim validation, When operated in Approved mode |
| Vendor | STMicroelectronics |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A2553 |
| AES-CFB128 | A2553 |
| AES-CTR | A2553 |
| AES-ECB | A2553 |
| AES-OFB | A2553 |
| ECDSA KeyGen (FIPS186-4) | A2555 |
| ECDSA KeyVer (FIPS186-4) | A2555 |
| ECDSA SigGen (FIPS186-4) | A2555 |
| ECDSA SigVer (FIPS186-4) | A2555 |
| Hash DRBG | A2547 |
| HMAC-SHA-1 | A2551 |
| HMAC-SHA-1 | A2552 |
| HMAC-SHA2-256 | A2551 |
| HMAC-SHA2-256 | A2552 |
| HMAC-SHA2-384 | A2551 |
| HMAC-SHA2-384 | A2552 |
| HMAC-SHA3-256 | A2551 |
| HMAC-SHA3-256 | A2552 |
| HMAC-SHA3-384 | A2551 |
| HMAC-SHA3-384 | A2552 |
| KAS-ECC Sp800-56Ar3 | A2555 |
| KDF SP800-108 | A2550 |
| KTS-IFC | A2554 |
| RSA Decryption Primitive | A2554 |
| RSA KeyGen (FIPS186-4) | A2554 |
| RSA SigGen (FIPS186-4) | A2554 |
| RSA SigVer (FIPS186-4) | A2554 |
| SHA-1 | A2548 |
| SHA-1 | A2549 |
| SHA2-256 | A2548 |
| SHA2-256 | A2549 |
| SHA2-384 | A2548 |
| SHA2-384 | A2549 |
| SHA3-256 | A2548 |
| SHA3-384 | A2548 |
flowchart LR
%% Deterministic review-risk graph for Trusted Platform Module ST33KTPM2XSPI / ST33KTPM2X / ST33KTPM2A / ST33KTPM2I
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery<br/>upgrade<br/>firmware load</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C6 clue;
class I2,I3,I6 infer;
class R2,R3,R6 risk;
class E2,E3,E6 evidence;flowchart LR
%% Deterministic clue tier for Trusted Platform Module ST33KTPM2XSPI / ST33KTPM2X / ST33KTPM2A / ST33KTPM2I
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery<br/>upgrade<br/>firmware load</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C6 clueLow;STMICROELECTRONICS Trusted Platform Module ST33KTPM2XSPI / ST33KTPM2X / ST33KTPM2A / ST33KTPM2I Level 1 Date: 2024-06-14 Document Version: 02-00 NON-PROPRIETARY DOCUMENT FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
| # | Section | Page |
|---|
FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
This document is the non-proprietary FIPS 140-3 Security Policy for the STMicroelectronics Trusted Platform Module ST33KTPM2XSPI / ST33KTPM2X / ST33KTPM2A / ST33KTPM2I. It details how the module meets the requirements specified in [FIPS 140-3] for a Security Level1 module.
Next table indicates the security levels reached by the security module. ISO/IEC 24759 Section 6. FIPS 140-3 Section Title Security Level [Number Below]
Overall level 1 Table 1 - Security Levels FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
ST33KTPM2XSPI / ST33KTPM2X / ST33KTPM2A / ST33KTPM2I is a fully integrated security module implementing the revision 1.59 of the Trusted Computing Group (TCG) specification for Trusted Platform Modules (TPM) version 2.0. It is designed to be integrated into personal computers and any other embedded electronic systems. TPM is primarily used for cryptographic keys generation, keys storage, keys management and secure storage for digital certificates. The security module is a single chip cryptographic HW module as defined in [FIPS 140-3]. The single silicon chip is encapsulated in a hard, opaque, production grade integrated circuit (IC) package. The cryptographic boundary is defined as the perimeter of the IC package. The security module supports both SPI and I2C interfaces, compliant with the PC Client specification [PTP 1.05]. The HW and FW cryptographic boundaries are indicated in Figure 5 and Figure 9 of the current document.
The operating environments covered by the FIPS 140-3 evaluation are summarized in the table below: Model Hardware Firmware Version Distinguishing Features [Part Number and Version] ST33KTPM2XSPI ST33K1M5T revC / 9.257 (dec.) SPI ST33K1M5T revD ST33KTPM2X 0x00.09.01.01 (hex.) SPI or I2C 1 ST33KTPM2XSPI 9.258 (dec.) SPI 0x00.09.01.02 (hex.) ST33KTPM2A ST33K1M5A revB 10.257 (dec.) SPI or I2C 2 ST33KTPM2I 0x00.0A.01.01 (hex.) Table 2 - Cryptographic Module Tested Configuration Firmware is executed on an Arm Cortex-M35P 32-bit RISC cores. FW version can be read in the response to the command TPM2_GetCapability with property set to TPM_PT_FIRMWARE_VERSION_1. ST33KTPM2XSPI and ST33KTPM2X are manufactured in the UFQFPN32 package:
ST33KTPM2A and ST33KTPM2I are manufactured in the UFQFPN32 WF package:
The security module configurations indicated in Table 2 are defined into several manufactured products listed hereafter.
The current FIPS 140-3 level 1 Security Policy always applies (no mode lock requested) to this security module configuration. Module Configuration Module name / HW ST33KTPM2XSPI P/N Package UFQFPN32 Interface SPI Marking KTPM KE2 FW version 00.09.01.01 (9.257) 1 00.09.01.02 (9.258) 2 TPM2.0 revision 1.59 Table 3 - KE2 Security Module Configuration
The current FIPS 140-3 level 1 Security Policy always applies (no mode lock requested) to this security module configuration. SPI or I2C mode selection is done during the boot of the security module. Module Configuration Module name / HW ST33KTPM2X P/N Package UFQFPN32 Interface SPI / I2C Marking KTPM KE3 FW version 00.09.01.01 (9.257)1 TPM2.0 revision 1.59 Table 4 - KE3 Security Module Configuration
The current FIPS 140-3 level 1 Security Policy always applies (no mode lock requested) to this security module configuration. Module Configuration Module name / HW ST33KTPM2XSPI P/N Package UFQFPN32 Interface SPI Marking KTPM KG8 The default version of this configuration is 9.256. To operate with FW version 9.257, module must be first field upgraded from 9.256 to 9.257. The default version of this configuration is 9.256. To operate with FW version 9.258, module must be first field upgraded from 9.256 to 9.258 or from 9.257 to 9.258. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
FW version 00.09.01.01 (9.257) 00.09.01.02 (9.258) 1 TPM2.0 revision 1.59 Table 5 - KG8 Security Module Configuration
The current FIPS 140-3 level 1 Security Policy always applies (no mode lock requested) to this security module configuration. SPI or I2C mode selection is done during the boot of the security module. Module Configuration Module Name / HW ST33KTPM2X P/N Package UFQFPN32 Interface SPI / I2C Marking KTPM KG9 FW Version 00.09.01.01 (9.257) TPM2.0 Revision 1.59 Table 6 - KG9 Security Module Configuration
The current FIPS 140-3 level 1 Security Policy always applies (no mode lock requested) to this security module configuration. SPI or I2C mode selection is done during the boot of the security module. Module Configuration Module Name / HW ST33KTPM2I P/N Package UFQFPN32 WF WLCSP24 Interface SPI / I2C Marking KTPMI ZA9 FW Version 00.0A.01.01 (10.257) TPM2.0 Revision 1.59 Table 7 - ZA9 Security Module Configuration
The current FIPS 140-3 level 1 Security Policy always applies (no mode lock requested) to this security module configuration. SPI or I2C mode selection is done during the boot of the security module. Module Configuration Module Name / HW ST33KTPM2A P/N Package UFQFPN32 WF TSSOP20 Interface SPI / I2C Marking KTPMA AC5 The default version of this configuration is 9.256. To operate with FW version 9.258, module must be first field upgraded from 9.256 to 9.258 or from 9.257 to 9.258. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
FW Version 00.0A.01.01 (10.257) TPM2.0 Revision 1.59 Table 8 - AC5 Security Module Configuration
The current FIPS 140-3 level 1 Security Policy always applies (no mode lock requested) to this security module configuration. Module Configuration Module Name / HW ST33KTPM2XSPI P/N Package UFQFPN32 Interface SPI Marking KTPM KJ5 FW Version 00.09.01.02 (9.258) TPM2.0 Revision 1.59 Table 9 - KJ5 Security Module Configuration
The security module supports the following cryptographic algorithms (both approved and nonapproved). Algorithm certificate numbers for each approved algorithm are listed below. All algorithms, keys size or curve lengths listed below are part of services offered by the module. Description / CAVP Algorithm and Mode / Method Key Size(s) / Use / Function Cert Standard Key Strength(s) A2553 AES ECB, CFB128, OFB, CBC, 128, 192, 256 Data CTR encryption/decryption [SP 800-38A] A2547 DRBG HASH_based SHA2-256 Deterministic random bit [SP 800-90A] generation A2555 ECDSA SHA2-256, SHA2-384, SHA3- P-256, P-384 Digital signature [FIPS 186-4] 256, SHA3-384 generation SHA-1, SHA2-256, SHA2- P-256, P-384 Digital signature 384, SHA3-256, SHA3-384 verification ECDSA KeyVer (FIPS 186-4) P-256, P-384 Key verification Appendix B.4.1 P-256, P-384 Key generation A2551 HMAC SHA-1, SHA2-256, SHA2- 160, 256, 384 Message authentication 384, SHA3-256, SHA3-384 A2552 [FIPS 198-1] A2555 KAS ECC (Full unified and One P-256, P-384 Key agreement scheme pass DH) [SP 800-56A Rev3] 1 [SP 800-56C Rev1] A2550 KBKDF CTR Key derivation (based on HMAC) [SP 800-108] A2554 KTS-IFC KTS-OAEP-basic 2048, 3072, 4096 Key generation and key transport Per [IG] D.F Scenario 2 path (2), [56Ar3] compliant key agreement scheme where testing is performed end-to-end for the shared secret computation and a KDF compliant with oneStepKdf [56Cr1] without key confirmation. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Description / CAVP Algorithm and Mode / Method Key Size(s) / Use / Function Cert Standard Key Strength(s) [SP800-56B Rev 2] RSADP 2048 Decryption primitive A2554 RSA SHA2-256, SHA2-384, 2048, 3072, 4096 Digital signature RSASSA-PKCS-v1.5, generation [FIPS 186-4] RSASSA-PSS SHA-1 1, SHA2-256, SHA2- 1024 2, 2048, Digital signature 384, RSASSA-PKCS-v1.5, 3072, 4096 verification RSASSA-PSS Appendix C3.1 2048, 3072, 4096 Key generation A2548 SHA3-256, SHA3- SHA3-256, SHA3-384 Message digest [FIPS 202] A2548 SHS SHA-1, SHA2-256, SHA2-384 Message digest. SHA2-
A2549 [FIPS 180-4] SP800-90B vetted conditioner Table 10 - Approved Algorithms Algorithm Caveat Use / Function CKG Direct Generation of Symmetric Keys (Section 4 of Key generation 3 [SP800-133 Rev2]). [IG D.H] RSA Use of SHA3-256 or SHA3-384 hashing algorithms. Digital signature generation [FIPS 186-4] Digital signature verification Table 11 - Vendor Affirmed Approved Algorithms Algorithm Caveat Use/Function AES CFB The AES CFB algorithm itself is Approved and awarded Obfuscation of internally stored CAVP Cert. #A2553, but this usage employs a key that data is non-compliant. The usage of AES CFB in this manner is entirely internal to the module and inaccessible to the operator. No security claimed per IG 2.4.A, Example Scenario #1. XOR No security claimed per IG 2.4.A, Example Scenario #1. Obfuscation of input or output data Table 12 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed Algorithm/Function Use/Function ECC BN P-256 Key generation, digital signature generation based on BN P-256 elliptic curve ECC derived keys Secret exchange or digital signature generation/verification ECDAA Key generation, digital signature generation Legacy use only Legacy use only Symmetric keys and seeds used for generating the asymmetric keys are either generated by using KBKDF or DRBG methods. Methods are detailed per SSPs in Table 34 and Table 35. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
ECSchnorr Key generation, digital signature generation and verification HMAC Key length < 112 bits for message authentication RSA 1024-bit RSA digital signature generation RSA with no padding mode Key transport (null scheme) RSAES-PKCS1-v1_5 Key transport SHA-1 Digital signature generation Table 13 - Non-Approved Algorithms not Allowed in the Approved Mode of Operation Algorithm Name Type Description SF Properties [O] Algorithms Properties SP 800-56A, Rev 3 P-256, P-384 KAS-ECC (Initiator, Key fullUnified, KAS KAS Key length 128 bits Responder), KPG, establishment onePassDH Full (Cert. #A2555) IG D.F oneStepKDF SP 800-38F KTS (AES Cert. AES CFB IG D.G KTS KTS Key Transport #A2553 + HMAC Key size 128 or SSP establishment methodology Cert. #2551) provides 128 or 256 bits of 256 bits. encryption strength SP 800-56B Rev 2 IG D.G KTS- KTS-OAEP-basic KTS-IFC (Cert. Key size 2048, KTS Key Transport IFC #A2554) 3072, or 4096 SSP establishment methodology provides between 112 and 150 bits of encryption strength Table 14 - Security Function Implementations Entropy Type Operating Sample Size Entropy per Conditioning Source/Name Environment Sample Components (CAVP number if vetted) E41 Physical ST33K1M5T/A 1 bit 0.819266 bits A2548 (SHA2-256) platforms Table 15 - Entropy Source(s)
A block diagram of the security module with its associated cryptographic boundary is provided in Figure 5. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
RSA/ECC Flash HW accelerator memory CPU core CPU core Read RAM RAM ST ROM cache MPU MPU S bus C-AHB bus APB/AHB Cryptographic bridge boundary APB CRC HW accelerator Security Administrator SPI with RAM buffer I2C with RAM buffer AES HW accelerator Clock generator Reset manager ESV #E41) EDES+ HW Timers GPIOs module Power mngt SPI / I2C interface GPIO GND VC LEGEND Instructions Input/output data/commands External control Internal data Cryptographic Internal control boundary Figure 5 - HW Block Diagram Module is composed of:
FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
The pin layouts for the UFQFPN32 / UFQFPN32 WF packages are shown in Figure 6. The ST33KTPM2X / ST33KTPM2A / ST33KTPM2I security modules support both SPI and I2C physical interfaces but only one interface is configured during TPM boot. The interface configured remains active until the next module reset. The ST33KTPM2XSPI only supports SPI physical interface and thus pins 29 and 30 are configured as GPIOs (GPIO5 and GPIO6).
NC NC I2C SCL I2C SDA NC NC NC NC VCC 1 24 SPI MISO GND 2 23 NC NC 3 22 VCC NC 4 UFQFPN32 / 21 SPI MOSI NC 5 UFQFPN32 WF 20 SPI NSS GPI8 6 19 SPI CLK PP 7 18 PIRQ NC 8 17 RESET NC NC NC NC NC NC NC GND Figure 6 - UFQFPN32 / UFQFPN32 WF Pinout Diagram Table 15 below gives a description of the products pins. Signal Type Description Power supply. This pin must be connected to 1.8V or 3.3V DC power rail VCC Input supplied by the motherboard. GND Input GND has to be connected to the main motherboard ground. RESET Input Reset used to re-initialize the device I2C SCL / Input or I²C serial clock (Open drain with no weak pull-up resistor) or GPIO if SPI GPIO5 Input/Output interface is selected I2C SDA / I²C serial data (Open drain with no weak pull-up resistor) or GPIO if SPI Input/Output GPIO6 interface is selected PIRQ Output IRQ used by TPM to generate an interrupt SPI CLK / Input or SPI serial clock (output from master) or GPIO if I2C interface is selected GPIO1 Input/Output SPI NSS / Input or SPI slave select (active low; output from master) or GPIO if I2C interface is GPIO2 Input/Output selected SPI MISO Output or SPI Master Input, Slave Output (output from slave) or GPIO if I2C interface / GPIO0 Input/Output is selected SPI MOSI Input or SPI Master Output, Slave Input (output from master) or GPIO if I2C / GPIO3 Input/Output interface is selected GPI default to low. The level of this pin on the rising edge of the RESET GPI8 Input signal is used to determine the physical interface to use (high level corresponds to SPI configuration and low-level to I2C) Physical presence, active high, internal pull-down. Used to indicate PP Input Physical Presence to the TPM. Not Connected: connected to the die but not usable. May be left NC unconnected. Internal pull-down. Table 16 - UFQFPN32 / UFQFPN32 WF Pins Definition FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
The pin layouts for the TSSOP20 package are shown in Figure 7. The security Module supports both SPI and I2C physical interfaces but only one interface is configured during TPM boot. The interface configured remains active until the next module reset. I2C SCL 1 20 I2C SDA VCC 2 19 SPI MISO GND 3 18 VCC NiC 4 17 SPI MOSI I2C SEL 5 TSSOP20 16 SPI NSS PP 6 15 SPI MISO NiC 7 14 PIRQ NiC 8 13 RESET NiC 9 12 NiC NiC 10 11 GND Figure 7 - TSSOP20 Pinout Diagram Table 16 below gives a description of the products pins. Signal Type Description Power supply. This pin must be connected to 1.8V or 3.3V DC VCC Input power rail supplied by the motherboard. GND Input GND has to be connected to the main motherboard ground. RESET Input Reset used to re-initialize the device I2C SCL / Input or I²C serial clock (Open drain with no weak pull-up resistor) or GPIO if GPIO5 Input/Output SPI interface is selected I2C SDA / I²C serial data (Open drain with no weak pull-up resistor) or GPIO if GPIO6 Input/Output SPI interface is selected PIRQ Output IRQ used by TPM to generate an interrupt SPI CLK / Input or SPI serial clock (output from master) or GPIO if I2C interface is GPIO1 Input/Output selected SPI NSS / Input or SPI slave select (active low; output from master) or GPIO if I2C GPIO2 Input/Output interface is selected SPI MISO / Output or SPI Master Input, Slave Output (output from slave) or GPIO if I2C GPIO0 Input/Output interface is selected SPI MOSI / Input or SPI Master Output, Slave Input (output from master) or GPIO if I2C GPIO3 Input/Output interface is selected Input This pin must be connected to an external pull-down resistor to activate the I²C protocol during product boot time. It can remain unconnected for the SPI protocol. This pin is internal pull-up by I2C SEL default and becomes internal floating after I²C activation. Physical presence, active high, internal pull-down. Used to indicate PP Input Physical Presence to the TPM. Not internally connected: not connected to the die. May be left NiC - unconnected but no impact on TPM if connected. Table 17
Figure 8 - WLCSP24 Pinout Diagram Table 17 below gives a description of the products pins. Signal Type Description Power supply. This pin must be connected to 1.8V or 3.3V DC VCC Input power rail supplied by the motherboard. GND Input GND has to be connected to the main motherboard ground. RESET Input Reset used to re-initialize the device I2C SCL / Input or I²C serial clock (Open drain with no weak pull-up resistor) or GPIO if GPIO5 Input/Output SPI interface is selected I2C SDA / I²C serial data (Open drain with no weak pull-up resistor) or GPIO if GPIO6 Input/Output SPI interface is selected PIRQ Output IRQ used by TPM to generate an interrupt SPI CLK / Input or SPI serial clock (output from master) or GPIO if I2C interface is GPIO1 Input/Output selected SPI NSS / Input or SPI slave select (active low; output from master) or GPIO if I2C GPIO2 Input/Output interface is selected SPI MISO / Output or SPI Master Input, Slave Output (output from slave) or GPIO if I2C GPIO0 Input/Output interface is selected SPI MOSI / Input or SPI Master Output, Slave Input (output from master) or GPIO if I2C GPIO3 Input/Output interface is selected Input This pin must be connected to an external pull-down resistor to activate the I²C protocol during product boot time. It can remain unconnected for the SPI protocol. This pin is internal pull-up by I2C SEL default and becomes internal floating after I²C activation. Physical presence, active high, internal pull-down. Used to indicate PP Input Physical Presence to the TPM. Table 18 - WLCSP24 Pins Definition FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
The physical port of the security module is the SPI bus or I2C Bus. The logical interfaces and their mapping to physical ports of the module are described in Table 18 below: Physical port Logical interface Data that passes over the port/interface SPI_NSS / SPI_CLK / SPI_MOSI / Control input Control parts of the TPM commands RESET / PP interface provided to the security module. It concerns all bytes of a command except plaintext data, I2C_SCL / I2C_SDA / RESET / PP ciphertext data and SSPs (entered with the data input interface). SPI_NSS / SPI_CLK / SPI_MISO / Control output Control parts of the TPM responses output PIRQ interface by the security module. It concerns all bytes of a response except plaintext data, I2C_SCL / I2C_SDA / PIRQ ciphertext data and SSPs (output with the data output interface) and except the responseCode of a response (output with the status output interface) SPI_NSS / SPI_CLK / SPI_MISO / Status output Status output by the security module PIRQ interface (responseCode parameter of a response) I2C_SCL / I2C_SDA SPI_NSS / SPI_CLK / SPI_MOSI Data input Data (plaintext data, ciphertext data and interface SSPs) provided to the security module as I2C_SCL / I2C_SDA part of an input processing command. SPI_NSS / SPI_CLK / SPI_MISO Data output Data (plaintext data, ciphertext data and interface SSPs) output by the security module as part I2C_SCL / I2C_SDA of the response to a processing command. VCC / GND Power interface Power interface of the security module Table 19 - Ports and Interfaces Here are some details concerning the ports and interfaces of TPM:
This chapter gives details about the roles managed by TPM.
Services proposed by TPM are accessible under the roles defined in Table 19 below. The list of services accessible by each role is indicated in Table 21. Role Service Input Output Crypto This role performs the cryptographic initialization of Any valid inputs and outputs officer (CO) the security module and executes the management for commands are usable functions. This role also covers the use of the (refer to [TPM2.0 Part3]). general security services provided by the cryptographic module. Table 20 - Roles, Service Commands, Input and Output The security module does not provide a maintenance role or maintenance interface and does not support concurrent operators. The CO role is implicitly selected by the TPM operator on service execution.
In the context of this FIPS 140-3 Level 1 evaluation, there is no authentication mechanism claimed to control access of the security module. The authorization mechanisms (password, HMAC and policy) provided by the TPM2.0 standard are available and protected as sensitive parameters but are not employed to satisfy FIPS 140-3 requirements. Crypto officer role is implicitly assumed by the operator when using services corresponding to that role.
All services are accessible under the roles defined in Table 19 and no specific access rights are considered to operate with keys and SSPs. Full services inputs and outputs are defined in [TPM2.0 Part3]. Table 20 below indicates how mandatory services required in §7.4.3.1 of [ISO/IEC 19790] are mapped to security module’s services: Mandatory service requested from Corresponding services from the [ISO/IEC 19790] security module Show module’s versioning information TPM2_GetCapability Show status TPM2_GetTestResult Perform self-tests TPM2_SelfTest TPM2_IncrementalSelfTest Perform approved security functions See approved services listed in Table 21 Perform zeroisation TPM2_Clear, TPM2_ChangePPS, TPM2_ChangeEPS, TPM2_FlushContext, TPM2_EvictControl Table 21 - Mapping Between Services The security module does not implement any bypass capability, nor self-initiated cryptographic output capability. Table 21 below lists all approved services supported by the TPM. The indicator is accessible with the TPM2_GetCapability (capability = TPM_CAP_VENDOR_PROPERTIES) command by using the sub-capability TPM_SUBCAP_VENDOR_TPMA_MODES = 0x7. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Service Description Approved Security Functions Keys and/or SSPs Roles Access Indicator 2 rights to Keys and/or SSPs 1 TPM2_Startup Set-up the TPM after a power cycle. None phSeed, ehSeed, shSeed, CO G Approved phProof, ehProof, shProof, drbgState nullSeed, nullProof, G, Z contextKey, drbgSeed TPM2_Shutdown (I) Prepare the TPM for a power cycle. None None CO N/A Non-security relevant TPM2_SelfTest (I) Self-tests execution SHS, SHA3, ESV, HMAC, AES, None CO N/A Approved DRBG, KBKDF, KAS, RSA (signature generation, verification) ECC (signature generation, verification) TPM2_IncrementalSelfTest (I) Incremental self-tests execution SHS, SHA3, ESV, HMAC, AES, None CO N/A Approved DRBG, KBKDF, KAS, RSA (signature generation, verification), ECC (signature generation, verification) TPM2_GetTestResult (I) Get self-tests result None None CO N/A Non-security relevant TPM2_StartAuthSession (I/E/D) Session command SHS, SHA3, HMAC, AES, sesHmacKey, sesSymKey CO G, W Approved DRBG, KBKDF, KTS-IFC, KAS, KDA, CKG sesSalt E, Z objSens, objAuth, nvAuth, E platformAuth, endorsementAuth, ownerAuth, lockoutAuth, seqAuth TPM2_PolicyRestart (I) Policy session restart None None CO N/A Non-security relevant TPM2_Create (I/E/D) Object creation objSeed, objSens, objPub CO G, R, E Approved G = generate, R = read, W = write, E = execute, Z = zeroise Approved, non-approved or non-security relevant. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
SHS, SHA3, HMAC, AES, objSymKey, objHmacKey G, E DRBG, KBKDF, CKG, RSA (signature generation, drbgState W, E verification, key generation), ECC (signature generation, verification, key generation) objAuth W nullProof, phProof, ehProof, E shProof TPM2_Load (I/E/D) Object loading SHS, SHA3, HMAC, AES, objSens, objSeed CO W, E Approved KBKDF objPub, objAuth W objSymKey, objHmacKey G, W, E TPM2_LoadExternal (I/E/D) External object loading None objPub, objSens, objAuth CO W Approved TPM2_ReadPublic (I) Read public part of a loaded object None objPub CO R Approved TPM2_ActivateCredential (I/E/D) Enables the association of a SHS, SHA3, HMAC, AES, objSens CO E Approved credential with an object KBKDF, KTS-IFC, KAS, CKG creSeed E, Z creSymKey, creHmacKey G, E, Z TPM2_MakeCredential (I/E/D) Allows the TPM to perform the SHS, SHA3, HMAC, AES, objPub CO E Approved actions required of a Certificate KBKDF, KTS-IFC, KAS, CKG Authority creSeed G, R, E, Z creSymKey, creHmacKey G, E, Z TPM2_Unseal (I/E/D) Returns the data in a loaded Sealed None objSens CO R Approved Data Object TPM2_ObjectChangeAuth (I/E/D) Changes the authorization secret for SHS, SHA3, HMAC, AES, drbgState, objAuth CO W Approved a TPM-resident object KBKDF, CKG objSeed R, E objSymKey, objHmacKey E objSens R TPM2_CreateLoaded (I/E/D) Creates an object and loads it in the SHS, SHA3, HMAC, AES, objPub CO R, E Approved TPM DRBG, KBKDF, CKG, RSA (signature generation, nullSeed, phSeed, ehSeed, E verification, key generation), shSeed, nullProof, phProof, ECC (signature generation, ehProof, shProof, ekRsa, verification, key generation) ekEcc, shProofForReseed objSeed, objSymKey, G, E objHmacKey, tdrbgState FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
objSens G, R, E drbgState W, E TPM2_Duplicate (I/E/D) Duplicates a loaded object so that it SHS, SHA3, HMAC, AES, dupSeed, dupInSymKey, CO G, E, Z Approved may be used in a different hierarchy DRBG, KBKDF, KTS-IFC, KAS, dupOutSymKey, CKG dupOutHmacKey objSens, objAuth R drbgState W, E objPub E TPM2_Rewrap (I/E/D) Rewraps a duplicated object with a SHS, SHA3, HMAC, AES, objSens CO W, E Approved new parent key KBKDF, KTS-IFC, KAS, CKG dupOutSymKey, G, E, Z dupOutHmacKey dupInpSymKey W, Z drbgState, objPub E dupSeed W, E, Z TPM2_Import (I/E/D) Allows an object to be encrypted SHS, SHA3, HMAC, AES, drbgState CO E Approved using the symmetric encryption KBKDF, KTS-IFC, KAS, CKG values of a Storage Key objSens, objPub W, E objAuth W dupSeed, dupInSymKey E, Z dupOutSymKey, W, E, Z dupOutHmacKey TPM2_RSA_Encrypt (I/E/D) Performs RSA encryption KTS-IFC objPub CO E Approved TPM2_RSA_Decrypt (I/E/D) Performs RSA decryption KTS-IFC objSens CO E Approved TPM2_ECDH_KeyGen (I/E/D) Shared secret value computation KAS drbgState CO W, E Approved using KAS ephSensEccKey G, E, Z ephPubEccKey G, R, Z objPub E TPM2_ECDH_ZGen (I/E/D) Shared secret value recovery using KAS objSens CO E Approved KAS ephPubEccKey W, E, Z FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_ECC_Parameters (I) Returns the parameters of an ECC None None CO N/A Non-security curve identified by its TCG-assigned relevant curveID TPM2_EncryptDecrypt (I/E) Symmetric encryption or decryption AES objSens CO E Approved TPM2_EncryptDecrypt2 (I/E/D) Symmetric encryption or decryption AES objSens CO E Approved TPM2_Hash (I/E/D) Performs a hash operation on data SHS, SHA3 nullProof, phProof, ehProof, CO E Approved shProof TPM2_HMAC (I/E/D) Performs a HMAC operation on data HMAC objSens CO E Approved TPM2_GetRandom (I/E) Outputs random bytes from a DRBG DRBG drbgState CO W, E Approved TPM2_StirRandom (I/D) Reseed the state of a DRBG ESV, DRBG drbgSeed CO W, E, Z Approved drbgState W, E TPM2_HMAC_Start (I/D) Starts an HMAC sequence HMAC seqAuth CO W Approved objSens E TPM2_HashSequenceStart (I/D) Starts a hash or an event sequence SHS, SHA3 seqAuth CO W Approved TPM2_SequenceUpdate (I/D) Adds data to a hash or HMAC SHS, SHA3, HMAC objSens CO E Approved sequence TPM2_SequenceComplete (I/E/D) Adds last part of data to a hash or SHS, SHA3, HMAC nullProof, phProof, ehProof, CO E Approved HMAC sequence and returns the shProof, objSens result seqAuth Z TPM2_EventSequenceComplete (I/D) Adds last part of data to a hash or SHS, SHA3, HMAC objSens CO E Approved HMAC sequence and returns the result in a digest list seqAuth Z TPM2_Certify (I/E/D) Proves that an object with a specific SHS, SHA3, HMAC, DRBG, drbgState CO W, E Approved Name is loaded in the TPM KBKDF, CKG, RSA (signature generation), objSens, shProof E ECC (signature generation) TPM2_CertifyCreation (I/E/D) Proves the association between an SHS, SHA3, HMAC, drbgState CO W, E Approved object and its creation data DRBG, KBKDF, CKG, objSens, nullProof, phProof, E RSA (signature generation), ehProof, shProof ECC (signature generation) TPM2_Quote (I/E/D) Quotes PCR values SHS, SHA3, HMAC, drbgState CO W, E Approved FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
DRBG, KBKDF, CKG, objSens, shProof E RSA (signature generation), ECC (signature generation) TPM2_GetSessionAuditDigest (I/E/D) Returns a digital signature of the SHS, SHA3, HMAC, drbgState CO W, E Approved audit session digest DRBG, KBKDF, CKG, objSens, shProof E RSA (signature generation), ECC (signature generation) TPM2_GetCommandAuditDigest (I/E/D) Returns the current value of the SHS, SHA3, HMAC, drbgState CO W, E Approved command audit digest, a digest of DRBG, KBKDF, CKG, the commands being audited, and objSens, shProof E the audit hash algorithm RSA (signature generation), ECC (signature generation) TPM2_GetTime (I/E/D) Returns the current values of Time SHS, SHA3, HMAC, drbgState CO W, E Approved and Clock DRBG, KBKDF, CKG, objSens, shProof E RSA (signature generation), ECC (signature generation) TPM2_CertifyX509 (I/E/D) X.509 certificate generation SHS, SHA3, drbgState CO W, E Approved RSA (signature generation), objSens E ECC (signature generation TPM2_VerifySignature (I/D) Validates a signature on a message HMAC, objPub, nullProof, phProof, CO E Approved with the message digest passed to RSA (signature generation), ehProof, shProof the TPM ECC (signature generation) TPM2_Sign (I/D) Signs an externally provided hash SHS, SHA3, HMAC, objSens, nullProof, phProof, CO E Approved with the specified symmetric or DRBG, ehProof, shProof asymmetric signing key RSA (signature generation), ECC (signature generation) TPM2_SetCommandCodeAuditStatus (I) Changes the audit status of a None None CO N/A Non-security command or to set the hash relevant algorithm used for the audit digest TPM2_PCR_Extend (I) Updates the indicated PCR SHS, SHA3 None CO N/A Approved TPM2_PCR_Event (I/D) Updates the indicated PCR and SHS, SHA3 None CO N/A Approved reports list of digests TPM2_PCR_Read (I) Returns the values of all PCR None None CO N/A Non-security specified in pcrSelectionIn relevant FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_PCR_Allocate (I) Sets the desired PCR allocation of None None CO N/A Non-security PCR and algorithms relevant TPM2_PCR_Reset (I) Sets the PCR in all banks to zero None None CO N/A Non-security relevant _TPM_Hash_Start Indicates to the TPM interface the SHS, SHA3 None CO N/A Approved start of an H-CRTM measurement sequence _TPM_Hash_Data Indicates to the TPM interface data SHS, SHA3 None CO N/A Approved to be included in the H-CRTM measurement sequence _TPM_Hash_End Indicates to the TPM interface the SHS, SHA3 None CO N/A Approved end of the H-CRTM measurement sequence TPM2_PolicySigned (I/E/D) Includes a signed authorization in a SHS, SHA3, HMAC, objPub, nullProof, phProof, CO E Approved policy RSA (signature verification), ehProof, shProof ECC (signature verification) TPM2_PolicySecret (I/E/D) Includes a secret-based SHS, SHA3, HMAC nullProof, phProof, ehProof, CO E Approved authorization to a policy shProof TPM2_PolicyTicket (I/D) Includes a ticket in a policy SHS, SHA3, HMAC nullProof, phProof, ehProof, CO E Approved shProof TPM2_PolicyOR (I) Allows options in authorizations SHS, SHA3 None CO N/A Approved without requiring that the TPM evaluate all the options TPM2_PolicyPCR (I/D) Causes conditional gating of a policy SHS, SHA3 None CO N/A Approved based on PCR TPM2_PolicyLocality (I) Indicates that the policy will be SHS, SHA3 None CO N/A Approved limited to a specific locality TPM2_PolicyNV (I/D) Causes conditional gating of a policy SHS, SHA3 None CO N/A Approved based on the contents of an NV Index TPM2_PolicyCounterTimer (I/D) Causes conditional gating of a policy SHS, SHA3 None CO N/A Approved based on the contents of the TPMS_TIME_INFO structure TPM2_PolicyCommandCode (I) Limits policy to a specific command SHS, SHA3 None CO N/A Approved code FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_PolicyPhysicalPresence (I) Physical presence will need to be SHS, SHA3 None CO N/A Approved asserted at the time the authorization is performed TPM2_PolicyCpHash (I/D) Allows a policy to be bound to a SHS, SHA3 None CO N/A Approved specific command and command parameters TPM2_PolicyNameHash (I/D) Allows a policy to be bound to a SHS, SHA3 None CO N/A Approved specific set of TPM entities without being bound to the parameters of the command TPM2_PolicyDuplicationSelect (I/D) Allows qualification of duplication to SHS, SHA3 None CO N/A Approved allow duplication to a selected new parent TPM2_PolicyAuthorize (I/D) Let a policy authority sign a new SHS, SHA3, HMAC nullProof, phProof, ehProof, CO E Approved policy so that it may be used in an shProof existing policy TPM2_PolicyAuthValue (I) Allows a policy to be bound to the SHS, SHA3 None CO N/A Approved authorization value of the authorized entity TPM2_PolicyPassword (I) Allows a policy to be bound to the SHS, SHA3 None CO N/A Approved authorization value of the authorized object TPM2_PolicyGetDigest (I/E) Returns the current policyDigest of a None None CO N/A Non-security policy session relevant TPM2_PolicyNvWritten (I) Allows a policy to be bound to the SHS, SHA3 None CO N/A Approved TPMA_NV_WRITTEN attributes TPM2_PolicyTemplate (I/D) Allows a policy to be bound to a SHS, SHA3 None CO N/A Approved specific creation template TPM2_PolicyAuthorizeNV (I) Provides a capability that is the SHS, SHA3 None CO N/A Approved equivalent of a revocable policy TPM2_CreatePrimary (I/E/D) Creates a Primary Object under one SHS, SHA3, HMAC, objPub CO R, E Approved of the Primary Seeds or a Temporary AES, DRBG, KBKDF, CKG, Object under TPM_RH_NULL nullSeed, phSeed, ehSeed, E RSA (signature generation, shSeed, nullProof, phProof, verification, key generation), ehProof, shProof, ekRsa, ECC (signature generation, ekEcc, shProofForReseed verification, key generation) objSeed, objSymKey, G, E objHmacKey, tdrbgState FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
objSens G, R, E drbgState W, E TPM2_HierarchyControl (I) Enables and disables use of a None None CO N/A Non-security hierarchy and its associated NV relevant storage TPM2_SetPrimaryPolicy (I/D) Sets the authorization policy for a None None CO N/A Non-security hierarchy relevant TPM2_ChangePPS (I) Replaces the current platform None drbgState CO W, E Approved primary seed (PPS) with a value from the DRBG and sets phSeed, phProof, objSeed, Z platformPolicy to the default objSens, objPub initialization value TPM2_ChangeEPS (I) Replaces the current endorsement None drbgState CO W, E Approved primary seed (EPS) with a value from the DRBG and sets ehSeed, ehProof, objSeed, Z endorsementPolicy to the default objSens, objPub, ekRsa, ekEcc initialization value TPM2_Clear (I) Removes all TPM context associated None drbgState CO W, E Approved with a specific Owner shSeed, ehProof, shProof, Z shProofForReseed, objSeed, objSens, objPub, objAuth TPM2_ClearControl (I) Disables and enables the execution None None CO N/A Non-security of TPM2_Clear() relevant TPM2_HierarchyChangeAuth (I/D) Changes the authValue of None None CO N/A Non-security hierarchies relevant TPM2_DictionaryAttackLockReset (I) Cancels the effect of a TPM lockout None None CO N/A Non-security due to several successive relevant authorization failures TPM2_DictionaryAttackParameters (I) Changes the lockout parameters None None CO N/A Non-security relevant TPM2_VendorCmdFieldUpgradeStart (I) Initiates a field upgrade session SHS, SHA3, KBKDF, CKG, fuSigKey CO E Approved ECC (signature verification) TPM2_VendorCmdFieldUpgradeData (I) Conveys firmware in a field upgrade SHS None CO N/A Approved session TPM2_ContextSave KBKDF, HMAC, AES, CKG contextEncKey CO G, E, Z Approved FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Saves a session context, object objSeed, objSens, objPub, R context, or sequence object context objAuth outside the TPM nullProof, phProof, ehProof, E shProof, contextEncKey, contextKey TPM2_ContextLoad Reloads a context that has been KBKDF, HMAC, AES, CKG contextEncKey CO G, E, Z Approved saved by TPM2_ContextSave() objSeed, objSens, objPub, R objAuth nullProof, phProof, ehProof, E shProof, contextEncKey, contextKey TPM2_FlushContext Causes all context associated with a None objSeed, objSens, objPub, CO Z Approved loaded object, sequence object, or sesHmacKey, sesSymKey session to be removed from TPM memory TPM2_EvictControl (I) Allows certain Transient Objects to None objSeed, objSens, objPub, CO R, W, Z Approved be made persistent or a persistent objAuth object to be evicted sesHmacKey, sesSymKey R, W TPM2_ReadClock (I) Reads the current None None CO N/A Non-security TPMS_TIME_INFO structure relevant TPM2_ClockSet (I) Advances the value of the TPM’s None None CO N/A Non-security clock relevant TPM2_ClockRateAdjust (I) Adjusts the rate of advance of Clock None None CO N/A Non-security and Time relevant TPM2_GetCapability (I) Returns various information None None CO N/A Non-security regarding the TPM and its current relevant state TPM2_TestParms (I) Checks if specific combinations of None None CO N/A Non-security algorithm parameters are supported relevant TPM2_NV_DefineSpace (I/D) Defines the attributes of an NV Index None nvAuth CO W Approved and causes the TPM to reserve space to hold the data associated with the NV Index TPM2_NV_UndefineSpace (I) Removes an Index from the TPM None nvAuth CO Z Approved FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_NV_UndefineSpaceSpecial (I) Removal of a platform-created NV None nvAuth CO Z Approved Index that has TPMA_NV_POLICY_DELETE SET TPM2_NV_ReadPublic (I/E) Reads the public area and Name of SHS, SHA3 None CO N/A Approved an NV Index TPM2_NV_Write (I/D) Writes a value to an area in NV None None CO N/A Non-security memory that was previously defined relevant by TPM2_NV_DefineSpace() TPM2_NV_Increment (I) Increments the value in an NV Index None None CO N/A Non-security that has the TPM_NT_COUNTER relevant attribute TPM2_NV_Extend (I/D) Extends a value to an area in NV SHS, SHA3 None CO N/A Approved memory that was previously defined by TPM2_NV_DefineSpace() TPM2_NV_SetBits (I) Sets bits in an NV Index that was None None CO N/A Non-security created as a bit field relevant TPM2_NV_WriteLock (I) Inhibits further writes of the NV Index None None CO N/A Non-security if the TPMA_NV_WRITEDEFINE or relevant TPMA_NV_WRITE_STCLEAR attributes of an NV location are SET TPM2_NV_GlobalWriteLock (I) Sets TPMA_NV_WRITELOCKED for None None CO N/A Non-security all indexes that have their relevant TPMA_NV_GLOBALLOCK attribute SET TPM2_NV_Read (I/E) Reads a value from an area in NV None None CO N/A Non-security memory previously defined by relevant TPM2_NV_DefineSpace() TPM2_NV_ReadLock (I) Prevents further reads of the NV None None CO N/A Non-security Index until the next TPM2_Startup relevant (TPM_SU_CLEAR) if TPMA_NV_READ_STCLEAR is SET TPM2_NV_ChangeAuth (I/D) Allows the authValue of an NV Index None nvAuth CO W Approved to be changed TPM2_NV_Certify (I/E/D) Certifies the contents of an NV Index SHS, SHA3, HMAC, objSens CO E Approved or portion of an NV Index ECC (signature generation), RSA (signature generation) TPM2_VendorCmdSetMode (I) Sets the low power mode None None CO N/A Non-security relevant FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_VendorCmdSetCommandSet (I) Activates and locks commands None None CO N/A Non-security relevant TPM2_VendorCmdSetCommandSetLock (I) Prevents locking commands None None CO N/A Non-security relevant TPM2_VendorCmdGetRandom2 (I/E) Get random value from DRBG DRBG drbgState CO W, E Approved TPM2_VendorCmdGPIOConfig (I) Configures GPIO None None CO N/A Non-security relevant TPM2_VendorCmdGetRandom800_90B (I/E) Get random value from ESV (Cert. ENT None CO N/A Approved #E41) TPM2_VendorCmdChangeObjectDeletionAuth Modifies deletion authorization for an None None CO N/A Non-security (I) object relevant TPM2_VendorCmdRestoreEK (I) Restore EK RSA or EK ECC in case None ekRsa, ekEcc CO W Approved of deletion by TPM2_ChangeEPS TPM2_VendorCmdZeroizeEK (I) Zeroise EK RSA and EK ECC None ekRsa, ekEcc CO Z Approved TPM2_PP_Commands Determines which commands require None None CO N/A Non-security assertion of Physical Presence relevant Integrity mechanism provided by sessions 1 This service is not callable from TPM SHS, SHA3, DRBG, KBKDF, sesHmacKey CO E, Z Approved interface but is only used internally HMAC, CKG by any command and response with an authorization area. It consists in computing the integrity of the received command or transmitted response. Encryption mechanism provided by sessions 2 This service is not callable from TPM SHS, SHA3, DRBG, KBKDF, sesSymKey CO G, E, Z Approved interface but is only used internally CKG, AES, XOR by any command and response with an encryption or decryption session. It consists in decrypting the first parameter of a received command or encrypting the first parameter of a transmitted response. Table 22 - Approved Services The internal security function is not directly callable from the security module external interfaces. Function is used (or might be used) by the services listed in this table. When a service is usable with a session, (I) is added next to the service name. When a service can additionally use the encryption mechanism of a session, (I/E) is added next to the service name. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Name Description Algorithms Accessed Role Indicator TPM2_Create Creation or loading of an ECC key with a non-approved elliptic curve: ECC BN P-256 CO Not approved TPM2_CreateLoaded
TPM2_HMAC_Start HMAC generation with a key length < 112 bits HMAC CO Not approved TPM2_SequenceUpdate TPM2_SequenceComplete TPM2_Certify Digital signature with a non-approved signature scheme: ECDAA, CO Not approved TPM2_CertifyCreation
Digital signature with an ECC or RSA key loaded in the NULL hierarchy RSA, ECDSA TPM2_PolicySigned Digital signature verification with a non-approved signature scheme or a non- ECDAA, CO Not approved approved curve: ECSchnorr,
A block diagram of the FW is provided in Figure 9. Core Memory Loader Sequencer Sequencer HWINTF HWINTF library TPM2.0 commands library TPM2.0 commands TPM2.0 core TPM2.0 core Memory Memory management and management and low-level services low-level services Cryptographic Cryptographic library library TPM instance #1 TPM instance #2 Figure 9 - FW Block Diagram FW integrity is verified by computing an EDC (CRC-16 ISO 13239) over the active FW and comparing it to a reference value. FW integrity is verified during boot sequence before execution of one of the code blocks (CML and TPM) and can be triggered on demand by the operator with the execution of the service TPM2_SelfTest (full parameter must be set to YES) or TPM2_IncrementalSelfTest. If failure is detected during boot sequence, TPM enters an infinite reset loop that can be exit only by a power-off/power-on sequence. If failure is detected during self-tests, the security module enters failure mode. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Module operational environment is “limited” because it allows loading authenticated firmware that meets all applicable requirements of [FIPS 140-3] standard. Loading of FW on the security module can be achieved by using two services:
The security module is production grade and meets the Physical Security protection requirements for single-chip module at FIPS 140-3 Level 3.
Zeroisation of CSPs can be triggered by specific services (as detailed in Table 21 - Approved Services). It occurs in a sufficiently small time-period to prevent the recovery of the sensitive data between start of zeroisation and the zeroisation completeness.
The security module is encapsulated in a hard opaque package to prevent direct observation of internal security components. It implements additional security mechanisms:
Physical security Recommended Frequency Inspection/Test Guidance mechanism of Inspection/Test Details Hard opaque package Dependent on the security Visual inspection of the module integration package to confirm that it environment varies from has not been damaged by once per month to once per an external action year Active metal shield Continuously monitored The tests are automatically when security module is performed by the security Environmental conditions powered on module. When abnormal circuitry conditions are detected, the module resets and enters one of the error modes (see §11.3.3) as detailed in §7.2. The cause of the reset can be known with the command TPM2_GetTestResult. Table 24 - Physical Security Inspection Guidelines FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
EFT has been performed for all security module configurations. Low and high temperatures have been measured at a nominal voltage of 3.3V. Low and high voltage have been measured at ambient temperature (25°C). The nominal operating ranges are:
Temperature or Specify EFP or Specify if this voltage EFT condition results measurement in a shutdown or zeroisation Low Temperature -60°C EFT Shutdown High Temperature 145°C Low Voltage 1.5V High Voltage 4.3V Table 25 - EFP/EFT
Temperature or Specify EFP or Specify if this voltage EFT condition results measurement in a shutdown or zeroisation Low Temperature -70°C EFT Shutdown High Temperature 145°C Low Voltage 1.4V High Voltage 4.3V Table 26 - EFP/EFT
Temperature or Specify EFP or Specify if this voltage EFT condition results measurement in a shutdown or zeroisation Low Temperature -60°C EFT Shutdown High Temperature 145°C Low Voltage 1.4V High Voltage 4.3V Table 27 - EFP/EFT FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Temperature or Specify EFP or Specify if this voltage EFT condition results measurement in a shutdown or zeroisation Low Temperature -70°C EFT Shutdown High Temperature 145°C Low Voltage 1.4V High Voltage 4.3V Table 28 - EFP/EFT
Temperature or Specify EFP or Specify if this voltage EFT condition results measurement in a shutdown or zeroisation Low Temperature -70°C EFT Shutdown High Temperature 145°C Low Voltage 1.4V High Voltage 4.3V Table 29 - EFP/EFT
Temperature or Specify EFP or Specify if this voltage EFT condition results measurement in a shutdown or zeroisation Low Temperature -70°C EFT Shutdown High Temperature 160°C Low Voltage 1.4V High Voltage 4.3V Table 30 - EFP/EFT
Hardness Tested Temperature Measurement Low Temperature 25°C High Temperature 25°C Table 31 - Hardness Testing Temperature Ranges FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
The security module does not claim support of non-invasive security attack mitigation techniques referenced in [NIST SP800-140F]. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Table 31 below lists the SSP storage methods. Name Description Persistence Type Dynamic RAM Volatile memory used to store SSPs between two consecutive resets or power-on/power-off sequence of the security module. Dynamic SSPs doesn’t persist after command execution. Static RAM Volatile memory used to store SSPs between two consecutive resets or power-on/power-off sequence of the security module. Static SSPs persist after command execution. NVRAM Non-volatile memory (flash-based) used to store SSPs and make them persistent to a reset or a power-off/power-on sequence of the security module Static Table 32 - Storage Areas
Table 32 below lists the SSP input and output methods. Name From To Format type Distribution type Entry type SFI or Algorithm [O] Input plaintext to NVRAM Outside of cryptographic NVRAM Plaintext Manual or Automated Electronic None boundary Input protected to NVRAM Outside of cryptographic NVRAM Encrypted Manual or Automated Electronic KTS (AES cert + HMAC cert) (A2553 + A2551) boundary Input plaintext to RAM Outside of cryptographic Static RAM Plaintext Manual or Automated Electronic None boundary Input protected to RAM Outside of cryptographic Static RAM Encrypted Manual or Automated Electronic KTS (AES cert + HMAC cert) (A2553 + A2551) boundary Output plaintext from NVRAM NVRAM Outside of cryptographic Plaintext Manual or Automated Electronic None boundary Output protected from NVRAM NVRAM Outside of cryptographic Encrypted Manual or Automated Electronic KTS (AES cert + HMAC cert) (A2553 + A2551) boundary Output plaintext from RAM Static RAM Outside of cryptographic Plaintext Manual or Automated Electronic None boundary Output protected from RAM Static RAM Outside of cryptographic Encrypted Manual or Automated Electronic KTS (AES cert + HMAC cert) (A2553 + A2551) boundary Input asym. encrypted to RAM Outside of cryptographic Static RAM Encrypted Manual or Automated Electronic KTS-IFC (A2554) boundary KAS (A2555) Output asym. encrypted to Static RAM Outside of cryptographic Encrypted Manual or Automated Electronic KTS-IFC (A2554) RAM boundary KAS (A2555) Input during manufacturing Outside of cryptographic NVRAM Obfuscated Automated Electronic None boundary Table 33 - SSP Input-Output Methods
Table 33 below lists the SSP zeroisation methods. Method Description Rationale Operator Initiation Capability Reset Zeroisation of all volatile SSPs - Activation of reset signal TPM2_Clear Zeroisation of all contexts associated with an Owner SSPs linked to an Owner must not persist if the Owner changes Send TPM2_Clear command TPM2_Startup Zeroisation of platformAuth Zeroise platformAuth before its first use after a reset Send TPM2_Startup command TPM2_ChangePPS Zeroise the platform primary seed and flush all transient Platform hierarchy renewal Send TPM2_ChangePPS command and persistent objects in the Platform hierarchy FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
TPM2_ChangeEPS Zeroise the endorsement primary seed and flush all Endorsement hierarchy renewal Send TPM2_ChangeEPS command transient and persistent objects in the Endorsement hierarchy TPM2_EvictControl Zeroise an object from NVRAM Method required to zeroise a dedicated object in NVRAM Send TPM2_EvictControl command TPM2_FlushContext Zeroise an object from RAM Method required to zeroise a dedicated object in RAM Send TPM2_FlushContext command Automatic Zeroise SSPs at the end of a command processing Method for limited life-cycle SSPs No, zeroisation is automatic. TPM2_NV_UndefineSpace Zeroise a NV index Method required to flush NV indices from NVRAM Send TPM2_NV_UndefineSpace command. TPM2_NV_UndefineSpaceSpecial Send TPM2_NV_UndefineSpaceSpecial command TPM2_VendorCmdZeroizeEK Zeroise the endorsement key provisioned Mandatory zeroisation method for EK SSPs Send TPM2_ZeroizeEK command TPM2_SequenceComplete Zeroise a hash or HMAC sequence Method required to flush sequences from RAM Send TPM2_SequenceComplete command. TPM2_EventSequenceComplete Send TPM2_EventSequenceComplete command Table 34 - SSP Zeroisation Methods
Table 34 below list all the SSPs in the security module. Name 1 Description Size Strength Type Generated Established Inputs / Outputs Storage Zeroisation Used by 3 Category Related SSPs (bits) by 2 by nullProof Proof (secret 512 256 Symmetric key DRBG Internal - Obfuscated in Reset • KBKDF CTR to generate context CSP contextEncKey is derived value) of the null Static RAM encryption key and IV (cf. [TPM2.0 from nullProof / phProof / hierarchy Part1] §30.3.1) ehProof phProof Proof (secret 512 256 Symmetric key DRBG Internal - Obfuscated in TPM2_ChangePPS CSP nullProof / phProof / • HMAC SHA2-384 to compute value) of the NVRAM ehProof are derived from context blob integrity (cf. [TPM2.0 platform drbgState Part1] §30.3.2) hierarchy ehProof Proof (secret 512 256 Symmetric key DRBG Internal - Obfuscated in TPM2_ChangeEPS • HMAC SHA2-384 to CSP value) of the NVRAM compute/verify tickets endorsement hierarchy shProof Proof (secret 512 256 Symmetric key DRBG Internal - Obfuscated in TPM2_Clear • KBKDF CTR to generate context CSP contextEncKey is derived value) of the NVRAM encryption key and IV (cf. [TPM2.0 from shProof storage hierarchy Part1] §30.3.1) shProof is derived from • HMAC SHA2-384 to compute drbgState context blob integrity (cf. [TPM2.0 Part1] §30.3.2) • HMAC SHA2-384 to compute/verify tickets • KBKDF CTR to generate obfuscation value used in attestation commands (cf. [TPM2.0 Part1] §36.7) shProofForReseed Random value 512 256 Entropy source ESV Internal - Obfuscated in TPM2_Clear DRBG for reseed before generating CSP drbgState is reseeded with NVRAM objSeed PSP in the endorsement shProofForReseed hierarchy (cf. [TPM2.0 Part1]) platformAuth Authentication 512 128 to 256 Authentication Set to 0 by Internal / Input protected to RAM Obfuscated in TPM2_Startup • HMAC SHS/SHA3 authorization in CSP sesHmacKey can be value for the (depending value / default at External Static RAM case of unsalted and unbound derived from platformAuth platform on the Symmetric key each reset / - or session / endorsementAuth / hierarchy underlying Input plaintext to RAM ownerAuth / lockoutAuth hash • KBKDF CTR to generate session algorithm (as parameter of key used in HMAC authorization in used) TPM2_HierarchyChangeAuth) case of bound session Temporary storage duration column was removed for readability purpose because when temporary storage is indicated, duration corresponds to the duration of a command execution. The algorithms indicated in this column correspond to the certified algorithms listed in Table
endorsementAuth Authentication 512 Authentication Set to 0 by Internal / Obfuscated in TPM2_Clear
4096 private key Input plaintext to RAM NVRAM TPM2_ChangeEPS
(RSA) (AES all modes) protect objSens 128, 192,
256 (AES)
256, 384 (RSA all modes) primary objects, from (ECC)
1 to 1024 ECDSA, HMAC all modes) objects and derived from
(HMAC)
4096 RSA key NVRAM TPM2_ChangeEPS 384, RSASSA-PKCS-v1.5,
(RSA) generation / RSASSA-PSS) 512,768 -
SHA2-256, SHA2-384, SHA3256, SHA3-384) nvAuth Authorization of 1 to 384 1 to 256 Authentication User External Input protected to RAM Obfuscated in TPM2_NV_UndefineSpace HMAC SHS/SHA3 and/or KBKDF CTR CSP sesHmacKey can be NV index value / Input plaintext to RAM NVRAM TPM2_NV_UndefineSpaceSpecial keys or part of keys in session based derived from nvAuth Symmetric key Changed with command on HMAC or password (usage is the TPM2_NV_ChangeAuth. same than for endorsementAuth, New input nvAuth value ownerAuth, platformAuth and can be wrapped by lockoutAuth) sesSymKey and integrity protected by sesHmacKey sesSalt Salt for keys 160, 256, 128 to 256 Symmetric key User External Input protected to RAM Obfuscated in Automatic Part of KBKDF CTR key to generate the CSP sesHmacKey is derived diversification 384 Dynamic RAM sesHmacKey CSP (cf. [TPM2.0 Part1 from sesSalt sesHmacKey HMAC session 160, 256, 128 to 256 Symmetric key KBKDF Internal / Input protected to RAM Obfuscated in Automatic
ekRsa Provisioned RSA 2048, 112 to 128 RSA private RSA key External Input during manufacturing Obfuscated in TPM2_ZeroizeEK KTS-IFC KTS-OAEP basic CSP ekRsa is copied in endorsement key 3072 key generation NVRAM objSens ekEcc Provisioned ECC 256, 384 128 to 192 ECC private ECDSA key External Input during manufacturing Obfuscated in TPM2_ZeroizeEK KAS ECC one pass DH service CSP ekEcc is copied in objSens endorsement key key generation NVRAM fuSigKey Field upgrade 384 192 ECC public ECDSA key External Input during manufacturing Obfuscated in - ECDSA SHA2-384 signature PSP signature key generation NVRAM verification on a FW upgrade start verification key command seqAuth Authorization 1 to 384 1 to 256 Authentication User External Input plaintext to RAM Obfuscated in TPM2_SequenceComplete HMAC SHS/SHA3 and/or KBKDF CTR CSP sesSymKey and value for hash or value / Input protected to RAM NVRAM TPM2_EventSequenceComplete keys or part of keys in session based sesHmacKey are derived HMAC sequence Symmetric key on on HMAC or password for from seqAuth TPM2_HashSequenceStart or TPM2_SequenceUpdate, TPM2_HMAC_Start TPM2_SequenceComplete or commands TPM2_EventSequenceComplete commands authorizations Table 35 - SSPs (List of Keys) Name 1 Description Size (bits) Strength Type Generated Established Inputs / Storage Zeroisation Used by 3 Category Related SSPs by 2 by Outputs nullSeed Seed of the null hierarchy 512 256 Seed ESV (Cert. Internal - Obfuscated in Static RAM Reset DRBG HASH_based SHA2-256 to generate CSP tdrbgState is #E41) random used for sensitive part creation of instantiated by primary keys (prime numbers for RSA and nullSeed / phSeed / phSeed Seed of the platform hierarchy 512 256 Seed ESV (Cert. Internal - Obfuscated in NVRAM TPM2_ChangePPS private key for ECC / KEYEDHASH / CSP ehSeed / shSeed #E41) SYMCIPHER objects) and objSeed CSP ehSeed Seed of the endorsement hierarchy 512 256 Seed ESV (Cert. Internal - Obfuscated in NVRAM TPM2_ChangeEPS creation for all types of primary keys. CSP #E41) shSeed Seed of the storage hierarchy 512 256 Seed ESV (Cert. Internal - Obfuscated in NVRAM TPM2_Clear CSP #E41) drbgState Internal state (V and C secret values) 256 256 State DRBG Internal - Obfuscated in Static RAM TPM2_Clear Random numbers and seeds CSP drbgState is seeded of the DRBG (based on SHA2-256) by drbgSeed drbgSeed Seed value for the DRBG 512 256 Seed ESV (Cert. Internal - Obfuscated in Dynamic RAM Automatic drbgState CSP drbgSeed seeds #E41) drbgState tdrbgState Internal state (V and C secret values) 256 256 State DRBG Internal - Obfuscated in Dynamic RAM Automatic Prime numbers generation for primary RSA CSP tdrbgState is of the transient DRBG (based on keys instantiated by SHA2-256) used to generate prime nullSeed / phSeed / numbers for primary RSA keys. ehSeed / shSeed Table 36 - SSPs (Not Used as Keys) Next table gives the security strength of a key depending on the underlying algorithm used and its size. Algorithm Underlying algorithm Key size (bits) Security strength (bits) KBKDF SHA-1 size ≥ 128 128 size < 128 Key size SHA2-256 size ≥ 192 192 size < 192 Key size SHA2-384 size ≥ 256 256 size < 256 Key size HMAC SHA-1 size ≥ 128 128 size < 128 Key size SHA2-256 size ≥ 192 192 Temporary storage duration column was removed for readability purpose because when temporary storage is indicated, duration corresponds to the duration of a command execution. The algorithms indicated in this column correspond to the certified algorithms listed in Table
size < 192 Key size SHA2-384 size ≥ 256 256 size < 256 Key size DRBG SHA2-256 - 256 AES - 128 128 - 192 192 - 256 256 RSA - 2048 112 - 3072 128 - 4096 142 ECC - 256 128 - 384 192 Table 37 - Security Strength of a Key Depending on the Underlying Algorithm Used and its Size FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
The security module implements:
512 bits issued from the ESV (Cert. #E41). Hash-DRBG is used for any generation of
random values used as SSP in a cryptographic operation. It can be reseeded by using the service TPM2_StirRandom.
FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Self-tests run by the cryptographic module are split into two categories:
In case of self-test failure, the security module outputs the return code TPM_RC_FAILURE as defined in [TPM2.0 Part2] via the status interface and the module enters the failure state. In failure state, the module does not perform any cryptographic functions and all data output via the data output interface are inhibited. The only usable services in failure state are TPM2_GetTestResult and TPM2_GetCapability to get a status on the functionality whose selftest failed. Failure can be exit by resetting the security module. If pre-operational self-tests passed successfully, no success status is indicated but commands that require self-tests to be completed can be successfully executed.
The module performs the following pre-operational self-tests: Test Algorithm Implementation Test properties Type Indicator Details Method Firmware NA CRC-16 EDC Integrity FW integrity is verified by integrity Test computing an EDC (CRC-16 ISO 13239) and comparing it to reference values. HW integrity NA HW registers Critical HW integrity is guaranteed via verification Function Processing of check of HW sensors. If failure TPM2_Startup is detected during boot command sequence, status is set to indicates tests FAIL, and error is returned. have been run Entropy NA RCT and APT SP 800- Critical TPM performs AIS31 and 90B Health- Function SP800-90B (RCT and APT) Tests start-up health tests on ESV (Cert. #E41) output sequence. If test fails, test status is set to FAIL, and an error is returned. Table 38 - Pre-Operational Self-Tests
The Module performs the following conditional self-tests: Test Test Algorithm Implementation Type Indicator 1 Details Condition properties Method Firmware NA CRC-16 EDC Integrity FW integrity is verified by integrity Test computing an EDC (CRC-16 TPM2_SelfTest Bit #1 clear (full = YES) ISO 13239) and comparing it to reference values. Bit index indicated corresponds to the index in the algo_status field in the TPM2_GetTestResult response. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
HW integrity NA NA Flags Critical HW integrity is guaranteed via verification Function check of HW sensors. If failure is detected during boot sequence, status is set to FAIL, and error is returned. Entropy NA RCT and APT SP 800- Critical AIS31 and SP800-90B (RCT 90B Function and APT) start-up health tests Health- on ESV (Cert. #E41) output Tests sequence. If test fails, test status is set to FAIL, and error is returned. Hash-DRBG NA Seed (64 KAT CAST Instantiate then Reseed are bytes) seeded with a known seed value. Random is then generated with Generate API to output a 32-bytes value compared to a reference value (single test sequence done in accordance with §11.3 of [SP800-90A]). SHA1 Known data Bit #1 clear Hash of known data and (16 bytes) comparison of output to an expected digest (20 bytes). SHA2-256 Certs #A2548 Bit #2 clear Hash of known data and and #A2549 comparison of output to an implementations expected digest (32 bytes). SHA2-384 Bit #3 clear Hash of known data and comparison of output to an expected digest (48 bytes). SHA3_256 NA Bit #4 clear Hash of known data and comparison of output to an expected digest (32 bytes). HMAC SHA1 Certs #A2551 known data Bit #5 clear HMAC on known data and and #A2552 (16 bytes) known key. Comparison of implementations known key (16 output to an expected MAC bytes value (20 bytes). KDF SP800- NA known data Bit #6 clear KDF on known data and known
108 (16 bytes) label. Comparison of output to
known label an expected derivation value (“TEST”) (32 bytes). TPM2_SelfTest (full = YES) AES NA known data Bit #7 clear AES CBC 128 encryption of (32 bytes) known data compared to a or known key (16 reference value. AES CBC 128 TPM2_SelfTest bytes) known decryption of encrypted data (full = NO) IV (16 bytes). and comparison to the initial plaintext data. or TPM2_Increme KAS NA known private Bit #8 clear Primitive “Z” Computation and ntalSelfTest key d (32 key derivation are or bytes) known implemented: a known private point P (2*32 key d is used with a known Execution of bytes) point P of NIST P-256 curve to command NIST P-256 compute Q = dP. Key requiring curve derivation of Q performed with algorithm SHA-1 underlying algorithm to output a key of 20 bytes that is or compared to a refence value. Automatic execution ECDSA NA Known key Bit #9 clear ECDSA signature generation (256 bits) on known data with known key known data and k. Output of signature is (20 bytes) compared to a reference signature. Signature verification fixed k (20 performed on the generated bytes) signature. NIST P-256 curve FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
RSA NA Known key Bit #10 clear RSA signature generation on (2048 bits) known data with a known key. known data Output of signature is (20 bytes) compared to a reference signature. Signature verification RSASSA- performed on the generated PKCS1-v1_5 signature (covers also KTS-IFC functionality). FW load NA ECDSA NIST Firmware Bit #1 clear Verification of chained digest P-384) load and signature (ECDSA NIST PSHA2-384 384) to ensure authentication of the FW RSA key NA known data PCT PCT Key creation Depending on the key purpose RSA key generation (16 bytes) failure (signing or encrypting) generation indicated in sign attribute of the key, en/decryption or signing/verification is done on known data. ECC key NA fixed k (20 PCT PCT Key creation Depending on the key purpose ECC key generation bytes) failure (signing or key establishment) generation NIST P-256 an ECDSA signature is generated (k fixed and the or message varies) and verified NIST P-384 with pairwise consistency test as defined by SP800-56Ar3. Table 39 - Conditional Self-Tests
Successful completion of self-tests can be verified through use of TPM2_GetTestResult command. The first 4 bytes of response indicate self-tests status. If they are equal to 0, selftests completed successfully. If not, the subsequent 4 bytes indicate the list of algorithms not fully self-tested. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
During installation of the module:
No initialization procedures are required.
TPM is operated in an approved mode of operation as long as no non-approved service using a non-approved algorithm (listed resp. in Table 22 and Table 21), is used. No specific rules of operation are required to operate this module at FIPS 140-3 Level 1. To check if the TPM is in the approved mode of operation, TPM2_GetCapability (capability = TPM_CAP_VENDOR_PROPERTIES) with the sub-capability TPM_SUBCAP_VENDOR_TPMA_MODES = 0x7 shall be used If bits 2 and 3 of the returned 32-bit value are set to 01b, the last command run prior to the execution of TPM2_GetCapability (same capability and sub-capability) was executed in an approved mode of operation by the TPM.
TPM is in normal operation mode when all pre-operational and conditional self-tests (apart from FW load and PCT tests) are complete. All approved and non-approved services are listed respectively in Table 21 and Table 22 with the corresponding indicator reporting if the service uses an approved cryptographic algorithm or security function.
TPM may reach specific states depending on the sequence of operations that occurred.
The shutdown mode is an infinite HW reset loop that may be exit only by a power-off/poweron sequence. This state is entered when TPM detects a failure of the FW integrity verification during the TPM boot sequence. No output control or data is available in this mode.
Failure state is a state of the TPM that restricts the executable commands to TPM2_GetCapability and TPM2_GetTestResult (status services). TPM answers to all other commands with the error code TPM_RC_FAILURE (0x101) and doesn’t process the requested service. This state is entered when a self-test fails (except FW integrity test during the boot sequence). This state can be exit with a reset of the TPM.
The module enters a non-approved mode if one of the non-approved services listed in Table
22 is used by the operator. To check if the TPM is in a non-approved mode of operation,
TPM2_GetCapability (capability = TPM_CAP_VENDOR_PROPERTIES) with the subcapability TPM_SUBCAP_VENDOR_TPMA_MODES = 0x7 shall be used. If bits 2 and 3 of the returned 32-bit value are set to 10b or 00b, the last command run prior to the execution of TPM2_GetCapability (same capability and sub-capability) was executed in a non-approved mode of operation or was non-security relevant, respectively.
End-of-life of the product requires the following zeroisation commands to be executed: FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
The security module does not claim mitigation of other attacks. FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Reference Document TPM2.0 standard [TPM2.0 Part1] TPM2.0 Main, Part 1, Architecture, rev 1.59, TCG [TPM2.0 Part2] TPM2.0 Main, Part 2, Structures, rev 1.59, TCG [TPM2.0 Part3] TPM2.0 Main, Part 3, Commands, rev 1.59, TCG [TPM2.0 Part4] TPM2.0 Main, Part 4, Supporting routines, rev 1.59, TCG [TPM2.0 PTP] TCG PC Client Platform TPM Profile (PTP) Specification, rev. 1.05 FIPS 140-3 standard [ISO/IEC 19790] Information technology
Reference Document [FIPS 140-3 IG] National Institute of Standards and Technology and Canadian Centre for Cyber Security, Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program NIST approved security functions [SP800-131Ar2] National Institute of Standards and Technology, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, March 2019. [FIPS 197] National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 2001 [SP800-38A] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Methods and Techniques, December 2001. [SP800-38F] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, December 2012. [FIPS 186-4] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July 2013 [FIPS 180-4] National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August 2015 [FIPS 202] National Institute of Standards and Technology, SHA3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015 [FIPS 198-1] National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code, NIST Computer Security Division Page 3 07/26/2011, (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008 [SP800-135] National Institute of Standards and Technology, Recommendation for Existing Application-Specific Key Derivation Functions, December 2011. [SP800-108] National Institute of Standards and Technology, Recommendation for Key Derivation Using Pseudorandom Functions, October 2009. [SP800-90A] National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, June 2015. [SP800-56A] Rev 3 National Institute of Standards and Technology, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, April 2018. [SP800-56B] Rev 2 National Institute of Standards and Technology, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography, March 2019 [SP800-56C] Rev 1 National Institute of Standards and Technology, Recommendation for Key-Derivation Methods in Key-Establishment Schemes, April 2018 [SP800-133] Rev 2 National Institute of Standards and Technology, Recommendation for Cryptographic Key Generation, June 2020 FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
Term Definition AES Advanced Encryption Standard CO Crypto Officer DES Data Encryption Standard DSAP Delegate Specific Authorization Protocol EK Endorsement Key FIPS Federal Information Processing Standard FUM Field Upgrade Mode GPIO General Purpose I/O HMAC Keyed-Hashing for Message Authentication HW Hardware KDF Key derivation function NIST National Institute of Standards and Technology NV Non-volatile (memory) OIAP Object-Independent Authorization Protocol OSAP Object Specific Authorization Protocol PCR Platform Configuration Register RSA Rivest Shamir Adelman RTM Root of Trust for Measurement RTR Root of Trust for Reporting SHA Secure Hash Algorithm SPI Serial Peripheral Interface SRK Storage Root Key TCG Trusted Computed Group TPM Trusted Platform Module TSS TPM Software Stack FIPS140-3 SECURITY POLICY NON-PROPRIETARY DOCUMENT
IMPORTANT NOTICE