| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Single Chip |
| Status | Active |
| Sunset date | 12/7/2030 |
| Caveat | When installed, initialized and configured as specified in Section 11 of the Security Policy; When operated in approved mode |
| Vendor | STMicroelectronics |
flowchart LR
%% Deterministic review-risk graph for Trusted Platform Module ST33KTPM2A / ST33KTPM2I
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery<br/>upgrade<br/>update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status output</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C6 clue;
class I2,I3,I6 infer;
class R2,R3,R6 risk;
class E2,E3,E6 evidence;flowchart LR
%% Deterministic clue tier for Trusted Platform Module ST33KTPM2A / ST33KTPM2I
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery<br/>upgrade<br/>update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>UnAuth<br/>Status output</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C6 clueLow;STMicroelectronics Trusted Platform Module ST33KTPM2A / ST33KTPM2I Document Version: 04-02 Date: 2025-11-13 Public Material
| # | Section | Page |
|---|
Public Material
| Item | Page |
|---|---|
| Table 1: Security Levels | 6 |
| Table 2: Tested Module Identification – Hardware | 9 |
| Table 3: Modes List and Description | 11 |
| Table 4: Approved Algorithms | 13 |
| Table 5: Vendor-Affirmed Algorithms | 13 |
| Table 6: Non-Approved, Allowed Algorithms | 14 |
| Table 7: Non-Approved, Allowed Algorithms with No Security Claimed | 14 |
| Table 8: Non-Approved, Not Allowed Algorithms | 15 |
| Table 9: Security Function Implementations | 18 |
| Table 10: Entropy Certificates | 18 |
| Table 11: Entropy Sources | 19 |
| Table 12: Ports and Interfaces | 20 |
| Table 13 – UFQFPN32 / UFQFPN32 WF Pins Definition | 22 |
| Table 14 – TSSOP20 Pins Definition | 23 |
| Table 15 – WLCSP24 Pins Definition | 24 |
| Table 16: Authentication Methods | 25 |
| Table 17: Roles | 26 |
| Table 18 – Mapping between services | 26 |
| Table 19: Approved Services | 62 |
| Table 20: Non-Approved Services | 67 |
| Table 21: Mechanisms and Actions Required | 71 |
| Table 22: EFP/EFT Information | 72 |
| Table 23: Hardness Testing Temperatures | 73 |
| Table 24: Storage Areas | 75 |
| Table 25: SSP Input-Output Methods | 76 |
| Table 26: SSP Zeroization Methods | 77 |
| Table 27: SSP Table 1 | 79 |
| Table 28: SSP Table 2 | 82 |
| Table 29 – Security Strength of a Key Depending on the Underlying Algorithm Used and its Size | 83 |
| Table 30: Pre-Operational Self-Tests | 84 |
| Table 31: Conditional Self-Tests | 85 |
| Table 32: Pre-Operational Periodic Information | 86 |
| Table 33: Conditional Periodic Information | 87 |
| Table 34: Error States | 87 |
| Table 35 – List of policy commands to use in a policy session | 89 |
| Table 36 – ZA9 Module Configuration | 89 |
| Table 37 – AC5 Module Configuration | 90 |
| Table 38 – ZB1 Module Configuration | 90 |
| Table 39 – AD6 Module Configuration | 90 |
| Table 40 – References | 95 |
| Table 41 – Acronyms and Definitions | 96 |
| Figure 1 – HW block diagram | 8 |
Public Material
This document is the non-proprietary FIPS 140-3 Security Policy for the STMicroelectronics Trusted Platform Module ST33KTPM2A / ST33KTPM2I (ST33KTPM2A is also branded commercially “STSAFE-V100TPM”). It contains the security rules under which the Module must operate and describes how this module meets the requirements as specified in FIPS PUB 140-3 (Federal Information Processing Standards Publication 140-3) for an overall Security Level 2 module.
The FIPS 140-3 security levels for the Module are listed in table below: Section Title Security Level
1 General 2
2 Cryptographic module specification 2
3 Cryptographic module interfaces 2
4 Roles, services, and authentication 2
5 Software/Firmware security 2
6 Operational environment N/A
7 Physical security 3
8 Non-invasive security N/A
9 Sensitive security parameter management 2
10 Self-tests 2
11 Life-cycle assurance 2
12 Mitigation of other attacks N/A
Overall Level 2 Table 1: Security Levels Public Material
The ST33KTPM2A / ST33KTPM2I module, hereafter denoted as the Module, is a fully integrated security module implementing the revision 1.59 of the Trusted Computing Group (TCG) specification for Trusted Platform Modules (TPM) version 2.0.
Purpose and Use: The Module is intended for use by US Federal agencies or other markets that require FIPS 140-3 validated Level 2. The Module is designed to be integrated into personal computers or any other embedded electronic systems. TPM is primarily used for cryptographic keys generation, keys storage, keys management and secure storage for digital certificates. Module Type: Hardware Module Embodiment: SingleChip Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the Module is defined as the perimeter of the IC package and both versions of the Module are represented in the next figure. The Module is composed of:
Figure 1
Tested Module Identification
ST33K1M5A dynamically during product ST33KTPM2A 0x00.0A.02.00 ST33K1M5A revB boot. Available as a (hex.) UFQFPN32WF or TSSOP20 package. SPI or I2C. The interface is exclusive and selectable
ST33K1M5A dynamically during product ST33KTPM2I 0x00.0A.02.00 ST33K1M5A revB boot. Available as a (hex.) UFQFPN32WF or WLCSP24 package. Table 2: Tested Module Identification
Figure 3
No components have been excluded from the cryptographic boundary.
Modes List and Description: Mode Description Type Status Indicator Name TPM is in normal operation mode when all preoperational and conditional selftests (apart from TPM2_GetCapability (capability = FW load and PCT TPM_CAP_VENDOR_PROPERTIES) with the tests) are sub-capability Normal complete. All Approved TPM_SUBCAP_VENDOR_TPMA_MODES = mode approved services 0x7 shall be used. It outputs a 2-bit indicator are usable. The equals to 01b if the module is in an approved corresponding mode of operation indicator reports if the service uses an approved cryptographic algorithm or security function. Public Material
Mode Description Type Status Indicator Name TPM2_GetCapability (capability = The module enters TPM_CAP_VENDOR_PROPERTIES) with the Non- a non-approved sub-capability approved mode if one of the NonTPM_SUBCAP_VENDOR_TPMA_MODES = mode of non-approved Approved 0x7 shall be used. It outputs a 2-bit indicator operation services is used by equals to 10b if the module is in a nonthe operator. approved mode of operation Table 3: Modes List and Description
Approved Algorithms: The Module implements the Approved cryptographic algorithms listed in the table below: CAVP Algorithm Properties Reference Cert Direction - Decrypt, Encrypt AES-CBC A5356 SP 800-38A Key Length - 128, 192, 256 Direction - Decrypt, Encrypt AES-CFB128 A5356 SP 800-38A Key Length - 128, 192, 256 Direction - Decrypt, Encrypt AES-CTR A5356 SP 800-38A Key Length - 128, 192, 256 Direction - Decrypt, Encrypt AES-ECB A5356 SP 800-38A Key Length - 128, 192, 256 Direction - Decrypt, Encrypt AES-OFB A5356 SP 800-38A Key Length - 128, 192, 256 ECDSA KeyGen Curve - P-256, P-384, P-521 A5358 FIPS 186-4 (FIPS186-4) Secret Generation Mode - Extra Bits ECDSA KeyVer A5358 Curve - P-256, P-384, P-521 FIPS 186-4 (FIPS186-4) Component - No ECDSA SigGen Curve - P-256, P-384, P-521 A5358 FIPS 186-4 (FIPS186-4) Hash Algorithm - SHA2-256, SHA2-384, SHA2-512, SHA3-256, SHA3-384 Component - No ECDSA SigVer Curve - P-256, P-384, P-521 A5358 FIPS 186-4 (FIPS186-4) Hash Algorithm - SHA2-256, SHA2-384, SHA2-512, SHA3-256, SHA3-384 EDDSA KeyGen A5359 Curve - ED-448 FIPS 186-5 EDDSA KeyVer A5359 Curve - ED-448 FIPS 186-5 EDDSA SigGen A5359 Curve - ED-448 FIPS 186-5 EDDSA SigVer A5359 Curve - ED-448 FIPS 186-5 Public Material
CAVP Algorithm Properties Reference Cert Prediction Resistance - No SP 800-90A Hash DRBG A5351 Mode - SHA2-256 Rev. 1 Key Length - Key Length: 8-8192 HMAC-SHA-1 A5355 FIPS 198-1 Increment 8 Key Length - Key Length: 8-8192 HMAC-SHA2-256 A5355 FIPS 198-1 Increment 8 Key Length - Key Length: 8-8192 HMAC-SHA2-384 A5355 FIPS 198-1 Increment 8 Key Length - Key Length: 8-8192 HMAC-SHA2-512 A5355 FIPS 198-1 Increment 8 Key Length - Key Length: 8-8192 HMAC-SHA3-256 A5355 FIPS 198-1 Increment 8 Key Length - Key Length: 8-8192 HMAC-SHA3-384 A5355 FIPS 198-1 Increment 8 Domain Parameter Generation Methods P-256, P-384, P-521 Function - Full Validation, Key Pair Generation Scheme fullUnified KAS Role - Initiator, Responder KAS-ECC Sp800- SP 800-56A A5358 KDF Methods 56Ar3 Rev. 3 oneStepKdf Key Length - 128 onePassDh KAS Role - Initiator, Responder KDF Methods oneStepKdf Key Length - 128 KDF Mode - Counter SP 800-108 KDF SP800-108 A5354 Supported Lengths - Supported Lengths: Rev. 1 160-512 Increment 8 Modulo - 2048, 3072, 4096 Key Generation Methods - rsakpg1-basic Scheme SP 800-56B KTS-IFC A5357 KTS-OAEP-basic Rev. 2 KAS Role - initiator, responder Key Transport Method Key Length - 256 LMS SigVer A5360 LMS Modes - LMS_SHA256_M32_H10 SP 800-208 RSA Decryption SP 800-56B Primitive Sp800-56Br2 A5357 Modulo - 2048, 3072, 4096 Rev. 2 (CVL) Key Generation Mode - probable RSA KeyGen Modulo - 2048, 3072, 4096 A5357 FIPS 186-5 (FIPS186-5) Primality Tests - 2pow100 Private Key Format - standard Public Material
CAVP Algorithm Properties Reference Cert RSA SigGen Modulo - 2048, 3072, 4096 A5357 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss RSA SigVer Modulo - 2048, 3072, 4096 A5357 FIPS 186-5 (FIPS186-5) Signature Type - pkcs1v1.5, pss Message Length - Message Length: 160, SHA-1 A5352 FIPS 180-4 0-65528 Increment 8 Message Length - Message Length: 160, SHA-1 A5353 FIPS 180-4 0-65528 Increment 8 Message Length - Message Length: 256, SHA2-256 A5352 FIPS 180-4 0-65528 Increment 8 Message Length - Message Length: 256, SHA2-256 A5353 FIPS 180-4 0-65528 Increment 8 Message Length - Message Length: 384, SHA2-384 A5352 FIPS 180-4 0-65528 Increment 8 Message Length - Message Length: 384, SHA2-384 A5353 FIPS 180-4 0-65528 Increment 8 Message Length - Message Length: 512, SHA2-512 A5352 FIPS 180-4 0-65528 Increment 8 Message Length - Message Length: 512, SHA2-512 A5353 FIPS 180-4 0-65528 Increment 8 Message Length - Message Length: 0SHA3-256 A5352 FIPS 202
Message Length - Message Length: 0SHA3-384 A5352 FIPS 202
Table 4: Approved Algorithms Vendor-Affirmed Algorithms: The Module implements the Vendor Affirmed cryptographic algorithms listed. Name Properties Implementation Reference Section 4, Example 1 of [133r2]; IG CKG Key Type:Symmetric N/A D.H CKG- Key Section 4, Example 1 of [133r2]; IG N/A Asym Type:Asymmetric D.H Table 5: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: The Module implements the Non-Approved, but Allowed cryptographic algorithms listed. Name Properties Implementation Reference ECC BP ECDSA [186] (KeyGen, PKV, SigGen, [RFC5639], IG C.A brainpool256r1: P-256 SigVer), KAS [56Ar3] ([IG]) Public Material
Name Properties Implementation Reference ECC BP ECDSA [186] (KeyGen, PKV, SigGen, [RFC5639], IG C.A brainpool384r1: P-384 SigVer), KAS [56Ar3] ([IG]) ECC BP ECDSA [186] (KeyGen, PKV, SigGen, [RFC5639], IG C.A brainpool512r1: P-512 SigVer), KAS [56Ar3] ([IG]) Table 6: Non-Approved, Allowed Algorithms Non-Approved, Allowed Algorithms with No Security Claimed: The Module implements the Non-Approved, Allowed cryptographic Algorithms with No Security Claimed. Use and Name Caveat Function No security claimed per IG 2.4.A with the example of scenario #1. The algorithm: * is not used except for this purpose * does not Obfuscation of XOR access or share CSPs in a way that counters the requirements of input or output the IG * not intended to be used as a security function. * can't be data confused for a security function Table 7: Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: The Module implements the Non-Approved, Not Allowed cryptographic algorithms listed. Name Use and Function ECC BN P-256 Key generation, digital signature generation based on ECC BN P-256 (non-compliant) ECC derived keys Secret exchange or digital signature generation/verification (non-compliant) ECDAA (nonKey generation, digital signature generation compliant) Digital signature with an ECC signing key generated with an ECDSA (non- undetermined scheme (field inPublic.buffer.parameters.scheme.scheme compliant) = TPM_ALG_NULL), derived from a derivation parent key, or a key loaded in the NULL hierarchy ECSchnorr (nonKey generation, digital signature generation and verification compliant) HMAC (nonKey length < 112 bits for message authentication compliant) KAS (non- Key agreement with an ECC key that has an undetermined scheme (field compliant) inPublic.buffer.parameters.scheme.scheme = TPM_ALG_NULL) KBKDF (nonNon-Approved key derivation usage compliant) Public Material
Name Use and Function Key encapsulation with an RSA decryption key that has an undetermined KTS-IFC (nonscheme (field inPublic.buffer.parameters.scheme.scheme = compliant) TPM_ALG_NULL) RSA (non- 1024-bit RSA digital signature generation or with a key loaded in the Null compliant) hierarchy RSA with no padding mode Key transport (null scheme) (non-compliant) RSAES-PKCS1v1_5 (non- Key transport compliant) SHA-1 (nonDigital signature generation compliant) X448 (nonKey generation, key agreement scheme based on Curve448 compliant) Table 8: Non-Approved, Not Allowed Algorithms
Next table shows the Security Function Implementations that the Module implements: Name Type Description Properties Algorithms ECDSA KeyGen (FIPS186-4): (A5358) EDDSA KeyGen: (A5359) KeyGe AsymKeyPair Key-Pair Publications:FIPS Curves: Ed448 n -KeyGen Generation 186-5 CKG-Asym: () Key Type: Asymmetric RSA KeyGen (FIPS1865): (A5357) ECDSA KeyVer (FIPS186AsymKeyPair Key-Pair Publications:FIPS 4): (A5358) KeyVer -KeyVer Verification 186-5 EDDSA KeyVer: (A5359) Curves: Ed448 KAS-ECC Sp800-56Ar3: (A5358) AsymKeyPair Key-pair KeyVal Publications:186-5 Function: Full Validation -PubKeyVal Validation KTS-IFC: (A5357) Function: partialVal AES-CBC: (A5356) AES-CFB128: (A5356) AES- Unauthenticate Publication:FIPS BC-UnAuth AES-CTR: (A5356) ENC d Encryption 197 AES-ECB: (A5356) AES-OFB: (A5356) ECDSA SigGen (FIPS186DigSig- Signature Publication:FIPS SigGen 4): (A5358) SigGen Generation 186-5 Curves: P-256, P-384, PPublic Material
Name Type Description Properties Algorithms 521, brainpool256r1, brainpool384r1, brainpool512r1 EDDSA SigGen: (A5359) Curves: Ed448 RSA SigGen (FIPS186-5): (A5357) Key Sizes: 2048, 3072, 4096 SHA: SHA2-256, SHA2384, SHA2-512, SHA3256, SHA3-384 SHA2-256: (A5352) SHA2-384: (A5352) SHA2-512: (A5352) SHA3-256: (A5352) SHA3-384: (A5352) LMS SigVer: (A5360) LMS: LMOTS_SHA256_N32_W LMS_SHA256_M32_H10 ECDSA SigVer (FIPS1864): (A5358) Curves: P-256, P-384, P521, brainpool256r1, brainpool384r1, DigSig- Signature Publications:FIPS brainpool512r1 SigVer SigVer Verification 186-5 EDDSA SigVer: (A5359) Curves: Ed448 RSA SigVer (FIPS186-5): (A5357) Key Sizes: 2048, 3072, 4096 SHA2-256: (A5352) SHA2-384: (A5352) SHA2-512: (A5352) SHA3-256: (A5352) SHA3-384: (A5352) Random Hash DRBG: (A5351) Publication: DRBG DRBG Number Method: SHA2-256 :SP800-90A Generation SHA2-256: (A5352) SHA2-256: (A5352) ENT- Publications:SP800 ENT-ESV ESV Conditioning Component: ESV -90B SHA2-256 KAS-ECC Sp800-56Ar3: Key Publications:SP (A5358) KAS KAS-Full establishment 800-56A, Rev 3 Schemes: fullUnified, onePassDH Public Material
Name Type Description Properties Algorithms KDF: oneStepKDF SHA-1: (A5352) SHA2-256: (A5352) SHA2-384: (A5352) SHA2-512: (A5352) SHA3-256: (A5352) SHA3-384: (A5352) Publication:SP 800KTS-IFC: (A5357) KTS- Key 56B rev 2, IG D.G KTS-Encap RSA Decryption Primitive IFC Encapsulation Method:KTSSp800-56Br2: (A5357) OAEP-basic HMAC-SHA2-256: Publication:SP 800KTS KTS-Wrap Key transport (A5355) 38F, IG D.G AES-CFB128: (A5356) KDF SP800-108: (A5354) SHA-1: (A5353) SHA2-256: (A5353) Key-Based Key Publications:SP800 KBKDF KBKDF SHA2-384: (A5353) Derivation -108 SHA2-512: (A5353) SHA3-256: (A5352) SHA3-384: (A5352) HMAC-SHA-1: (A5355) HMAC-SHA2-256: (A5355) HMAC-SHA2-384: (A5355) HMAC-SHA2-512: (A5355) HMAC-SHA3-256: Message Publication:FIPS19 MAC MAC (A5355) Authentication 8 HMAC-SHA3-384: (A5355) SHA-1: (A5352) SHA2-256: (A5352) SHA2-384: (A5352) SHA2-512: (A5352) SHA3-256: (A5352) SHA3-384: (A5352) SHA-1: (A5353, A5352) SHA2-256: (A5352, A5353) SHA2-384: (A5352, Publications:FIPS SHA SHA Secure Hash A5353) 180-4, FIPS 202 SHA2-512: (A5352, A5353) SHA3-256: (A5352) SHA3-384: (A5352) Public Material
Name Type Description Properties Algorithms Publications:SP800 Symmetric Key CKG CKG -133rev2, Section Hash DRBG: (A5351) Generation 4; IG D.H KASKAS-ECC Key Publication:SP800- KAS-ECC Sp800-56Ar3: KeyGe KAS-KeyGen Generation 56Arev3 (A5358) n AES-CBC: (A5356) AES-CFB128: (A5356) AES- Unauthenticate Publication:FIPS BC-UnAuth AES-CTR: (A5356) DEC d Decryption 197 AES-ECB: (A5356) AES-OFB: (A5356) Table 9: Security Function Implementations
Notes: KAS [56Ar3] - Per [IG] D.F Scenario 2 path (2), compliant key agreement scheme where testing is performed end-to-end for the shared secret computation and key derivation.
The Module implements:
Entropy Operational Sample Conditioning Name Type per Environment Size Component Sample ST33KTPM2A, ST33KTPM2I entropy source Table 11: Entropy Sources
For Key Generation, see Section 2.5 and Section 2.6 above.
Key Agreement Information For Key Agreement, see Section 2.5 and Section 2.6 above. Key Transport Information For Key Transport, see Section 2.5 and Section 2.6 above.
The Module does not implement any Industry Protocols. Public Material
The Module’s ports and associated logical interface categories are listed below: Logical Physical Port Data That Passes Interface(s) SPI_NSS / SPI_CLK / Control parts of the TPM commands provided to the SPI_MOSI / Control security module. It concerns all bytes of a command I2C_SCL / Input except plaintext data, ciphertext data and SSPs (entered I2C_SDA / RESET / with the data input interface). PP Control parts of the TPM responses output by the SPI_NSS / security module. It concerns all bytes of a response SPI_CLK / Control except plaintext data, ciphertext data and SSPs (output SPI_MISO / Output with the data output interface) and except the I2C_SCL / responseCode of a response (output with the status I2C_SDA / PIRQ output interface) SPI_NSS / SPI_CLK / Status Status output by the security module (responseCode SPI_MISO / Output parameter of a response) I2C_SCL / I2C_SDA / PIRQ SPI_NSS / SPI_CLK / Data (plaintext data, ciphertext data and SSPs) provided SPI_MOSI / Data Input to the security module as part of an input processing I2C_SCL / command I2C_SDA SPI_NSS / SPI_CLK / Data (plaintext data, ciphertext data and SSPs) output SPI_MISO / Data Output by the security module as part of the response to a I2C_SCL / processing command I2C_SDA VCC / GND Power Power interface of the security module Table 12: Ports and Interfaces Additional details concerning the ports and interfaces of TPM: 1. Control and data inputs are multiplexed over the same physical interface. Control and data are distinguished by properly parsing input TPM command parameters according to input structures description, indicated for each command in [TPM2.0 Part3]. Some commands only deal with control input and status output parameters. Public Material
The pin layouts for the various packages are shown in the next figures. The ST33KTPM2A / ST33KTPM2I security modules support both SPI and I2C physical interfaces but only one interface is configured during TPM boot. The interface configured remains active until the next module reset. Public Material
UFQFPN32 / UFQFPN32 WF configuration The pin layouts for the UFWFPN32 / UFWFPN32 WF packages are shown in the next figure. Figure 5
TSSOP20 configuration The pin layouts for the TSSOP20 package are shown in the next figure. Figure 6
WLCSP24 configuration The pin layouts for the WLCSP24 package are shown in the next figure. Figure 7
The Module implements the following authentication techniques in accordance with the Level 2 requirements: Strength Method Security Strength per Description Each Name Mechanism Minute Attempt Probability of a successful random The challenge-response attempt during a mechanism uses an Minimum one-minute period authorization value strength is is equal to (authValue) as HMAC key reached 60000*1.92*10^-34 or part of an HMAC key. with an = 1.15*10^-29 Challenge- The authValue is entered authValue (considering 60000 response into the Module during the MAC of 14 trials per minute). authentication creation/loading of an bytes: Assuming a object (key, NV index) or 1/2^112 = minimum during replacement of the 1.92*10^- command duration default value (hierarchies).
The Module enforces a trials can be minimum size of 14 bytes. executed during a one-minute period. Enhanced authorization Minimum Probability of a includes a policy command strength is successful random (i.e., reached attempt during a TPM2_PolicyAuthValue, with an one-minute period TPM2_PolicySigned, authValue is equal to TPM2_PolicyAuthorize, of 14 60000*1.92*10^-34 TPM2_PolicySecret, bytes: = 1.15*10^-29 Enhanced TPM2_PolicyTicket) 1/2^112 = (considering 60000 SigVer authorization requiring the knowledge of 1.92*10^- trials per minute). an authValue or the proof 34 or an Assuming a of the ownership of a RSA 2048 minimum signing key. It can also be signature command duration a bound session, which with a of 1ms, 60000 also requires proving security trials can be knowledge of an authValue strength of executed during a of an object. 112 bits one-minute period. Table 16: Authentication Methods
The Roles Table below lists all operator roles supported by the Module. Public Material
Name Type Operator Type Authentication Methods Challenge-response Administrator of Crypto officer (CO) Role authentication the Module Enhanced authorization Challenge-response User of the User (U) Role authentication Module Enhanced authorization Table 17: Roles The Module does not provide a maintenance role or maintenance interface and does not support concurrent operators. The role is implicitly selected by the TPM operator on service execution by proving the knowledge of the enhanced authorization commands sequence and/or the authorization value of an object.
All services are accessible under the roles defined above and no specific access rights are considered to operate with keys and SSPs. Full services inputs and outputs are defined in [TPM2.0 Part3]. The next table indicates how mandatory services of [ISO/IEC 19790] (§7.4.3.1) are mapped to security module’s services: Mandatory service requested from Corresponding services from the security module [ISO/IEC 19790] Show module’s versioning information TPM2_GetCapability Show status TPM2_GetTestResult Perform self-tests TPM2_SelfTest Perform Approved security functions See Approved services listed in next table Perform zeroization See services listed in section 9.3 SSP Zeroization Methods. Table 18
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions ey: Z objHmac Key: Z contextE ncKey: Z dupSeed: Z dupInSy mKey: Z dupOutS ymKey: Z dupOutH macKey: Z creSeed: Z creSymK ey: Z creHmac Key: Z ephSens EccKey: Z ephPubE ccKey: Z seqAuth: Z drbgSeed :Z tdrbgStat e: Z fuSymKe Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions y: Z diagSym Key: Z Unauthen ticated - phSeed: G - ehSeed: G - shSeed: G phProof: G ehProof: G DRB Set-up the - shProof: Startup G TPM2_Startup TPM after a 01b None G type ENTpower cycle. ESV contextK ey: G drbgSeed :G drbgState :G nullSeed: G nullProof: G Prepare the Shutdow Unauthen TPM2_Shutdown (I) TPM for a 00b None None n type ticated power cycle. AESENC Full or Self-test SigG Self-tests backgrou result if full en Unauthen TPM2_SelfTest (I) 01b execution nd self- self-tests SigV ticated tests required er DRB G Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions ENTESV KAS KBK DF MAC SHA AESDEC AESENC SigG en SigV er DRB Incremental List of List of G TPM2_IncrementalSelf Unauthen self-tests 01b tests to remaining ENTTest (I) ticated execution pass tests ESV KAS KBK DF MAC SHA AESDEC Unauthen ticated diagSym TPM2_GetTestResult Get self-tests Self-tests KBK 00b None Key: (I) result status DF G,E,Z diagSym Seed: E Decrypti Unauthen on key ticated handle; Binding KAS sesHmac entity KTS- Key: G,W TPM2_StartAuthSessio Session 01b handle; Nonce TPM IFC n (I/E/D) command Encrypte KBK sesSymK d salt; DF ey: G,W Nonce - sesSalt: caller; W,E,Z Session Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions Type objSens: (HMAC E or - objAuth: Policy) E - nvAuth: E platformA uth: E endorse mentAuth :E ownerAut h: E lockoutA uth: E seqAuth: E Policy session Session Unauthen TPM2_PolicyRestart (I) 00b None None restart handle ticated User (U) Key Gen objSeed: AES- G,R,E ENC Object SigG objSymK Parent private part en ey: G,E,Z object (encrypted) SigV handle Object er objHmac Object public part DRB Key: sensitive Creation G G,E,Z part data Digest TPM2_Create (I/E/D) Object creation 01b ENT- Object of creation ESV objSens: public data Ticket KTS G,R,E template to be used KBK - objPub: Creation by DF G,R,E data List TPM2_Cert MAC of PCR ifyCreation( SHA drbgState ) CKG : W,E KAS- - objAuth: Key W,R Gen nullProof: Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions E phProof: E ehProof: E - shProof: E User (U) objSymK ey: Parent G,W,E,Z object KeyV handle er objHmac Object KTS Key: private Name of KBK G,W,E,Z TPM2_Load (I/E/D) Object loading 01b part the loaded DF (encrypt object MAC objSens: ed) SHA W,E Object AES- - objPub: public DEC W part objSeed: W,E - objAuth: W Unauthen ticated - objPub: W Object public Name of TPM2_LoadExternal External object KeyV objSens: 01b part the loaded (I/E/D) loading al W Hierarch object - objAuth: y W objSeed: W Object Unauthen Read public Handle public part ticated TPM2_ReadPublic (I) part of a 01b of an Object None - objPub: loaded object object name R Object Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions qualified name Handle Crypto of the officer object Enables the (CO) with association of KAS credentia a credential KTS- creSymK ls with an object IFC ey: G,E,Z Handle in a way that KTS of a Decrypted TPM2_ActivateCredent ensures that KBK creHmac 01b loaded certificate ial (I/E/D) the TPM has DF Key: private information validated the MAC G,E,Z key parameters of SHA Encrypte the AES- objSens: d credentialed DEC E credentia object l creSeed: Encrypte W,E,Z d seed Handle Unauthen Allows the of a ticated TPM to loaded AES- perform the public ENC creSeed: actions key KAS G,R,E,Z required of a Credenti Encrypted KTS- Certificate TPM2_MakeCredential al credential IFC creSymK Authority (CA) 01b (I/E/D) informati Encrypted KTS ey: G,E,Z in creating a on Name seed KBK TPM2B_ID_O of the DF creHmac BJECT object MAC Key: containing an with SHA G,E,Z activation credentia - objPub: credential ls E Handle Returns the User (U) of a data in a Unsealed TPM2_Unseal (I/E/D) 01b loaded None loaded Sealed data objSens: data Data Object R object Handle User (U) of an AES- Changes the object ENC objSeed: authorization TPM2_ObjectChangeA Handle Object KBK R,E secret for a 01b uth (I/E/D) of the private part DF TPM-resident parent of MAC objSens: object the SHA R object Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions New drbgState authoriza : W,E tion - objAuth: value R objSymK ey: E objHmac Key: E Crypto officer (CO) objSeed: G,R,E Key objSymK Gen ey: G,E KeyV er objHmac AES- Key: G,E ENC SigG objSens: Parent en G,R,E Object object SigV - objPub: private part handle er G,R,E Creates an (encrypted) Object DRB TPM2_CreateLoaded object and Object 01b sensitive G tdrbgStat (I/E/D) loads it in the public part part ENT- e: G,W,E TPM Creation Object ESV object public KAS drbgState name template KBK : W,E DF - objAuth: MAC W,R SHA CKG nullSeed: KAS- E Key - phSeed: Gen E - ehSeed: E - shSeed: E nullProof: E Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions phProof: E ehProof: E - shProof: E - ekRsa: E - ekEcc: E shProofF orReseed : G,E User (U) objSeed: G,E objSymK ey: G,E objHmac Key: G,E objSens: G,R - objPub: G,R,E tdrbgStat e: G,W,E drbgState :W - objAuth: W nullSeed: E - phSeed: E ephSens EccKey: Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions E - shSeed: E nullProof: E phProof: E ehProof: E shProofF orReseed : G,E - ekRsa: E - ekEcc: E User (U) dupSeed: G,R,E,Z objSeed: R Handle AES- of the ENC dupOutS loaded Encryption DRB ymKey: object to key for G G,E,Z Duplicates a duplicate inner KTS- loaded object Handle wrapper IFC dupInSy TPM2_Duplicate so that it may of the Duplicated 01b KAS mKey: (I/E/D) be used in a new object KTS G,R,W,E, different parent private part KBK Z hierarchy Optional (encrypted) DF symmetri Encrypted MAC dupOutH c seed SHA macKey: encryptio CKG G,E,Z n key objSens: R - objAuth: R drbgState Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions : W,E - objPub: E User (U) dupOutS ymKey: Handle G,E,Z of the old parent dupOutH Handle macKey: of the AES- G,E,Z new ENC parent AES- objSens: Duplicat DEC R,W,E Duplicated ed object KAS Rewraps a object private KTS- dupSeed: duplicated private part TPM2_Rewrap (I/E/D) 01b part IFC R,W,E,Z object with a (encrypted) (encrypt KTS new parent key Encrypted ed) KBK objSeed: seed Name of DF R,W the MAC object SHA dupInSy being CKG mKey: rewrapp W,Z ed Encrypte drbgState d seed : W,E - objPub: E - objAuth: R,W Handle User (U) of the AES- new ENC objSens: parent AES- R,W,E,Z Allows an Duplicat DEC object to be ed object KAS objSeed: encrypted private Object KTS- R,W,Z using the TPM2_Import (I/E/D) 01b part private part IFC - objPub: symmetric (encrypt (encrypted) KTS W,E,Z encryption ed) KBK values of a Object DF dupOutS Storage Key public MAC ymKey: part SHA W,E,Z Encrypte CKG - objAuth: d seed R,W,Z Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions Encrypti on key drbgState for inner :E wrapper dupSeed: E,W,Z dupInSy mKey: E,W,Z dupOutH macKey: W,E,Z RSA public key handle Unauthen TPM2_RSA_Encrypt Performs RSA Message Encrypted KTS- ticated 01b (I/E/D) encryption to output IFC - objPub: encrypt E RSA scheme to use RSA private key handle User (U) TPM2_RSA_Decrypt Performs RSA Cipherte Decrypted KTS- 01b (I/E/D) decryption xt to output IFC objSens: decrypt Z RSA scheme to use Unauthen ticated ephSens Shared secret ECC key Shared KAS EccKey: TPM2_ECDH_KeyGen value public secret KAS- G,E,Z 01b (I/E/D) computation part Ephemeral Key using ECDH handle public key Gen ephPubE ccKey: G,R,Z drbgState Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions : W,E - objPub: E User (U) Handle of a ephPubE Shared secret loaded Recovered TPM2_ECDH_ZGen ccKey: value recovery 01b ECC key shared KAS (I/E/D) W,E,Z using ECDH Ephemer secret al public objSens: key E Returns the parameters of ID of an TPM2_ECC_Paramete an ECC curve Curve Unauthen 00b ECC None rs (I) identified by its parameters ticated curve TCG-assigned curveID Symmetr ic key handle Encrypted Decrypti or AES- User (U) Symmetric on or TPM2_EncryptDecrypt decrypted ENC encryption or 01b encryptio (I/E) data Output AES- objSens: decryption n IV (for DEC E indicator chaining) Input IV Data Mode Symmetr ic key handle Encrypted Decrypti or AES- User (U) Symmetric on or TPM2_EncryptDecrypt decrypted ENC encryption or 01b encryptio
2 (I/E/D) data Output AES- objSens:
decryption n IV (for DEC E indicator chaining) Input IV Data Mode Data to Unauthen hash Digest ticated Performs a Hash Ticket MAC TPM2_Hash (I/E/D) hash operation 01b algorithm linked to nullProof: SHA on data Hierarch the input E y to use hierarchy for ticket phProof: Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions E ehProof: E - shProof: E Symmetr ic signing Performs a User (U) key HMAC TPM2_HMAC (I/E/D) 01b handle HMAC MAC operation on objSens: Data to data E HMAC Hash algorithm Number Unauthen Outputs of Output ticated TPM2_GetRandom DRB random bytes 01b random random (I/E) G from a DRBG bytes to bytes drbgState generate : W,E Unauthen ticated Addition DRB Reseed the TPM2_StirRandom al G drbgSeed state of a 01b None (I/D) informati ENT- : W,E,Z DRBG on ESV drbgState : W,E Handle of an User (U) HMAC key Starts an seqAuth: TPM2_HMAC_Start Authoriz Sequence HMAC 01b MAC W (I/D) ation handle sequence value for objSens: sequenc E e Hash algorithm Authoriz Unauthen ation Starts a hash ticated TPM2_HashSequence value for Sequence or an event 01b SHA Start (I/D) sequenc handle sequence seqAuth: e Hash W algorithm Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions Sequenc User (U) Adds data to a e handle TPM2_SequenceUpda MAC hash or HMAC 01b Data to None te (I/D) SHA objSens: sequence hash/HM E AC User (U) nullProof: E Sequenc phProof: Adds last part e handle HMAC or E of data to a Data to digest TPM2_SequenceComp hash or HMAC hash/HM Ticket MAC ehProof: 01b lete (I/E/D) sequence and AC linked to SHA E returns the Hierarch the input - shProof: result y for hierarchy E ticket objSens: E seqAuth: Z Handle Adds last part User (U) of PCR of data to a to extend List of hash or HMAC objSens: TPM2_EventSequence Sequenc digests MAC sequence and 01b E Complete (I/D) e handle computed SHA returns the Data to for the PCR result in a seqAuth: hash/HM digest list Z AC Handle of the object to SigG User (U) certify en Certification Proves that an Handle DRB drbgState structure object with a of a G : W,E Signature TPM2_Certify (I/E/D) specific Name 01b signing KBK over the is loaded in the key DF objSens: certification TPM Qualifyin MAC E structure g data SHA - shProof: Signatur CKG E e scheme TPM2_CertifyCreation Proves the Handle Certification SigG User (U) 01b (I/E/D) association of the structure en Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions between an object to Signature DRB drbgState object and its certify over the G : W,E creation data Handle certification KBK of a structure DF objSens: signing MAC E key SHA Qualifyin CKG nullProof: g data E Signatur e phProof: scheme E Ticket Creation ehProof: hash E - shProof: E Handle of a SigG User (U) signing en Quoted key DRB drbgState information Qualifyin G : W,E Quotes PCR Signature TPM2_Quote (I/E/D) 01b g data KBK values over the Selection DF objSens: quoted of PCRs MAC E information Signatur SHA - shProof: e CKG E scheme Handle of a privacy administr Crypto ator SigG officer Handle en (CO) of a Audit Returns a KBK signing information digital DF drbgState TPM2_GetSessionAudi key Signature signature of 01b DRB : W,E tDigest (I/E/D) Handle over the the audit G of an quoted session digest MAC objSens: audit information SHA E session CKG - shProof: Qualifyin E g data Signatur e scheme Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions Handle of a Crypto Returns the privacy SigG officer current value administr en (CO) of the ator Audit DRB command audit Handle information G drbgState TPM2_GetCommandA digest, a digest of a Signature 01b KBK : W,E uditDigest (I/E/D) of the signing over the DF commands key quoted MAC objSens: being audited, Qualifyin information SHA E and the audit g data CKG - shProof: hash algorithm Signatur E e scheme Handle of a Crypto privacy SigG officer administr en (CO) ator Attestation KBK Returns the Handle data DF drbgState current values of a Signature TPM2_GetTime (I/E/D) 01b DRB : W,E of Time and signing over the G Clock key attestation MAC objSens: Qualifyin data SHA E g data CKG - shProof: Signatur E e scheme Handle of the object to certify Additional User (U) Handle certificate of a X.509 information SigG drbgState TPM2_CertifyX509 signing certificate 01b Digest en : W,E (I/E/D) key generation Signature SHA Partial over the objSens: certificat digest E e Signatur e scheme Uses loaded Handle Unauthen SigV TPM2_VerifySignature keys to of a Validation ticated 01b er (I/D) validate a public ticket - objPub: MAC signature on a key E Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions message with Digest of the message a nullProof: digest passed message E to the TPM Signatur e to be phProof: tested E ehProof: E - shProof: E User (U) Handle objSens: Causes the of a E TPM to sign an signing SigG externally key nullProof: en provided hash Digest to Signature E DRB TPM2_Sign (I/D) with the 01b be over the G specified signed digest phProof: MAC symmetric or Scheme E SHA asymmetric Proof signing key ticket for ehProof: digest E - shProof: E Changes the audit status of Authoriz a command or ation Crypto TPM2_SetCommandC to set the hash 00b handle None None officer odeAuditStatus (I) algorithm used Hash (CO) for the audit algorithm digest PCR handle List of Updates the Unauthen TPM2_PCR_Extend (I) 01b digests None SHA indicated PCR ticated used to extend PCRs Updates the PCR TPM2_PCR_Event indicated PCR handle Unauthen 01b Digests SHA (I/D) and reports list Event ticated of digests data Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions Returns the values of all Selection PCR Unauthen TPM2_PCR_Read (I) PCR specified 00b of PCR None information ticated in to read pcrSelectionIn Sets the Selection desired PCR PCR Crypto TPM2_PCR_Allocate of PCR allocation of 00b allocation None officer (I) to PCR and information (CO) allocate algorithms Sets the PCR PCR to Unauthen TPM2_PCR_Reset (I) in all banks to 00b none None reset ticated zero Indicates to the TPM interface the start of an Unauthen _TPM_Hash_Start 01b None None SHA H-CRTM ticated measurement sequence Indicates to the TPM interface data to be Unauthen _TPM_Hash_Data included in the 01b Data None SHA ticated H-CRTM measurement sequence Indicates to the TPM interface the end of the Unauthen TPM_Hash_End 01b None None SHA H-CRTM ticated measurement sequence Signatur Unauthen e key ticated handle - objPub: Policy E session Includes a handle SigV Policy nullProof: TPM2_PolicySigned signed Nonce er 01b timeout E (I/E/D) authorization in TPM MAC Policy ticket a policy Digest SHA phProof: Signatur E e Expiratio ehProof: n of E authoriza Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions tion - shProof: Policy E referenc e value Authoriz ation object User (U) handle Policy nullProof: session E handle Includes a Nonce Policy TPM2_PolicySecret secret-based MAC phProof: 01b TPM timeout (I/E/D) authorization to SHA E Digest Policy ticket a policy Expiratio ehProof: n of E authoriza - shProof: tion E Policy referenc e value Policy session handle Unauthen Nonce ticated TPM Digest nullProof: Expiratio E n of Includes a TPM2_PolicyTicket authoriza MAC ticket in a 01b None phProof: (I/D) tion SHA policy E Policy referenc ehProof: e value E Authoriz - shProof: ation E object name Ticket Allows options Policy in session authorizations Unauthen TPM2_PolicyOR (I) 01b handle None SHA without ticated List of requiring that digests the TPM Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions evaluate all the options Policy session Causes handle conditional Expecte Unauthen TPM2_PolicyPCR (I/D) gating of a 01b None SHA d digest ticated policy based value on PCR PCR selection Indicates that Policy TPM2_PolicyLocality the policy will session Unauthen 01b None SHA (I) be limited to a handle ticated specific locality Locality Authoriz ation handle Causes NV index conditional handle gating of a Policy TPM2_PolicyNV (I/D) 01b None SHA User (U) policy based session on the contents handle of an NV Index Operand , offset, operatio n Causes Policy conditional session gating of a handle TPM2_PolicyCounterTi policy based Unauthen 01b Operand None SHA mer (I/D) on the contents ticated , offset, of the operatio TPMS_TIME_I n NFO structure Policy Limits policy to session TPM2_PolicyComman Unauthen a specific 01b handle None SHA dCode (I) ticated command code Comman d code Physical presence will need to be Policy TPM2_PolicyPhysicalP Unauthen asserted at the 01b session None SHA resence (I) ticated time the handle authorization is performed Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions Allows a policy Policy to be bound to session TPM2_PolicyCpHash a specific handle Unauthen 01b None SHA (I/D) command and Digest to ticated command add to parameters policy Allows a policy to be bound to Policy a specific set session TPM2_PolicyNameHas of TPM entities handle Unauthen 01b None SHA h (I/D) without being Digest to ticated bound to the add to parameters of policy the command Policy session handle Object Allows name to qualification of be duplication to TPM2_PolicyDuplicatio duplicate Unauthen allow 01b None SHA nSelect (I/D) d New ticated duplication to a Parent selected new name parent Object name inclusion indicator Policy Unauthen session ticated handle Check a ticket Digest of nullProof: issued from the the E signature policy TPM2_PolicyAuthorize verification of a MAC 01b being None phProof: (I/D) new policy so SHA approve E that it may be d Policy used in an qualifier ehProof: existing policy Key E name - shProof: Ticket E Allows a policy to be bound to Policy TPM2_PolicyAuthValu Unauthen the 01b session None SHA e (I) ticated authorization handle value of the Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions authorized entity Allows a policy to be bound to the Policy TPM2_PolicyPassword Unauthen authorization 01b session None SHA (I) ticated value of the handle authorized object Returns the current Policy TPM2_PolicyGetDigest Policy Unauthen policyDigest of 00b session None (I/E) digest ticated a policy handle session Allows a policy Policy to be bound to session TPM2_PolicyNvWritten the handle Unauthen 01b None SHA (I) TPMA_NV_W NV index ticated RITTEN written attributes indicator Policy Allows a policy session to be bound to TPM2_PolicyTemplate handle Unauthen a specific 01b None SHA (I/D) Digest to ticated creation add to template policy Source handle Provides a for capability that authoriza TPM2_PolicyAuthorize is the tion NV 01b None SHA User (U) NV (I) equivalent of a index to revocable read policy Policy session handle Object Key Crypto Creates a Primary handle Gen officer Primary Object handle Object KeyV (CO) under one of Key Public part er the Primary sensitive TPM2_CreatePrimary Creation AES- objSeed: Seeds or a 01b data Key (I/E/D) data Digest ENC G,E,Z Temporary public of creation SigG Object under template data en objSymK TPM_RH_NUL Creation Creation SigV ey: G,E,Z L data ticket Name er Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions Creation of the DRB objHmac PCR object G Key: KBK G,E,Z DF MAC objSens: SHA G,E,Z CKG - objPub: KAS- G,R,E,Z Key Gen tdrbgStat e: G,W,E,Z drbgState : W,E - objAuth: W nullSeed: E - phSeed: E - ehSeed: E - shSeed: E nullProof: E phProof: E ehProof: E - shProof: E - ekRsa: E - ekEcc: E shProofF orReseed : G,E Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions Primary handle Hierarch Enables and y to disables use of enable Crypto TPM2_HierarchyContr a hierarchy 00b or None None officer ol (I) and its disable (CO) associated NV Enable storage or disable indicator Primary Sets the handle Crypto TPM2_SetPrimaryPolic authorization Policy 00b None None officer y (I/D) policy for a digest (CO) hierarchy Hash algorithm Crypto officer (CO) Replaces the drbgState current : W,E platform primary seed phProof: (PPS) with a Authoriz Z DRB TPM2_ChangePPS (I) value from the 01b ation None - phSeed: G RNG and sets handle Z platformPolicy to the default objSeed: initialization Z value objSens: Z - objPub: Z Replaces the Crypto current officer endorsement (CO) primary seed Authoriz EPS) with a DRB drbgState TPM2_ChangeEPS (I) 01b ation None value from the G : W,E handle RNG and sets - ehSeed: endorsementP Z olicy to the default ehProof: Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions initialization Z value objSeed: Z objSens: Z - objPub: Z - ekRsa: Z - ekEcc: Z Crypto officer (CO) drbgState : W,E - shSeed: Z ehProof: Z Removes all - shProof: TPM context Authoriz Z DRB TPM2_Clear (I) associated with 01b ation None G a specific handle shProofF Owner orReseed :Z objSeed: Z objSens: Z - objPub: Z - objAuth: Z Authoriz ation Disables and handle Crypto enables the TPM2_ClearControl (I) 00b Set or None None officer execution of clear (CO) TPM2_Clear() disableO wnerFlag Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions Crypto officer (CO) lockoutA Authoriz uth: W ation Changes the handle TPM2_HierarchyChan endorse authValue of 00b New None None geAuth (I/D) mentAuth hierarchies authoriza :W tion value ownerAut h: W platformA uth: W Cancels the effect of a TPM lockout due to Authoriz Crypto TPM2_DictionaryAttac several 00b ation None None officer kLockReset (I) successive handle (CO) authorization failures Authoriz ation handle newMax Changes the Tries, Crypto TPM2_DictionaryAttac lockout 00b newRec None None officer kParameters (I) parameters overyTim (CO) e and lockoutR ecovery values Crypto officer (CO) SigV er fuSigEC Initiates a field TPM2_VendorCmdFiel Approve KBK CKey: E upgrade 01b None dUpgradeStart (I) d DF session SHA fuSigLMS CKG Key: E fuSymKe y: G Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions fuSymSe ed: E Unauthen Conveys Field AES- ticated TPM2_VendorCmdFiel firmware in a Completion 01b upgrade DEC dUpgradeData (I) field upgrade indicator data blob SHA fuSymKe session y: E,Z Unauthen ticated contextE ncKey: G,E,Z objSeed: R objSens: R - objPub: R Saves a - objAuth: AESsession R ENC context, object KTS context, or Saved nullProof: TPM2_ContextSave 01b Context KBK sequence handle E DF object context MAC outside the phProof: CKG TPM E ehProof: E - shProof: E contextK ey: E sesHmac Key: R seqAuth: R Reloads a Loaded AES- Unauthen TPM2_ContextLoad 01b Context context that handle DEC ticated Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions has been KTS saved by KBK contextE TPM2_Context DF ncKey: Save() MAC G,E,Z CKG objSeed: W objSens: W - objPub: W - objAuth: W nullProof: E phProof: E ehProof: E - shProof: E contextK ey: E sesHmac Key: W seqAuth: W Unauthen Causes all ticated context associated with objSeed: a loaded Z object, Flush TPM2_FlushContext 01b None None sequence handle objSens: object, or Z session to be - objPub: removed from Z TPM memory - objAuth: Z Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions Crypto officer (CO) Allows certain Authoriz Transient ation objSeed: Objects to be handle W,Z made Loaded TPM2_EvictControl (I) 01b None None persistent or a object objSens: persistent handle W,Z object to be Persiste - objPub: evicted nt handle W,Z - objAuth: W,Z Reads the current Current Unauthen TPM2_ReadClock (I) 00b None None TPMS_TIME_I time ticated NFO structure Advances the Crypto New TPM2_ClockSet (I) value of the 00b None None officer time TPM's clock (CO) Authoriz ation Adjusts the handle rate of Crypto TPM2_ClockRateAdjus Clock advance of 00b None None officer t (I) update Clock and (CO) rate Time adjustme nt Returns Capabilit More data various y, availability TPM2_GetCapability information Unauthen 00b property, indicator None (I) regarding the ticated property Capability TPM and its count data current state Set specific data in the TPM, such as TPM Crypto TPM2_SetCapability Capabilit configurations, 00b None None officer (I/D) y data which may (CO) change the TPM's function and behavior Checks if Algorith Unauthen TPM2_TestParms (I) specific 00b None None m ticated combinations Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions of algorithm paramet parameters are ers supported Authoriz Defines the ation attributes of an handle NV Index and Crypto NV causes the officer TPM2_NV_DefineSpac authoriza TPM to reserve 01b None None (CO) e (I/D) tion space to hold - nvAuth: value NV the data W public associated with paramet the NV Index ers Authoriz Crypto Removes an ation officer TPM2_NV_UndefineSp Index from the 01b handle None None (CO) ace (I) TPM NV index - nvAuth: to delete Z Removal of a Platform platform- Crypto authoriza created NV officer TPM2_NV_UndefineSp tion Index that has 01b None None (CO) aceSpecial (I) handle TPMA_NV_PO - nvAuth: NV index LICY_DELETE Z to delete SET NV index Reads the public area TPM2_NV_ReadPublic public area and Unauthen 01b NV index Name of SHA (I/E) Name of an NV ticated the NV Index index Authoriz ation Writes a value handle to an area in NV index NV memory to write that was TPM2_NV_Write (I/D) 00b Data to None None User (U) previously write defined by Offset in TPM2_NV_Def the NV ineSpace() index area Authoriz Increments the ation TPM2_NV_Increment value in an NV 00b handle None None User (U) (I) Index that has NV index the to Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions TPM_NT_COU incremen NTER attribute t Extends a Authoriz value to an ation area in NV handle TPM2_NV_Extend memory that 01b NV index None SHA User (U) (I/D) was previously to extend defined by Data to TPM2_NV_Def extend ineSpace() Authoriz ation handle Sets bits in an NV index NV Index that TPM2_NV_SetBits (I) 00b to extend None None User (U) was created as Data to a bit field OR with NV content Inhibits further writes of the NV Index if the TPMA_NV_W Authoriz RITEDEFINE TPM2_NV_WriteLock ation or 00b None None User (U) (I) handle TPMA_NV_W NV index RITE_STCLEA R attributes of an NV location are SET Sets TPMA_NV_W RITELOCKED Authoriz Crypto TPM2_NV_GlobalWrite for all indexes 00b ation None None officer Lock (I) that have their handle (CO) TPMA_NV_GL OBALLOCK attribute SET Reads a value Authoriz from an area in ation NV memory handle TPM2_NV_Read (I/E) previously 00b NV index Data read None User (U) defined by to be TPM2_NV_Def read ineSpace() Size and Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions offset in NV area Prevents further reads of the NV Index Authoriz until the next ation TPM2_NV_ReadLock TPM2_Startup handle 00b None None User (U) (I) (TPM_SU_CL NV index EAR) if to be TPMA_NV_RE locked AD_STCLEAR is SET NV index Allows the New User (U) TPM2_NV_ChangeAut authValue of 01b authoriza None None - nvAuth: h (I/D) an NV Index to tion W be changed value Handle of signing key Authoriz SigG User (U) Certifies the ation Structure en contents of an TPM2_NV_Certify handle that was KBK objSens: NV Index or 01b (I/E/D) NV index signed DF E portion of an Qualifyin Signature MAC - shProof: NV Index g data SHA E Scheme Size and offset in NV area Authoriz ation handle Crypto TPM2_VendorCmdSet Sets the low Low 00b None None officer Mode (I) power mode power (CO) configura tion structure Authoriz ation Activates and handle Crypto TPM2_VendorCmdSet locks 00b Comman None None officer CommandSet (I) commands d code (CO) Activatio n and Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions lock indicator s Prevents Authoriz Crypto TPM2_VendorCmdSet locking 00b ation None None officer CommandSetLock (I) commands handle (CO) Unauthen Number Get random ticated TPM2_VendorCmdGet of bytes Random value from 01b None Random2 (I/E) to value DRBG drbgState generate : W,E Authoriz ation TPM2_VendorCmdGPI Configures handle Unauthen 00b None None OConfig (I) GPIO GPIO ticated configura tion Number Get random TPM2_VendorCmdGet of bytes Random ENT- Unauthen value from 01b Random800_90B (I/E) to value ESV ticated ENT (P) generate Authoriz ation Modifies TPM2_VendorCmdCha handle Crypto deletion ngeObjectDeletionAuth 00b Platform None None officer authorization (I) authoriza (CO) for an object tion use indicator Crypto Restore EK officer RSA or EK Authoriz (CO) TPM2_VendorCmdRes ECC in case of 01b ation None None - ekRsa: toreEK (I) deletion by handle W TPM2_Change - ekEcc: EPS W Crypto officer Zeroize EK Authoriz (CO) TPM2_VendorCmdZer RSA and EK 01b ation None None - ekRsa: oizeEK (I) ECC handle Z - ekEcc: Z Causes the Handle User (U) Signature SigG TPM2_VendorCmdSig TPM to sign a of a 01b over the en n message with signing objSens: message DRB the specified key E Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions asymmetric Message G - objPub: signing key to be SHA E signed Context nullProof: Scheme E phProof: E ehProof: E - shProof: E Unauthen ticated - objPub: Handle E Uses loaded of a keys to public nullProof: validate a key E TPM2_VendorCmdVeri signature on a Signed SigV 01b None fySignature message with message er phProof: the message Context E digest passed Signatur to the TPM e to be ehProof: tested E - shProof: E Authoriz Configure the ation TPM2_VendorCmdSet Crypto RSA handle BackgroundSlotsConfi 00b None None officer background Slots g (CO) key slots configura tion Authoriz ation Determines handle which List of commands comman Crypto TPM2_PP_Commands require 00b ds to add None None officer assertion of and list (CO) Physical of Presence comman d to remove Public Material
Secu Indi rity SSP Name Description cato Inputs Outputs Func Access r tions This service is not callable from TPM interface but is only used internally by DRB any command G Unauthen and response Comman KBK ticated Integrity mechanism with an Integrity 01b d or DF provided by sessions authorization value response MAC sesHmac area. It SHA Key: E,Z consists in CKG computing the integrity of the received command or transmitted response. This service is not callable from TPM interface but is only used internally by any command AESand response ENC with an AESUnauthen encryption or DEC Comman ticated Encryption mechanism decryption Encrypted DRB 01b d or provided by sessions session. It parameter G response sesSymK consists in KBK ey: G,E,Z decrypting the DF first parameter SHA of a received CKG command or encrypting the first parameter of a transmitted response. Table 19: Approved Services Public Material
The integrity mechanism provided by sessions is not directly callable from the security module external interfaces. Function is used (or might be used) by the services listed in this table. When a service is usable with a session, (I) is added next to the service name. When a service can additionally use the encryption mechanism of a session, (I/E) is added next to the service name. The encryption mechanism provided by sessions is not directly callable from the security module external interfaces. Function is used (or might be used) by the services listed in this table. When a service is usable with a session, (I) is added next to the service name. When a service can additionally use the encryption mechanism of a session, (I/E) is added next to the service name. Public Material
All Approved services implemented by the Module are listed in the table below: Name Description Algorithms Role Creation or loading of an ECC key with a non-approved elliptic curve; Creation or loading of an ECC key for a non-approved key ECC BN P-256 agreement usage; Creation or loading of an ECC signing key with (non-compliant) an undetermined scheme (field TPM2_Create; TPM2_CreateLoaded; RSA (noninPublic.buffer.parameters.scheme.scheme = User TPM2_Load; TPM2_LoadExternal compliant) TPM_ALG_NULL);Creation or loading of an RSA decryption key X448 (nonwith an undetermined scheme (field compliant) inPublic.buffer.parameters.scheme.scheme = TPM_ALG_NULL); Creation or loading of a 1024-bit RSA key ECC derived keys (nonTPM2_CreateLoaded Derivation of an ECC key from a derivation parent key compliant) User KBKDF (noncompliant) ECC BN P-256 Loading of an ECC or RSA key (sensitive and public parts) in the (non-compliant) TPM2_Load; TPM2_LoadExternal User NULL hierarchy RSA (noncompliant) ECC BN P-256 (non-compliant) KAS (nonKey transport with a 1024-bit RSA key Key agreement scheme TPM2_Duplicate; TPM2_Rewrap; compliant) with a non-approved ECC curve Key agreement scheme with an User TPM2_Import RSA (nonECC key used in a non-approved key agreement usage compliant) X448 (noncompliant) Key transport with a non-approved scheme: * RSAES-PKCS1- KTS-IFC (nonTPM2_RSA_Encrypt; TPM2_RSA_Decrypt v1_5 * RSA with no padding mode (null scheme) Key transport compliant) User with an RSA decryption key: * Generated with an undetermined RSA with no Public Material
Name Description Algorithms Role scheme (field inPublic.buffer.parameters.scheme.scheme = padding mode TPM_ALG_NULL) * Loaded in the NULL hierarchy (null scheme) (non-compliant) RSAESPKCS1-v1_5 (non-compliant) ECC BN P-256 Use of a non-approved elliptic curve: * ECC key with curve BN P(non-compliant) TPM2_ECDH_KeyGen 256 Use of an ECC key for a non-approved key agreement usage: N/A X448 (non* ECC key with curve Curve448 compliant) ECC BN P-256 (non-compliant) Use of an ECC key: * Generated on curve BN P-256 * For a nonX448 (nonTPM2_ECDH_ZGen approved key agreement usage * Derived from a derivation parent User compliant) key * Loaded in the NULL hierarchy KBKDF (noncompliant) ECC derived This command is only usable jointly with TPM2_EC_Ephemeral keys (nonTPM2_ZGen_2Phase service that is non approved as using key derivation to generate compliant) User ECC keys KBKDF (noncompliant) HMAC (nonTPM2_HMAC HMAC generation with a key length < 112 bits User compliant) TPM2_HMAC_Start; HMAC (nonTPM2_SequenceUpdate; HMAC generation with a key length < 112 bits User compliant) TPM2_SequenceComplete Digital signature with a non-approved signature scheme: * ECC ECC BN P-256 signature with ECDAA signature scheme * ECC signature with (non-compliant) TPM2_Certify; TPM2_CertifyCreation; ECSchnorr signature scheme * RSA signature with key length of ECDAA (nonTPM2_Quote;
TPM2_GetSessionAuditDigest; User/CO method * ECC signature with curve BN P-256; Digital signature ECDSA (nonTPM2_GetCommandAuditDigest; with an ECC signing key generated with an undetermined scheme compliant) TPM2_GetTime; TPM2_CertifyX509 (field inPublic.buffer.parameters.scheme.scheme = ECSchnorr TPM_ALG_NULL); Digital signature with an ECC signing key (non-compliant) Public Material
Name Description Algorithms Role derived from a derivation parent key; Digital signature with an RSA (nonECC or RSA key loaded in the NULL hierarchy compliant) SHA-1 (noncompliant) KBKDF (nonTPM2_Commit Generation of an ECC key through key derivation method User compliant) KBKDF (nonTPM2_EC_Ephemeral Generation of an ECC key through key derivation method User compliant) ECC BN P-256 Digital signature verification with a non-approved signature (non-compliant) scheme or a non-approved curve: * ECDAA signature scheme * ECDAA (nonTPM2_VerifySignature NA ECSchnorr signature scheme * ECC signature with curve BN P- compliant)
(non-compliant) ECC BN P-256 Digital signature generation with a non-approved signature (non-compliant) scheme: * ECC signature with ECDAA signature scheme * ECC ECDAA (nonsignature with ECSchnorr signature scheme * RSA signature with compliant) key length of 1024 bits * ECC or RSA signature key using SHA-1 ECDSA (nonas digest method * ECC signature with curve BN P-256; Digital compliant) TPM2_Sign signature with an ECC signing key generated with an User ECSchnorr undetermined scheme (field (non-compliant) inPublic.buffer.parameters.scheme.scheme = TPM_ALG_NULL); RSA (nonDigital signature with an ECC signing key derived from a compliant) derivation parent key; Digital signature with an ECC or RSA key SHA-1 (nonloaded in the NULL hierarchy compliant) ECC BN P-256 Digital signature verification with a non-approved signature (non-compliant) scheme or a non-approved curve: * ECDAA signature scheme * ECDAA (nonTPM2_PolicySigned N/A ECSchnorr signature scheme * ECC signature with curve BN P- compliant)
(non-compliant) Creation and loading of an ECC key with a non-approved elliptic ECC BN P-256 TPM2_CreatePrimary CO curve: * ECC key with curve BN P-256 Use of an ECC key for a (non-compliant) Public Material
Name Description Algorithms Role non-approved key agreement usage: * ECC key with curve X448 (nonCurve448 Creation and loading of an ECC signing key with an compliant) undetermined scheme (field inPublic.buffer.parameters.scheme.scheme = TPM_ALG_NULL) Creation and loading of an RSA decryption key with an undetermined scheme (field inPublic.buffer.parameters.scheme.scheme = TPM_ALG_NULL) ECC BN P-256 Digital signature with a non-approved signature scheme: * ECC (non-compliant) signature with ECDAA signature scheme * ECC signature with ECDAA (nonECSchnorr signature scheme * RSA signature with key length of compliant)
method * ECC signature with curve BN P-256; Digital signature compliant) TPM2_NV_Certify User with an ECC signing key generated with an undetermined scheme ECSchnorr (field inPublic.buffer.parameters.scheme.scheme = (non-compliant) TPM_ALG_NULL); Digital signature with an ECC key derived from RSA (nona derivation parent key; Digital signature with an ECC or RSA key compliant) loaded in the NULL hierarchy SHA-1 (noncompliant) Table 20: Non-Approved Services Public Material
Loading of firmware onto the Module can be achieved by using two services:
The Module is composed of the following firmware component(s):
The operator can initiate the integrity test on demand by using the TPM2_SelfTest command with the full parameter set to YES or by using the TPM2_IncrementalSelfTest command. Public Material
Type of Operational Environment: Limited The operational environment of the Module is “limited” because it allows loading authenticated firmware that meets all applicable requirements of [140-3] standard. Data outputs are inhibited until the loading session has completed successfully. Execution of the successfully loaded FW is only effective after the next reset of the security module. New firmware versions must be validated through the FIPS 140-3 validation process. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-3 validation. The core memory loader (CML) represented in Figure 8 is non-modifiable, only the TPM instances are modifiable by using an authenticated firmware upgrade mechanism. The security module contains two instances of the FW but only one FW instance is executed after a boot sequence. Public Material
The security module is production grade and meets the Physical Security protection requirements for single-chip module at FIPS 140-3 Level 3.
Zeroization Zeroization of CSPs can be triggered by specific services as detailed in Section 9.3. It occurs in a sufficiently small time-period to prevent the recovery of the sensitive data between start of zeroization and the zeroization completion. Physical security mechanisms The security module is encapsulated in a hard opaque package to prevent direct observation of internal security components. It implements additional security mechanisms:
EFT has been performed for all security module configurations. Low and high temperatures have been measured at a nominal voltage of 3.3V. Low and high voltage have been measured at ambient temperature (25°C). The nominal operating ranges are:
EFP Temp/Voltage Temperature or Voltage or Result Type EFT -77°C (ST33KTPM2A in UFQFPN32 WF); -70 LowTemperature (ST33KTPM2I in UFQFPN32 WF); -70 (ST33KTPM2A EFT Shutdown in TSSOP20); -75 (ST33KTPM2I in WLCSP24) 165°C (ST33KTPM2A in UFQFPN32 WF); 160 HighTemperature (ST33KTPM2I in UFQFPN32 WF); 145 (ST33KTPM2A EFT Shutdown in TSSOP20); 160 (ST33KTPM2I in WLCSP24) LowVoltage 1.4V EFT Shutdown HighVoltage 4.3V EFT Shutdown Table 22: EFP/EFT Information Public Material
Hardness testing was conducted at the temperature indicated in the table below: Temperature Temperature Type LowTemperature -40°C HighTemperature 105°C Table 23: Hardness Testing Temperatures Public Material
The Module does not claim support of non-invasive attack mitigation techniques referenced in [140F]. Public Material
Storage Persistence Area Description Type Name Volatile memory used to store SSPs between two consecutive Dynamic resets or power-on/power-off sequence of the security module. Dynamic RAM SSPs don't persist after command execution. This area is marked as RAM on the HW block diagram. Volatile memory used to store SSPs between two consecutive Static resets or power-on/power-off sequence of the security module. Static RAM SSPs persist after command execution. This area is marked as RAM on the HW block diagram. Non-volatile memory (flash-based) used to store SSPs and make them persistent to a reset or a power-off/power-on sequence of NVRAM Static the security module. This area is marked as flash memory on the HW block diagram. Table 24: Storage Areas
Format Distribution Entry SFI or Name From To Type Type Type Algorithm Input Outside of plaintext cryptographi NVRAM Plaintext Manual Electronic to c boundary NVRAM Input Outside of protected cryptographi NVRAM Encrypted Manual Electronic KTS to c boundary NVRAM Input Outside of plaintext cryptographi Static RAM Plaintext Manual Electronic to RAM c boundary Input Outside of protected cryptographi Static RAM Encrypted Manual Electronic KTS to RAM c boundary Output Outside of plaintext NVRAM cryptographic Plaintext Manual Electronic from boundary NVRAM Output Outside of protected NVRAM cryptographic Encrypted Manual Electronic KTS from boundary NVRAM Public Material
Format Distribution Entry SFI or Name From To Type Type Type Algorithm Output Outside of plaintext Static RAM cryptographic Plaintext Manual Electronic from boundary RAM Output Outside of protected Static RAM cryptographic Encrypted Manual Electronic KTS from boundary RAM Input Outside of asym. cryptographi Static RAM Encrypted Manual Electronic KTS-IFC encrypte c boundary d to RAM Output Outside of asym. Static RAM cryptographic Encrypted Manual Electronic KTS-IFC encrypte boundary d to RAM Table 25: SSP Input-Output Methods Public Material
Zeroization Method Description Rationale Operator Initiation Zeroization of all volatile SSPs. Explicit zeroization indicator provided by TPM2_Init N/A Activation of reset signal service completion status. SSPs linked to an Owner must Zeroization of all contexts associated with an Owner. Explicit zeroization TPM2_Clear not persist if the Owner Send TPM2_Clear command indicator provided by service completion status. changes Zeroization of platformAuth. Explicit zeroization indicator provided by Zeroize platformAuth before its TPM2_Startup Send TPM2_Startup command service completion status. first use after a reset Zeroize the platform primary seed and flush all transient and persistent TPM2_ChangePPS objects in the Platform hierarchy. Explicit zeroization indicator provided Platform hierarchy renewal Send TPM2_ChangePPS command by service completion status. Zeroize the endorsement primary seed and flush all transient and Endorsement hierarchy TPM2_ChangeEPS persistent objects in the Endorsement hierarchy. Explicit zeroization Send TPM2_ChangeEPS command renewal indicator provided by service completion status. Zeroize an object from NVRAM. Explicit zeroization indicator provided by Method required to zeroize a TPM2_EvictControl Send TPM2_EvictControl command service completion status. dedicated object in NVRAM Zeroize an object from RAM. Explicit zeroization indicator provided by Method required to zeroize a TPM2_FlushContext Send TPM2_FlushContext command service completion status. dedicated object in RAM Zeroize SSPs at the end of a command processing. Implicit zeroization Method for limited life cycle Automatic No, zeroization is automatic. indication. SSPs TPM2_NV_UndefineSpace Zeroize a NV index. Explicit zeroization indicator provided by service Method required to flush NV Send TPM2_NV_UndefineSpace command. Send TPM2_NV_UndefineSpaceSpecial completion status. indices from NVRAM TPM2_NV_UndefineSpaceSpecial command Zeroize the endorsement key provisioned. Explicit zeroization indicator Mandatory zeroization method TPM2_VendorCmdZeroizeEK Send TPM2_VendorCmdZeroizeEK command provided by service completion status. for EK SSPs TPM2_SequenceComplete Zeroize a hash or HMAC sequence. Explicit zeroization indicator provided Method required to flush Send TPM2_SequenceComplete command. Send TPM2_EventSequenceComplete by service completion status. sequences from RAM TPM2_EventSequenceComplete command Table 26: SSP Zeroization Methods
All usage of these SSPs by the Module are described in the services detailed in section 4. The next table lists the SSPs used as keys. Temporary storage duration column was removed for readability purposes because when temporary storage is indicated, duration corresponds to the duration of a command execution. The algorithms indicated in “Generate by” and “Used by” columns correspond to items in the SFI table. Established Used Name Description Size - Strength Type - Category Generated By By By KBKDF nullProof Proof (secret value) of the null hierarchy 512 - 256 Symmetric key - CSP DRBG MAC phProof Proof (secret value) of the platform hierarchy 512 - 256 Symmetric key - CSP DRBG MAC ehProof Proof (secret value) of the endorsement hierarchy 512 - 256 Symmetric key - CSP DRBG MAC KBKDF shProof Proof (secret value) of the storage hierarchy 512 - 256 Symmetric key - CSP DRBG MAC shProofForReseed Random value 512 - 256 Entropy source - CSP ENT-ESV DRBG
512 - 128 to 256 (depending on the underlying hash Authentication value / KBKDF
platformAuth Authentication value for the platform hierarchy algorithm used) Symmetric key - CSP MAC
512 - 128 to 256 (depending on the underlying hash Authentication value / KBKDF
endorsementAuth Authentication value for the endorsement hierarchy algorithm used) Symmetric key - CSP MAC Public Material
Established Used Name Description Size - Strength Type - Category Generated By By By
512 - 128 to 256 (depending on the underlying hash Authentication value / KBKDF
ownerAuth Authentication value for the storage hierarchy algorithm used) Symmetric key - CSP MAC
512 - 128 to 256 (depending on the underlying hash Authentication value / KBKDF
lockoutAuth Authentication value for the lockout hierarchy algorithm used) Symmetric key - CSP MAC Data, Symmetric key - DRBG KBKDF objSeed Seed value for object generation 512 - 128 to 256 CSP KBKDF SHA Authentication value / KBKDF objAuth Object's authorization value 112 to 512 - 112 to 256 Symmetric key - CSP MAC AESENC objSymKey Encryption key of object private part 256 - 256 Symmetric key - CSP KBKDF AESDEC objHmacKey Integrity key of object private part 160, 256, 384, 512 - 128 to 256 Symmetric key - CSP KBKDF MAC AESENC KeyGen AES2048, 3072, 4096 (RSA); 128, 192, 256 (AES); 256, Symmetric or asymmetric KBKDF DEC objSens Object private part 384, 521 (ECC); 448 (EdDSA); 112 to 1024 (HMAC) private key - CSP CKG SigGen - 112 to 256 KAS-KeyGen KAS KBKDF MAC SigVer 2048, 3072, 4096 (RSA); 512, 768, 1056 (ECC); Asymmetric public key - KeyGen KAS objPub Object public part
448 (EdDSA) - 112 to 256 PSP KAS-KeyGen KTS-
IFC Authentication value / KBKDF nvAuth Authorization of NV index 112 to 512 - 112 to 256 Symmetric key - CSP MAC sesSalt Salt for keys diversification 160, 256, 384, 512 - 128 to 256 Symmetric key - CSP N/A KAS KBKDF KBKDF sesHmacKey HMAC session key 160, 256, 384, 512 - 128 to 256 Symmetric key - CSP KBKDF MAC AESENC sesSymKey Encrypted session key 128, 192, 256 - 128 to 256 Symmetric key - CSP KBKDF AESDEC contextKey Derivation key for context protection 128 - 128 Symmetric key - CSP DRBG KBKDF AESENC contextEncKey Wrapping key for context protection 256 - 256 Symmetric key - CSP KBKDF AESDEC AESENC dupInSymKey Wrapping key for duplicated object 128, 192, 256 - 128 to 256 Symmetric key - CSP DRBG AESDEC DRBG dupSeed Seed for protection keys derivation 160 to 512 - 128 to 256 Symmetric key - CSP KAS KBKDF KAS AESENC dupOutSymKey Encryption key for duplicated objects 128, 192, 256 - 128 to 256 Symmetric key - CSP KBKDF AESDEC dupOutHmacKey HMAC key for duplicated objects 160, 256, 384, 512 - 128 to 256 Symmetric key - CSP KBKDF MAC creSeed Seed for credential keys derivation 160 to 512 - 128 to 256 Symmetric key - CSP KAS KBKDF Public Material
Established Used Name Description Size - Strength Type - Category Generated By By By AESENC creSymKey Encryption key for credentials 128, 192, 256 - 128 to 256 Symmetric key - CSP KBKDF AESDEC creHmacKey HMAC key for credentials 160, 256, 384, 512 - 128 to 256 Symmetric key - CSP KBKDF MAC ephSensEccKey ECC ephemeral private key 256, 384, 521 - 128 to 256 ECC private key - CSP KAS-KeyGen KAS ephPubEccKey ECC ephemeral public key 512, 768, 1056 - 128 to 256 ECC public key - PSP KAS-KeyGen KAS Input during KTSekRsa Provisioned RSA endorsement key 2048 - 112 RSA private key - CSP manufacturing IFC Input during ekEcc Provisioned ECC endorsement key 256, 384 - 128 to 192 ECC private key - CSP KAS manufacturing Input during fuSigECCKey Field upgrade ECC signature verification key 384 - 192 ECC public key - PSP SigVer manufacturing Input during fuSigLMSKey Field upgrade LMS signature verification key 32 - 128 LMS public key - PSP SigVer manufacturing Authentication value / KBKDF seqAuth Authorization value for hash or HMAC sequence 112 to 512 - 112 to 256 N/A Symmetric key - CSP MAC nullSeed Seed of the null hierarchy 512 - 256 Seed - CSP ENT-ESV DRBG phSeed Seed of the platform hierarchy 512 - 256 Seed - CSP ENT-ESV DRBG ehSeed Seed of the endorsement hierarchy 512 - 256 Seed - CSP ENT-ESV DRBG shSeed Seed of the storage hierarchy 512 - 256 Seed - CSP ENT-ESV DRBG Internal state (V and C secret values) of the DRBG (based on drbgState 256 - 256 State - CSP DRBG DRBG SHA256) drbgSeed Seed value for the DRBG 512 - 256 Seed - CSP ENT-ESV DRBG Internal state (V and C secret values) of the transient DRBG tdrbgState (based on SHA256) used to generate prime numbers for 256 - 256 State - CSP DRBG DRBG primary RSA keys Input during fuSymSeed Seed used for field upgrade symmetric key derivation 256 - 256 Symmetric key - Neither KBKDF manufacturing AESfuSymKey field upgrade symmetric key 256 - 256 Symmetric key - Neither KBKDF DEC Input during diagSymSeed Seed used for diagnostic symmetric key derivation 256 - 256 Symmetric key - Neither KBKDF manufacturing AESdiagSymKey diagnostic symmetric key 256 - 256 Symmetric key - Neither KBKDF ENC Table 27: SSP Table 1 Name Input - Output Storage Storage Duration Zeroization Related SSPs drbgState:Generates nullProof Static RAM:Plaintext Until next reset TPM2_Init contextEncKey:Derived From drbgState:Generates phProof NVRAM:Plaintext After Use TPM2_ChangePPS contextEncKey:Derived From TPM2_ChangeEPS drbgState:Generates ehProof NVRAM:Plaintext After Use TPM2_Clear contextEncKey:Derived From drbgState:Generates shProof NVRAM:Plaintext After Use TPM2_Clear contextEncKey:Derived From shProofForReseed NVRAM:Plaintext After Use TPM2_Clear tdrbgState:Reseeded From sesSymKey:Derived from, Protects Input plaintext to RAM (Encrypts) platformAuth Static RAM:Plaintext Until next reset TPM2_Init Input protected to RAM sesHmacKey:Derived from, Protects (Integrity) Public Material
Name Input - Output Storage Storage Duration Zeroization Related SSPs Input plaintext to sesHmacKey:Derived from, Protects NVRAM TPM2_Clear (Integrity) endorsementAuth NVRAM:Plaintext After Use Input protected to TPM2_ChangeEPS sesSymKey:Derived from, Protects NVRAM (Encrypts) Input plaintext to sesHmacKey:Derived from, Protects NVRAM (Integrity) ownerAuth NVRAM:Plaintext After Use TPM2_Clear Input protected to sesSymKey:Derived from, Protects NVRAM (Encrypts) Input plaintext to sesHmacKey:Derived from, Protects NVRAM (Integrity) lockoutAuth NVRAM:Plaintext After Use TPM2_Clear Input protected to sesSymKey:Derived from, Protects NVRAM (Encrypts) Input protected to RAM TPM2_Init tdrbgState:Derived From Input plaintext to RAM TPM2_Clear drbgState:Derived From Output protected from Static RAM:Plaintext Until object zeroization, shift to NVRAM TPM2_ChangePPS objSymKey:Derived From objSeed RAM NVRAM:Plaintext or next reset TPM2_ChangeEPS objHmacKey:Derived From Output protected from TPM2_EvictControl sesHmacKey:Protects (Integrity) NVRAM TPM2_FlushContext sesSymKey:Protects (Encrypts) Input plaintext to RAM TPM2_Init Input protected to RAM TPM2_Clear sesHmacKey:Derived from, Protects Output protected from Static RAM:Plaintext Until object zeroization, shift to NVRAM TPM2_ChangePPS objAuth (Integrity) RAM NVRAM:Plaintext or next reset TPM2_ChangeEPS sesSymKey:Derived from, Encrypts Output protected from TPM2_EvictControl NVRAM TPM2_FlushContext Dynamic objAuth:Encrypted by objSymKey RAM:Plaintext After Use Automatic objSens:Encrypted by NVRAM:Plaintext objSeed:Encrypted by Dynamic objAuth:Protected by (Integrity) objHmacKey RAM:Encrypted After Use Automatic objSens:Protected by (Integrity) NVRAM:Plaintext objSeed:Protected by (Integrity) Input plaintext to RAM TPM2_Init tdrbgState:Generates Input protected to RAM TPM2_Clear drbgState:Generates Output protected from Static RAM:Plaintext Until object zeroization, shift to NVRAM TPM2_ChangePPS objSens:Derives objSens RAM NVRAM:Plaintext or next reset TPM2_ChangeEPS objSymKey:Encrypts Output protected from TPM2_EvictControl objHmacKey:Protects (Integrity) NVRAM TPM2_FlushContext objPub:Paired With TPM2_Init Input plaintext to RAM TPM2_Clear Output plaintext from Static RAM:Plaintext Until object zeroization, shift to NVRAM TPM2_ChangePPS objPub NVRAM objSens:Paired With NVRAM:Plaintext or next reset TPM2_ChangeEPS Output plaintext from TPM2_EvictControl RAM TPM2_FlushContext Input plaintext to sesHmacKey:Derived from, Protects NVRAM TPM2_NV_UndefineSpace nvAuth NVRAM:Plaintext After Use (Integrity) Input protected to TPM2_NV_UndefineSpaceSpecial sesSymKey:Encrypts NVRAM Input asym. encrypted to Dynamic sesHmacKey:Derived From sesSalt After Use Automatic RAM RAM:Plaintext objPub:Encrypts nvAuth:Derives; Protected by (Integrity) Input protected to RAM contextKey:Encrypts Dynamic sesHmacKey Output protected from After Use Automatic contextEncKey:Encrypts RAM:Plaintext RAM platformAuth:Protected by (Integrity) endorsementAuth:Protected by Public Material
Name Input - Output Storage Storage Duration Zeroization Related SSPs (Integrity) ownerAuth:Protected by (Integrity) lockoutAuth:Protected by (Integrity) objAuth:Protected by (Integrity) seqAuth:Protected by (Integrity) dupInSymKey:Protected by (Integrity) dupSeed:Protected by (Integrity) creSeed:Protected by (Integrity) sesHmacKey:Derives platformAuth:Derives; Encrypts endorsementAuth:Derives; Encrypts ownerAuth:Derives; Encrypts Dynamic sesSymKey After Use Automatic lockoutAuth:Derives; Encrypts RAM:Plaintext objAuth:Derives; Encrypts seqAuth:Derives; Encrypts nvAuth:Derives; Encrypts dupInSymKey:Encrypted by drbgState:Generates contextKey Static RAM:Plaintext Until next reset TPM2_Init contextEncKey:Derived From contextKey:Derives nullProof:Derives Dynamic contextEncKey After Use Automatic phProof:Derives RAM:Plaintext ehProof:Derives shProof:Derives Input plaintext to RAM Input protected to RAM sesSymKey:Encrypts Output plaintext from Dynamic dupInSymKey After Use Automatic sesHmacKey:Protects (Integrity) RAM RAM:Plaintext objSens:Encrypted by Output protected from RAM Input asym. encrypted to objPub:Encrypts RAM Dynamic dupSeed After Use Automatic dupOutSymKey:Derived from Output asym. encrypted RAM:Plaintext dupOutHmacKey:Derived from to RAM dupSeed:Derives Dynamic objSens:Encrypted by dupOutSymKey After Use Automatic RAM:Plaintext objAuth:Encrypted by objSeed:Encrypted by dupSeed:Derives Dynamic objSens:Protects (Integrity) dupOutHmacKey After Use Automatic RAM:Plaintext objAuth:Protects (Integrity) objSeed:Protects (Integrity) Input asym. encrypted to creSymKey:Derives RAM Dynamic creSeed After Use Automatic creHmacKey:Derives Output asym. encrypted RAM:Plaintext objPub:Encrypts to RAM Dynamic creSymKey After Use Automatic creSeed:Derived From RAM:Plaintext Dynamic creHmacKey After Use Automatic creSeed:Derived From RAM:Plaintext Dynamic ephSensEccKey After Use Automatic drbgState:Generates RAM:Plaintext Public Material
Name Input - Output Storage Storage Duration Zeroization Related SSPs Input plaintext to RAM Dynamic ephPubEccKey Output plaintext from After Use Automatic ephSensEccKey:Derives RAM:Plaintext RAM ekRsa NVRAM:Plaintext After Use TPM2_VendorCmdZeroizeEK objSens:Derived From ekEcc NVRAM:Plaintext After Use TPM2_VendorCmdZeroizeEK objSens:Derived From fuSigECCKey NVRAM:Plaintext After Use N/A fuSigLMSKey NVRAM:Plaintext After Use N/A Input plaintext to RAM Input protected to RAM Until use of zeroization command or TPM2_SequenceComplete sesSymKey:Derived From seqAuth NVRAM:Plaintext Output protected from next reset TPM2_EventSequenceComplete sesHmacKey:Derived From RAM nullSeed Static RAM:Plaintext Until next reset TPM2_Init tdrbgState:Instantiated with phSeed NVRAM:Plaintext After Use TPM2_ChangePPS tdrbgState:Instantiated with ehSeed NVRAM:Plaintext After Use TPM2_ChangeEPS tdrbgState:Instantiated with shSeed NVRAM:Plaintext After Use TPM2_Clear tdrbgState:Instantiated with TPM2_Init drbgState Static RAM:Plaintext Until next reset or use of TPM2_Clear drbgSeed:Instantiates TPM2_Clear Dynamic drbgSeed After Use Automatic drbgState:Instantiated with RAM:Plaintext nullSeed:Instantiates Dynamic phSeed:Instantiates tdrbgState After Use Automatic RAM:Plaintext ehSeed:Instantiates shSeed:Instantiates fuSymSeed NVRAM:Plaintext After Use N/A fuSymKey:Derived From Dynamic fuSymKey After Use Automatic fuSymSeed:Derives RAM:Plaintext diagSymSeed NVRAM:Plaintext After Use N/A diagSymKey:Derived From Dynamic diagSymKey After Use Automatic diagSymSeed:Derives RAM:Plaintext Table 28: SSP Table 2
The use of SHA-1 for digital signature generation is non-Approved and only available through non-Approved services. All other applications of SHA-1 are acceptable, where collision resistance is not required. Public Material
The next table gives the security strength of a key depending on the underlying algorithm used and its size: Algorithm Underlying algorithm Key size (bits) Security strength (bits) size ≥ 128 128 SHA-1 size < 128 Key size size ≥ 192 192 KBKDF SHA2-256 size < 192 Key size SHA2-384 size ≥ 256 256 SHA2-512 size < 256 Key size size ≥ 128 128 SHA-1 size < 128 Key size size ≥ 192 192 HMAC SHA2-256 size < 192 Key size SHA2-384 size ≥ 256 256 SHA2-512 size < 256 Key size DRBG SHA2-256 - 256 AES - 128 / 192 / 256 128 / 192 / 256 RSA - 2048 / 3072 / 4096 112 / 128 / 142 ECC - 256 / 384 / 448 / 521 128 / 192 / 224 / 256 Table 29
The Module performs self-tests to ensure the proper operation of the Module. Per FIPS 140-3 these are categorized as either pre-operational self-tests or conditional self-tests. Pre-operational self–tests are available on demand by power cycling the Module. The Module performs the following pre-operational self-tests in the table below: Algorithm or Test Test Properties Test Type Indicator Details Test Method Firmware SW/FW Successful execution of TPM2_Startup command FW integrity is verified by computing an EDC (CRC-16 [ISO13239]) and comparing it to CRC 16 EDC integrity test Integrity indicates tests have been run reference values. HW registers Critical Successful execution of TPM2_Startup command HW integrity is guaranteed via check of HW sensors. If failure is detected during boot HW integrity KAT verification Function indicates tests have been run sequence, status is set to FAIL, and error is returned. Table 30: Pre-Operational Self-Tests
The Module performs the following conditional self-tests as shown in the table below. The bit index indicated in the “Indicator” column corresponds to the index in the algo_status field in the TPM2_GetTestResult response. Algorithm or Test Test Properties Test Method Indicator Details Conditions Test Type AES-CBC AES-128-CBC KAT CAST Bit #7 clear AES CBC 128 encryption of known data compared to a reference value. Power On (A5356) Encrypt AES-CBC AES CBC 128 decryption of known encrypted data and comparison to the expected AES-128-CBC KAT CAST Bit #7 clear Power On (A5356) Decrypt plaintext data ECDSA KeyGen Depending on the key purpose (signing or key establishment) an ECDSA signature is Key creation Upon ECC Key (FIPS186-4) P-256, P-384, P-521 PCT PCT generated (k fixed and the message varies) and verified with pairwise consistency test as failure Generation (A5358) defined by [56Ar3] or a scalar multiplication is done and compared to the public key. ECDSA SigGen ECDSA signature generation on known data with known key and k. Output of signature is (FIPS186-4) NIST P-256 KAT CAST Bit #10 clear Power On compared to a reference signature. (A5358) ECDSA SigVer (FIPS186-4) NIST P-256 KAT CAST Bit #10 clear ECDSA signature verification on known signature with known key and k. Power On (A5358) [90B] Health- AIS31 and [90B] (RCT and APT) start-up health tests on ENT(P) output sequence. If test At each random Entropy RCT and APT CAST Bit #1 clear Test fails, test status is set to FAIL, and error is returned bits generation Error returned on Signature SW/FW Upon firmware Firmware loading ECDSA P-384 and LMS FW loading Verification of chained digest and signature to ensure authentication of the FW Verification Load load command Instantiate then Reseed are seeded with a known seed value (64 bytes). Random is then Hash DRBG SHA2-256 KAT CAST Bit #1 clear generated with Generate API to output a 32-bytes value compared to a reference value Power On (A5351) (single test sequence done in accordance with §11.3 of [90A]) HMAC-SHA-1 HMAC on known data and known key. Comparison of output to an expected MAC value HMAC-SHA1 KAT CAST Bit #5 clear Power On (A5355) (20 bytes) Primitive "Z" Computation and key derivation are implemented: a known private key d is KAS-ECC used with a known point P of NIST P-256 curve to compute Q = dP. Key derivation of Q Sp800-56Ar3 NIST P-256 KAT CAST Bit #9 clear Power On performed with SHA-1 underlying algorithm to output a key of 20 bytes that is compared (A5358) to a refence value KDF SP800-108 KDF on known data and known label. Comparison of output to an expected derivation N/A KAT CAST Bit #6 clear Power On (A5354) value (32 bytes) Public Material
Algorithm or Test Test Properties Test Method Indicator Details Conditions Test Type LMS SigVer LMOTS_SHA256_N32_W4 KAT CAST Bit #8 clear LMS signature verification of known signature with known data and known key. Power On (A5360) LMS_SHA256_M32_H10 RSA SigGen RSA signature generation on known data with a known key. Output of signature is (FIPS186-5) RSASSA-PKCS1-v1_5 KAT CAST Bit #12 clear Power On compared to a reference signature (covers also KTS-IFC functionality) (A5357) RSA SigVer RSA signature verification on a known signature with a known key (covers also KTS-IFC (FIPS186-5) RSASSA-PKCS1-v1_5 KAT CAST Bit #12 clear Power On functionality) (A5357) RSA KeyGen Key creation Depending on the key purpose (signing or encrypting) indicated in sign attribute of the Upon RSA Key (FIPS186-5) 2048, 3072 or 4096-bit PCT PCT failure key, encryption/decryption or signing/verification is done on known data Generation (A5357) Bit #2 clear Bit Hash of known data and comparison of output to an expected digest. SHA-1, SHA2-256, SHA1, SHA2-256, SHA2-512, SHS KAT CAST #3 clear Bit #4 SHA2-512 are tested twice to cover each of the two implementations covered by CAVP Power On SHA3-256 clear Cert. #A5352 and #A5353. EDDSA SigGen EdDSA signature generation on known data with known key. Output of signature is Ed448 KAT CAST Bit #11 clear Power-On (A5359) compared to a reference signature. EDDSA SigVer Ed448 KAT CAST Bit #11 clear Signature verification performed on the generated signature Power-On (A5359) EDDSA KeyGen Key creation Upon EdDSA Ed448 PCT PCT An EdDSA signature is generated and verified with pairwise consistency test. (A5359) failure Key Generation Table 31: Conditional Self-Tests Public Material
Algorithm or Periodic Test Method Test Type Period Test Method Firmware EDC SW/FW Integrity On demand Manually integrity test HW integrity KAT Critical Function On demand Manually Table 32: Pre-Operational Periodic Information Algorithm or Periodic Test Method Test Type Period Test Method AES-CBC KAT CAST On Demand Manually (A5356) Encrypt AES-CBC KAT CAST On Demand Manually (A5356) Decrypt ECDSA KeyGen (FIPS186-4) PCT PCT N/A Manually (A5358) ECDSA SigGen (FIPS186-4) KAT CAST On Demand Manually (A5358) ECDSA SigVer (FIPS186-4) KAT CAST On Demand Manually (A5358) [90B] HealthEntropy CAST On Demand Manually Test Firmware Signature SW/FW Load On Demand Manually loading Verification Hash DRBG KAT CAST On Demand Manually (A5351) HMAC-SHA-1 KAT CAST On Demand Manually (A5355) KAS-ECC Sp800-56Ar3 KAT CAST On Demand Manually (A5358) KDF SP800-108 KAT CAST On Demand Manually (A5354) LMS SigVer KAT CAST On Demand Manually (A5360) RSA SigGen (FIPS186-5) KAT CAST On Demand Manually (A5357) RSA SigVer (FIPS186-5) KAT CAST On Demand Manually (A5357) RSA KeyGen (FIPS186-5) PCT PCT N/A Manually (A5357) SHS KAT CAST On Demand Manually Public Material
Algorithm or Periodic Test Method Test Type Period Test Method EDDSA SigGen KAT CAST On Demand Manually (A5359) EDDSA SigVer KAT CAST On Demand Manually (A5359) EDDSA KeyGen PCT PCT N/A Manually (A5359) Table 33: Conditional Periodic Information
Recovery Name Description Conditions Indicator Method The Module fails a Outputs return code of KAT, PCT, FW or The Module Reboot/Power TPM_RC_FAILURE, ES1 HW integrity enters the cycle the otherwise it indicates verification, [90B] failure state module successful completion by health test TPM_RC_SUCCESS Return code different from The Module fails a The Module TPM_RC_SUCCESS sent on ES2 firmware loading returns to None firmware upgrade start test normal state command Table 34: Error States All cryptographic functions are inhibited while the Module is in an error state. Successful completion of self-tests can be verified through use of TPM2_GetTestResult command. The first 4 bytes of response indicate self-tests status. If they are equal to 0, self-tests completed successfully. If not, the subsequent 4 bytes indicate the list of algorithms not fully self-tested. Public Material
Installation and Initialization: The following steps must be performed in order to securely install, initialize, and start up the Module in the FIPS 140-3 Approved mode of operation:
Signature with HMAC key (one of the proofs) TPM2_PolicyTicket Message Authentication Code generated by TPM2_PolicySigned or TPM2_PolicySecret authValue of bound entity is used as KDK Bound session Message Authentication Code generated from KBKDF in session key derivation Table 35
Marking KTPMA AC5 FW version 00.0A.02.00 (10.512) TPM2.0 revision 1.59 Table 37
No specific initialization procedure is required. Public Material
No initialization procedures are required.
Rules of Operation
End-of-life of the product requires the following zeroization commands to be executed to remove all CSPs from the memory of the Module:
The Module does not implement any mitigation method against other attacks. Public Material
References and Definitions The following standards are referred to in this Security Policy: Abbreviation Full Specification Name [TPM2.0 Part1] TPM2.0 Main, Part 1, Architecture, rev 1.59, TCG [TPM2.0 Part2] TPM2.0 Main, Part 2, Structures, rev 1.59, TCG [TPM2.0 Part3] TPM2.0 Main, Part 3, Commands, rev 1.59, TCG [TPM2.0 Part4] TPM2.0 Main, Part 4, Supporting routines, rev 1.59, TCG [PTP 1.06] TCG PC Client Platform TPM Profile (PTP) Specification, rev. 1.06 [ISO19790] International Standard, ISO/IEC 19790, Information technology
Abbreviation Full Specification Name [135] National Institute of Standards and Technology, Recommendation for Existing ApplicationSpecific Key Derivation Functions, Special Publication 800-135rev1, December 2011 [186] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-5, Feb 2023 [197] National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197-upd1, May, 2023 [198] National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008 [180] National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August 2015 [202] FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION, SHA-3 Standard: PermutationBased Hash and Extendable-Output Functions, FIPS PUB 202, August 2015 [208] National Institute of Standards and Technology, Recommendation for Stateful Hash-Based Signature Schemes, October 2020 [38A] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001 [56Ar3] NIST Special Publication 800-56A Revision 3, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, April 2018 [56Br2] NIST Special Publication 800-56B Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Finite Field Cryptography, March 2019 [90A] National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, Revision 1, June 2015 [90B] National Institute of Standards and Technology, Recommendation for the Entropy Sources Used for Random Bit Generation, Special Publication 800-90B, January 2018 [5639] Request for Comments, Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation, March 2010 Table 40
Acronym Definition APT Adaptive Proportion Test BN P-256 Barreto-Naehrig 256-bit elliptic curve BP P-256 Brainpool 256-bit elliptic curve BP P-384 Brainpool 384-bit elliptic curve BP P-512 Brainpool 512-bit elliptic curve FW Firmware HW Hardware KAT Know Answer Test I2C Inter-Integrated Circuit MPU Memory Protection Unit RCT Repetition Count Test SPI Serial Peripheral Interface SSP Sensitive Security Parameter TCG Trusted Computing Group TPM Trusted Platform Module Table 41