All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Trusted Platform Module ST33KTPM2X / ST33KTPM2XSPI

Certificate#5109StandardFIPS 140-3Level2TypeHardwareEmbodimentSingle ChipStatusActiveVendorSTMicroelectronics
Medium review priority  ·  no TCB surface named  ·  last validated 7 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentSingle Chip
StatusActive
Sunset date12/14/2030
CaveatWhen installed, initialized and configured as specified in Section 11 of the Security Policy; When operated in approved mode
VendorSTMicroelectronics

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Trusted Platform Module ST33KTPM2X / ST33KTPM2XSPI
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>recovery<br/>upgrade<br/>update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Self-Test<br/>Unauthenticated<br/>UnAuth</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C6 clue;
  class I2,I3,I6 infer;
  class R2,R3,R6 risk;
  class E2,E3,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Trusted Platform Module ST33KTPM2X / ST33KTPM2XSPI
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>recovery<br/>upgrade<br/>update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Self-Test<br/>Unauthenticated<br/>UnAuth</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C6 clueLow;

Security Policy, page by page

Page 1

STMicroelectronics Trusted Platform Module ST33KTPM2X / ST33KTPM2XSPI Document Version: 01-01 Date: 2025-12-01 Public Material

Page 2
Table of Contents
#SectionPage
Page 3

Public Material

Page 4
List of Tables
ItemPage
Table 1: Security Levels5
Table 2: Tested Module Identification – Hardware8
Table 3 – KE2 Module Configuration9
Table 4 – KE3 Module Configuration9
Table 5 – KG8 Module Configuration9
Table 6 – KG9 Module Configuration10
Table 7 – KJ5 Module Configuration10
Table 8 – KJ0 Module Configuration10
Table 9 – KJ1 Module Configuration11
Table 10: Modes List and Description12
Table 11: Approved Algorithms13
Table 12: Vendor-Affirmed Algorithms13
Table 13: Non-Approved, Allowed Algorithms with No Security Claimed13
Table 14: Non-Approved, Not Allowed Algorithms14
Table 15: Security Function Implementations19
Table 16: Entropy Certificates19
Table 17: Entropy Sources20
Table 18: Ports and Interfaces21
Table 19 – UFQFPN32 Pins Definition23
Table 20: Authentication Methods24
Table 21: Roles25
Table 22 – Mapping between services25
Table 23: Approved Services67
Table 24: Non-Approved Services73
Table 25: Mechanisms and Actions Required77
Table 26: EFP/EFT Information78
Table 27: Hardness Testing Temperatures78
Table 28: Storage Areas80
Table 29: SSP Input-Output Methods81
Table 30: SSP Zeroization Methods82
Table 31: SSP Table 184
Table 32: SSP Table 288
.96
Table 34: Pre-Operational Self-Tests97
Table 35: Conditional Self-Tests98
Table 36: Pre-Operational Periodic Information99
Table 37: Conditional Periodic Information100
Table 38: Error States100
Table 39 – List of policy commands to use in a policy session102
Table 40 – References106
Table 41 – Acronyms and Definitions107
Page 5
List of Figures
ItemPage
Figure 1 – HW block diagram7
Figure 2 – UFQFPN32 Package8
Figure 3 – UFQFPN32 Pinout Diagram23
Figure 4 – Firmware block diagram75
Page 6
2 Cryptographic Module Specification

The ST33KTPM2X / ST33KTPM2XSPI module, hereafter denoted as the Module, is a fully integrated security module implementing the revision 1.59 of the Trusted Computing Group (TCG) specification for Trusted Platform Modules (TPM) version 2.0.

2.1 Description

Purpose and Use: The Module is intended for use by US Federal agencies or other markets that require FIPS 140-3 validated level 2. The Module is designed to be integrated into personal computers or any other embedded electronic systems. TPM is primarily used for cryptographic keys generation, keys storage, keys management and secure storage for digital certificates. Module Type: Hardware Module Embodiment: SingleChip Module Characteristics: Cryptographic Boundary: The cryptographic boundary of the Module is defined as the perimeter of the IC package and is represented in the next figure. The Module is composed of:

Page 7

Figure 1

Page 8
2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

9.512 (dec.) interface is exclusive

ST33K1M5T ST33KTPM2X 0x00.09.02.00 ST33K1M5T and selectable revC & revD (hex.) dynamically during product boot.

9.512 (dec.)

ST33K1M5T ST33KTPM2XSPI 0x00.09.02.00 ST33K1M5T SPI revC & revD (hex.) Table 2: Tested Module Identification

Page 9

Module name / ST33KTPM2XSPI HW P/N Package UFQFPN32 Interface SPI Marking KTPM KE2 FW version 00.09.02.00 (9.512) TPM2.0 revision 1.59 Table 3

Page 10

Module name / ST33KTPM2X HW P/N Package UFQFPN32 Interface SPI / I2C Marking KTPM KG9 FW version 00.09.02.00 (9.512) TPM2.0 revision 1.59 Table 6

Page 11

Package UFQFPN32 Interface SPI / I2C Marking KTPM KJ1 FW version 00.09.02.00 (9.512) TPM2.0 revision 1.59 Table 9

2.3 Excluded Components
2.4 Modes of Operation

Modes List and Description: Mode Description Type Status Indicator Name TPM is in normal operation mode when all preoperational and conditional selftests (apart from TPM2_GetCapability (capability = FW load and PCT TPM_CAP_VENDOR_PROPERTIES) with the tests) are sub-capability Normal complete. All Approved TPM_SUBCAP_VENDOR_TPMA_MODES = mode approved services 0x7 shall be used. It outputs a 2-bit indicator are usable. The equals to 01b if the module is in an approved corresponding mode of operation indicator reports if the service uses an approved cryptographic algorithm or security function. TPM2_GetCapability (capability = Non- The module enters TPM_CAP_VENDOR_PROPERTIES) with the approved a non-approved Nonsub-capability mode of mode if one of the Approved TPM_SUBCAP_VENDOR_TPMA_MODES = operation non-approved 0x7 shall be used. It outputs a 2-bit indicator Public Material

Page 12

Mode Description Type Status Indicator Name services is used by equals to 10b if the module is in a non-approved the operator. mode of operation Table 10: Modes List and Description

2.5 Algorithms

Approved Algorithms: The Module implements the Approved cryptographic algorithms listed in the table below. Algorithm CAVP Cert Properties Reference AES-CBC A5356 - SP 800-38A AES-CFB128 A5356 - SP 800-38A AES-CTR A5356 - SP 800-38A AES-ECB A5356 - SP 800-38A AES-OFB A5356 - SP 800-38A ECDSA KeyGen (FIPS186-4) A5358 - FIPS 186-4 ECDSA KeyVer (FIPS186-4) A5358 - FIPS 186-4 ECDSA SigGen (FIPS186-4) A5358 - FIPS 186-4 ECDSA SigVer (FIPS186-4) A5358 - FIPS 186-4 SP 800-90A Rev. Hash DRBG A5351 HMAC-SHA-1 A5355 - FIPS 198-1 HMAC-SHA2-256 A5355 - FIPS 198-1 HMAC-SHA2-384 A5355 - FIPS 198-1 HMAC-SHA2-512 A5355 - FIPS 198-1 HMAC-SHA3-256 A5355 - FIPS 198-1 HMAC-SHA3-384 A5355 - FIPS 198-1 SP 800-56A Rev. KAS-ECC Sp800-56Ar3 A5358 SP 800-108 Rev. KDF SP800-108 A5354 SP 800-56B Rev. KTS-IFC A5357 LMS SigVer A5360 - SP 800-208 RSA Decryption Primitive Sp800-56Br2 SP 800-56B Rev. A5357 (CVL) 2 RSA KeyGen (FIPS186-5) A5357 - FIPS 186-5 RSA SigGen (FIPS186-5) A5357 - FIPS 186-5 RSA SigVer (FIPS186-5) A5357 - FIPS 186-5 SHA-1 A5352 - FIPS 180-4 Public Material

Page 13

Algorithm CAVP Cert Properties Reference SHA-1 A5353 - FIPS 180-4 SHA2-256 A5352 - FIPS 180-4 SHA2-256 A5353 - FIPS 180-4 SHA2-384 A5352 - FIPS 180-4 SHA2-384 A5353 - FIPS 180-4 SHA2-512 A5352 - FIPS 180-4 SHA2-512 A5353 - FIPS 180-4 SHA3-256 A5352 - FIPS 202 SHA3-384 A5352 - FIPS 202 Table 11: Approved Algorithms Vendor-Affirmed Algorithms: The Module implements the Vendor Affirmed cryptographic algorithms listed. Name Properties Implementation Reference Section 4, Example 1 of [133r2]; IG CKG Key Type:Symmetric N/A D.H CKG- Key Section 4, Example 1 of [133r2]; IG N/A Asym Type:Asymmetric D.H Table 12: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: The Module implements the Non-Approved, Allowed cryptographic Algorithms with No Security Claimed. Use and Name Caveat Function No security claimed per IG 2.4.A with the example of scenario #1. The algorithm: * is not used except for this purpose * does not Obfuscation of XOR access or share CSPs in a way that counters the requirements of the input or output IG * not intended to be used as a security function. * can't be data confused for a security function Table 13: Non-Approved, Allowed Algorithms with No Security Claimed Non-Approved, Not Allowed Algorithms: Public Material

Page 14

The Module implements the Non-Approved, Not Allowed cryptographic algorithms listed. Name Use and Function ECC BN P-256 Key generation, digital signature generation based on ECC BN P-256 (non-compliant) ECC derived keys Secret exchange or digital signature generation/verification (non-compliant) ECDAA (nonKey generation, digital signature generation compliant) Digital signature with an ECC signing key generated with an ECDSA (non- undetermined scheme (field inPublic.buffer.parameters.scheme.scheme = compliant) TPM_ALG_NULL), derived from a derivation parent key, or a key loaded in the NULL hierarchy ECSchnorr (nonKey generation, digital signature generation and verification compliant) HMAC (nonKey length < 112 bits for message authentication compliant) KAS (non- Key agreement with an ECC key that has an undetermined scheme (field compliant) inPublic.buffer.parameters.scheme.scheme = TPM_ALG_NULL) KBKDF (nonNon-Approved key derivation usage compliant) Key encapsulation with an RSA decryption key that has an undetermined KTS-IFC (nonscheme (field inPublic.buffer.parameters.scheme.scheme = compliant) TPM_ALG_NULL) RSA (non- 1024-bit RSA digital signature generation or with a key loaded in the compliant) Null hierarchy RSA with no padding mode Key transport (null scheme) (non-compliant) RSAES-PKCS1v1_5 (non- Key transport compliant) SHA-1 (nonDigital signature generation compliant) Table 14: Non-Approved, Not Allowed Algorithms

2.6 Security Function Implementations

Next table shows the Security Function Implementations that the Module implements: Public Material

Page 15

Name Type Description Properties Algorithms ECDSA KeyGen (FIPS186-4): (A5358) AsymKeyPair- Key-Pair Publications:FIPS CKG-Asym: () KeyGen KeyGen Generation 186-5 Key Type: Asymmetric RSA KeyGen (FIPS186-5): (A5357) ECDSA AsymKeyPair- Key-Pair Publications:FIPS KeyVer KeyVer KeyVer Verification 186-5 (FIPS186-4): (A5358) KAS-ECC Sp800-56Ar3: (A5358) Function: Full AsymKeyPair- Key-pair KeyVal Publications:186-5 Validation PubKeyVal Validation KTS-IFC: (A5357) Function: partialVal AES-CBC: (A5356) AES-CFB128: (A5356) Unauthenticated Publication:FIPS AES-CTR: AES-ENC BC-UnAuth Encryption 197 (A5356) AES-ECB: (A5356) AES-OFB: (A5356) AES-CBC: (A5356) AES-CFB128: (A5356) Unauthenticated Publication:FIPS AES-CTR: AES-DEC BC-UnAuth Decryption 197 (A5356) AES-ECB: (A5356) AES-OFB: (A5356) Signature Publication:FIPS ECDSA SigGen DigSig-SigGen Generation 186-5 SigGen Public Material

Page 16

Name Type Description Properties Algorithms (FIPS186-4): (A5358) RSA SigGen (FIPS186-5): (A5357) SHA2-256: (A5352) SHA2-384: (A5352) SHA2-512: (A5352) SHA3-256: (A5352) SHA3-384: (A5352) LMS SigVer: (A5360) ECDSA SigVer (FIPS186-4): (A5358) RSA SigVer (FIPS186-5): (A5357) Signature Publications:FIPS SHA2-256: SigVer DigSig-SigVer Verification 186-5 (A5352) SHA2-384: (A5352) SHA2-512: (A5352) SHA3-256: (A5352) SHA3-384: (A5352) Hash DRBG: (A5351) Random Publication: :SP800- Method: SHA2DRBG DRBG Number 90A 256 Generation SHA2-256: (A5352) SHA2-256: (A5352) Publications:SP800ENT-ESV ENT-ESV ESV Conditioning 90B Component: SHA2-256 Public Material

Page 17

Name Type Description Properties Algorithms KAS-ECC Sp800-56Ar3: (A5358) Schemes: fullUnified, onePassDH KDF: oneStepKDF SHA-1: Key Publications:SP (A5352) KAS KAS-Full establishment 800-56A, Rev 3 SHA2-256: (A5352) SHA2-384: (A5352) SHA2-512: (A5352) SHA3-256: (A5352) SHA3-384: (A5352) KTS-IFC: (A5357) Publication:SP 800RSA Key 56B rev 2, IG D.G KTS-IFC KTS-Encap Decryption Encapsulation Method:KTSPrimitive OAEP-basic Sp800-56Br2: (A5357) HMAC-SHA2Publication:SP 800- 256: (A5355) KTS KTS-Wrap Key transport 38F, IG D.G AES-CFB128: (A5356) KDF SP800108: (A5354) SHA-1: (A5353) SHA2-256: (A5353) Key-Based Key Publications:SP800- SHA2-384: KBKDF KBKDF Derivation 108 (A5353) SHA2-512: (A5353) SHA3-256: (A5352) SHA3-384: (A5352) Public Material

Page 18

Name Type Description Properties Algorithms HMAC-SHA-1: (A5355) HMAC-SHA2256: (A5355) HMAC-SHA2384: (A5355) HMAC-SHA2512: (A5355) HMAC-SHA3256: (A5355) HMAC-SHA3Message 384: (A5355) MAC MAC Publication:FIPS198 Authentication SHA-1: (A5352) SHA2-256: (A5352) SHA2-384: (A5352) SHA2-512: (A5352) SHA3-256: (A5352) SHA3-384: (A5352) SHA-1: (A5353, A5352) SHA2-256: (A5352, A5353) SHA2-384: Publications:FIPS (A5352, SHA SHA Secure Hash 180-4, FIPS 202 A5353) SHA2-512: (A5352, A5353) SHA3-256: (A5352) SHA3-384: (A5352) Publications:SP800Symmetric Key Hash DRBG: CKG CKG 133rev2, Section 4; Generation (A5351) IG D.H Public Material

Page 19

Name Type Description Properties Algorithms KAS-ECC KAS-ECC Key Publication:SP800KAS-KeyGen KAS-KeyGen Sp800-56Ar3: Generation 56Arev3 (A5358) Table 15: Security Function Implementations

2.7 Algorithm Specific Information

Notes: KAS [56Ar3] - Per [IG] D.F Scenario 2 path (2), compliant key agreement scheme where testing is performed end-to-end for the shared secret computation and a KDF compliant with <KDA>. With/without key confirmation.

2.8 RBG and Entropy

The Module implements:

Page 20

Entropy Operational Sample Conditioning Name Type per Environment Size Component Sample ST33KTPM2A, ST33KTPM2I entropy source Table 17: Entropy Sources

2.9 Key Generation

For Key Generation methods, see Section 2.6 Security Function Implementations above.

2.10 Key Establishment

Key Agreement Information For Key Establishment methods, see Section 2.6 Security Function Implementations above. Key Transport Information For Key Transport methods, see Section 2.6 Security Function Implementations above.

2.11 Industry Protocols

The Module does not implement any Industry Protocols. Public Material

Page 21
3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

The Module’s ports and associated FIPS-defined logical interface categories are listed below. Logical Physical Port Data That Passes Interface(s) SPI_NSS / SPI_CLK / Control parts of the TPM commands provided to the SPI_MOSI / Control security module. It concerns all bytes of a command I2C_SCL / Input except plaintext data, ciphertext data and SSPs (entered I2C_SDA / RESET / with the data input interface). PP Control parts of the TPM responses output by the SPI_NSS / security module. It concerns all bytes of a response SPI_CLK / Control except plaintext data, ciphertext data and SSPs (output SPI_MISO / Output with the data output interface) and except the I2C_SCL / responseCode of a response (output with the status I2C_SDA / PIRQ output interface) SPI_NSS / SPI_CLK / Status Status output by the security module (responseCode SPI_MISO / Output parameter of a response) I2C_SCL / I2C_SDA / PIRQ SPI_NSS / SPI_CLK / Data (plaintext data, ciphertext data and SSPs) provided SPI_MOSI / Data Input to the security module as part of an input processing I2C_SCL / command I2C_SDA SPI_NSS / SPI_CLK / Data (plaintext data, ciphertext data and SSPs) output by SPI_MISO / Data Output the security module as part of the response to a I2C_SCL / processing command I2C_SDA VCC / GND Power Power interface of the security module Table 18: Ports and Interfaces Additional details concerning the ports and interfaces of TPM: 1. Control and data inputs are multiplexed over the same physical interface. Control and data are distinguished by properly parsing input TPM command parameters according to input structures description, indicated for each command in [TPM2.0 Part3]. Some commands only deal with control input and status output parameters. Public Material

Page 22
  1. Status, data and control output are multiplexed over the same physical interface. Status, data and control are distinguished by properly setting output TPM response parameters according to output structures description, indicated for each command in [TPM2.0 Part3].
  2. The logical state machine and the command structure parsing of the module prevent from using input data externally from the “data input path” and prevent from outputting data externally from the “data output path”.
  3. While performing key generation or key zeroisation (no manual key entry on TPM), the output data path is logically disconnected while the output status path remains connected to report any possible failure during command processing. Generally, the output data path is only connected when TPM outputs response containing data.
  4. To prevent the inadvertent output of CSPs in plaintext form on TPM2_Duplicate, the two following independent internal actions are performed: a. Verification of the encryptedDuplication attribute of the key to be duplicated b. Verification of the handle of the new parent of the key to be duplicated encryptedDuplication attribute must be set to 0 and new handle must be set to the null handle to authorize outputting the private part of the key in plaintext form.
  5. The logical state machine and command structure of the module guarantees the inhibition of all data output via the data output interface whenever an error state exists and while doing selftests.
  6. The status output interface remains active during the error state to output the status of the security module with the service TPM2_GetCapability and TPM2_GetTestResult.
3.2 Pinout description

The pin layout for the UFQFPN32 package is shown in the next figure. The ST33KTPM2X security module supports both SPI and I2C physical interfaces but only one interface is configured during TPM boot. The interface configured remains active until the next module reset. The ST33KTPM2XSPI security module only supports the SPI physical interface. Public Material

Page 23

UFQFPN32 configuration The pin layout for the UFWFPN32 package is shown in the next figure.

32 NC
31 NC
30 I2C SCL
29 I2C SDA
28 NC
27 NC
26 NC
25 NC

VCC 1 24 SPI MISO GND 2 23 NC NC 3 22 VCC NC 4 UFQFPN32 21 SPI MOSI NC 5 20 SPI NSS GPI8 6 19 SPI CLK PP 7 18 PIRQ NC 8 17 RESET NC NC NC NC NC NC NC GND Figure 3

Page 24
4 Roles, Services, and Authentication
4.1 Authentication Methods

The Module implements the following authentication techniques in accordance with the Level 2 requirements: Strength Method Security Strength per Description Each Name Mechanism Minute Attempt Probability of a successful random The challenge-response attempt during a mechanism uses an Minimum one-minute period authorization value strength is is equal to (authValue) as HMAC key reached 60000*1.92*10^or part of an HMAC key. with an 34 = 1.15*10^-29 Challenge- The authValue is entered authValue (considering 60000 response into the Module during the MAC of 14 trials per minute). authentication creation/loading of an bytes: Assuming a object (key, NV index) or 1/2^112 = minimum during replacement of the 1.92*10^- command duration default value (hierarchies).

34 of 1ms, 60000

The Module enforces a trials can be minimum size of 14 bytes. executed during a one-minute period. Enhanced authorization Minimum Probability of a includes a policy command strength is successful random (i.e., reached attempt during a TPM2_PolicyAuthValue, with an one-minute period TPM2_PolicySigned, authValue is equal to TPM2_PolicyAuthorize, of 14 60000*1.92*10^TPM2_PolicySecret, bytes: 34 = 1.15*10^-29 Enhanced TPM2_PolicyTicket) MAC or 1/2^112 = (considering 60000 authorization requiring the knowledge of SigVer 1.92*10^- trials per minute). an authValue or the proof 34 or an Assuming a of the ownership of a RSA 2048 minimum signing key. It can also be a signature command duration bound session, which also with a of 1ms, 60000 requires proving knowledge security trials can be of an authValue of an strength of executed during a object. 112 bits one-minute period. Table 20: Authentication Methods Public Material

Page 25
4.2 Roles

The Roles Table below lists all operator roles supported by the Module. Name Type Operator Type Authentication Methods Challenge-response Administrator of Crypto officer (CO) Role authentication the Module Enhanced authorization Challenge-response User of the User (U) Role authentication Module Enhanced authorization Table 21: Roles The Module does not provide a maintenance role or maintenance interface and does not support concurrent operators. The role is implicitly selected by the TPM operator on service execution by proving the knowledge of the enhanced authorization commands sequence and/or the authorization value of an object.

4.3 Approved Services

All services are accessible under the roles defined above and no specific access rights are considered to operate with keys and SSPs. Full services inputs and outputs are defined in [TPM2.0 Part3]. Next table indicates how mandatory services of [ISO/IEC 19790] (§7.4.3.1) are mapped to security module’s services: Mandatory service requested from [ISO/IEC Corresponding services from the security module 19790]* Show module’s versioning information TPM2_GetCapability Show status TPM2_GetTestResult Perform self-tests TPM2_SelfTest Perform approved security functions See approved services listed in next table Perform zeroization See services listed in section 9.3 SSP Zeroization Methods. Table 22

Page 26

Some details about information in the table:

Page 27

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns - sesSalt: Z sesHmac Key: Z sesSymK ey: Z contextK ey: Z drbgSeed :Z objSym Key: Z objHmac Key: Z contextE ncKey: Z dupSeed: Z dupInSy mKey: Z dupOutS ymKey: Z dupOutH macKey: Z creSeed: Z Public Material

Page 28

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns creSymK ey: Z creHmac Key: Z ephSens EccKey: Z ephPubE ccKey: Z seqAuth: Z tdrbgStat e: Z fuSymK ey: Z diagSym Key: Z Unauthe nticated phSeed: G - ehSeed: ENT G Set-up the TPM App - - shSeed: Startup TPM2_Startup after a power rove None ESV G type cycle. d DRB G phProof: G ehProof: G shProof: Public Material

Page 29

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns G contextK ey: G drbgSeed :G drbgStat e: G nullSeed: G nullProof :G Non Prepare the secu Shutdow Non Unauthe TPM2_Shutdown (I) TPM for a None rity n type e nticated power cycle. rele vant AES ENC AES DEC SigG en Full or Self-test App SigV Self-tests backgrou result if full Unauthe TPM2_SelfTest (I) rove er execution nd self- self-tests nticated d DRB tests required G ENT ESV KAS KB KDF MA Public Material

Page 30

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns C SHA AES ENC AES DEC SigG en SigV Incremental App List of List of er TPM2_IncrementalSelf Unauthe self-tests rove tests to remaining DRB Test (I) nticated execution d pass tests G ENT ESV KAS KB KDF MA C SHA Unauthe nticated Non diagSym TPM2_GetTestResult Get self-tests secu Self-tests KB None Key: (I) result rity status KDF G,E,Z rele vant diagSym Seed: E Decrypti Unauthe on key nticated handle; KAS App Binding KTS sesHmac TPM2_StartAuthSessi Session rove entity Nonce TPM -IFC Key: on (I/E/D) command d handle; KB G,W Encrypte KDF d salt; sesSymK Nonce ey: G,W Public Material

Page 31

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns caller; - sesSalt: Session W,E,Z Type (HMAC objSens: or E Policy) objAuth: E nvAuth: E platform Auth: E endorse mentAut h: E ownerAu th: E lockoutA uth: E seqAuth: E Non TPM2_PolicyRestart Policy session secu Session Non Unauthe None (I) restart rity handle e nticated rele vant Parent Object Key User (U) object private part Gen handle (encrypted) AES objSeed: App Object Object - G,R,E TPM2_Create (I/E/D) Object creation rove sensitive public part ENC d part Creation SigG objSym Object data Digest en Key: public of creation SigV G,E,Z Public Material

Page 32

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns template data Ticket er Creation to be used DRB objHmac data List by G Key: of PCR TPM2_Cert ENT G,E,Z ifyCreation( - ) ESV objSens: KTS G,R,E KB - objPub: KDF G,R,E MA C drbgStat SHA e: W,E CK G objAuth: KAS W,R - Key nullProof Gen :E phProof: E ehProof: E shProof: E User (U) Parent Key objSym object Ver Key: handle AES G,W,E,Z Object App private Name of the DEC objHmac TPM2_Load (I/E/D) Object loading rove part loaded KTS Key: d (encrypt object KB G,W,E,Z ed) KDF Object MA objSens: public C W,E part SHA - objPub: W Public Material

Page 33

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns objSeed: W,E objAuth: W Unauthe nticated - objPub: W Object App public Name of the objSens: TPM2_LoadExternal External object Key rove part loaded W (I/E/D) loading Val d Hierarch object y objAuth: W objSeed: W Object public part Unauthe Read public App Handle Object Non nticated TPM2_ReadPublic (I) part of a loaded rove of an name e - objPub: object d object Object R qualified name Handle Crypto of the officer AES Enables the object (CO) association of a with DEC credential with credentia creSymK KAS an object in a ls ey: KTS way that App Handle Decrypted G,E,Z TPM2_ActivateCreden -IFC ensures that the rove of a certificate tial (I/E/D) KTS TPM has d loaded information creHmac KB validated the private Key: KDF parameters of key G,E,Z MA the credentialed Encrypte C object d objSens: SHA credentia E l Public Material

Page 34

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Encrypte creSeed: d seed W,E,Z Unauthe Handle nticated Allows the of a AES TPM to perform loaded creSeed: the actions public ENC G,R,E,Z required of a key KAS Certificate Credenti Encrypted KTS App creSymK TPM2_MakeCredentia Authority (CA) al credential -IFC rove ey: l (I/E/D) in creating a informati Encrypted KTS d G,E,Z TPM2B_ID_O on Name seed KB BJECT of the KDF creHmac containing an object MA Key: activation with C G,E,Z credential credentia SHA - objPub: ls E Handle Returns the data User (U) App of a in a loaded Unsealed Non TPM2_Unseal (I/E/D) rove loaded Sealed Data data e objSens: d data Object R object User (U) objSeed: R,E Handle of an objSens: object AES R Handle Changes the of the ENC authorization App drbgStat TPM2_ObjectChange parent of Object KB secret for a rove e: W,E Auth (I/E/D) the private part KDF TPM-resident d object MA object objAuth: New C R authoriza SHA tion objSym value Key: E objHmac Key: E Public Material

Page 35

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Crypto officer (CO) objSeed: G,R,E Key objSym Gen Key: G,E Key Ver objHmac AES Key: G,E ENC objSens: SigG G,R,E en - objPub: SigV Parent G,R,E er object Object DRB handle private part tdrbgStat G Creates an App Object (encrypted) e: G,W,E TPM2_CreateLoaded ENT object and loads rove sensitive Object (I/E/D) it in the TPM d part public part drbgStat ESV Object Creation e: W,E KAS public object name KB template objAuth: KDF W,R MA C nullSeed: SHA E CK G phSeed: KAS E - ehSeed: Key E Gen - shSeed: E nullProof :E phProof: Public Material

Page 36

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns E ehProof: E shProof: E - ekRsa: E - ekEcc: E shProofF orReseed : G,E User (U) objSeed: G,E objSym Key: G,E objHmac Key: G,E objSens: G,R - objPub: G,R,E tdrbgStat e: G,W,E drbgStat e: W objAuth: W nullSeed: Public Material

Page 37

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns E phSeed: E ephSens EccKey: E - shSeed: E nullProof :E phProof: E ehProof: E shProofF orReseed : G,E - ekRsa: E - ekEcc: E Handle AES User (U) of the - loaded Encryption ENC dupSeed: object to key for DRB G,R,E,Z Duplicates a duplicate inner G loaded object so Handle wrapper KTS objSeed: App TPM2_Duplicate that it may be of the Duplicated -IFC R rove (I/E/D) used in a new object KAS d different parent private part KTS dupOutS hierarchy Optional (encrypted) KB ymKey: symmetr Encrypted KDF G,E,Z ic seed MA encrypti C dupInSy on key SHA mKey: Public Material

Page 38

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns CK G,R,W,E G ,Z dupOutH macKey: G,E,Z objSens: R objAuth: R drbgStat e: W,E - objPub: E User (U) Handle of the dupOutS old ymKey: AES parent G,E,Z Handle ENC of the dupOutH AES new macKey: parent G,E,Z DEC Duplicat Duplicated KAS Rewraps a ed object object objSens: App KTS duplicated private private part R,W,E TPM2_Rewrap (I/E/D) rove -IFC object with a part (encrypted) d KTS new parent key (encrypt Encrypted dupSeed: KB ed) seed R,W,E,Z KDF Name of MA the objSeed: C object R,W SHA being CK rewrappe dupInSy G d mKey: Encrypte W,Z d seed drbgStat Public Material

Page 39

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns e: W,E - objPub: E objAuth: R,W User (U) objSens: R,W,E,Z objSeed: Handle R,W,Z of the AES - objPub: new W,E,Z parent ENC Duplicat AES dupOutS ed object ymKey: Allows an private DEC W,E,Z object to be part KAS encrypted using App (encrypt Object KTS objAuth: TPM2_Import (I/E/D) the symmetric rove ed) private part -IFC R,W,Z encryption d Object (encrypted) KTS values of a public KB drbgStat Storage Key part KDF e: E Encrypte MA d seed C dupSeed: Encrypti SHA E,W,Z on key CK for inner G dupInSy wrapper mKey: E,W,Z dupOutH macKey: W,E,Z RSA Unauthe App public TPM2_RSA_Encrypt Performs RSA Encrypted KTS nticated rove key (I/E/D) encryption output -IFC - objPub: d handle E Message Public Material

Page 40

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns to encrypt RSA scheme to use RSA private key handle User (U) App TPM2_RSA_Decrypt Performs RSA Cipherte Decrypted KTS rove (I/E/D) decryption xt to output -IFC objSens: d decrypt Z RSA scheme to use Unauthe nticated ephSens EccKey: G,E,Z Shared secret ECC key Shared KAS App TPM2_ECDH_KeyGe value public secret rove ephPubE n (I/E/D) computation part Ephemeral Key d ccKey: using ECDH handle public key Gen G,R,Z drbgStat e: W,E - objPub: E User (U) Handle of a ephPubE Shared secret App loaded Recovered TPM2_ECDH_ZGen ccKey: value recovery rove ECC key shared KAS (I/E/D) W,E,Z using ECDH d Ephemer secret al public objSens: key E Returns the Non ID of an TPM2_ECC_Paramete Curve Non Unauthe parameters of - ECC rs (I) parameters e nticated an ECC curve secu curve Public Material

Page 41

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns identified by its rity TCG-assigned rele curveID vant Symmetr ic key handle Encrypted AES Decrypti or - User (U) Symmetric App on or TPM2_EncryptDecrypt decrypted ENC encryption or rove encrypti (I/E) data Output AES objSens: decryption d on IV (for - E indicator chaining) DEC Input IV Data Mode Symmetr ic key handle Encrypted AES Decrypti or - User (U) Symmetric App on or TPM2_EncryptDecrypt decrypted ENC encryption or rove encrypti

2 (I/E/D) data Output AES objSens:

decryption d on IV (for - E indicator chaining) DEC Input IV Data Mode Unauthe nticated Data to nullProof hash :E Digest Hash Performs a hash App Ticket MA algorith phProof: TPM2_Hash (I/E/D) operation on rove linked to C m E data d the input SHA Hierarch hierarchy y to use ehProof: for ticket E shProof: E Public Material

Page 42

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Symmetr ic signing Performs a key User (U) App HMAC handle MA TPM2_HMAC (I/E/D) rove HMAC operation on Data to C objSens: d data HMAC E Hash algorith m Number Unauthe Outputs random App of Output nticated TPM2_GetRandom DRB bytes from a rove random random (I/E) G DRBG d bytes to bytes drbgStat generate e: W,E Unauthe nticated DRB Addition App G TPM2_StirRandom Reseed the state al drbgSeed rove None ENT (I/D) of a DRBG informati : W,E,Z d on ESV drbgStat e: W,E Handle of an HMAC User (U) key Starts an App Authoriz seqAuth: TPM2_HMAC_Start Sequence MA HMAC rove ation W (I/D) handle C sequence d value for sequence objSens: Hash E algorith m Authoriz ation Unauthe Starts a hash or App value for nticated TPM2_HashSequence Sequence an event rove sequence SHA Start (I/D) handle sequence d Hash seqAuth: algorith W m Public Material

Page 43

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Sequenc User (U) Adds data to a App e handle MA TPM2_SequenceUpdat hash or HMAC rove Data to None C e (I/D) objSens: sequence d hash/HM SHA E AC User (U) nullProof :E phProof: Sequenc E Adds last part e handle HMAC or of data to a hash Data to digest App MA ehProof: TPM2_SequenceComp or HMAC hash/HM Ticket rove C E lete (I/E/D) sequence and AC linked to d SHA returns the Hierarch the input shProof: result y for hierarchy E ticket objSens: E seqAuth: Z Handle Adds last part User (U) of PCR of data to a hash to extend List of or HMAC App MA objSens: TPM2_EventSequence Sequenc digests sequence and rove C E Complete (I/D) e handle computed returns the d SHA Data to for the PCR result in a digest seqAuth: hash/HM list Z AC Handle SigG User (U) of the en Certificatio Proves that an object to DRB n structure drbgStat object with a App certify G Signature e: W,E TPM2_Certify (I/E/D) specific Name rove Handle KB over the is loaded in the d of a KDF certification objSens: TPM signing MA structure E key C Qualifyi SHA Public Material

Page 44

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns ng data CK shProof: Signatur G E e scheme User (U) Handle drbgStat of the e: W,E object to SigG certify en objSens: Handle DRB E Certificatio Proves the of a G n structure association App signing KB nullProof TPM2_CertifyCreation Signature between an rove key KDF :E (I/E/D) over the object and its d Qualifyi MA certification creation data ng data C phProof: structure Signatur SHA E e scheme CK Ticket G ehProof: Creation E hash shProof: E SigG Handle User (U) en of a DRB signing Quoted drbgStat G key information e: W,E App KB Quotes PCR Qualifyi Signature TPM2_Quote (I/E/D) rove KDF values ng data over the objSens: d MA Selection quoted E C of PCRs information SHA Signatur shProof: CK e scheme E G Handle SigG Crypto of a Audit en officer Returns a privacy information KB (CO) App TPM2_GetSessionAud digital signature administ Signature KDF rove itDigest (I/E/D) of the audit rator over the DRB objSens: d session digest Handle quoted G E of a information MA signing C shProof: Public Material

Page 45

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns key SHA E Handle CK of an G drbgStat audit e: W,E session Qualifyi ng data Signatur e scheme Handle Crypto of a SigG officer Returns the privacy en (CO) current value of administ DRB Audit the command rator G information drbgStat audit digest, a App Handle KB TPM2_GetCommandA Signature e: W,E digest of the rove of a KDF uditDigest (I/E/D) over the commands d signing MA quoted objSens: being audited, key C information E and the audit Qualifyi SHA hash algorithm ng data CK shProof: Signatur G E e scheme Handle Crypto of a SigG officer privacy en (CO) administ KB Attestation rator KDF Returns the data drbgStat App Handle DRB TPM2_GetTime current values Signature e: W,E rove of a G (I/E/D) of Time and over the d signing MA Clock attestation objSens: key C data E Qualifyi SHA ng data CK shProof: Signatur G E e scheme Handle Additional User (U) of the X.509 App certificate SigG TPM2_CertifyX509 object to certificate rove information en drbgStat (I/E/D) certify generation d Digest SHA e: W,E Handle Signature of a Public Material

Page 46

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns signing over the objSens: key digest E Partial certificat e Signatur e scheme Unauthe nticated - objPub: Handle E of a Uses loaded public nullProof keys to validate key SigV :E a signature on a App TPM2_VerifySignatur Digest of Validation er message with rove e (I/D) a ticket MA phProof: the message d message C E digest passed to Signatur the TPM e to be ehProof: tested E shProof: E User (U) objSens: Handle E Causes the of a TPM to sign an signing SigG nullProof externally key en :E provided hash App Digest to Signature DRB TPM2_Sign (I/D) with the rove be over the G phProof: specified d signed digest MA E symmetric or Scheme C asymmetric Proof SHA ehProof: signing key ticket for E digest shProof: E Public Material

Page 47

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Changes the Non Authoriz audit status of a - ation command or to Crypto TPM2_SetCommandC secu handle Non set the hash None officer odeAuditStatus (I) rity Hash e algorithm used (CO) rele algorith for the audit vant m digest PCR handle App List of TPM2_PCR_Extend Updates the Unauthe rove digests None SHA (I) indicated PCR nticated d used to extend PCRs Updates the PCR App TPM2_PCR_Event indicated PCR handle Unauthe rove Digests SHA (I/D) and reports list Event nticated d of digests data Non Returns the values of all Selection secu PCR Non Unauthe TPM2_PCR_Read (I) PCR specified of PCR rity information e nticated in to read rele pcrSelectionIn vant Non Sets the desired - Selection PCR Crypto TPM2_PCR_Allocate PCR allocation secu of PCR Non allocation officer (I) of PCR and rity to e information (CO) algorithms rele allocate vant Non Sets the PCR in secu PCR to Non Unauthe TPM2_PCR_Reset (I) none all banks to zero rity reset e nticated rele vant Indicates to the App TPM interface Unauthe _TPM_Hash_Start rove None None SHA the start of an nticated d H-CRTM Public Material

Page 48

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns measurement sequence Indicates to the TPM interface data to be App Unauthe _TPM_Hash_Data included in the rove Data None SHA nticated H-CRTM d measurement sequence Indicates to the TPM interface App the end of the Unauthe TPM_Hash_End rove None None SHA H-CRTM nticated d measurement sequence Signatur e key Unauthe handle nticated Policy - objPub: session E handle Nonce nullProof SigV Includes a TPM Policy :E App er TPM2_PolicySigned signed Digest timeout rove MA (I/E/D) authorization in Signatur Policy phProof: d C a policy e ticket E SHA Expiratio n of ehProof: authoriza E tion Policy shProof: reference E value Authoriz User (U) ation Includes a object Policy nullProof App MA TPM2_PolicySecret secret-based handle timeout :E rove C (I/E/D) authorization to Policy Policy d SHA a policy session ticket phProof: handle E Nonce Public Material

Page 49

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns TPM ehProof: Digest E Expiratio n of shProof: authoriza E tion Policy reference value Policy session handle Unauthe Nonce nticated TPM Digest nullProof Expiratio :E n of App MA TPM2_PolicyTicket Includes a ticket authoriza phProof: rove None C (I/D) in a policy tion E d SHA Policy reference ehProof: value E Authoriz ation shProof: object E name Ticket Allows options in Policy authorizations App session without Unauthe TPM2_PolicyOR (I) rove handle None SHA requiring that nticated d List of the TPM digests evaluate all the options Policy Causes session conditional App TPM2_PolicyPCR handle Unauthe gating of a rove None SHA (I/D) Expected nticated policy based on d digest PCR value Public Material

Page 50

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns PCR selection Indicates that Policy App TPM2_PolicyLocality the policy will session Unauthe rove None SHA (I) be limited to a handle nticated d specific locality Locality Authoriz ation handle NV Causes index conditional App handle gating of a TPM2_PolicyNV (I/D) rove Policy None SHA User (U) policy based on d session the contents of handle an NV Index Operand, offset, operatio n Causes Policy conditional session gating of a App handle TPM2_PolicyCounterT policy based on Unauthe rove Operand, None SHA imer (I/D) the contents of nticated d offset, the operatio TPMS_TIME_I n NFO structure Policy Limits policy to App session TPM2_PolicyComman Unauthe a specific rove handle None SHA dCode (I) nticated command code d Comman d code Physical presence will need to be App Policy TPM2_PolicyPhysical Unauthe asserted at the rove session None SHA Presence (I) nticated time the d handle authorization is performed Public Material

Page 51

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Allows a policy Policy to be bound to a session App TPM2_PolicyCpHash specific handle Unauthe rove None SHA (I/D) command and Digest to nticated d command add to parameters policy Allows a policy to be bound to a Policy specific set of session App TPM2_PolicyNameHa TPM entities handle Unauthe rove None SHA sh (I/D) without being Digest to nticated d bound to the add to parameters of policy the command Policy session handle Object Allows name to qualification of be duplication to App TPM2_PolicyDuplicati duplicate Unauthe allow rove None SHA onSelect (I/D) d New nticated duplication to a d Parent selected new name parent Object name inclusion indicator Policy Unauthe session nticated handle Check a ticket Digest of issued from the nullProof the signature :E App policy MA TPM2_PolicyAuthoriz verification of a rove being None C e (I/D) new policy so phProof: d approved SHA that it may be E Policy used in an qualifier existing policy ehProof: Key E name Ticket Public Material

Page 52

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns shProof: E Allows a policy to be bound to the App Policy TPM2_PolicyAuthVal Unauthe authorization rove session None SHA ue (I) nticated value of the d handle authorized entity Allows a policy to be bound to the App Policy TPM2_PolicyPassword Unauthe authorization rove session None SHA (I) nticated value of the d handle authorized object Non Returns the Policy TPM2_PolicyGetDiges current secu Policy Non Unauthe session t (I/E) policyDigest of rity digest e nticated handle a policy session rele vant Policy Allows a policy session to be bound to App handle TPM2_PolicyNvWritte the Unauthe rove NV None SHA n (I) TPMA_NV_W nticated d index RITTEN written attributes indicator Policy Allows a policy session App TPM2_PolicyTemplate to be bound to a handle Unauthe rove None SHA (I/D) specific creation Digest to nticated d template add to policy Source Provides a handle capability that App TPM2_PolicyAuthoriz for is the equivalent rove None SHA User (U) eNV (I) authoriza of a revocable d tion NV policy index to Public Material

Page 53

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns read Policy session handle Crypto officer (CO) objSeed: G,E,Z objSym Key Key: Gen G,E,Z Key Ver objHmac SigG Key: Object Primary en G,E,Z handle handle SigV Creates a Object Key er objSens: Primary Object Public part sensitive DRB G,E,Z under one of the Creation App data Key G - objPub: TPM2_CreatePrimary Primary Seeds data Digest rove public KB G,R,E,Z (I/E/D) or a Temporary of creation d template KDF Object under data Creation MA tdrbgStat TPM_RH_NUL Creation data C e: L ticket Name Creation SHA G,W,E,Z of the PCR CK object G drbgStat KAS e: W,E - Key objAuth: Gen W nullSeed: E phSeed: E - ehSeed: E Public Material

Page 54

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns - shSeed: E nullProof :E phProof: E ehProof: E shProof: E - ekRsa: E - ekEcc: E shProofF orReseed : G,E Primary handle Non Hierarch Enables and - y to disables use of a Crypto TPM2_HierarchyContr secu enable or Non hierarchy and None officer ol (I) rity disable e its associated (CO) rele Enable NV storage vant or disable indicator Primary Non handle Sets the Policy Crypto TPM2_SetPrimaryPoli authorization secu Non digest None officer cy (I/D) policy for a rity e Hash (CO) hierarchy rele algorith vant m Public Material

Page 55

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Crypto officer (CO) drbgStat Replaces the e: W,E current platform primary seed phProof: (PPS) with a Z App Authoriz value from the DRB TPM2_ChangePPS (I) rove ation None RNG and sets G phSeed: d handle platformPolicy Z to the default initialization objSeed: value Z objSens: Z - objPub: Z Crypto officer (CO) drbgStat Replaces the e: W,E current - ehSeed: endorsement Z primary seed EPS) with a App Authoriz ehProof: value from the DRB TPM2_ChangeEPS (I) rove ation None Z RNG and sets G d handle endorsementPol objSeed: icy to the Z default initialization objSens: value Z - objPub: Z - ekRsa: Z Public Material

Page 56

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns - ekEcc: Z Crypto officer (CO) drbgStat e: W,E - shSeed: Z ehProof: Z Removes all shProof: TPM context App Authoriz Z DRB TPM2_Clear (I) associated with rove ation None G a specific d handle shProofF Owner orReseed :Z objSeed: Z objSens: Z - objPub: Z objAuth: Z Authoriz Non ation Disables and - handle Crypto TPM2_ClearControl enables the secu Set or Non None officer (I) execution of rity clear e (CO) TPM2_Clear() rele disableO vant wnerFla g Public Material

Page 57

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Crypto officer (CO) lockoutA Authoriz Non uth: W ation - Changes the handle TPM2_HierarchyChan secu Non endorse authValue of New None geAuth (I/D) rity e mentAut hierarchies authoriza rele h: W tion vant value ownerAu th: W platform Auth: W Cancels the Non effect of a TPM lockout due to Authoriz Crypto TPM2_DictionaryAtta secu Non several ation None officer ckLockReset (I) rity e successive handle (CO) rele authorization vant failures Authoriz ation handle Non newMax Changes the Tries, Crypto TPM2_DictionaryAtta secu Non lockout newReco None officer ckParameters (I) rity e parameters veryTim (CO) rele e and vant lockoutR ecovery values SigV Crypto er officer App KB (CO) TPM2_VendorCmdFie Initiates a field Approve rove None KDF ldUpgradeStart (I) upgrade session d d SHA fuSigEC CK CKey: E G Public Material

Page 58

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns fuSigLM SKey: E fuSymK ey: G fuSymSe ed: E Unauthe Conveys AES App Field nticated TPM2_VendorCmdFie firmware in a Completion rove upgrade ldUpgradeData (I) field upgrade indicator DEC d data blob fuSymK session SHA ey: E,Z Unauthe nticated contextE ncKey: G,E,Z objSeed: R AES - objSens: Saves a session ENC R context, object KTS - objPub: App context, or Saved KB R TPM2_ContextSave rove Context sequence object handle KDF d context outside MA objAuth: the TPM C R CK G nullProof :E phProof: E ehProof: E shProof: Public Material

Page 59

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns E sesHmac Key: R seqAuth: R contextK ey: E Unauthe nticated contextE ncKey: G,E,Z objSeed: W objSens: AES W - objPub: DEC Reloads a W KTS context that has App Loaded KB TPM2_ContextLoad been saved by rove Context objAuth: handle KDF TPM2_Context d W MA Save() C nullProof CK :E G phProof: E ehProof: E shProof: E sesHmac Public Material

Page 60

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Key: W seqAuth: W contextK ey: E Unauthe nticated Causes all context objSeed: associated with Z a loaded object, App Flush Non TPM2_FlushContext sequence rove None objSens: handle e object, or d Z session to be - objPub: removed from Z TPM memory objAuth: Z Crypto officer (CO) objSeed: W,Z Authoriz Allows certain ation objSens: Transient handle W,Z Objects to be App Loaded Non - objPub: TPM2_EvictControl (I) made persistent rove None object e W,Z or a persistent d handle object to be Persisten objAuth: evicted t handle W,Z sesHmac Key: W sesSymK ey: W Public Material

Page 61

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Non Reads the current secu Current Non Unauthe TPM2_ReadClock (I) None TPMS_TIME_I rity time e nticated NFO structure rele vant Non Advances the Crypto secu New Non TPM2_ClockSet (I) value of the None officer rity time e TPM's clock (CO) rele vant Authoriz Non ation - handle Adjusts the rate Crypto TPM2_ClockRateAdju secu Clock Non of advance of None officer st (I) rity update e Clock and Time (CO) rele rate vant adjustme nt Non Returns various Capabilit More data information y, availability TPM2_GetCapability secu Non Unauthe regarding the property, indicator (I) rity e nticated TPM and its property Capability rele current state count data vant Set specific data in the TPM, Non such as TPM Crypto TPM2_SetCapability configurations, secu Capabilit Non None officer (I/D) which may rity y data e (CO) change the rele TPM's function vant and behavior Checks if Non specific - Algorith combinations of secu m Non Unauthe TPM2_TestParms (I) None algorithm rity paramete e nticated parameters are rele rs supported vant Public Material

Page 62

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Authoriz ation Defines the handle attributes of an Crypto NV NV Index and officer App authoriza TPM2_NV_DefineSpa causes the TPM Non (CO) rove tion None ce (I/D) to reserve space e d value to hold the data nvAuth: NV associated with W public the NV Index paramete rs Authoriz Crypto ation officer Removes an App TPM2_NV_UndefineS handle Non (CO) Index from the rove None pace (I) NV e TPM d index to nvAuth: delete Z Removal of a Platform Crypto platform- authoriza officer created NV App tion TPM2_NV_UndefineS Non (CO) Index that has rove handle None paceSpecial (I) e TPMA_NV_PO d NV nvAuth: LICY_DELET index to Z E SET delete Reads the NV index App TPM2_NV_ReadPubli public area and NV public area Unauthe rove SHA c (I/E) Name of an NV index Name of the nticated d Index NV index Authoriz ation Writes a value handle to an area in Non NV NV memory - index to TPM2_NV_Write that was secu write Non None User (U) (I/D) previously rity Data to e defined by rele write TPM2_NV_Def vant Offset in ineSpace() the NV index area Public Material

Page 63

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Authoriz Increments the Non ation value in an NV handle TPM2_NV_Increment Index that has secu Non NV None User (U) (I) the rity e index to TPM_NT_COU rele incremen NTER attribute vant t Extends a value Authoriz to an area in ation NV memory handle App TPM2_NV_Extend that was NV rove None SHA User (U) (I/D) previously index to d defined by extend TPM2_NV_Def Data to ineSpace() extend Authoriz ation Non handle Sets bits in an - NV NV Index that secu index to Non TPM2_NV_SetBits (I) None User (U) was created as a rity extend e bit field rele Data to vant OR with NV content Inhibits further writes of the NV Index if the Non TPMA_NV_W Authoriz RITEDEFINE ation TPM2_NV_WriteLock secu Non or handle None User (U) (I) rity e TPMA_NV_W NV rele RITE_STCLEA index vant R attributes of an NV location are SET Sets Non TPMA_NV_W Authoriz Crypto TPM2_NV_GlobalWri - Non RITELOCKED ation None officer teLock (I) secu e for all indexes handle (CO) rity that have their Public Material

Page 64

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns TPMA_NV_GL rele OBALLOCK vant attribute SET Authoriz Reads a value ation Non from an area in handle NV memory NV secu Non TPM2_NV_Read (I/E) previously index to Data read User (U) rity e defined by be read rele TPM2_NV_Def Size and vant ineSpace() offset in NV area Prevents further reads of the NV Authoriz Index until the Non ation next handle TPM2_NV_ReadLock TPM2_Startup secu Non NV None User (U) (I) (TPM_SU_CLE rity e index to AR) if rele be TPMA_NV_RE vant locked AD_STCLEAR is SET NV Allows the index User (U) App TPM2_NV_ChangeAu authValue of an New Non rove None th (I/D) NV Index to be authoriza e nvAuth: d changed tion W value Handle of signing key SigG User (U) Certifies the Authoriz en Structure contents of an App ation KB objSens: TPM2_NV_Certify that was NV Index or rove handle KDF E (I/E/D) signed portion of an d NV MA Signature NV Index index C shProof: Qualifyi SHA E ng data Scheme Size and Public Material

Page 65

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns offset in NV area Authoriz Non ation - handle Crypto TPM2_VendorCmdSet Sets the low secu Low Non None officer Mode (I) power mode rity power e (CO) rele configur vant ation structure Authoriz ation Non handle - Comman Activates and Crypto TPM2_VendorCmdSet secu d code Non locks None officer CommandSet (I) rity Activatio e commands (CO) rele n and vant lock indicator s Non Prevents Authoriz Crypto TPM2_VendorCmdSet secu Non locking ation None officer CommandSetLock (I) rity e commands handle (CO) rele vant Unauthe Number Get random App nticated TPM2_VendorCmdGet of bytes Random Non value from rove Random2 (I/E) to value e DRBG d drbgStat generate e: W,E Non Authoriz - ation TPM2_VendorCmdGP Configures secu handle Non Unauthe None IOConfig (I) GPIO rity GPIO e nticated rele configur vant ation Number Get random App ENT TPM2_VendorCmdGet of bytes Random Unauthe value from ESV rove Random800_90B (I/E) to value nticated Cert. #E41 d ESV generate Public Material

Page 66

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns Authoriz Non ation Modifies TPM2_VendorCmdCh handle Crypto deletion secu Non angeObjectDeletionAu Platform None officer authorization rity e th (I) authoriza (CO) for an object rele tion use vant indicator Crypto Restore EK officer RSA or EK App Authoriz (CO) TPM2_VendorCmdRe ECC in case of Non rove ation None - ekRsa: storeEK (I) deletion by e d handle W TPM2_Change - ekEcc: EPS W Crypto officer Zeroize EK App Authoriz (CO) TPM2_VendorCmdZer Non RSA and EK rove ation None - ekRsa: oizeEK (I) e ECC d handle Z - ekEcc: Z Non Authoriz Configure the - ation TPM2_VendorCmdSet Crypto RSA secu handle Non BackgroundSlotsConfi None officer background key rity Slots e g (CO) slots rele configur vant ation Authoriz ation Determines handle Non which List of commands comman Crypto secu Non TPM2_PP_Commands require ds to add None officer rity e assertion of and list (CO) rele Physical of vant Presence comman d to remove This service is App Comman DRB Unauthe Integrity mechanism Integrity not callable rove d or G nticated provided by sessions value from TPM d response KB Public Material

Page 67

Secu Indi rity SSP Name Description cato Inputs Outputs Fun Access r ctio ns interface but is KDF sesHmac only used MA Key: E,Z internally by C any command SHA and response CK with an G authorization area. It consists in computing the integrity of the received command or transmitted response. This service is not callable from TPM interface but is only used AES internally by any command ENC and response AES Unauthe with an nticated encryption or App Comman DEC Encryption mechanism Encrypted decryption rove d or DRB provided by sessions parameter sesSymK session. It d response G ey: consists in KB G,E,Z decrypting the KDF first parameter SHA of a received CK command or G encrypting the first parameter of a transmitted response. Table 23: Approved Services Public Material

Page 68

The integrity mechanism provided by sessions is not directly callable from the security module external interfaces. Function is used (or might be used) by the services listed in this table. When a service is usable with a session, (I) is added next to the service name. When a service can additionally use the encryption mechanism of a session, (I/E) is added next to the service name. The encryption mechanism provided by sessions is not directly callable from the security module external interfaces. Function is used (or might be used) by the services listed in this table. When a service is usable with a session, (I) is added next to the service name. When a service can additionally use the encryption mechanism of a session, (I/E) is added next to the service name. Public Material

Page 69
4.4 Non-Approved Services

All approved services implemented by the Module are listed in the table below: Name Description Algorithms Role Creation or loading of an ECC key with a non-approved elliptic curve; Creation or loading of an ECC key for a nonapproved key agreement usage; Creation or loading of an ECC BN PECC signing key with an undetermined scheme (field

256 (non-

TPM2_Create; TPM2_CreateLoaded; inPublic.buffer.parameters.scheme.scheme = compliant) User TPM2_Load; TPM2_LoadExternal TPM_ALG_NULL);Creation or loading of an RSA RSA (nondecryption key with an undetermined scheme (field compliant) inPublic.buffer.parameters.scheme.scheme = TPM_ALG_NULL); Creation or loading of a 1024-bit RSA key ECC derived keys (nonTPM2_CreateLoaded Derivation of an ECC key from a derivation parent key compliant) User KBKDF (noncompliant) ECC BN P-

256 (non-

Loading of an ECC or RSA key (sensitive and public parts) TPM2_Load; TPM2_LoadExternal compliant) User in the NULL hierarchy RSA (noncompliant) ECC BN P-

256 (non-

Key transport with a 1024-bit RSA key Key agreement compliant) TPM2_Duplicate; TPM2_Rewrap; scheme with a non-approved ECC curve Key agreement KAS (non- User TPM2_Import scheme with an ECC key used in a non-approved key compliant) agreement usage RSA (noncompliant) Public Material

Page 70

Name Description Algorithms Role KTS-IFC (noncompliant) Key transport with a non-approved scheme: * RSAES- RSA with no PKCS1-v1_5 * RSA with no padding mode (null scheme) padding mode TPM2_RSA_Encrypt; Key transport with an RSA decryption key: * Generated (null scheme) User TPM2_RSA_Decrypt with an undetermined scheme (field (noninPublic.buffer.parameters.scheme.scheme = compliant) TPM_ALG_NULL) * Loaded in the NULL hierarchy RSAESPKCS1-v1_5 (noncompliant) Use of a non-approved elliptic curve: * ECC key with ECC BN PTPM2_ECDH_KeyGen curve BN P-256 Use of an ECC key for a non-approved 256 (non- N/A key agreement usage: * ECC key with curve Curve448 compliant) ECC BN PUse of an ECC key: * Generated on curve BN P-256 * For 256 (nonTPM2_ECDH_ZGen a non-approved key agreement usage * Derived from a compliant) User derivation parent key * Loaded in the NULL hierarchy KBKDF (noncompliant) ECC derived This command is only usable jointly with keys (nonTPM2_ZGen_2Phase TPM2_EC_Ephemeral service that is non approved as compliant) User using key derivation to generate ECC keys KBKDF (noncompliant) HMAC (nonTPM2_HMAC HMAC generation with a key length < 112 bits User compliant) TPM2_HMAC_Start; HMAC (nonTPM2_SequenceUpdate; HMAC generation with a key length < 112 bits User compliant) TPM2_SequenceComplete TPM2_Certify; TPM2_CertifyCreation; Digital signature with a non-approved signature scheme: * ECC BN PUser/CO TPM2_Quote; ECC signature with ECDAA signature scheme * ECC 256 (nonPublic Material

Page 71

Name Description Algorithms Role TPM2_GetSessionAuditDigest; signature with ECSchnorr signature scheme * RSA compliant) TPM2_GetCommandAuditDigest; signature with key length of 1024 bits * ECC or RSA ECDAA (nonTPM2_GetTime; TPM2_CertifyX509 signature key using SHA-1 as digest method * ECC compliant) signature with curve BN P-256 Digital signature with an ECDSA (nonECC signing key generated with an undetermined scheme compliant) (field inPublic.buffer.parameters.scheme.scheme = ECSchnorr TPM_ALG_NULL); Digital signature with an ECC signing (nonderived from a derivation parent key; Digital signature with compliant) an ECC or RSA key loaded in the NULL hierarchy RSA (noncompliant) SHA-1 (noncompliant) KBKDF (nonTPM2_Commit Generation of an ECC key through key derivation method User compliant) KBKDF (nonTPM2_EC_Ephemeral Generation of an ECC key through key derivation method User compliant) ECC BN P-

256 (non-

Digital signature verification with a non-approved compliant) signature scheme or a non-approved curve: * ECDAA ECDAA (nonTPM2_VerifySignature NA signature scheme * ECSchnorr signature scheme * ECC compliant) signature with curve BN P-256 ECSchnorr (noncompliant) Digital signature generation with a non-approved signature ECC BN Pscheme: * ECC signature with ECDAA signature scheme * 256 (nonECC signature with ECSchnorr signature scheme * RSA compliant) signature with key length of 1024 bits * ECC or RSA ECDAA (nonTPM2_Sign User signature key using SHA-1 as digest method * ECC compliant) signature with curve BN P-256; Digital signature with an ECDSA (nonECC signing key generated with an undetermined scheme compliant) (field inPublic.buffer.parameters.scheme.scheme = ECSchnorr Public Material

Page 72

Name Description Algorithms Role TPM_ALG_NULL); Digital signature with an ECC signing (nonderived from a derivation parent key; Digital signature compliant) with an ECC or RSA key loaded in the NULL hierarchy RSA (noncompliant) SHA-1 (noncompliant) ECC BN P-

256 (non-

Digital signature verification with a non-approved compliant) signature scheme or a non-approved curve: * ECDAA ECDAA (nonTPM2_PolicySigned N/A signature scheme * ECSchnorr signature scheme * ECC compliant) signature with curve BN P-256 ECSchnorr (noncompliant) Creation and loading of an ECC key with a non-approved elliptic curve: * ECC key with curve BN P-256 Use of an ECC key for a non-approved key agreement usage: * ECC key with curve Curve448 Creation and loading of an ECC ECC BN Psigning key with an undetermined scheme (field TPM2_CreatePrimary 256 (non- CO inPublic.buffer.parameters.scheme.scheme = compliant) TPM_ALG_NULL) Creation and loading of an RSA decryption key with an undetermined scheme (field inPublic.buffer.parameters.scheme.scheme = TPM_ALG_NULL) Digital signature with a non-approved signature scheme: * ECC BN PECC signature with ECDAA signature scheme * ECC 256 (nonsignature with ECSchnorr signature scheme * RSA compliant) signature with key length of 1024 bits * ECC or RSA ECDAA (nonTPM2_NV_Certify User signature key using SHA-1 as digest method * ECC compliant) signature with curve BN P-256 Digital signature with an ECDSA (nonECC signing key generated with an undetermined scheme compliant) (field inPublic.buffer.parameters.scheme.scheme = ECSchnorr Public Material

Page 73

Name Description Algorithms Role TPM_ALG_NULL) Digital signature with an ECC signing (nonderived from a derivation parent key Digital signature with compliant) an ECC or RSA key loaded in the NULL hierarchy RSA (noncompliant) SHA-1 (noncompliant) Table 24: Non-Approved Services Public Material

Page 74
4.5 External Software/Firmware Loaded

Loading of firmware on the Module can be achieved by using two services:

Page 75
5 Software/Firmware Security
5.1 Integrity Techniques

The Module is composed of the following firmware component(s):

5.2 Initiate on Demand

The operator can initiate the integrity test on demand by using the TPM2_SelfTest command with the full parameter set to YES or by using the TPM2_IncrementalSelfTest command. Public Material

Page 76
6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Limited The operational environment of the Module is “limited” because it allows loading authenticated firmware that meets all applicable requirements of [140-3] standard. Data outputs are inhibited until the loading session has completed successfully. Execution of the successfully loaded FW is only effective after the next reset of the security module. New firmware versions must be validated through the FIPS 140-3 validation process. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-3 validation. The core memory loader (CML) represented in Figure 4 is non-modifiable, only the TPM instances are modifiable by using an authenticated firmware upgrade mechanism. The security module contains two instances of the FW but only one FW instance is executed after a boot sequence. Public Material

Page 77
7 Physical Security

The security module is production grade and meets the Physical Security protection requirements for single-chip module at FIPS 140-3 Level 3.

7.1 Mechanisms and Actions Required

Zeroisation Zeroisation of CSPs can be triggered by specific services as detailed in Section 9.3. It occurs in a sufficiently small time-period to prevent the recovery of the sensitive data between start of zeroisation and the zeroisation completeness. Physical security mechanisms The security module is encapsulated in a hard opaque package to prevent direct observation of internal security components. It implements additional security mechanisms:

7.2 User Placed Tamper Seals
7.3 Filler Panels
7.4 Fault Induction Mitigation

N/A Public Material

Page 78
7.5 EFP/EFT Information

EFT has been performed for all security module configurations. Low and high temperatures have been measured at a nominal voltage of 3.3V. Low and high voltage have been measured at ambient temperature (25°C). The nominal operating ranges are:

7.6 Hardness Testing Temperature Ranges

Hardness testing was conducted at the temperature indicated in the table below. Temperature Temperature Type LowTemperature -40°C HighTemperature 105°C Table 27: Hardness Testing Temperatures Public Material

Page 79
8 Non-Invasive Security
8.1 Mitigation Techniques

The Module does not claim support of non-invasive attack mitigation techniques referenced in [140F]. Public Material

Page 80
9 Sensitive Security Parameters Management
9.1 Storage Areas

Storage Persistence Area Description Type Name Volatile memory used to store SSPs between two consecutive Dynamic resets or power-on/power-off sequence of the security module. Dynamic RAM SSPs don't persist after command execution. This area is marked as RAM on the HW block diagram. Volatile memory used to store SSPs between two consecutive Static resets or power-on/power-off sequence of the security module. Static RAM SSPs persist after command execution. This area is marked as RAM on the HW block diagram. Non-volatile memory (flash-based) used to store SSPs and make them persistent to a reset or a power-off/power-on sequence of the NVRAM Static security module. This area is marked as flash memory on the HW block diagram. Table 28: Storage Areas

9.2 SSP Input-Output Methods

SFI or Format Distributio Entry Name From To Algorith Type n Type Type m Input Outside of plaintext Electroni cryptographi NVRAM Plaintext Manual to c c boundary NVRAM Input Outside of protected Encrypte Electroni cryptographi NVRAM Manual KTS to d c c boundary NVRAM Input Outside of Electroni plaintext cryptographi Static RAM Plaintext Manual c to RAM c boundary Input Outside of Encrypte Electroni protected cryptographi Static RAM Manual KTS d c to RAM c boundary Outside of Output Electroni NVRAM cryptographi Plaintext Manual plaintext c c boundary Public Material

Page 81

SFI or Format Distributio Entry Name From To Algorith Type n Type Type m from NVRAM Output Outside of protected Encrypte Electroni NVRAM cryptographi Manual KTS from d c c boundary NVRAM Output Outside of plaintext Electroni Static RAM cryptographi Plaintext Manual from c c boundary RAM Output Outside of protected Encrypte Electroni Static RAM cryptographi Manual KTS from d c c boundary RAM Input asym. Outside of Encrypte Electroni encrypte cryptographi Static RAM Manual KTS-IFC d c d to c boundary RAM Output asym. Outside of Encrypte Electroni encrypte Static RAM cryptographi Manual KTS-IFC d c d to c boundary RAM Table 29: SSP Input-Output Methods Public Material

Page 82
9.3 SSP Zeroization Methods

Zeroization Method Description Rationale Operator Initiation Zeroization of all volatile SSPs. Explicit zeroization indicator provided by TPM2_Init N/A Activation of reset signal service completion status. SSPs linked to an Owner must Zeroization of all contexts associated with an Owner. Explicit zeroization TPM2_Clear not persist if the Owner Send TPM2_Clear command indicator provided by service completion status. changes Zeroization of platformAuth. Explicit zeroization indicator provided by Zeroize platformAuth before TPM2_Startup Send TPM2_Startup command service completion status. its first use after a reset Zeroize the platform primary seed and flush all transient and persistent TPM2_ChangePPS objects in the Platform hierarchy. Explicit zeroization indicator provided Platform hierarchy renewal Send TPM2_ChangePPS command by service completion status. Zeroize the endorsement primary seed and flush all transient and Endorsement hierarchy TPM2_ChangeEPS persistent objects in the Endorsement hierarchy. Explicit zeroization Send TPM2_ChangeEPS command renewal indicator provided by service completion status. Zeroize an object from NVRAM. Explicit zeroization indicator provided Method required to zeroize a TPM2_EvictControl Send TPM2_EvictControl command by service completion status. dedicated object in NVRAM Zeroize an object from RAM. Explicit zeroization indicator provided by Method required to zeroize a TPM2_FlushContext Send TPM2_FlushContext command service completion status. dedicated object in RAM Zeroize SSPs at the end of a command processing. Implicit zeroization Method for limited life cycle Automatic No, zeroization is automatic. indication. SSPs TPM2_NV_UndefineSpace Zeroize a NV index. Explicit zeroization indicator provided by service Method required to flush NV Send TPM2_NV_UndefineSpace command. Send TPM2_NV_UndefineSpaceSpecial completion status. indices from NVRAM TPM2_NV_UndefineSpaceSpecial command Zeroize the endorsement key provisioned. Explicit zeroization indicator Mandatory zeroization method TPM2_VendorCmdZeroizeEK Send TPM2_VendorCmdZeroizeEK command provided by service completion status. for EK SSPs TPM2_SequenceComplete Zeroize a hash or HMAC sequence. Explicit zeroization indicator Method required to flush Send TPM2_SequenceComplete command. Send TPM2_EventSequenceComplete provided by service completion status. sequences from RAM TPM2_EventSequenceComplete command Table 30: SSP Zeroization Methods

9.4 SSPs

All usage of these SSPs by the Module are described in the services detailed in section 4. Next table lists the SSPs used as keys: Established Name Description Size - Strength Type - Category Generated By Used By By KBKDF nullProof Proof (secret value) of the null hierarchy 512 - 256 Symmetric key - CSP DRBG MAC phProof Proof (secret value) of the platform hierarchy 512 - 256 Symmetric key - CSP DRBG MAC ehProof Proof (secret value) of the endorsement hierarchy 512 - 256 Symmetric key - CSP DRBG MAC KBKDF shProof Proof (secret value) of the storage hierarchy 512 - 256 Symmetric key - CSP DRBG MAC shProofForReseed Random value 512 - 256 Entropy source - CSP ENT-ESV DRBG

512 - 128 to 256 (depending on the underlying Authentication value / KBKDF

platformAuth Authentication value for the platform hierarchy hash algorithm used) Symmetric key - CSP MAC

512 - 128 to 256 (depending on the underlying Authentication value / KBKDF

endorsementAuth Authentication value for the endorsement hierarchy hash algorithm used) Symmetric key - CSP MAC Public Material

Page 83

Established Name Description Size - Strength Type - Category Generated By Used By By

512 - 128 to 256 (depending on the underlying Authentication value / KBKDF

ownerAuth Authentication value for the storage hierarchy hash algorithm used) Symmetric key - CSP MAC

512 - 128 to 256 (depending on the underlying Authentication value / KBKDF

lockoutAuth Authentication value for the lockout hierarchy hash algorithm used) Symmetric key - CSP MAC Data, Symmetric key - DRBG KBKDF objSeed Seed value for object generation 512 - 128 to 256 CSP KBKDF SHA Authentication value / KBKDF objAuth Object's authorization value 112 to 512 - 112 to 256 Symmetric key - CSP MAC AESENC objSymKey Encryption key of object private part 256 - 256 Symmetric key - CSP KBKDF AESDEC objHmacKey Integrity key of object private part 160, 256, 384, 512 - 128 to 256 Symmetric key - CSP KBKDF MAC AESENC KeyGen AES2048, 3072, 4096 (RSA) 128, 192, 256 (AES) Symmetric or asymmetric KBKDF DEC objSens Object private part 256, 384, 521 (ECC) 112 to 1024 (HMAC) - 112 private key - CSP CKG SigGen to 256 KAS-KeyGen KAS KBKDF MAC SigVer 2048, 3072, 4096 (RSA) 2*256, 2*384, 2*521 Asymmetric public key - KeyGen KAS objPub Object public part (ECC) - 112 to 256 PSP KAS-KeyGen KTSIFC Authentication value / KBKDF nvAuth Authorization of NV index 112 to 512 - 112 to 256 KTS Symmetric key - CSP MAC sesSalt Salt for keys diversification 160, 256, 384, 512 - 128 to 256 Symmetric key - CSP N/A KAS KBKDF KBKDF sesHmacKey HMAC session key 160, 256, 384, 512 - 128 to 256 Symmetric key - CSP KBKDF MAC AESENC sesSymKey Encrypted session key 128, 192, 256 - 128 to 256 Symmetric key - CSP KBKDF AESDEC contextKey Derivation key for context protection 128 - 128 Symmetric key - CSP DRBG KBKDF AESENC contextEncKey Wrapping key for context protection 256 - 256 Symmetric key - CSP KBKDF AESDEC AESENC dupInSymKey Wrapping key for duplicated object 128, 192, 256 - 128 to 256 Symmetric key - CSP DRBG AESDEC DRBG dupSeed Seed for protection keys derivation 160 to 512 - 128 to 256 Symmetric key - CSP KAS KBKDF KAS AESdupOutSymKey Encryption key for duplicated objects 128, 192, 256 - 128 to 256 Symmetric key - CSP KBKDF ENC Public Material

Page 84

Established Name Description Size - Strength Type - Category Generated By Used By By AESDEC dupOutHmacKey HMAC key for duplicated objects 160, 256, 384, 512 - 128 to 256 Symmetric key - CSP KBKDF MAC creSeed Seed for credential keys derivation 160 to 512 - 128 to 256 Symmetric key - CSP KAS KBKDF AESENC creSymKey Encryption key for credentials 128, 192, 256 - 128 to 256 Symmetric key - CSP KBKDF AESDEC creHmacKey HMAC key for credentials 160, 256, 384, 512 - 128 to 256 Symmetric key - CSP KBKDF MAC ephSensEccKey ECC ephemeral private key 256, 384, 521 - 128 to 256 ECC private key - CSP KAS-KeyGen KAS ephPubEccKey ECC ephemeral public key 512, 768, 1056 - 128 to 256 ECC public key - PSP KAS-KeyGen KAS Input during KTSekRsa Provisioned RSA endorsement key 2048 - 112 RSA private key - CSP manufacturing IFC Input during ekEcc Provisioned ECC endorsement key 256, 384 - 128 to 192 ECC private key - CSP KAS manufacturing Input during fuSigECCKey Field upgrade ECC signature verification key 384 - 192 ECC public key - PSP SigVer manufacturing Input during fuSigLMSKey Field upgrade LMS signature verification key 32 - 128 LMS public key - PSP SigVer manufacturing Authentication value / KBKDF seqAuth Authorization value for hash or HMAC sequence 112 to 512 - 112 to 256 N/A Symmetric key - CSP MAC nullSeed Seed of the null hierarchy 512 - 256 Seed - CSP ENT-ESV DRBG phSeed Seed of the platform hierarchy 512 - 256 Seed - CSP ENT-ESV DRBG ehSeed Seed of the endorsement hierarchy 512 - 256 Seed - CSP ENT-ESV DRBG shSeed Seed of the storage hierarchy 512 - 256 Seed - CSP ENT-ESV DRBG Internal state (V and C secret values) of the DRBG (based on drbgState 256 - 256 State - CSP DRBG DRBG SHA256) drbgSeed Seed value for the DRBG 512 - 256 Seed - CSP ENT-ESV DRBG Internal state (V and C secret values) of the transient DRBG tdrbgState (based on SHA256) used to generate prime numbers for primary 256 - 256 State - CSP DRBG DRBG RSA keys Input during fuSymSeed Seed used for field upgrade symmetric key derivation 256 - 256 Symmetric key - Neither KBKDF manufacturing AESfuSymKey field upgrade symmetric key 256 - 256 Symmetric key - Neither KBKDF DEC Input during diagSymSeed Seed used for diagnostic symmetric key derivation 256 - 256 Symmetric key - Neither KBKDF manufacturing AESdiagSymKey diagnostic symmetric key 256 - 256 Symmetric key - Neither KBKDF ENC Table 31: SSP Table 1 Name Input - Output Storage Storage Duration Zeroization Related SSPs drbgState:Generates nullProof Static RAM:Plaintext Until next reset TPM2_Init contextEncKey:Derived From drbgState:Generates phProof NVRAM:Plaintext After Use TPM2_ChangePPS contextEncKey:Derived From Public Material

Page 85

Name Input - Output Storage Storage Duration Zeroization Related SSPs TPM2_ChangeEPS drbgState:Generates ehProof NVRAM:Plaintext After Use TPM2_Clear contextEncKey:Derived From drbgState:Generates shProof NVRAM:Plaintext After Use TPM2_Clear contextEncKey:Derived From shProofForReseed NVRAM:Plaintext After Use TPM2_Clear tdrbgState:Reseeded From sesHmacKey:Derived from, Protects Input plaintext to RAM platformAuth Static RAM:Plaintext Until next reset TPM2_Init (Integrity) Input protected to RAM sesSymKey:Encrypts Input plaintext to sesHmacKey:Derived from, Protects NVRAM TPM2_Clear (Integrity) endorsementAuth NVRAM:Plaintext After Use Input protected to TPM2_ChangeEPS sesSymKey:Derived from, Protects NVRAM (Encrypts) Input plaintext to sesHmacKey:Derived from, Protects NVRAM (Integrity) ownerAuth NVRAM:Plaintext After Use TPM2_Clear Input protected to sesSymKey:Derived from, Protects NVRAM (Encrypts) Input plaintext to sesHmacKey:Derived from, Protects NVRAM (Integrity) lockoutAuth NVRAM:Plaintext After Use TPM2_Clear Input protected to sesSymKey:Derived from, Protects NVRAM (Encrypts) Input protected to RAM TPM2_Init tdrbgState:Derived From Input plaintext to RAM TPM2_Clear drbgState:Derived From Output protected from Static RAM:Plaintext Until object zeroization, shift to TPM2_ChangePPS objSymKey:Derived From objSeed RAM NVRAM:Plaintext NVRAM or next reset TPM2_ChangeEPS objHmacKey:Derived From Output protected from TPM2_EvictControl sesHmacKey:Protects (Integrity) NVRAM TPM2_FlushContext sesSymKey:Protects (Encrypts) Input plaintext to RAM TPM2_Init Input protected to RAM TPM2_Clear sesHmacKey:Derived from, Protects Output protected from Static RAM:Plaintext Until object zeroization, shift to TPM2_ChangePPS objAuth (Integrity) RAM NVRAM:Plaintext NVRAM or next reset TPM2_ChangeEPS sesSymKey:Derived from, Encrypts Output protected from TPM2_EvictControl NVRAM TPM2_FlushContext objAuth:Encrypted by objSens:Encrypted by Dynamic platformAuth:Encrypted by objSymKey RAM:Plaintext After Use Automatic endorsementAuth:Encrypted by NVRAM:Plaintext ownerAuth:Encrypted by lockoutAuth:Encrypted by objAuth:Protected by (Integrity) objSens:Protected by (Integrity) Dynamic platformAuth:Protected by (Integrity) objHmacKey RAM:Encrypted After Use Automatic endorsementAuth:Protected by NVRAM:Plaintext (Integrity) ownerAuth:Protected by (Integrity) lockoutAuth:Protected by (Integrity) Input plaintext to RAM TPM2_Init tdrbgState:Generates Input protected to RAM Static RAM:Plaintext Until object zeroization, shift to TPM2_Clear drbgState:Generates objSens Output protected from NVRAM:Plaintext NVRAM or next reset TPM2_ChangePPS objSeed:Derives RAM TPM2_ChangeEPS objSymKey:Encrypts Public Material

Page 86

Name Input - Output Storage Storage Duration Zeroization Related SSPs Output protected from TPM2_EvictControl objHmacKey:Protects (Integrity) NVRAM TPM2_FlushContext objPub:Paired With TPM2_Init Input plaintext to RAM TPM2_Clear Output plaintext from Static RAM:Plaintext Until object zeroization, shift to TPM2_ChangePPS objPub NVRAM objSens:Paired With NVRAM:Plaintext NVRAM or next reset TPM2_ChangeEPS Output plaintext from TPM2_EvictControl RAM TPM2_FlushContext Input plaintext to sesHmacKey:Derived from, Protects NVRAM TPM2_NV_UndefineSpace nvAuth NVRAM:Plaintext After Use (Integrity) Input protected to TPM2_NV_UndefineSpaceSpecial sesSymKey:Encrypts NVRAM Input asym. encrypted to Dynamic sesHmacKey:Derived From sesSalt After Use Automatic RAM RAM:Plaintext objPub:Encrypts nvAuth:Protected by (Integrity) contextKey:Encrypts contextEncKey:Encrypts platformAuth:Protected by (Integrity) endorsementAuth:Protected by Input protected to RAM Dynamic (Integrity) sesHmacKey Output protected from After Use Automatic RAM:Plaintext ownerAuth:Protected by (Integrity) RAM lockoutAuth:Protected by (Integrity) objAuth:Protected by (Integrity) seqAuth:Derives; Protected by (Integrity) dupInSymKey:Protected by (Integrity) sesHmacKey:Derives platformAuth:Derives; Encrypts endorsementAuth:Derives; Encrypts ownerAuth:Derives; Encrypts Dynamic sesSymKey After Use Automatic lockoutAuth:Derives; Encrypts RAM:Plaintext objAuth:Derives; Encrypts seqAuth:Derives; Encrypts nvAuth:Derives; Encrypts dupInSymKey:Encrypted by drbgState:Generates contextKey Static RAM:Plaintext Until next reset TPM2_Init contextEncKey:Derived From contextKey:Derives nullProof:Derives Dynamic contextEncKey After Use Automatic phProof:Derives RAM:Plaintext ehProof:Derives shProof:Derives Input plaintext to RAM Input protected to RAM sesSymKey:Encrypts Output plaintext from Dynamic dupInSymKey After Use Automatic sesHmacKey:Protects (Integrity) RAM RAM:Plaintext objSens:Encrypted by Output protected from RAM Public Material

Page 87

Name Input - Output Storage Storage Duration Zeroization Related SSPs Input asym. encrypted to objPub:Encrypts RAM Dynamic dupSeed After Use Automatic dupOutSymKey:Derived from Output asym. encrypted RAM:Plaintext dupOutHmacKey:Derived from to RAM dupSeed:Derives Dynamic objSens:Encrypted by dupOutSymKey After Use Automatic RAM:Plaintext objAuth:Encrypted by objSeed:Encrypted by dupSeed:Derives Dynamic objSens:Protects (Integrity) dupOutHmacKey After Use Automatic RAM:Plaintext objAuth:Protects (Integrity) objSeed:Protects (Integrity) Input asym. encrypted to creSymKey:Derives RAM Dynamic creSeed After Use Automatic creHmacKey:Derives Output asym. encrypted RAM:Plaintext objPub:Encrypts to RAM Dynamic creSymKey After Use Automatic creSeed:Derived From RAM:Plaintext Dynamic creHmacKey After Use Automatic creSeed:Derived From RAM:Plaintext Dynamic ephSensEccKey After Use Automatic drbgState:Generates RAM:Plaintext Input plaintext to RAM Dynamic ephPubEccKey Output plaintext from After Use Automatic ephSensEccKey:Derives RAM:Plaintext RAM ekRsa NVRAM:Plaintext After Use TPM2_VendorCmdZeroizeEK objSens:Derived From ekEcc NVRAM:Plaintext After Use TPM2_VendorCmdZeroizeEK objSens:Derived From fuSigECCKey NVRAM:Plaintext After Use N/A fuSigLMSKey NVRAM:Plaintext After Use N/A Input plaintext to RAM Input protected to RAM Dynamic Until use of zeroization command or TPM2_SequenceComplete sesSymKey:Derived From seqAuth Output protected from RAM:Plaintext next reset TPM2_EventSequenceComplete sesHmacKey:Derived From RAM nullSeed Static RAM:Plaintext Until next reset TPM2_Init tdrbgState:Instantiated with phSeed NVRAM:Plaintext After Use TPM2_ChangePPS tdrbgState:Instantiated with ehSeed NVRAM:Plaintext After Use TPM2_ChangeEPS tdrbgState:Instantiated with shSeed NVRAM:Plaintext After Use TPM2_Clear tdrbgState:Instantiated with TPM2_Init drbgState Static RAM:Plaintext Until next reset or use of TPM2_Clear drbgSeed:Instantiates TPM2_Clear Dynamic drbgSeed After Use Automatic drbgState:Instantiated with RAM:Plaintext nullSeed:Instantiates Dynamic phSeed:Instantiates tdrbgState After Use Automatic RAM:Plaintext ehSeed:Instantiates shSeed:Instantiates fuSymSeed NVRAM:Plaintext After Use N/A fuSymKey:Derived From Dynamic fuSymKey After Use Automatic fuSymSeed:Derives RAM:Plaintext Public Material

Page 88

Name Input - Output Storage Storage Duration Zeroization Related SSPs diagSymSeed NVRAM:Plaintext After Use N/A diagSymKey:Derived From Dynamic diagSymKey After Use Automatic diagSymSeed:Derives RAM:Plaintext Table 32: SSP Table 2 Inputs / Temporary Storage Name Description Size (bits) Strength Type Generated by Established by Used by Storage Zeroization Category Related SSPs Outputs Duration Derived from Proof (secret drbgState KBKDF nullProof value) of the 512 256 Symmetric key DRBG N/A - Static RAM Until next reset TPM2_Init CSP contextEncKey null hierarchy MAC can be derived from nullProof Derived from Proof (secret drbgState value) of the phProof 512 256 Symmetric key DRBG N/A MAC - NVRAM After use TPM2_ChangePPS CSP contextEncKey platform hierarchy can be derived from phProof Proof (secret Derived from value) of the drbgState TPM2_ChangeEPS ehProof endorsement 512 256 Symmetric key DRBG N/A MAC - NVRAM After use CSP contextEncKey hierarchy TPM2_Clear can be derived from ehProof Proof (secret Derived from value) of the drbgState KBKDF shProof storage 512 256 Symmetric key DRBG N/A - NVRAM After use TPM2_Clear CSP contextEncKey hierarchy MAC can be derived from shProof tdrbgState is shProofForRes reseeded with Random value 512 256 Entropy source ENT-ESV N/A DRBG - NVRAM After use TPM2_Clear CSP eed shProofForRes eed sesHmacKey can be derived Input from protected platformAuth

128 to 256 to RAM

Authentication New input (depending on Authentication KBKDF or value for the platformAuth platformAuth 512 the underlying value / N/A N/A Static RAM Until next reset TPM2_Init CSP platform MAC Input value can be hash algorithm Symmetric key hierarchy plaintext to wrapped by used) RAM sesSymKey and integrity protected by sesHmacKey Public Material

Page 89

Inputs / Temporary Storage Name Description Size (bits) Strength Type Generated by Established by Used by Storage Zeroization Category Related SSPs Outputs Duration sesHmacKey and sesSymKey can Input be derived protected from

128 to 256 to NVRAM endorsementA

Authentication uth (depending on Authentication KBKDF or endorsementA value for the TPM2_Clear

512 the underlying value / N/A N/A NVRAM After use CSP New input

uth endorsement MAC Input TPM2_ChangeEPS hash algorithm Symmetric key endorsementA hierarchy plaintext to used) uth value can NVRAM be wrapped by sesSymKey and integrity protected by sesHmacKey sesHmacKey and sesSymKey can Input be derived protected from

128 to 256 to NVRAM

Authentication ownerAuth (depending on Authentication KBKDF or value for the New input ownerAuth 512 the underlying value / N/A N/A NVRAM After use TPM2_Clear CSP storage MAC Input ownerAuth hash algorithm Symmetric key hierarchy plaintext to value can be used) NVRAM wrapped by sesSymKey and integrity protected by sesHmacKey sesHmacKey and sesSymKey can Input be derived protected from

128 to 256 to NVRAM

Authentication lockoutAuth (depending on Authentication KBKDF or value for the New input lockoutAuth 512 the underlying value / N/A N/A NVRAM After use TPM2_Clear CSP lockout MAC Input lockoutAuth hash algorithm Symmetric key hierarchy plaintext to value can be used) NVRAM wrapped by sesSymKey and integrity protected by sesHmacKey tdrbgState can Seed of the nullSeed 512 256 Seed ENT-ESV N/A DRBG - Static RAM Until next reset TPM2_Init CSP be instantiated null hierarchy by nullSeed Seed of the tdrbgState can phSeed platform 512 256 Seed ENT-ESV N/A DRBG - NVRAM After use TPM2_ChangePPS CSP be instantiated hierarchy by phSeed Public Material

Page 90

Inputs / Temporary Storage Name Description Size (bits) Strength Type Generated by Established by Used by Storage Zeroization Category Related SSPs Outputs Duration Seed of the tdrbgState can ehSeed endorsement 512 256 Seed ENT-ESV N/A DRBG - NVRAM After use TPM2_ChangeEPS CSP be instantiated hierarchy by ehSeed Seed of the tdrbgState can shSeed storage 512 256 Seed ENT-ESV N/A DRBG - NVRAM After use TPM2_Clear CSP be instantiated hierarchy by shSeed can be derived from tdrbgState for Input primary protected objects, from to RAM drbgState for Input ordinary TPM2_Clear plaintext to objects TPM2_ChangePPS Seed value for SHA RAM Until object Data, DRBG Static RAM TPM2_ChangeEPS can be objSeed object 512 128 to 256 N/A zeroization, shift to CSP Symmetric key KBKDF KBKDF Output NVRAM TPM2_EvictControl protected by generation NVRAM or next reset protected TPM2_FlushContext sesHmacKey from RAM TPM2_Init and sesSymKey Output protected objSymKey from and NVRAM objHmacKey are derived from objSeed Input protected to RAM can be protected by Input sesHmacKey TPM2_Clear plaintext to and TPM2_ChangePPS Object’s Authentication MAC RAM Until object sesSymKey Static RAM TPM2_ChangeEPS objAuth authorization 112 to 512 112 to 256 value / N/A N/A zeroization, shift to CSP KBKDF Output NVRAM TPM2_EvictControl sesHmacKey value Symmetric key NVRAM or next reset protected TPM2_FlushContext and from RAM TPM2_Init sesSymKey can Output be derived protected from objAuth from NVRAM can wrap platformAuth / Encryption key AES-ENC, AES- Dynamic RAM endorsementAu objSymKey of object 256 256 Symmetric key KBKDF N/A - After use Automatic CSP DEC NVRAM th / ownerAuth private part / lockoutAuth / objAuth/objSens can protect platformAuth / Integrity key of 160, 256, 384, Dynamic RAM endorsementAu objHmacKey object private 128 to 256 Symmetric key KBKDF N/A MAC - After use Automatic CSP

512 NVRAM th / ownerAuth

part / lockoutAuth / objAuth/objSens Public Material

Page 91

Inputs / Temporary Storage Name Description Size (bits) Strength Type Generated by Established by Used by Storage Zeroization Category Related SSPs Outputs Duration can be generated from tdrbgState for Input primary protected objects, from to RAM drbgState for ordinary Input objects and 2048, 3072, plaintext to AES-ENC, AES- TPM2_Clear derived from

4096 (RSA) CKG RAM

DEC, TPM2_ChangePPS objSeed of its 128, 192, 256 Symmetric or KBKDF Object private KBKDF Static RAM Until object TPM2_ChangeEPS parent for objSens (AES) 112 to 256 asymmetric N/A Output CSP part KAS-KeyGen MAC NVRAM zeroization, shift to TPM2_EvictControl derived 256, 384, 512, private key protected KAS NVRAM or next reset TPM2_FlushContext objects 521, (ECC) KeyGen from RAM SigGen (RSA, TPM2_Init

112 to 1024 objSymKey

ECDSA), (HMAC) Output encrypts protected objSens from objHmacKey NVRAM can integrity protect objSens objPub: Paired With Input plaintext to RAM TPM2_Clear 2048, 3072, KeyGen Output TPM2_ChangePPS Object public 4096 (RSA) Asymmetric KAS, KTS-IFC, Static RAM Until object TPM2_ChangeEPS objSens: objPub 112 to 256 (ECDSA, RSA) N/A plaintext PSP part 2*256, 2*384, public key SigVer (RSA, NVRAM zeroization, shift to TPM2_EvictControl Paired With from RAM 2*521 (ECC) KAS-KeyGen ECDSA), NVRAM or next reset TPM2_FlushContext Output TPM2_Init plaintext from NVRAM sesHmacKey can be derived from nvAuth Input protected TPM2_NV_UndefineS New input Authentication to NVRAM nvAuth value Authorization KBKDF pace nvAuth 112 to 512 112 to 256 value / N/A N/A Input NVRAM After use CSP can be of NV index MAC TPM2_NV_UndefineS Symmetric key plaintext to wrapped by paceSpecial NVRAM sesSymKey and integrity protected by sesHmacKey Input asym. sesHmacKey is Salt for keys 160, 256, 384, encrypted sesSalt 128 to 256 Symmetric key N/A KAS KBKDF Dynamic RAM After use Automatic CSP derived from diversification 512 to RAM sesSalt Public Material

Page 92

Inputs / Temporary Storage Name Description Size (bits) Strength Type Generated by Established by Used by Storage Zeroization Category Related SSPs Outputs Duration objPub wraps sesSalt protects nvAuth / platformAuth / endorsementAu th / ownerAuth / lockoutAuth / Input objAuth / protected seqAuth / HMAC session 160, 256, 384, KBKDF to RAM sesHmacKey 128 to 256 Symmetric key KBKDF N/A Dynamic RAM After use Automatic CSP dupInSymKey key 512 MAC Output derived from protected seqAuth from RAM contextKey and contextEncKey keys can wrap sesHmacKey derived from and encrypts sesHmacKey and AES-ENC, AES- platformAuth / Encrypted sesSymKey 128, 192, 256 128 to 256 Symmetric key KBKDF N/A DEC Dynamic RAM After use Automatic CSP endorsementA session key uth / ownerAuth / lockoutAuth / objAuth / seqAuth generated from Derivation key drbgState contextKey for context 128 128 Symmetric key DRBG N/A KBKDF - Static RAM Until next reset TPM2_Init CSP protection contextEncKey is derived from contextKey derived from contextKey Wrapping key AES-ENC, AES- and nullProof / contextEncKey for context 256 256 Symmetric key KBKDF N/A DEC - Dynamic RAM After use Automatic CSP phProof / protection ehProof / shProof Input plaintext to can be RAM wrapped by Input sesSymKey Wrapping key protected AES-ENC, AES- and protected dupInSymKey for duplicated 128, 192, 256 128 to 256 Symmetric key DRBG N/A to RAM Dynamic RAM CSP DEC After use Automatic by object Output sesHmacKey plaintext from RAM Encrypts Output objSens protected from RAM Public Material

Page 93

Inputs / Temporary Storage Name Description Size (bits) Strength Type Generated by Established by Used by Storage Zeroization Category Related SSPs Outputs Duration encrypted by objPub key Input asym. (KTS-IFC or encrypted Seed for KAS) DRBG to RAM dupSeed protection 160 to 512 128 to 256 Symmetric key KAS KBKDF Output Dynamic RAM After use Automatic CSP dupOutSymKe keys derivation KAS asym. y and encrypted dupOutHmacK from RAM ey are derived from dupSeed derived from Encryption key dupSeed dupOutSymKe AES-ENC, AESfor duplicated 128, 192, 256 128 to 256 Symmetric key KBKDF N/A DEC - Dynamic RAM After use Automatic CSP wraps objSens, y objects objAuth, objSeed derived from dupSeed MAC key for dupOutHmacK 160, 256, 384, protects duplicated 128 to 256 Symmetric key KBKDF N/A MAC - Dynamic RAM After use Automatic CSP ey 512 objSens, objects objAuth, objSeed Input asym. creSymKey encrypted and Seed for to RAM creHmacKey KAS creSeed credential keys 160 to 512 128 to 256 Symmetric key N/A Output Dynamic RAM CSP are derived KBKDF After use Automatic derivation asym. from creSeed encrypted Encrypted by from RAM objPub derived from AES-ENC, AEScreSymKey 128, 192, 256 128 to 256 Symmetric key KBKDF N/A Dynamic RAM CSP creSeed Encryption key DEC - After use Automatic for credentials HMAC key for 160, 256, 384, derived from creHmacKey 128 to 256 Symmetric key KBKDF N/A MAC - Dynamic RAM After use Automatic CSP credentials 512 creSeed ephSensEccKe ECC ephemeral ECC private derived from 256, 384, 521 128 to 256 KAS-KEYGEN N/A KAS - Dynamic RAM After use Automatic CSP y private key key drbgState Input plaintext to generated ECC ephemeral RAM from ephPubEccKey 512, 768, 1056 128 to 256 ECC public key KAS-KEYGEN N/A KAS Output Dynamic RAM After use Automatic PSP public key ephSensEccKe plaintext y from RAM Provisioned Other

Page 94

Inputs / Temporary Storage Name Description Size (bits) Strength Type Generated by Established by Used by Storage Zeroization Category Related SSPs Outputs Duration Provisioned Other

Page 95

Inputs / Temporary Storage Name Description Size (bits) Strength Type Generated by Established by Used by Storage Zeroization Category Related SSPs Outputs Duration Seed used for Other

Page 96

Next table gives the security strength of a key depending on the underlying algorithm used and its size: Algorithm* Underlying algorithm Key size (bits) Security strength (bits) size ≥ 128 128 SHA-1 size < 128 Key size size ≥ 192 192 KBKDF SHA2-256 size < 192 Key size SHA2-384 size ≥ 256 256 SHA2-512 size < 256 Key size size ≥ 128 128 SHA-1 size < 128 Key size size ≥ 192 192 HMAC SHA2-256 size < 192 Key size SHA2-384 size ≥ 256 256 SHA2-512 size < 256 Key size DRBG SHA2-256 - 256 AES - 128 / 192 / 256 128 / 192 / 256 RSA - 2048 / 3072 / 4096 112 / 128 / 142 ECC - 256 / 384 / 521 128 / 192 / 256 Table 33

9.5 Transitions

The module only supports the use of SHA-1 in the Approved mode of operation for non-digital signature applications as permitted by SP800-131Ar2. The module only permits the use of SHA-1 for the purposes of digital signatures in the non-Approved mode.

9.6 Additional Information

N/A Public Material

Page 97
10 Self-Tests
10.1 Pre-Operational Self-Tests

The Module performs self-tests to ensure the proper operation of the Module. Per FIPS 140-3 these are categorized as either pre-operational self-tests or conditional self-tests. Pre-operational self–tests are available on demand by power cycling the Module. The Module performs the following pre-operational self-tests in the table below: Algorithm or Test Test Properties Test Type Indicator Details Test Method Firmware SW/FW Successful execution of TPM2_Startup command FW integrity is verified by computing an EDC (CRC-16 [ISO13239]) and comparing it to CRC 16 EDC integrity test Integrity indicates tests have been run reference values. HW registers Critical Successful execution of TPM2_Startup command HW integrity is guaranteed via check of HW sensors. If failure is detected during boot HW integrity KAT verification Function indicates tests have been run sequence, status is set to FAIL, and error is returned. Table 34: Pre-Operational Self-Tests

10.2 Conditional Self-Tests

The Module performs the following conditional self-tests in the table below. The bit index indicated in the “Indicator” column corresponds to the index in the algos_status field in the TPM2_GetTestResult response. Algorithm or Test Test Properties Test Method Indicator Details Conditions Test Type AES-ENC AES-128-CBC KAT CAST Bit #7 clear AES CBC 128 encryption of known data compared to a reference value. Power On (A5356) AES-DEC AES CBC 128 decryption of known encrypted data and comparison to the expected AES-128-CBC KAT CAST Bit #7 clear Power On (A5356) plaintext data ECDSA KeyGen Depending on the key purpose (signing or key establishment) an ECDSA signature is Key creation Upon ECC Key (FIPS186-4) P-256, P-384, P-521 PCT PCT generated (k fixed and the message varies) and verified with pairwise consistency test as failure Generation (A5358) defined by [56Ar3] or a scalar multiplication is done and compared to the public key. ECDSA SigGen ECDSA signature generation on known data with known key and k. Output of signature (FIPS186-4) NIST P-256 KAT CAST Bit #10 clear Power On is compared to a reference signature. (A5358) ECDSA SigVer (FIPS186-4) NIST P-256 KAT CAST Bit #10 clear ECDSA signature verification on known signature with known key and k. Power On (A5358) [90B] Health- AIS31 and [90B] (RCT and APT) start-up health tests on ESV #E41 output sequence. If At each random Entropy RCT and APT CAST Bit #1 clear Test test fails, test status is set to FAIL, and error is returned bits generation Error returned on Signature SW/FW Upon firmware Firmware loading ECDSA P-384 and LMS FW loading Verification of chained digest and signature to ensure authentication of the FW Verification Load load command Instantiate then Reseed are seeded with a known seed value (64 bytes). Random is then Hash DRBG SHA2-256 KAT CAST Bit #1 clear generated with Generate API to output a 32-bytes value compared to a reference value Power On (A5351) (single test sequence done in accordance with §11.3 of [90A]) HMAC-SHA-1 HMAC on known data and known key. Comparison of output to an expected MAC value HMAC-SHA1 KAT CAST Bit #5 clear Power On (A5355) (20 bytes) KAS-ECC Primitive "Z" Computation and key derivation are implemented: a known private key d Sp800-56Ar3 NIST P-256 KAT CAST Bit #9 clear Power On is used with a known point P of NIST P-256 curve to compute Q = dP. Key derivation (A5358) Public Material

Page 98

Algorithm or Test Test Properties Test Method Indicator Details Conditions Test Type of Q performed with SHA-1 underlying algorithm to output a key of 20 bytes that is compared to a refence value KDF SP800-108 KDF on known data and known label. Comparison of output to an expected derivation N/A KAT CAST Bit #6 clear Power On (A5354) value (32 bytes) LMS SigVer LMOTS_SHA256_N32_W4 KAT CAST Bit #8 clear LMS signature verification of known signature with known data and known key. Power On (A5360) LMS_SHA256_M32_H10 RSA SigGen RSA signature generation on known data with a known key. Output of signature is (FIPS186-5) RSASSA-PKCS1-v1_5 KAT CAST Bit #12 clear Power On compared to a reference signature (covers also KTS-IFC functionality) (A5357) RSA SigVer RSA signature verification on a known signature with a known key (covers also KTS(FIPS186-5) RSASSA-PKCS1-v1_5 KAT CAST Bit #12 clear Power On IFC functionality) (A5357) RSA KeyGen Key creation Depending on the key purpose (signing or encrypting) indicated in sign attribute of the Upon RSA Key (FIPS186-5) 2048, 3072 or 4096-bit PCT PCT failure key, encryption/decryption or signing/verification is done on known data Generation (A5357) Bit #2 clear Bit Hash of known data and comparison of output to an expected digest. SHA-1, SHA2-256, SHA1, SHA2-256, SHA2-512, SHS KAT CAST #3 clear Bit #4 SHA2-512 are tested twice to cover each of the two implementations covered by CAVP Power On SHA3-256 clear Cert. #A5352 and #A5353. Table 35: Conditional Self-Tests Public Material

Page 99
10.3 Periodic Self-Test Information

Algorithm or Periodic Test Method Test Type Period Test Method Firmware SW/FW EDC On demand Manually integrity test Integrity HW integrity KAT Critical Function On demand Manually Table 36: Pre-Operational Periodic Information Algorithm or Periodic Test Method Test Type Period Test Method AES-ENC KAT CAST On Demand Manually (A5356) AES-DEC KAT CAST On Demand Manually (A5356) ECDSA KeyGen (FIPS186-4) PCT PCT N/A Manually (A5358) ECDSA SigGen (FIPS186-4) KAT CAST On Demand Manually (A5358) ECDSA SigVer (FIPS186-4) KAT CAST On Demand Manually (A5358) [90B] HealthEntropy CAST On Demand Manually Test Firmware Signature SW/FW Load On Demand Manually loading Verification Hash DRBG KAT CAST On Demand Manually (A5351) HMAC-SHA-1 KAT CAST On Demand Manually (A5355) KAS-ECC Sp800-56Ar3 KAT CAST On Demand Manually (A5358) KDF SP800-108 KAT CAST On Demand Manually (A5354) LMS SigVer KAT CAST On Demand Manually (A5360) RSA SigGen (FIPS186-5) KAT CAST On Demand Manually (A5357) RSA SigVer (FIPS186-5) KAT CAST On Demand Manually (A5357) Public Material

Page 100

Algorithm or Periodic Test Method Test Type Period Test Method RSA KeyGen (FIPS186-5) PCT PCT N/A Manually (A5357) SHS KAT CAST On Demand Manually Table 37: Conditional Periodic Information

10.4 Error States

Recovery Name Description Conditions Indicator Method The Module fails a Outputs return code of KAT, PCT, FW or The Module Reboot/Power TPM_RC_FAILURE, ES1 HW integrity enters the cycle the otherwise it indicates verification, [90B] failure state module successful completion by health test TPM_RC_SUCCESS Return code different from The Module fails a The Module TPM_RC_SUCCESS sent on ES2 firmware loading returns to None firmware upgrade start test normal state command Table 38: Error States All cryptographic functions are inhibited while the module is in an error state. Successful completion of self-tests can be verified through use of TPM2_GetTestResult command. The first 4 bytes of response indicate self-tests status. If they are equal to 0, self-tests completed successfully. If not, the subsequent 4 bytes indicate the list of algorithms not fully self-tested. Public Material

Page 101
11 Life-Cycle Assurance
11.1 Installation, Initialization, and Startup Procedures

Installation and Initialization: The following steps must be performed in order to securely install, initialize, and start up the Module in the FIPS 140-3 Approved mode of operation:

Page 102

Signature with HMAC key (one of the proofs) TPM2_PolicyTicket Message Authentication Code generated by TPM2_PolicySigned or TPM2_PolicySecret authValue of bound entity is used as KDK Bound session Message Authentication Code generated from KBKDF in session key derivation Table 39

11.2 Administrator Guidance

No specific initialization procedure is required.

11.3 Non-Administrator Guidance

No initialization procedures are required.

11.4 Design and Rules

Rules of Operation

  1. The Module provides two operator roles: the Cryptographic Officer and the User role. Each role is associated with a set of services as detailed in Section 4.3.
  2. The Module, evaluated at FIPS 140-3 Level 2, requires authentication to access some of the services as detailed in Section 4.1.
  3. The Module allows the operator to initiate power-up self-tests by power cycling or resetting the Module.
  4. Power up self-tests do not require any operator action.
  5. Data output is inhibited during key generation, self-tests, zeroisation, firmware loading, and error states.
  6. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the Module.
  7. The Module does not support concurrent operators.
  8. The Module does not support a maintenance interface or role.
  9. The Module does not support manual key entry method. Public Material – May be reproduced only in its original entirety (without revision).
Page 103
  1. The Module does not have any proprietary external input/output devices used for entry/output of data.
  2. The Module does not output intermediate key values.
  3. The Module does not provide bypass services or ports/interfaces.
  4. The Module does not support a self-initiated cryptographic output capability.
  5. For all zeroisation methods, the module must be in direct control of the operator.
11.5 Maintenance Requirements
11.6 End of Life

End-of-life of the product requires the following zeroisation commands to be executed to remove all CSPs from the memory of the module:

Page 104
12 Mitigation of Other Attacks

The Module does not implement any mitigation method against other attacks. Public Material

Page 105

References and Definitions The following standards are referred to in this Security Policy. Abbreviation* Full Specification Name [TPM2.0 Part1] TPM2.0 Main, Part 1, Architecture, rev 1.59, TCG [TPM2.0 Part2] TPM2.0 Main, Part 2, Structures, rev 1.59, TCG [TPM2.0 Part3] TPM2.0 Main, Part 3, Commands, rev 1.59, TCG [TPM2.0 Part4] TPM2.0 Main, Part 4, Supporting routines, rev 1.59, TCG [PTP 1.06] TCG PC Client Platform TPM Profile (PTP) Specification, rev. 1.06 [FIPS TCG] TCG FIPS 140-3 guidance for TPM 2.0, version 1.0, rev. 1, January 30, 2024 [ISO19790] International Standard, ISO/IEC 19790, Information technology

Page 106

Abbreviation* Full Specification Name [133] NIST Special Publication 800-133, Recommendation for Cryptographic Key Generation, Revision 2, June 2020 [135] National Institute of Standards and Technology, Recommendation for Existing ApplicationSpecific Key Derivation Functions, Special Publication 800-135rev1, December 2011 [186] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-5, Feb 2023 [197] National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197-upd1, May, 2023 [198] National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008 [180] National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August 2015 [202] FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION, SHA-3 Standard: PermutationBased Hash and Extendable-Output Functions, FIPS PUB 202, August 2015 [208] National Institute of Standards and Technology, Recommendation for Stateful Hash-Based Signature Schemes, October 2020 [38A] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001 [56Ar3] NIST Special Publication 800-56A Revision 3, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, April 2018 [56Br2] NIST Special Publication 800-56B Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Finite Field Cryptography, March 2019 [90A] National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, Revision 1, June 2015 [90B] National Institute of Standards and Technology, Recommendation for the Entropy Sources Used for Random Bit Generation, Special Publication 800-90B, January 2018 Table 40

Page 107

Acronym* Definition SSP Sensitive Security Parameter TCG Trusted Computing Group TPM Trusted Platform Module Table 41