
Trusted Platform Module with Enhanced Hardware Detection Methods

IP.com Disclosure Number: IPCOM000126403D
Original Publication Date: 2005-Jul-15
Included in the Prior Art Database: 2005-Jul-15
Document File: 3 page(s) / 38K

Publishing Venue

IBM

Abstract

The Trusted Computing Group (TCG) Trusted Platform Module (TPM) is defined so that it is resistant to software-based security and trust attacks. There is only one feature that is intended to resist a hardware attack (physical removal from the system). While it is expensive to protect the TPM against a broad range of hardware attacks, this paper proposes some simple extensions that would provide significant incremental protection over the existing specification. The resulting TPM remains a passive recording device and so does not introduce new system-level concerns about user privacy or platform lock-in.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 42% of the total text.

Page 1 of 3


In the current versions of the TCG specifications (TPM V1.1 and V1.2), the TPM is defined to contain a set of Platform Configuration Registers (PCRs). These PCRs hold 160-bit SHA-1 digest values that represent the state of the hardware and software of the system, including configuration information: a measurement is folded into a PCR by the extend operation, PCR_new = SHA-1(PCR_old || measurement digest), so a PCR's value depends on its initial state and on every measurement extended into it since reset. Figure 1 illustrates a simplified TPM according to existing specifications. The initial state of each PCR is set to a known value (e.g., zero) at the time of the System Reset signal; external inputs (illustrated as A, B, C, and D) cannot affect the initial value. The PCRs are populated by values calculated by the CPU, so they can only represent what the CPU reports. If the CPU is attacked, the information recorded in the PCRs could be incorrect.

This paper proposes to add a set of general-purpose input-output pins to the TPM and some programmable control logic that together enable the enhanced TPM to measure simple information directly about the system in which it is operating. This allows the TPM to record information independently of the CPU, increasing the likelihood that certain attacks will be detected. The trust level of the system is thus raised above the level provided by the conventional TPM V1.1 or V1.2 specification. The information obtained from the pins is used to modify the values recorded in the PCRs so that the attacks can be detected by an external agent (usually called a "challenger"). The input values of the pins are inserted into selected PCRs to change the initial state of those PCRs, thereby rendering the pin values detectable through the existing attestation protocols and methods of V1.1 or V1.2 without any change to the challenger side.

[Figure 1: TCG Trusted Platform Module with PCR0 == 0; external inputs A, B, C, and D shown as unable to affect it]

Figure 1: PCR0 initial state set to Zeros (0x0)

Figure 2 shows a simple implementation of the proposed change. In this example, the external input values A, B, C, and D are used to set the initial value of PCR0. Because every later value of PCR0 is derived from that initial value by the extend operation, the effect of the states A, B, C, and D had at reset will always be detectable. A system would be designed so that the normal states of the inputs are all zeros, giving the expected initial PCR0 value of zero. Abnormal system conditions (e.g., an opened lid, a disconnected signal wire, etc.) would drive an input to one and perturb PCR0 away from its expected value, thus signalling an untrustworthy or insecure condition. A challenger that holds the expected PCR0 value for the normal configuration would be able to determine by comparison that the subject system was untrustworthy or insecure and react accordingly.
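The Figure 1 and Figure 2 mechanism as an added example in Python (not code from the IBM disclosure): a software model of PCR reset and extend in which the pin levels sampled at reset seed PCR0, so that the same CPU-reported boot chain yields a different PCR0 when a pin was abnormal, and a challenger comparing against a known-good value detects it. It also models the Input Filter Bits mask of Figure 2 and, going beyond that figure, a Figure 3 style routing of pins to different PCRs. The pin names, the one-bit-per-pin packing into the PCR's low-order byte, the 16-register PCR bank, the boot measurements and the golden values are all assumptions for illustration.

```python
import hashlib

# Added example, not code from the IBM disclosure.  It models the proposed
# reset behaviour in software so the effect on a challenger can be seen.
# Pin names, one-bit-per-pin packing, the 16-PCR bank, the boot measurements
# and the "golden" reference values are assumptions for illustration.

PCR_LEN = 20                    # TPM 1.1/1.2 PCRs are 160-bit SHA-1 digests
NUM_PCRS = 16                   # minimum PCR count in TPM 1.1/1.2
PINS = ("A", "B", "C", "D")     # the four external inputs of Figures 1-3
FILTER_ALL = 0b1111             # Input Filter Bits: pass every pin
ALL_TO_PCR0 = {p: 0 for p in PINS}              # Figure 2: every pin seeds PCR0
SPLIT = {"A": 0, "B": 0, "C": 1, "D": 1}        # Figure 3 style: pins seed different PCRs
BOOT_CHAIN = [b"BIOS 1.02", b"option ROM", b"bootloader"]  # constructed measurements


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend as in 1.1/1.2: the CPU hashes the measured object and the TPM
    computes PCR_new = SHA-1(PCR_old || digest).  The result is a one-way
    function of the initial PCR value and every digest extended since reset."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def pins_to_bits(pins: dict) -> int:
    """Pack pin levels (0 = normal, 1 = abnormal) into an int, A in bit 0 .. D in bit 3."""
    return sum(1 << i for i, name in enumerate(PINS) if pins.get(name, 0))


def reset_pcrs(pins: dict, filter_bits: int, pin_to_pcr: dict) -> list:
    """Model of System Reset in the proposal.  Every PCR starts as zeros; each
    pin that the filter mask passes then sets one bit in the low-order byte of
    the PCR it is routed to.  With all pins at 0 this degenerates to the
    conventional TPM of Figure 1."""
    pcrs = [bytearray(PCR_LEN) for _ in range(NUM_PCRS)]
    bits = pins_to_bits(pins) & filter_bits
    for i, name in enumerate(PINS):
        if (bits >> i) & 1:
            pcrs[pin_to_pcr[name]][-1] |= 1 << i
    return [bytes(p) for p in pcrs]


def boot(pcrs: list, measurements: list) -> list:
    """Simulate the CPU measuring its boot chain into PCR0 after reset."""
    pcrs = list(pcrs)
    for m in measurements:
        pcrs[0] = extend(pcrs[0], m)
    return pcrs


def challenger_verify(quoted: list, golden: list) -> list:
    """Challenger side: compare quoted PCRs with the expected values from a
    known-good boot; return the indices that disagree (empty = trustworthy)."""
    return [i for i, (q, g) in enumerate(zip(quoted, golden)) if q != g]


def demo() -> dict:
    """Same boot chain every time; only the pin state at reset differs."""
    golden = boot(reset_pcrs({}, FILTER_ALL, ALL_TO_PCR0), BOOT_CHAIN)
    cases = {
        "normal":   ({}, FILTER_ALL, ALL_TO_PCR0),        # lid closed, wires intact
        "lid_open": ({"A": 1}, FILTER_ALL, ALL_TO_PCR0),  # pin A reads 1 at reset
        "filtered": ({"A": 1}, 0b1110, ALL_TO_PCR0),      # A masked out by filter bits
        "split_c":  ({"C": 1}, FILTER_ALL, SPLIT),        # Figure 3 routing: C seeds PCR1
    }
    return {name: challenger_verify(boot(reset_pcrs(*args), BOOT_CHAIN), golden)
            for name, args in cases.items()}


if __name__ == "__main__":
    for name, mismatched in demo().items():
        print(f"{name:9s} mismatched PCRs: {mismatched or 'none'}")
```

Because extend is one way, nothing the CPU reports later can bring a perturbed PCR0 back to the golden value, and the challenger needs nothing beyond the expected PCR set for the normal configuration. The caveat the Figure 2 design implies is also visible in the model: the pins only seed the initial value at System Reset, so a condition that arises after reset and clears again before the next reset leaves no trace unless the control logic latches it.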



[Figure 2: TCG Trusted Platform Module; inputs A, B, C, and D pass through the Input Filter Bits into PCR0]

Figure 2: Inputs set PCR0 initial state as controlled by Input Filter Bits

As an alternative implementation, shown in Figure 3, the inputs could be designed to affect different PCR registers.

In the example shown in Figure 3, inputs A and B could measure the state of system indicators while inputs C and D could measure the...