1 Scope
This standard describes the functional principles and requirements of the cryptographic support platform for trusted computing, and specifies the interfaces through which applications use the platform's cryptographic algorithm, key management, certificate management, cryptographic protocol and cryptographic service functions.
This standard applies to the development, production and assessment of products related to the cryptographic support platform for trusted computing, and to the development of applications that use such products.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 5271.8 Information Technology—Vocabulary—Part 8: Security (idt ISO/IEC 2382-8:1998)
GM/T 0002 SM4 Block Cipher Algorithm
GM/T 0003 (All parts) Public Key Cryptographic Algorithm SM2 based on Elliptic Curves
GM/T 0004 SM3 Cryptographic Hash Algorithm
GM/T 0005 Randomness Test Specification
GM/T 0009 SM2 Cryptography Algorithm Application Specification
GM/T 0015 Digital Certificate Format based on SM2 Algorithm
3 Terms, Definitions and Abbreviations
3.1 Definitions
For the purposes of this document, the terms and definitions given in GB/T 5271.8 and the following ones apply.
3.1.1
component
hardware and/or software module of a computing system that can be measured
3.1.2
storage master key
master key used to protect the platform identity key and user keys
3.1.3
object
the resources in the cryptographic support platform for trusted computing that an entity can access, including key data, operating environment data, sensitive data, etc.
3.1.4
trusted computing platform
support system built into a computing system to implement trusted computing functions
3.1.5
cryptographic support platform for trusted computing
an essential part of a trusted computing platform, comprising cryptographic algorithms, key management, certificate management, cryptographic protocols, cryptographic services, etc. It provides the cryptographic support for the integrity, identity credibility and data security of the trusted computing platform. In terms of product form it is presented mainly as a trusted cryptography module and a TCM service module.
3.1.6
root of trust for measurement
trusted integrity measurement unit that forms the basis for trusted measurement in a trusted computing platform
3.1.7
root of trust for storage
storage master key that forms the basis for trusted storage in a trusted computing platform
3.1.8
root of trust for reporting
TCM endorsement key that forms the basis for trusted reporting in a trusted computing platform
3.1.9
trusted cryptography module
hardware module of a trusted computing platform that provides cryptographic algorithms for the platform and has a protected memory space
3.1.10
TCM service module
software module of the cryptographic support platform for trusted computing that provides the software interfaces through which the trusted cryptography module is accessed from outside the module
Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
3.1 Definitions
3.2 Abbreviations
4 Functional Principles of Cryptographic Support Platform for Trusted Computing
4.1 Platform Architecture
4.1.1 Relationship between Platform Functionality and Cryptography
4.1.2 Platform Composition
4.1.3 Trusted Cryptography Module (TCM)
4.1.4 TCM Service Module (TSM)
4.2 Cryptographic Algorithm Requirements
4.2.1 SM
4.2.2 SM
4.2.3 HMAC
4.2.4 SM
4.2.5 Random Number
4.3 Functional Principles
4.3.1 Platform Integrity
4.3.2 Platform Identity Credibility
4.3.3 Platform Data Security Protection
5 Functional Interfaces of Cryptographic Support Platform for Trusted Computing
5.1 General
5.2 Context Management
5.2.1 General
5.2.2 Create Context
5.2.3 Close Context
5.2.4 Set Context Attribute (Integer Parameter)
5.2.5 Get Context Attribute (Integer Parameter)
5.2.6 Set Context Attribute (Variable Length Parameter)
5.2.7 Get Context Attribute (Variable Length Parameter)
5.2.8 Connect Context
5.2.9 Release Context
5.2.10 Get Context Default Policy
5.2.11 Create Object
5.2.12 Close Object
5.2.13 Get Platform Functionality
5.2.14 Get TCM Object Handle
5.2.15 Load Key by Key Attribute
5.2.16 Load Key by Key ID
5.2.17 Register Key
5.2.18 Unregister Key
5.2.19 Get Key by Key ID
5.2.20 Get Key by Public Key
5.2.21 Get Registered Key by ID
5.2.22 Set Transport Session Encryption Key
5.2.23 Close Transport Session
5.3 Policy Management
5.3.1 Set Policy Attribute (Integer Parameter)
5.3.2 Get Policy Attribute (Integer Parameter)
5.3.3 Set Policy Attribute (Variable Length Parameter)
5.3.4 Get Policy Attribute (Variable Length Parameter)
5.3.5 Set Policy Authorization
5.3.6 Clear Policy Authorization
5.3.7 Bind Policy Object
5.4 Trusted Cryptography Module (TCM) Management
5.4.1 General
5.4.2 Create Platform Identity and Certificate Request
5.4.3 Activate Platform Identity and Get PIK Certificate
5.4.4 Create PEK Request
5.4.5 Get PEK Certificate
5.4.6 Import PEK Key
5.4.7 Create Irrevocable TCM Endorsement Key
5.4.8 Get Public Key of TCM Endorsement Key
5.4.9 Create Revocable TCM Endorsement Key
5.4.10 Revoke TCM Endorsement Key
5.4.11 Create Cryptographic Module Owner
5.4.12 Clear TCM Owner
5.4.13 Set Operator Authorization
5.4.14 Set TCM Status
5.4.15 Query TCM Status
5.4.16 Get TCM Features
5.4.17 Complete TCM Self-test
5.4.18 Get TCM Self-test Result
5.4.19 Get Random Number generated by TCM
5.4.20 Get a Single TCM Event
5.4.21 Get a Set of TCM Events
5.4.22 Get TCM Event Log
5.4.23 TCM PCR Extension
5.4.24 Read TCM PCR Value
5.4.25 Reset TCM PCR
5.4.26 Quote PCR
5.4.27 Read TCM Counter
5.4.28 Read Current Clock in TCM
5.4.29 Get TCM Audit Digest Value
5.4.30 Set TCM Command Audit Status
5.5 Key Management
5.5.1 General
5.5.2 Change Entity Authorization Data
5.5.3 Get Policy Object
5.5.4 Set Key Attribute (Integer Parameter)
5.5.5 Get Key Attribute (Integer Parameter)
5.5.6 Set Key Attribute (Variable Length Parameter)
5.5.7 Get Key Attribute (Variable Length Parameter)
5.5.8 Load Key
5.5.9 Uninstall Key
5.5.10 Get Key Public Key
5.5.11 Sign Key
5.5.12 Create Key
5.5.13 Seal Key
5.5.14 Create Migration Authorization
5.5.15 Create Migration Key Data Block
5.5.16 Import Migration Key Data Block
5.6 Data Encryption and Decryption
5.6.1 Change Entity Authorization
5.6.2 Get Policy Object
5.6.3 Get Data Attribute (Integer Parameter)
5.6.4 Set Data Attribute (Variable Length Parameter)
5.6.5 Get Data Attribute
5.6.6 Data Encryption
5.6.7 Data Decryption
5.6.8 Data Sealing
5.6.9 Data Unsealing
5.6.10 Digital Envelope Sealing
5.6.11 Digital Envelope Decryption
5.7 PCR Management
5.7.1 General
5.7.2 Set PCR Locality Attribute
5.7.3 Get PCR Locality Attribute
5.7.4 Get PCR Digest
5.7.5 Set PCR Value
5.7.6 Get PCR Value
5.7.7 Select PCR Index
5.8 Nonvolatile Storage Management
5.8.1 Set Nonvolatile Storage Area Attribute (Integer Parameter)
5.8.2 Get Nonvolatile Storage Area Attribute (Integer Parameter)
5.8.3 Get Nonvolatile Storage Area Attribute (Variable Length Parameter)
5.8.4 Create Nonvolatile Storage Space
5.8.5 Release Nonvolatile Storage Space
5.8.6 Write Data to Nonvolatile Storage Area
5.8.7 Read Data from Nonvolatile Storage Area
5.9 Hash Operation
5.9.1 Set Hash Object Attribute (Integer Parameter)
5.9.2 Get Hash Object Attribute (Integer Parameter)
5.9.3 Set Hash Object Attribute (Variable Length Parameter)
5.9.4 Hash User Data
5.9.5 Set Hash Value
5.9.6 Get Hash Value
5.9.7 Update Hash Value
5.9.8 Sign Hash Value
5.9.9 Verify Hash Value Signature
5.9.10 Time Stamp Hash Object
5.10 Key Negotiation
5.10.1 Create Session
5.10.2 Get Session Key
5.10.3 Release Session
Annex A (Normative) Interface Specification—Data Structure
Annex B (Normative) Digital Certificate Format
Annex C (Normative) Motherboard Application Interface
Bibliography