The last decade has seen the emergence of trusted computing platforms based on a trusted secure hardware device known as a Trusted Platform Module (TPM). The Trusted Computing Group (TCG) develops specifications in this area, for example the “TCG TPM Specification” Version 1.2, which is published on the TCG website <https://www.trustedcomputinggroup.org/>. A description of trusted computing principles, of a TPM, and of example trusted platforms is given in the Appendix hereto with reference to FIGS. 1 to 8 of the accompanying drawings.
The TCG integrity measurement/reporting solution is based on an integrity measurement chain. The root of the chain is the TPM, which records in internal registers (called platform configuration registers or “PCRs”) a number of integrity metrics that are the cryptographic hash values of every component code in the chain. The TPM is arranged to report PCR values to a local or remote user (also called a “verifier”) who can then check the integrity of the components of the chain as currently loaded on the computing platform by checking the reported PCR values against known reference values. The PCR-value reports are signed by the TPM to enable the verifier to check, by verifying the signature, that the report comes from the platform's TPM.
The existing TCG usage model was originally intended for single systems with the TPM as the sole repository for integrity measurements and reporting. Recently, virtualization has become an increasingly popular technology to achieve more and more complicated security requirements on computing platforms. In essence, virtualization enables simple consolidation and isolation of multiple virtual platforms on the same computing platform. As a result, virtualization has brought new challenges to integrity measurement. More specifically, an integrity measurement service now needs to retain more information about the state of the platform and keep track of complex trust dependencies between platform components.
Unfortunately, the TCG integrity measurement approach is fundamentally limited by the fact that the TPM contains only a small number of PCRs (typically 16). Hence, it is not feasible to store individual measurements for a large number of virtualized platform components.
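As an added illustration of the measurement chain and the PCR limitation described above (example code, not part of the application), the following Python simulates the TPM 1.2 PCR extend operation and a verifier recomputing the expected PCR value from known reference metrics; the component contents, the PCR index and the all-zero reset value are constructed for the example.

```python
import hashlib

PCR_SIZE = 20   # a TPM 1.2 PCR holds one SHA-1 digest (20 bytes)
NUM_PCRS = 16   # typical TPM 1.2 PCR count, as the text notes


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || measurement).
    The PCR is never overwritten, only accumulated into, so one
    register summarises an ordered chain of many measurements."""
    assert len(pcr) == PCR_SIZE and len(measurement) == PCR_SIZE
    return hashlib.sha1(pcr + measurement).digest()


def measure(component_code: bytes) -> bytes:
    """Integrity metric of a component: the hash of its code."""
    return hashlib.sha1(component_code).digest()


def boot_chain(pcr_index: int, components: list) -> list:
    """Platform side: each component is measured into one PCR before it is
    loaded, starting from the reset value (constructed here as all zeros)."""
    pcrs = [bytes(PCR_SIZE)] * NUM_PCRS
    for code in components:
        pcrs[pcr_index] = extend(pcrs[pcr_index], measure(code))
    return pcrs


def expected_pcr(reference_metrics: list) -> bytes:
    """Verifier side: replay the known reference metrics in order."""
    pcr = bytes(PCR_SIZE)
    for metric in reference_metrics:
        pcr = extend(pcr, metric)
    return pcr


def verify_report(reported_pcr: bytes, reference_metrics: list) -> bool:
    """Compare the reported PCR against the value expected for the chain."""
    return reported_pcr == expected_pcr(reference_metrics)


# Constructed stand-ins for the code of each chain component.
GOOD_CHAIN = [b"CRTM v1", b"BIOS v2.3", b"bootloader v0.9", b"kernel v5"]
REFERENCE = [measure(c) for c in GOOD_CHAIN]


def demo() -> tuple:
    """Returns (honest chain verifies, chain with modified bootloader verifies)."""
    honest = boot_chain(0, GOOD_CHAIN)[0]
    modified = GOOD_CHAIN[:2] + [b"bootloader v0.9 (modified)"] + GOOD_CHAIN[3:]
    return verify_report(honest, REFERENCE), verify_report(boot_chain(0, modified)[0], REFERENCE)
```

Because every measurement is folded into the same register, the verifier can only confirm the whole chain, which is why the text's small PCR count cannot hold individual measurements for many virtualized components.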
Published European patent application EP-A-1980970 discloses a software component providing measurement/reporting support to the TPM functionality. This software component (called the ‘base component’) is part of the platform trusted computing base and securely stores integrity metrics provided by virtual trusted entities that monitor software components outside of the trusted computing base. When a verifier wishes to check the integrity of the platform, the TPM and base component cooperate to provide a signed report with both the TPM and the base component individually signing elements of the report using respective signing keys.
A problem arises as to how to provide the base component with its signing key in a trustable manner and such that the same key is used each time the computing platform is started.