1. Field
The present invention relates generally to provisioning an endorsement primary seed (EPS) and an endorsement key certificate for a firmware trusted platform module (fTPM).
2. Background
An EPS is a fixed-size random value fixed/bound to a particular trusted platform module (TPM). The EPS value is a secret. The endorsement key (EK) is an asymmetric key pair (e.g., RSA/ECCkey) generated using the EPS. The private component of this asymmetric key is a secret. A corresponding EK certificate (EKCert) is generated and signed by a Certificate Authority that vouches for the corresponding EK. The manufacturer of each TPM (a hardware module) provisions a unique EPS and corresponding EKCert into each TPM.
For a firmware TPM (fTPM), nonvolatile (NV) storage is not available until an original equipment manufacturer (OEM) boots up the device using the TPM. Thus, the TPM manufacturer has no way to provision the EPS and corresponding EKCert in the factory. Storing the fTPM's unique EPS and EKCert (signature) in fuses would require hardware changes.
During device initialization (or when needed) the TPM uses the EPS to generate the EK. The TPM can present the corresponding stored EKCert to another entity, and that entity can determine with certainty that they are communicating with a specific TPM. The EPS and private EK are security sensitive and should not be leaked during and after provisioning to the TPM.
For such hardware-based TPMs, when the hardware is created, the EK and certificate pairs are generated on the factory floor and fused inside the TPM's emmc/fuses/ROM that is only accessible to the TPM. The TPM, by design, is not supposed to leak the private information.
A problem with the fTPM is that it is software running in a secure kernel (TrustZone or other such environments) and it loads and runs on a standard CPU. Since it is all in software, device unique keys cannot be provisioned in the software. Also, it is especially challenging due to time-consuming secure generation of the EPS, EK, and EKCert, and to provision these when the final device (e.g., mobile phone, tablet, or other such device) is made in the factory.
There is therefore a need for a technique for provisioning an EKCert for an fTPM.