Naturally using Open Source Software, one of our goals is to contribute back into the community to improve and broaden the usability of these OSS projects. One of these projects is Google's Go-TPM library for handling Trusted Platform Modules. We're using the Go-TPM library in our Converged Security Suite and had plenty of opportunities to push commits into the project.

For TPM 1.2 we pushed several commits related to NV RAM operations. NVReadValue was already implemented but we couldn't define our indices nor writing to it. Also, we missed some functions about general TPM information like supported hash algorithms, already defined NV indices, and the permanent flags which give information about the state of the TPM.

TPM1.2 Additions

  • Added GetPermanentFlags
  • Added GetNVList
  • Added GetAlgs
  • Added GetNVIndex
  • Added NVDefineSpace
  • Added NVWriteValue
  • Added NVReadValueAuth, NVWriteValueAuth
  • Improved NVReadValue-Function
  • Improved data structures all over TPM1.2

For TPM 2.0 we saw the need of introducing policy session handling and assertion for our Converged-Security-Suite provisioning tools. The concept behind this is that the TPM generates a hash value when beginning the authentication session. The hash value will be modified in a certain way, depending on which policy command is executed next. This allows the user to generate a policy inside the TPM which can be read and bound to an object in the TPM, lets say an NV index. Now every time you want to read, write or delete the index, you need to make sure, that the session policy matches the hash value bound to the index. The actions are bound to attributes of the NV index. So you can build a policy for writing, a different for deleting, and merge them via a hash operation. Depending on the operation one wants to execute, one needs to satisfy at least the part of the policy bound the action. How cool that is you ask? Well, Intel is using this for their Trusted Execution Technology (TXT), Boot Guard (BtG) together also known as Converged Boot Guard and Trusted Execution Technology (CBnT).

TPM2.0 Additions

  • Added PolicyCommandCode
  • Added NVDefineSpaceSpecial
  • Added PolicyOr

We will continue to contribute to Google's Go-TPM library because it's enabling us to build solutions for our customers with our motto in mind:
Security meets Usability.

If you want to know more about our firmware and security work please feel free to contact us at cybersecurity@9elements.com