From 8d690aa48c5dd5ed23de4724aa8a302e6ae9a4de Mon Sep 17 00:00:00 2001 From: Monty Wiseman Date: Sat, 26 Oct 2024 10:14:43 -0500 Subject: [PATCH 1/7] Clarified signing and verification procedures for TPM attestation --- index.bs | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 0a94cf0ed..9e66bd4d0 100644 --- a/index.bs +++ b/index.bs @@ -6536,8 +6536,11 @@ engine. setting the `extraData` parameter to the digest of |attToBeSigned| using the hash algorithm corresponding to the "alg" signature algorithm. (For the "RS256" algorithm, this would be a SHA-256 digest.) - Set the |pubArea| field to the public area of the credential public key, the |certInfo| field to the output parameter of the - same name, and the |sig| field to the signature obtained from the above procedure. + Set the |pubArea| field to the public area of the credential public key (the TPMT_PUBLIC structure), the |certInfo| field (the TPMS_ATTEST structure) + to the output parameter of the same name, and the |sig| field to the signature obtained from the above procedure. + + Note: If the |pubArea| is read from the TPM using the TPM2_ReadPublic command, that command returns a TPM2B_PUBLIC structure. TPM2B_PUBLIC + is two bytes of length followed by the TPMT_PUBLIC structure. The two bytes of length must be removed prior to putting this into the |pubArea|. : Verification procedure :: Given the [=verification procedure inputs=] |attStmt|, |authenticatorData| and |clientDataHash|, the [=verification procedure=] is 
@@ -6552,13 +6555,15 @@ engine. Concatenate |authenticatorData| and |clientDataHash| to form |attToBeSigned|. Validate that |certInfo| is valid: + Note: |certInfo| is a TPMS_ATTEST structure. - Verify that `magic` is set to `TPM_GENERATED_VALUE`. - Verify that `type` is set to `TPM_ST_ATTEST_CERTIFY`. - Verify that `extraData` is set to the hash of |attToBeSigned| using the hash algorithm employed in "alg". - Verify that `attested` contains a `TPMS_CERTIFY_INFO` structure as specified in [[!TPMv2-Part2]] section 10.12.3, whose `name` field contains a valid Name for |pubArea|, as computed using the procedure specified in [[!TPMv2-Part1]] - section 16. Note that the hash algorithm is included within the attested `name` field of the TPMS_CERTIFY_INFO structure. + section 16 using the nameAlg in the |pubArea|. Note that the hash algorithm is also included within the attested `name` + field of the TPMS_CERTIFY_INFO structure and will also match nameAlg in |pubArea| when returned by the TPM. - Verify that |x5c| is present. - Note that the remaining fields in the "Standard Attestation Structure" [[!TPMv2-Part1]] section 31.2, i.e., `qualifiedSigner`, `clockInfo` and `firmwareVersion` are ignored. From e51255db9de99e86544b02771940b7b471a7c3f7 Mon Sep 17 00:00:00 2001 From: Monty Wiseman Date: Sat, 26 Oct 2024 10:29:38 -0500 Subject: [PATCH 2/7] Minor formatting fixes --- index.bs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 9e66bd4d0..ef267c8c0 100644 --- a/index.bs +++ b/index.bs 
@@ -6562,10 +6562,13 @@ engine. - Verify that `attested` contains a `TPMS_CERTIFY_INFO` structure as specified in [[!TPMv2-Part2]] section 10.12.3, whose `name` field contains a valid Name for |pubArea|, as computed using the procedure specified in [[!TPMv2-Part1]] - section 16 using the nameAlg in the |pubArea|. Note that the hash algorithm is also included within the attested `name` - field of the TPMS_CERTIFY_INFO structure and will also match nameAlg in |pubArea| when returned by the TPM. + section 16 using the nameAlg in the |pubArea|. + + Note: that the hash algorithm is also included within the attested `name` + field of the TPMS_CERTIFY_INFO structure and will also match nameAlg in |pubArea| when returned by the TPM. - Verify that |x5c| is present. - - Note that the remaining fields in the "Standard Attestation Structure" [[!TPMv2-Part1]] + + Note: that the remaining fields in the "Standard Attestation Structure" [[!TPMv2-Part1]] section 31.2, i.e., `qualifiedSigner`, `clockInfo` and `firmwareVersion` are ignored. These fields MAY be used as an input to risk engines. From 4d5c9ea96b0a81692436b9f535a4d2f2d0420ffc Mon Sep 17 00:00:00 2001 From: Monty Wiseman Date: Sat, 26 Oct 2024 10:54:52 -0500 Subject: [PATCH 3/7] Add note that qualifiedSigner, clockInfo, and firmwareVersion may be obfuscated. --- index.bs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index ef267c8c0..61dcff7c9 100644 --- a/index.bs +++ b/index.bs 
@@ -6564,14 +6564,15 @@ engine. as computed using the procedure specified in [[!TPMv2-Part1]] section 16 using the nameAlg in the |pubArea|. - Note: that the hash algorithm is also included within the attested `name` + Note: The hash algorithm is also included within the attested `name` field of the TPMS_CERTIFY_INFO structure and will also match nameAlg in |pubArea| when returned by the TPM. - - Verify that |x5c| is present. - Note: that the remaining fields in the "Standard Attestation Structure" [[!TPMv2-Part1]] + Note: The remaining fields in the "Standard Attestation Structure" [[!TPMv2-Part1]] section 31.2, i.e., `qualifiedSigner`, `clockInfo` and `firmwareVersion` are ignored. - These fields MAY be used as an input to risk engines. + Depending on the properties of the |aikCert| key used, these fields may be obfuscated. + If valid, these MAY be used as an input to risk engines. + - Verify that |x5c| is present. - Verify the |sig| is a valid signature over |certInfo| using the attestation public key in |aikCert| with the algorithm specified in |alg|. - Verify that |aikCert| meets the requirements in [[#sctn-tpm-cert-requirements]]. From 73435ba83e68f4d669c52beeff2db69d168203d1 Mon Sep 17 00:00:00 2001 From: Monty Wiseman Date: Sat, 26 Oct 2024 11:00:04 -0500 Subject: [PATCH 4/7] Change verify to check sig of certInfo before processing it --- index.bs | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/index.bs b/index.bs index 61dcff7c9..230c8e860 100644 --- a/index.bs +++ b/index.bs 
@@ -6554,6 +6554,14 @@ engine. Concatenate |authenticatorData| and |clientDataHash| to form |attToBeSigned|. + Verify integrity of |certInfo| + - Verify that |x5c| is present. + - Verify that |aikCert| meets the requirements in [[#sctn-tpm-cert-requirements]]. + - If |aikCert| contains an extension with OID `1.3.6.1.4.1.45724.1.1.4` (`id-fido-gen-ce-aaguid`) verify that the value of this + extension matches the [=authData/attestedCredentialData/aaguid=] in |authenticatorData|. + - Verify the |sig| is a valid signature over |certInfo| using the attestation public key in |aikCert| with the + algorithm specified in |alg|. + Validate that |certInfo| is valid: Note: |certInfo| is a TPMS_ATTEST structure. - Verify that `magic` is set to `TPM_GENERATED_VALUE`. @@ -6572,12 +6580,6 @@ engine. Depending on the properties of the |aikCert| key used, these fields may be obfuscated. If valid, these MAY be used as an input to risk engines. - - Verify that |x5c| is present. - - Verify the |sig| is a valid signature over |certInfo| using the attestation public key in |aikCert| with the - algorithm specified in |alg|. - - Verify that |aikCert| meets the requirements in [[#sctn-tpm-cert-requirements]]. - - If |aikCert| contains an extension with OID `1.3.6.1.4.1.45724.1.1.4` (`id-fido-gen-ce-aaguid`) verify that the value of this - extension matches the [=authData/attestedCredentialData/aaguid=] in |authenticatorData|. - If successful, return implementation-specific values representing [=attestation type=] [=AttCA=] and [=attestation trust path=] |x5c|. From 96e5e072fa1cfcf22fcaca25af3a5997b2f06460 Mon Sep 17 00:00:00 2001 From: Monty Wiseman Date: Sun, 27 Oct 2024 16:35:23 -0500 Subject: [PATCH 5/7] Disallow HardwareModuleName in attestation certificate's SAN. Update referece to EK-Profile to current version. --- index.bs | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index 230c8e860..ba3504f60 100644 --- a/index.bs +++ b/index.bs 
@@ -6568,9 +6568,7 @@ engine. - Verify that `type` is set to `TPM_ST_ATTEST_CERTIFY`. - Verify that `extraData` is set to the hash of |attToBeSigned| using the hash algorithm employed in "alg". - Verify that `attested` contains a `TPMS_CERTIFY_INFO` structure as specified in [[!TPMv2-Part2]] section 10.12.3, - whose `name` field contains a valid Name for |pubArea|, - as computed using the procedure specified in [[!TPMv2-Part1]] - section 16 using the nameAlg in the |pubArea|. + whose `name` field contains a valid Name for |pubArea|, as computed using the procedure specified in [[!TPMv2-Part1]] section 16 using the nameAlg in the |pubArea|. Note: The hash algorithm is also included within the attested `name` field of the TPMS_CERTIFY_INFO structure and will also match nameAlg in |pubArea| when returned by the TPM. @@ -6593,6 +6591,11 @@ TPM [=attestation certificate=] MUST have the following fields/extensions: - The Subject Alternative Name extension MUST be set as defined in [[!TPMv2-EK-Profile]] section 3.2.9. + Note: Previous versions of [[!TPMv2-EK-Profile]] allowed the inclusion of an optional attribute, + called HardwareModuleName, that contains the TPM serial number in the EK certificate. + HardwareModuleName SHOULD NOT be placed in in the [=attestation certificate=] + Subject Alternatieve Name. + - The Extended Key Usage extension MUST contain the OID `2.23.133.8.3` ("joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)"). @@ -9417,7 +9420,7 @@ for their contributions as our W3C Team Contacts. "TPMv2-EK-Profile": { "title": "TCG EK Credential Profile for TPM Family 2.0", "publisher": "Trusted Computing Group", - "href": "https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf" + "href": "https://trustedcomputinggroup.org/wp-content/uploads/TCG-EK-Credential-Profile-V-2.5-R2_published.pdf" }, "FIDOAuthnrSecReqs": { 
From 1314870b7b60a00ceee1a1f3598c3b8085b7d70c Mon Sep 17 00:00:00 2001 From: Monty Wiseman Date: Wed, 30 Oct 2024 06:01:11 -0500 Subject: [PATCH 6/7] Correct spelling --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index ba3504f60..b9cd36e27 100644 --- a/index.bs +++ b/index.bs @@ -6594,7 +6594,7 @@ TPM [=attestation certificate=] MUST have the following fields/extensions: Note: Previous versions of [[!TPMv2-EK-Profile]] allowed the inclusion of an optional attribute, called HardwareModuleName, that contains the TPM serial number in the EK certificate. HardwareModuleName SHOULD NOT be placed in in the [=attestation certificate=] - Subject Alternatieve Name. + Subject Alternative Name. - The Extended Key Usage extension MUST contain the OID `2.23.133.8.3` ("joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)"). From 9618b97762365855aa2d52e1992a1ab66cc1f8dc Mon Sep 17 00:00:00 2001 From: Monty Wiseman Date: Wed, 13 Nov 2024 09:45:01 -0600 Subject: [PATCH 7/7] Further clarification of nameAlg in TPMS_CERTIFY_INFO structure and PublicArea --- index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 775383c41..617589894 100644 --- a/index.bs +++ b/index.bs 
@@ -6590,8 +6590,8 @@ engine. - Verify that `attested` contains a `TPMS_CERTIFY_INFO` structure as specified in [[!TPMv2-Part2]] section 10.12.3, whose `name` field contains a valid Name for |pubArea|, as computed using the procedure specified in [[!TPMv2-Part1]] section 16 using the nameAlg in the |pubArea|. - Note: The hash algorithm is also included within the attested `name` - field of the TPMS_CERTIFY_INFO structure and will also match nameAlg in |pubArea| when returned by the TPM. + Note: The TPM will always return TPMS_CERTIFY_INFO structure with the same nameAlg in the `name` as the nameAlg + in |pubArea|. Note: The remaining fields in the "Standard Attestation Structure" [[!TPMv2-Part1]] section 31.2, i.e., `qualifiedSigner`, `clockInfo` and `firmwareVersion` are ignored.
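
Review bot: In [PATCH 1/7], hunk @@ -6536, the added Note carries a requirement ("The two bytes of length must be removed") in informative text and in lowercase. The verification procedure checks that the attested `name` is a valid Name for |pubArea|, so an authenticator that leaves the TPM2B_PUBLIC length prefix in place produces a statement that fails that check. Consider stating in the signing step itself that |pubArea| is the TPMT_PUBLIC structure without the size prefix, using normative wording, and keeping the Note only to explain what TPM2_ReadPublic returns.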
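
Review bot: In [PATCH 1/7], hunk @@ -6552, the new line "Note: |certInfo| is a TPMS_ATTEST structure." names the structure without a reference, while the TPMS_CERTIFY_INFO bullet a few lines below cites [[!TPMv2-Part2]] section 10.12.3. Please add the corresponding [[!TPMv2-Part2]] citation for TPMS_ATTEST here, and for TPMT_PUBLIC in the signing hunk, so an implementer can find the field layout for `magic`, `type`, `extraData` and `attested` without searching.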
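
Review bot: In [PATCH 2/7], both added notes begin "Note: that the ...", which does not read as a sentence once the "Note:" prefix is rendered. [PATCH 3/7] rewrites the same two lines to "Note: The ...", so squashing 2/7 and 3/7 would keep the intermediate wording out of the history. Also confirm that turning the former list item "- Note that the remaining fields" into a "Note:" paragraph still renders inside the validation list and not as a break in it.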
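
Review bot: In [PATCH 3/7], the added sentence "If valid, these MAY be used as an input to risk engines." gives the Relying Party no way to decide what "valid" means, and the preceding sentence says the fields "may be obfuscated" without saying how obfuscation is detected. The same Note also says the fields "are ignored" and then that they MAY be used, and it places a normative MAY inside informative text next to a lowercase "may". Suggest either specifying how a verifier can tell from |aikCert| that `qualifiedSigner`, `clockInfo` and `firmwareVersion` are not obfuscated, or saying plainly that they cannot be relied on, and moving the MAY out of the Note.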
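
Review bot: In [PATCH 4/7], the commit subject says the signature is checked before |certInfo| is processed, but the text does not state that ordering: the new "Verify integrity of |certInfo|" block and the "Validate that |certInfo| is valid:" block are both bullet lists with nothing requiring one to complete before the other. Add a sentence that the fields of |certInfo| are only examined after |sig| has verified against the key in |aikCert|, and that the procedure fails otherwise. The new heading is also missing the trailing colon used by "Validate that |certInfo| is valid:", and its first three bullets concern |x5c| and |aikCert| rather than the integrity of |certInfo|, so a broader heading would fit better.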
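
Review bot: In [PATCH 5/7], hunk @@ -6593, the commit subject says "Disallow HardwareModuleName" but the added text is "SHOULD NOT", and it sits inside a "Note:" under the Subject Alternative Name bullet. If the intent is to disallow a TPM serial number in the attestation certificate, make it a normative bullet with MUST NOT; if SHOULD NOT is intended, adjust the commit subject and say what a verifier does when it encounters the attribute. The Note also does not say why the attribute is unwanted, and one clause on the reason would help certificate issuers.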
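
Review bot: In [PATCH 5/7], hunk @@ -9417, the "TPMv2-EK-Profile" href moves from Credential_Profile_EK_V2.0_R14 to TCG-EK-Credential-Profile-V-2.5-R2, but the requirement in the certificate section still cites "[[!TPMv2-EK-Profile]] section 3.2.9" unchanged. Please confirm that the section number still points at the Subject Alternative Name definition in the new revision, and check any other section references to this document in index.bs.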
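
Review bot: In [PATCH 6/7], the spelling fix leaves the doubled word on the context line directly above it: "HardwareModuleName SHOULD NOT be placed in in the [=attestation certificate=]". Fix "in in" in the same commit, or squash this commit into 5/7, which introduced both problems.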
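
Review bot: In [PATCH 7/7], the replacement Note describes only what the TPM does ("The TPM will always return TPMS_CERTIFY_INFO structure with the same nameAlg ...") and leaves the verifier's behaviour on a mismatch implicit. Since the bullet above already requires `name` to be a valid Name for |pubArea| computed with the nameAlg in |pubArea|, say explicitly that a `name` carrying a different algorithm fails that check. The sentence is also missing an article ("return a TPMS_CERTIFY_INFO structure").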