

Trusted Platform Module Library

TCG Published
Copyright © TCG 2006-2020


Trusted Computing Group (TCG) grants to the user of the source code in this specification (the “Source Code”) a worldwide, irrevocable, nonexclusive, royalty free, copyright license to reproduce, create derivative works, distribute, display and perform the Source Code and derivative works thereof, and to grant others the rights granted herein.

The TCG grants to the user of the other parts of the specification (other than the Source Code) the rights to reproduce, distribute, display, and perform the specification solely for the purpose of developing products based on such documents.


Any marks and brands contained herein are the property of their respective owners.

Page ii TCG Published Family “2.0”
November 8, 2019


Contents

Introduction .......... 2
AuthorizationSize and ParameterSize .......... 3
5.2 Command Header Validation .......... 4
5.5 Session Area Validation .......... 6
5.8 Parameter Unmarshaling .......... 9
Tag .......... 12
8.2 Pre-processing .......... 16
Introduction .......... 17
TPM2_Shutdown .......... 27
10 Testing .......... 31
12.1 TPM2_Create .......... 50

Level 00 Revision 01.59


14 Asymmetric Primitives .......... 100
14.1 Introduction .......... 100
14.2 TPM2_RSA_Encrypt .......... 100
14.3 TPM2_RSA_Decrypt .......... 104
14.4 TPM2_ECDH_KeyGen .......... 108
14.5 TPM2_ECDH_ZGen .......... 111
14.6 TPM2_ECC_Parameters .......... 114
14.7 TPM2_ZGen_2Phase .......... 117

17 Hash/HMAC/Event Sequences .......... 146
17.1 Introduction .......... 146
17.2 TPM2_HMAC_Start .......... 146
17.3 TPM2_MAC_Start .......... 150
17.4 TPM2_HashSequenceStart .......... 153
17.5 TPM2_SequenceUpdate .......... 156
17.6 TPM2_SequenceComplete .......... 160
17.7 TPM2_EventSequenceComplete .......... 164


Trusted Platform Module Library Part 3: Commands

18.7 TPM2_GetTime .......... 187
18.8 TPM2_CertifyX509 .......... 189

21 Command Audit .......... 213
21.1 Introduction .......... 213
21.2 TPM2_SetCommandCodeAuditStatus .......... 214


25.1 Introduction .......... 355
25.2 TPM2_DictionaryAttackLockReset .......... 355
25.3 TPM2_DictionaryAttackParameters .......... 358

26 Miscellaneous Management Functions .......... 361

28.1 Introduction .......... 378
28.2 TPM2_ContextSave .......... 378
28.3 TPM2_ContextLoad .......... 383
28.4 TPM2_FlushContext .......... 388
28.5 TPM2_EvictControl .......... 391

29 Clocks and Timers .......... 396

31.1 Introduction .......... 416
31.2 NV Counters .......... 417
31.3 TPM2_NV_DefineSpace .......... 418
31.4 TPM2_NV_UndefineSpace .......... 424
31.5 TPM2_NV_UndefineSpaceSpecial .......... 427
31.6 TPM2_NV_ReadPublic .......... 430


32.1 Introduction .......... 467
32.2 TPM2_AC_GetCapability .......... 468
32.3 TPM2_AC_Send .......... 471
32.4 TPM2_Policy_AC_SendSelect .......... 475

33 Authenticated Countdown Timer .......... 479


Tables


Table 38 — TPM2_Duplicate Response .......... 87
Table 39 — TPM2_Rewrap Command .......... 91
Table 40 — TPM2_Rewrap Response .......... 91
Table 41 — TPM2_Import Command .......... 96
Table 42 — TPM2_Import Response .......... 96
Table 43 — Padding Scheme Selection .......... 100
Table 44 — Message Size Limits Based on Padding .......... 101
Table 45 — TPM2_RSA_Encrypt Command .......... 102
Table 46 — TPM2_RSA_Encrypt Response .......... 102
Table 47 — TPM2_RSA_Decrypt Command .......... 105
Table 48 — TPM2_RSA_Decrypt Response .......... 105
Table 49 — TPM2_ECDH_KeyGen Command .......... 109
Table 50 — TPM2_ECDH_KeyGen Response .......... 109
Table 51 — TPM2_ECDH_ZGen Command .......... 112
Table 52 — TPM2_ECDH_ZGen Response .......... 112
Table 53 — TPM2_ECC_Parameters Command .......... 115
Table 54 — TPM2_ECC_Parameters Response .......... 115
Table 55 — TPM2_ZGen_2Phase Command .......... 118
Table 56 — TPM2_ZGen_2Phase Response .......... 118
Table 57 — Symmetric Chaining Process .......... 122
Table 58 — TPM2_EncryptDecrypt Command .......... 124
Table 59 — TPM2_EncryptDecrypt Response .......... 124
Table 60 — TPM2_EncryptDecrypt2 Command .......... 128
Table 61 — TPM2_EncryptDecrypt2 Response .......... 128
Table 62 — TPM2_Hash Command .......... 131
Table 63 — TPM2_Hash Response .......... 131
Table 64 — TPM2_HMAC Command .......... 134
Table 65 — TPM2_HMAC Response .......... 134
Table 66 — TPM2_MAC Command .......... 138
Table 67 — TPM2_MAC Response .......... 138
Table 68 — TPM2_GetRandom Command .......... 141
Table 69 — TPM2_GetRandom Response .......... 141
Table 70 — TPM2_StirRandom Command .......... 144
Table 71 — TPM2_StirRandom Response .......... 144
Table 72 — Hash Selection Matrix .......... 146
Table 73 — TPM2_HMAC_Start Command .......... 147
Table 74 — TPM2_HMAC_Start Response .......... 147
Table 75 — Algorithm Selection Matrix .......... 150
Table 76 — TPM2_MAC_Start Command .......... 151


Table 116 — TPM2_PCR_Allocate Command .......... 228
Table 117 — TPM2_PCR_Allocate Response .......... 228
Table 118 — TPM2_PCR_SetAuthPolicy Command .......... 231
Table 119 — TPM2_PCR_SetAuthPolicy Response .......... 231
Table 120 — TPM2_PCR_SetAuthValue Command .......... 234
Table 121 — TPM2_PCR_SetAuthValue Response .......... 234
Table 122 — TPM2_PCR_Reset Command .......... 237
Table 123 — TPM2_PCR_Reset Response .......... 237
Table 124 — TPM2_PolicySigned Command .......... 253
Table 125 — TPM2_PolicySigned Response .......... 253
Table 126 — TPM2_PolicySecret Command .......... 258
Table 127 — TPM2_PolicySecret Response .......... 258
Table 128 — TPM2_PolicyTicket Command .......... 262
Table 129 — TPM2_PolicyTicket Response .......... 262
Table 130 — TPM2_PolicyOR Command .......... 266
Table 131 — TPM2_PolicyOR Response .......... 266
Table 132 — TPM2_PolicyPCR Command .......... 270
Table 133 — TPM2_PolicyPCR Response .......... 270
Table 134 — TPM2_PolicyLocality Command .......... 274
Table 135 — TPM2_PolicyLocality Response .......... 274
Table 136 — TPM2_PolicyNV Command .......... 278
Table 137 — TPM2_PolicyNV Response .......... 278
Table 138 — TPM2_PolicyCounterTimer Command .......... 282
Table 139 — TPM2_PolicyCounterTimer Response .......... 282
Table 140 — TPM2_PolicyCommandCode Command .......... 286
Table 141 — TPM2_PolicyCommandCode Response .......... 286
Table 142 — TPM2_PolicyPhysicalPresence Command .......... 289
Table 143 — TPM2_PolicyPhysicalPresence Response .......... 289
Table 144 — TPM2_PolicyCpHash Command .......... 292
Table 145 — TPM2_PolicyCpHash Response .......... 292
Table 146 — TPM2_PolicyNameHash Command .......... 296
Table 147 — TPM2_PolicyNameHash Response .......... 296
Table 148 — TPM2_PolicyDuplicationSelect Command .......... 300
Table 149 — TPM2_PolicyDuplicationSelect Response .......... 300
Table 150 — TPM2_PolicyAuthorize Command .......... 304
Table 151 — TPM2_PolicyAuthorize Response .......... 304
Table 152 — TPM2_PolicyAuthValue Command .......... 308
Table 153 — TPM2_PolicyAuthValue Response .......... 308
Table 154 — TPM2_PolicyPassword Command .......... 311


The detailed description of the operation of the commands is written in the C language with extensive comments. The behavior of the C code in this TPM 2.0 Part 3 is normative but does not fully describe the behavior of a TPM. The combination of this TPM 2.0 Part 3 and TPM 2.0 Part 4 is sufficient to fully describe the required behavior of a TPM.

The code in parts 3 and 4 is written to define the behavior of a compliant TPM. In some cases (e.g., firmware update), it is not possible to provide a compliant implementation. In those cases, any implementation provided by the vendor that meets the general description of the function provided in TPM 2.0 Part 3 would be compliant.

For the purposes of this document, the symbols and abbreviated terms given in TPM 2.0 Part 1 apply.


For the purposes of this document, the notation given in TPM 2.0 Part 1 applies.

Command and response tables use various decorations to indicate the fields of the command and the allowed types. These decorations are described in this clause.

Notation  Meaning

+   A Type decoration – When appended to a value in the Type column of a command, this symbol indicates that the parameter is allowed to use the “null” value of the data type (see TPM 2.0 Part 2, Conditional Types). The null value is usually TPM_RH_NULL for a handle or TPM_ALG_NULL for an algorithm selector.
    NOTE This decoration is not appended to response parameters.

@
+PP
+{PP}
{NV}
    NOTE Any command that uses authorization may cause a write to NV if there is an authorization failure. A TPM may use the occasion of command execution to update the NV copy of clock.

{F}
{E}
    EXAMPLE 1
    EXAMPLE 2 {NV E} TPM2_Clear() will flush all contexts associated with the Storage hierarchy and the Endorsement hierarchy.

Auth Index:   A Description modifier – When a handle has a “@” decoration, the “Description” column will contain an “Auth Index:” entry for the handle. This entry indicates the number of the authorization session. The authorization sessions associated with handles will occur in the session area in the order of the handles with the “@” modifier. Sessions used only for encryption/decryption or only for audit will follow the handles used for authorization.

Auth Role:   When either ADMIN or DUP role is selected, a policy command that selects the command being authorized is required to be part of the policy.

EXAMPLE

Table 2 — Separators

Separator  Meaning
(handle-area separator)     the values immediately following are in the handle area
(parameter-area separator)  the values immediately following are in the parameter area


For the RC_FMT1 return codes that may add a parameter, handle, or session number, the prefix TPM_RCS_ is an alias for TPM_RC_.

TPM_RC_n is added, where n is the parameter, handle, or session number. In addition, TPM_RC_H is added for handle, TPM_RC_P for parameter, and TPM_RC_S for session errors.

By convention, the number to be added is of the form RC_CommandName_ParameterName, where CommandName is the name of the command with the TPM2_ prefix removed. The parameter name alone is insufficient because the same parameter name could be in a different position in different commands.

EXAMPLE 2

TPM2_HMAC_Start with parameters that result in TPM_ALG_NULL as the hash algorithm will return TPM_RC_VALUE plus the parameter number. Since hashAlg is the second parameter, this code results:

#define RC_HMAC_Start_hashAlg
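The alias convention above, as an added C example (not the specification's own code): it composes a format-1 response code from its base error, its kind (handle, parameter or session) and its number, and decodes such a code back into those parts. The value given to RC_HMAC_Start_hashAlg is an assumption that follows the stated convention; the other constants are those of TPM 2.0 Part 2.

```c
#include <stdint.h>
#include <stdio.h>

/* Response-code building blocks from TPM 2.0 Part 2 (Structures). */
#define RC_FMT1        0x080u              /* bit 7 set: a format-1 response code */
#define TPM_RC_VALUE   (RC_FMT1 + 0x004u)  /* value is out of range or not correct */
#define TPM_RC_HANDLE  (RC_FMT1 + 0x00Bu)  /* the handle is not correct for the use */
#define TPM_RC_H       0x000u              /* added for handle errors */
#define TPM_RC_P       0x040u              /* added for parameter errors (bit 6) */
#define TPM_RC_S       0x800u              /* added for session errors (bit 11) */
#define TPM_RC_1       0x100u              /* handle/parameter/session number n, bits 11:8 */
#define TPM_RC_2       0x200u
#define TPM_RC_3       0x300u
#define TPM_RC_FAILURE 0x101u              /* a format-0 code (RC_VER1 + 1), for contrast */

/* TPM_RCS_ is the alias used for RC_FMT1 codes that may have a number added. */
#define TPM_RCS_VALUE  TPM_RC_VALUE

/* RC_CommandName_ParameterName alias for hashAlg, the second parameter of
 * TPM2_HMAC_Start.  Its value follows the convention stated in the text and is
 * an assumption of this example, not quoted from the specification. */
#define RC_HMAC_Start_hashAlg (TPM_RC_P + TPM_RC_2)

typedef struct {
    uint32_t base;    /* the RC_FMT1 error with handle/parameter/session bits removed */
    char     kind;    /* 'H' handle, 'P' parameter, 'S' session, '-' not a FMT1 code  */
    unsigned number;  /* index n of the offending handle, parameter or session        */
} rc_fmt1_info;

/* Compose a format-1 code the way the text describes: base + kind + TPM_RC_n. */
uint32_t rc_fmt1_encode(uint32_t base, char kind, unsigned n)
{
    uint32_t rc = base + ((uint32_t)n << 8);
    if (kind == 'P')      rc += TPM_RC_P;
    else if (kind == 'S') rc += TPM_RC_S;
    else                  rc += TPM_RC_H;
    return rc;
}

/* Split a response code into base error, kind and index.  Returns 0 for a code
 * that is not format 1 (e.g. TPM_RC_FAILURE), leaving base equal to rc. */
int rc_fmt1_decode(uint32_t rc, rc_fmt1_info *out)
{
    out->base = rc; out->kind = '-'; out->number = 0;
    if ((rc & RC_FMT1) == 0)
        return 0;
    out->base = RC_FMT1 | (rc & 0x03Fu);   /* bits 5:0 hold the error number */
    if (rc & TPM_RC_P) {                   /* P set: bits 11:8 are a parameter number 1..15 */
        out->kind = 'P';
        out->number = (rc >> 8) & 0xFu;
    } else if (rc & TPM_RC_S) {            /* P clear, bit 11 set: session number in bits 10:8 */
        out->kind = 'S';
        out->number = (rc >> 8) & 0x7u;
    } else {                               /* P and S clear: handle number in bits 10:8 */
        out->kind = 'H';
        out->number = (rc >> 8) & 0x7u;
    }
    return 1;
}

int main(void)
{
    rc_fmt1_info info;
    uint32_t rc = TPM_RCS_VALUE + RC_HMAC_Start_hashAlg;   /* what TPM2_HMAC_Start returns */
    rc_fmt1_decode(rc, &info);
    printf("rc 0x%03X -> base 0x%03X kind %c number %u\n",
           (unsigned)rc, (unsigned)info.base, info.kind, info.number);
    return 0;
}
```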

This clause defines the command validations that are required of any implementation and the response code returned if the indicated check fails. Unless stated otherwise, the order of the checks is not normative, and different TPMs may give different responses when a command has multiple errors.

In the description below, some statements that describe a check may be followed by a response code in parentheses. This is the normative response code should the indicated check fail. A normative response code may also be included in the statement.


The following mode checks shall be performed in the order listed:

If the TPM is in Failure mode, then the commandCode is TPM_CC_GetTestResult or TPM_CC_GetCapability (TPM_RC_FAILURE) and the command tag is TPM_ST_NO_SESSIONS (TPM_RC_FAILURE).

There may be failures where a TPM cannot record that it received TPM2_Startup(). In those cases, a TPM in failure mode may process TPM2_GetTestResult(), TPM2_GetCapability(), or the field upgrade commands. As a side effect, that TPM may process TPM2_GetTestResult(), TPM2_GetCapability() or the field upgrade commands before TPM2_Startup().

This is a corner case exception to the rule that TPM2_Startup() must be the first command.

The TPM shall successfully unmarshal the number of handles required by the command and validate that the value of the handle is consistent with the command syntax. If not, the TPM shall return TPM_RC_VALUE.

NOTE 2 The TPM may unmarshal a handle and validate that it references an entity on the TPM before unmarshaling a subsequent handle.

For all handles in the handle area of the command, the TPM will validate that the referenced entity is present in the TPM.

1) If the handle references a transient object, the handle shall reference a loaded object (TPM_RC_REFERENCE_H0 + N where N is the number of the handle in the command).


iii) if the handle references a persistent object that is associated with the endorsement hierarchy, that the endorsement hierarchy is not disabled (TPM_RC_HANDLE); and

NOTE 5

The reference implementation keeps an internal attribute, passed down from a primary key to its descendants, indicating the object's hierarchy.

iii) If the command requires write access to the index data, then TPMA_NV_WRITELOCKED is not SET (TPM_RC_NV_LOCKED)

iv) If the command requires read access to the index data, then TPMA_NV_READLOCKED is not SET (TPM_RC_NV_LOCKED)

5.5 Session Area Validation

If the tag is TPM_ST_SESSIONS and the command requires TPM_ST_NO_SESSIONS, the TPM will return TPM_RC_AUTH_CONTEXT.
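An added C example, not taken from the specification's reference code, of parsing a command header and applying the Failure-mode check and the TPM_ST_SESSIONS check described above. The three-command table, the failureMode flag and the TPM2_Startup sample buffer are constructed for this example; the tag, command-code and response-code constants are those of TPM 2.0 Part 2.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constants from TPM 2.0 Part 2 (Structures). */
#define TPM_ST_NO_SESSIONS   0x8001u
#define TPM_ST_SESSIONS      0x8002u
#define TPM_CC_Startup       0x00000144u
#define TPM_CC_GetCapability 0x0000017Au
#define TPM_CC_GetTestResult 0x0000017Cu
#define TPM_RC_SUCCESS       0x000u
#define TPM_RC_BAD_TAG       0x01Eu
#define RC_VER1              0x100u
#define TPM_RC_FAILURE       (RC_VER1 + 0x001u)
#define TPM_RC_COMMAND_SIZE  (RC_VER1 + 0x042u)
#define TPM_RC_COMMAND_CODE  (RC_VER1 + 0x043u)
#define TPM_RC_AUTH_CONTEXT  (RC_VER1 + 0x045u)
#define TPM_HEADER_SIZE      10   /* tag (2) + commandSize (4) + commandCode (4) */

typedef struct { uint16_t tag; uint32_t commandSize; uint32_t commandCode; } tpm_cmd_header;

/* Constructed for this example (not the spec's full command table): returns 1 if
 * this toy TPM implements cc, and sets *noSessionsOnly for commands whose command
 * table lists only TPM_ST_NO_SESSIONS (TPM2_Startup). */
static int cmd_supported(uint32_t cc, int *noSessionsOnly)
{
    *noSessionsOnly = (cc == TPM_CC_Startup);
    return cc == TPM_CC_Startup || cc == TPM_CC_GetCapability || cc == TPM_CC_GetTestResult;
}

static uint32_t be16(const uint8_t *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static uint32_t be32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Serialize a header (the wire format is big-endian); returns bytes written. */
size_t tpm_build_header(uint8_t *out, uint16_t tag, uint32_t size, uint32_t cc)
{
    out[0] = (uint8_t)(tag >> 8);   out[1] = (uint8_t)tag;
    out[2] = (uint8_t)(size >> 24); out[3] = (uint8_t)(size >> 16);
    out[4] = (uint8_t)(size >> 8);  out[5] = (uint8_t)size;
    out[6] = (uint8_t)(cc >> 24);   out[7] = (uint8_t)(cc >> 16);
    out[8] = (uint8_t)(cc >> 8);    out[9] = (uint8_t)cc;
    return TPM_HEADER_SIZE;
}

/* Header validation, then the Failure-mode check and the session-tag check from
 * the text.  failureMode simulates a TPM whose self-test has failed. */
uint32_t tpm_validate_header(const uint8_t *buf, size_t len, int failureMode,
                             tpm_cmd_header *hdr)
{
    int noSessionsOnly;
    if (len < TPM_HEADER_SIZE) return TPM_RC_COMMAND_SIZE;
    hdr->tag = (uint16_t)be16(buf);
    hdr->commandSize = be32(buf + 2);
    hdr->commandCode = be32(buf + 6);
    if (hdr->tag != TPM_ST_NO_SESSIONS && hdr->tag != TPM_ST_SESSIONS) return TPM_RC_BAD_TAG;
    if (hdr->commandSize != len) return TPM_RC_COMMAND_SIZE;   /* must match bytes received */
    if (!cmd_supported(hdr->commandCode, &noSessionsOnly)) return TPM_RC_COMMAND_CODE;
    /* Failure mode: only GetTestResult / GetCapability, and only with TPM_ST_NO_SESSIONS. */
    if (failureMode && (hdr->tag != TPM_ST_NO_SESSIONS ||
        (hdr->commandCode != TPM_CC_GetTestResult && hdr->commandCode != TPM_CC_GetCapability)))
        return TPM_RC_FAILURE;
    /* Session area validation: sessions present but the command requires TPM_ST_NO_SESSIONS. */
    if (hdr->tag == TPM_ST_SESSIONS && noSessionsOnly) return TPM_RC_AUTH_CONTEXT;
    return TPM_RC_SUCCESS;
}

int main(void)
{   /* TPM2_Startup(TPM_SU_CLEAR): header plus a 2-byte startupType of 0 (constructed) */
    uint8_t cmd[12]; tpm_cmd_header h;
    tpm_build_header(cmd, TPM_ST_NO_SESSIONS, sizeof cmd, TPM_CC_Startup);
    cmd[10] = 0; cmd[11] = 0;
    printf("normal 0x%03X, failure mode 0x%03X\n",
           (unsigned)tpm_validate_header(cmd, sizeof cmd, 0, &h),
           (unsigned)tpm_validate_header(cmd, sizeof cmd, 1, &h));
    return 0;
}
```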

