BS ISO/IEC 11889-2:2009
Current
The latest, up-to-date edition.
Information technology. Trusted platform module. Design principles
Hardcopy, PDF
English
31-08-2009
1 Scope
1.1 Key words
1.2 Statement Type
2 Normative references
3 Abbreviated Terms
4 Conformance
4.1 Introduction
4.2 Threat
4.3 Protection of functions
4.4 Protection of information
4.5 Side effects
4.6 Exceptions and clarifications
5 TPM Architecture
5.1 Interoperability
5.2 Components
5.2.1 Input and Output
5.2.2 Cryptographic Co-Processor
5.2.3 Key Generation
5.2.4 HMAC Engine
5.2.5 Random Number Generator
5.2.6 SHA-1 Engine
5.2.7 Power Detection
5.2.8 Opt-In
5.2.9 Execution Engine
5.2.10 Non-Volatile Memory
5.3 Data Integrity Register (DIR)
5.4 Platform Configuration Register (PCR)
6 Endorsement Key Creation
6.1 Controlling Access to PRIVEK
6.2 Controlling Access to PUBEK
7 Attestation Identity Keys
8 TPM Ownership
8.1 Platform Ownership and Root of Trust for Storage
9 Authentication and Authorization Data
9.1 Dictionary Attack Considerations
10 TPM Operation
10.1 TPM Initialization & Operation State Flow
10.1.1 Initialization
10.2 Self-Test Modes
10.2.1 Operational Self-Test
10.3 Startup
10.4 Operational Mode
10.4.1 Enabling a TPM
10.4.2 Activating a TPM
10.4.3 Taking TPM Ownership
10.4.4 Transitioning Between Operational States
10.5 Clearing the TPM
11 Physical Presence
12 Root of Trust for Reporting (RTR)
12.1 Platform Identity
12.2 RTR to Platform Binding
12.3 Platform Identity and Privacy Considerations
12.4 Attestation Identity Keys
12.4.1 AIK Creation
12.4.2 AIK Storage
13 Root of Trust for Storage (RTS)
13.1 Loading and Unloading Blobs
14 Transport Sessions and Authorization Protocols
14.1 Authorization Session Setup
14.2 Parameter Declarations for OIAP and OSAP Examples
14.2.1 Object-Independent Authorization Protocol (OIAP)
14.2.2 Object-Specific Authorization Protocol (OSAP)
14.3 Authorization Session Handles
14.4 Authorization-Data Insertion Protocol (ADIP)
14.5 AuthData Change Protocol (ADCP)
14.6 Asymmetric Authorization Change Protocol (AACP)
15 ISO/IEC 19790 Evaluations
15.1 TPM Profile for successful ISO/IEC 19790 evaluation
16 Maintenance
16.1 Field Upgrade
17 Proof of Locality
18 Monotonic Counter
19 Transport Protection
19.1 Transport encryption and authorization
19.1.1 MGF1 parameters
19.1.2 HMAC calculation
19.1.3 Transport log creation
19.1.4 Additional Encryption Mechanisms
19.2 Transport Error Handling
19.3 Exclusive Transport Sessions
19.4 Transport Audit Handling
19.4.1 Auditing of wrapped commands
20 Audit Commands
20.1 Audit Monotonic Counter
21 Design Section on Time Stamping
21.1 Tick Components
21.2 Basic Tick Stamp
21.3 Associating a TCV with UTC
21.4 Additional Comments and Questions
22 Context Management
23 Eviction
24 Session pool
25 Initialization Operations
26 HMAC digest rules
27 Generic authorization session termination rules
28 PCR Grand Unification Theory
28.1 Validate Key for use
29 Non Volatile Storage
29.1 NV storage design principles
29.1.1 NV Storage use models
29.2 Use of NV storage during manufacturing
30 Delegation Model
30.1 Table Requirements
30.2 How this works
30.3 Family Table
30.4 Delegate Table
30.5 Delegation Administration Control
30.5.1 Control in Phase 1
30.5.2 Control in Phase 2
30.5.3 Control in Phase 3
30.6 Family Verification
30.7 Use of commands for different states of TPM
30.8 Delegation Authorization Values
30.8.1 Using the authorization value
30.9 DSAP description
31 Physical Presence
31.1 Use of Physical Presence
32 TPM Internal Asymmetric Encryption
32.1.1 TPM_ES_RSAESOAEP_SHA1_MGF1
32.1.2 TPM_ES_RSAESPKCSV15
32.1.3 TPM_ES_SYM_CTR
32.1.4 TPM_ES_SYM_OFB
32.2 TPM Internal Digital Signatures
32.2.1 TPM_SS_RSASSAPKCS1v15_SHA1
32.2.2 TPM_SS_RSASSAPKCS1v15_DER
32.2.3 TPM_SS_RSASSAPKCS1v15_INFO
32.2.4 Use of Signature Schemes
33 Key Usage Table
34 Direct Anonymous Attestation
34.1 TPM_DAA_JOIN
34.2 TPM_DAA_Sign
34.3 DAA Command summary
34.3.1 TPM setup
34.3.2 JOIN
34.3.3 SIGN
35 General Purpose IO
36 Redirection
37 Structure Versioning
38 Certified Migration Key Type
38.1 Certified Migration Requirements
38.2 Key Creation
38.3 Migrate CMK to a MA
38.4 Migrate CMK to a MSA
39 Revoke Trust
40 Mandatory and Optional Functional Blocks
41 1.1a and 1.2 Differences
42 Bibliography
Describes the Trusted Platform Module (TPM), a device that enables trust in computing platforms in general.
Committee | IST/33 |
DevelopmentNote | 2009 Edition with its corrigendum remains active. Supersedes 14/30302801 DC. (04/2016) |
DocumentType | Standard |
Pages | 156 |
PublisherName | British Standards Institution |
Status | Current |
SupersededBy | |
Supersedes | |
Standards | Relationship |
ISO/IEC 11889-2:2015 | Identical |
ISO/IEC 11889-2:2009 | Identical |
ISO/IEC 11889-1:2015 | Information technology — Trusted platform module library — Part 1: Architecture |
ISO/IEC 15946-1:2016 | Information technology Security techniques Cryptographic techniques based on elliptic curves Part 1: General |
ISO/IEC 14888-3:2016 | Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms |
ISO/IEC 11889-3:2015 | Information technology — Trusted Platform Module Library — Part 3: Commands |
ISO/IEC 18033-3:2010 | Information technology Security techniques Encryption algorithms Part 3: Block ciphers |
ISO/IEC 10118-3:2004 | Information technology Security techniques Hash-functions Part 3: Dedicated hash-functions |
ISO/IEC 9797-2:2011 | Information technology Security techniques Message Authentication Codes (MACs) Part 2: Mechanisms using a dedicated hash-function |
ISO/IEC 10116:2017 | Information technology — Security techniques — Modes of operation for an n-bit block cipher |
ISO/IEC 11889-4:2015 | Information technology Trusted Platform Module Library Part 4: Supporting Routines |