1
    2
    3
    4
    5
    6
    7
    8
    9
   10
   11
   12
   13
   14
   15
   16
   17
   18
   19
   20
   21
   22
   23
   24
   25
   26
   27
   28
   29
   30
   31

docs / tpm_quick_ref.md [blame]

# TPM Quick ref

TODO: this page looks very outdated. glossary.md does not exist,
git.chromium.org does not exist. Delete it?

This page is meant to help keep track of TPM use across the system. It may not
be up to date at any given point, but it's a wiki so you know what to do.

## Details

*   [TPM ownership management](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.tpm)
*   TPM_Clear is done (as in vboot_reference) but in the firmware code itself on
    switch between dev and verified modes and in recovery.  (TODO: link code)
*   [TPM owner password clearing](http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser/chromeos/login/login_utils.cc;h=9c4564e074c650bd91c27243c589d603740793bb;hb=HEAD#l861)
    (triggered at sign-in by chrome):
*   [PCR extend](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/tpm_bootmode.c)
    (no active use elsewhere):
*   [NVRAM use for OS rollback attack protection](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/rollback_index.c)
*   [Tamper evident storage](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.lockbox)
*   [Tamper-evident storage for avoiding runtime device management mode changes](http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser/ash/login/enrollment/enterprise_enrollment_screen.cc)
*   [User key/passphrase and cached data protection](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.homedirs)
*   A TPM in a Chrome device has an EK certificate that is signed by an
    intermediate certificate authority that is dedicated to the specific TPMs
    allocated for use in Chrome devices. OS-level self-validation of the
    platform TPM should be viable with this or chaining any other trust
    expectations.
*   TPM is used for per-user certificate storage (NSS+PKCS#11) using
    opencryptoki but soon to be replaced by chaps. Update links here when chaps
    stabilizes (Each user's pkcs#11 key store is kept in their homedir to ensure
    it is tied to the local user account). This functionality includes VPN and
    802.1x-related keypairs.