Title of invention: Trusted platform module certification and attestation utilizing an anonymous key system
Abstract: This application is directed to trusted platform module certification and attestation utilizing an anonymous key system. In general, TPM certification and TPM attestation may be supported in a device utilizing an integrated TPM through the use of anonymous key system (AKS) certification. An example device may comprise at least combined AKS and TPM resources that load AKS and TPM firmware (FW) into a runtime environment that may further include at least an operating system (OS) encryption module, an AKS service module and a TPM Certification and Attestation (CA) module. For TPM certification, the CA module may interact with the other modules in the runtime environment to generate a TPM certificate, signed by an AKS certificate, that may be transmitted to a certification platform for validation. For TPM attestation, the CA module may cause TPM credentials to be provided to the attestation platform for validation along with the TPM and/or AKS certificates.
Publication number: US9608825(B2) Publication date: 2017.03.28
Application number: US201414542491 Filing date: 2014.11.14
Applicant: Intel Corporation Inventors: Sarangdhar Nitin V.; Nemiroff Daniel; Smith Ned M.; Brickell Ernie; Li Jiangtao
Classification: H04L29/06; H04L9/32; H04L9/08; H04L9/14 Main classification: H04L29/06
Agency: Grossman, Tucker, Perreault & Pfleger, PLLC Agent: Grossman, Tucker, Perreault & Pfleger, PLLC
Principal claim: 1. A device supporting trusted platform module certification and attestation using an anonymous key system, comprising: communication circuitry to communicate with at least a remote resource; and combined anonymous key system and integrated trusted platform module resources to load an anonymous key system and a trusted platform module firmware module into a runtime environment in the device, the runtime environment further including at least: operating system encryption circuitry; anonymous key system service circuitry; and interface circuitry to interact with at least a certification platform in the remote resource via the communication circuitry, wherein the interface circuitry is further to: cause the anonymous key system service circuitry to request an anonymous key system certificate from the trusted platform module firmware module; interact with the operating system encryption circuitry to generate a trusted platform module key handle and to initiate finalization of a trusted platform module certificate based on at least one of the trusted platform module key handle and the anonymous key system certificate; interact with the trusted platform module firmware module to generate the trusted platform module certificate based on at least the trusted platform module key handle and to sign the trusted platform module certificate using the anonymous key system certificate to produce a signed trusted platform module certificate; receive a request for trusted platform module credentials from an attestation platform in the remote resource via the communication circuitry; and cause the operating system encryption circuitry to obtain at least the trusted platform module credentials and the trusted platform module certificate from the trusted platform module firmware module.
Address: Santa Clara CA US