
Using TPM for attestation

Jag Raman edited this page Feb 27, 2025 · 2 revisions

We can use the Trusted Platform Module (TPM) to perform attestation. The method for doing this is as follows:

  1. Provision the TPM: ensure the TPM is enabled and configured and that an Attestation Key (AK) has been generated.
     • Provisioning an AK is tricky. Refer to section 6.6, "Owner Creation of an LAK Certificate based on a Platform Certificate", in the TPM spec.
     • Alternatively, the hypervisor could inject the AK into the vTPM during boot as an NVRAM object.
     • This process results in a model where the Certificate Authority (CA) is the root of trust and signs the AK certificate. When issuing the AK certificate, the CA verifies that the AK and the EK reside in the same TPM.
     • Dionna is working on implementing single-service attestation in Coconut-SVSM, which will be an alternative to the above. Single-service attestation binds the AK to the firmware that generated it.
  2. Generate a TPM quote.
  3. Dispatch the quote, together with the AK, to a verifier, which validates the integrity of the evidence and confirms the PCR values. The verifier verifies both the AK and the quote.

We must register a media type for the TPM2B_ATTEST structure to convey the evidence to the verifier.

We could send the TPM event log along with the TPM quote. In this case, the verifier replays the log, extending each PCR with the digest of every entry in order, and compares the computed PCR values with the ones covered by the quote. The computed PCRs must match the quoted ones; otherwise the log does not describe the state the TPM signed.
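The verifier-side replay described above, and the PCR check from step 3 of the procedure, as an added Python example (not code from this wiki or from Coconut-SVSM). It assumes a SHA-256 PCR bank, a zero PCR reset value, SHA-256 as the quote's signing hash, and a constructed, simplified event log of (PCR index, event data) pairs; verification of the AK signature over the quote is left out.

```python
import hashlib
import hmac

PCR_BANK = "sha256"
PCR_SIZE = hashlib.new(PCR_BANK).digest_size

# Constructed sample event log (hypothetical data, not a real TCG log):
# each entry names the PCR it was extended into and the measured event data.
SAMPLE_EVENT_LOG = [
    (0, b"constructed: firmware volume image"),
    (0, b"constructed: firmware configuration"),
    (4, b"constructed: bootloader image"),
    (7, b"constructed: secure boot policy"),
]

def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || digest)."""
    return hashlib.new(PCR_BANK, pcr_value + digest).digest()

def replay_event_log(log):
    """Recompute every PCR from the log, starting each PCR at all-zero
    (assumed reset value). Order matters: extends do not commute."""
    pcrs = {}
    for index, event_data in log:
        digest = hashlib.new(PCR_BANK, event_data).digest()
        pcrs[index] = extend(pcrs.get(index, bytes(PCR_SIZE)), digest)
    return pcrs

def pcr_digest(pcrs, selection):
    """pcrDigest as carried in the quote's TPMS_QUOTE_INFO: the hash of the
    selected PCR values concatenated in ascending PCR order. A selected PCR
    that was never extended contributes its (assumed zero) reset value."""
    data = b"".join(pcrs.get(i, bytes(PCR_SIZE)) for i in sorted(selection))
    return hashlib.new(PCR_BANK, data).digest()

def log_matches_quote(log, selection, quoted_pcr_digest: bytes) -> bool:
    """Verifier check: the replayed log must reproduce the quoted pcrDigest.
    This complements, and does not replace, checking the AK signature."""
    replayed = pcr_digest(replay_event_log(log), selection)
    return hmac.compare_digest(replayed, quoted_pcr_digest)
```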

Note the difference between an AK and an AK certificate. "AK" refers to the key pair, both the public and the private key. An AK certificate carries only the public key; the TPM retains the private key as a secret and never exposes it.
