Trusted Platform Module - Xilinx Zynq-7000 Application Note
Trusted Platform Module
Documentation on TPM functionality is provided by the Trusted Computing Group (TCG),
beginning with the TPM Main Specification [Ref 4]. TPM 1.2 was the most commonly used TPM
in 2016. The Infineon OPTIGA SLB9670 TPM supports TPM 1.2 and 2.0. TPMs are very small,
cost-efficient devices that provide root of trust for reporting (RTR) and root of trust for storage
(RTS) security. This application note focuses on the RTR, in which the measurement log held
in the TPM's PCRs is reported to the server.

In addition to support for RTR, TPMs provide capabilities that might be useful in Zynq-7000 SoC
applications. TPMs provide re-programmable non-volatile memory. The TPM's hardened
cryptographic functions allow a key to be securely transmitted to the Zynq-7000 device on
demand. TPMs also provide a random number generator (RNG), which can be used to generate keys.

The TPM RTR support operates within the IMA framework, providing significant security
enhancements. When a TPM is added, the server's remote attestation of a client is based on a
quote. A quote is the measurement, or evidence, of the partitions booted. In TPM 1.2, a SHA-1
digest is used as the measurement for each partition loaded. In TPM 2.0, a SHA-2 digest is used
as the measurement for each partition loaded. The SHA digests are stored in the PCRs. Figure 8
shows the server-client communication for remote attestation.

X-Ref Target - Figure 8
Figure 8: Remote Attestation Using a TPM
[Figure: Attestation Server on the left, Client (Zynq-7000 AP SoC with TPM) on the right. Server to client: "Quote Request, Including Nonce". Client to server: "Quote – Signed Evidence, with Nonce". Drawing ID X18729-020317]

The flow in Figure 8 is outlined below.
1. The strongSwan attestation server requests a quote from the client. When requesting the
quote, the server sends a nonce, which is a random number used to protect against
replay (playback) attacks.
2. The client (the Zynq-7000 SoC with its TPM) generates the evidence for the partitions loaded.
The SHA-1 hashes are stored in the TPM PCRs. The SHA-1 digest of the BootROM code is stored in
PCR[0], and the SHA-1 digest of the FSBL is stored in PCR[4].
3. The Zynq-7000 SoC/TPM client sends the quote to the server. The quote includes the signed
evidence and the original nonce.
4. The strongSwan server appraises the quote and, based on the results, follows a policy set up
by the system administrator.

XAPP1309 (v1.0) March 7, 2017    www.xilinx.com    10
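The four-step exchange above, written out as an added example in Go. This is not code from the application note, from Xilinx, or from strongSwan; it models the protocol, not the real TPM command set. Assumptions: the TPM 1.2 extend rule PCR[i] = SHA1(PCR[i] || SHA1(partition)) with 20-byte registers; PCR[0] and PCR[4] hold the BootROM and FSBL measurements as the page states; an RSA PKCS#1 v1.5 signature over the selected PCRs plus the nonce stands in for the attestation identity key (AIK) quote signature, using a simplified digest layout rather than the TCG TPM_QUOTE_INFO structure; the BootROM and FSBL images are constructed strings. The second round feeds a modified FSBL through the same flow so the server's appraisal failure can be seen.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// QuotedPCRs is the PCR selection both sides agree on: PCR[0] (BootROM) and PCR[4] (FSBL).
var QuotedPCRs = []int{0, 4}

// PCRBank models the TPM 1.2 SHA-1 registers; an unused index reads as 20 zero bytes, like a reset PCR.
type PCRBank map[int][20]byte

// Extend applies the TPM extend rule assumed here: PCR[i] = SHA1(PCR[i] || SHA1(partition)).
func (b PCRBank) Extend(index int, partition []byte) {
	measurement := sha1.Sum(partition)
	old := b[index]
	b[index] = sha1.Sum(append(old[:], measurement[:]...))
}

// Quote is the client's reply: the quoted PCR values, the server's nonce, and a signature binding them.
type Quote struct {
	PCRs      PCRBank
	Nonce     []byte
	Signature []byte
}

// quoteDigest is the value the AIK signs: the selected PCRs in fixed order, then the nonce (simplified layout).
func quoteDigest(bank PCRBank, nonce []byte) [20]byte {
	var buf bytes.Buffer
	for _, i := range QuotedPCRs {
		v := bank[i]
		buf.WriteByte(byte(i))
		buf.Write(v[:])
	}
	buf.Write(nonce)
	return sha1.Sum(buf.Bytes())
}

// ServerRequest is step 1: the server draws a fresh 20-byte nonce for this attestation round.
func ServerRequest() ([]byte, error) {
	nonce := make([]byte, 20)
	_, err := rand.Read(nonce)
	return nonce, err
}

// ClientQuote is steps 2 and 3: the client signs its PCRs together with the nonce it was given.
func ClientQuote(aik *rsa.PrivateKey, bank PCRBank, nonce []byte) (Quote, error) {
	d := quoteDigest(bank, nonce)
	sig, err := rsa.SignPKCS1v15(rand.Reader, aik, crypto.SHA1, d[:])
	if err != nil {
		return Quote{}, err
	}
	return Quote{PCRs: bank, Nonce: nonce, Signature: sig}, nil
}

// Appraise is step 4: reject a stale nonce, an invalid signature, or PCRs that differ from the reference.
func Appraise(aikPub *rsa.PublicKey, expectedNonce []byte, reference PCRBank, q Quote) error {
	if !bytes.Equal(q.Nonce, expectedNonce) {
		return errors.New("nonce mismatch: quote is not a reply to this request")
	}
	d := quoteDigest(q.PCRs, q.Nonce)
	if err := rsa.VerifyPKCS1v15(aikPub, crypto.SHA1, d[:], q.Signature); err != nil {
		return fmt.Errorf("quote signature invalid: %w", err)
	}
	for _, i := range QuotedPCRs {
		if q.PCRs[i] != reference[i] {
			return fmt.Errorf("PCR[%d] does not match the reference measurement", i)
		}
	}
	return nil
}

// RunScenario plays the exchange twice: once with the provisioned FSBL, once with a modified one.
func RunScenario() (good error, tampered error) {
	aik, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the TPM's AIK
	if err != nil {
		return err, err
	}
	bootROM := []byte("constructed BootROM image") // constructed sample input
	fsbl := []byte("constructed FSBL image")       // constructed sample input
	reference := PCRBank{}                          // known-good values provisioned by the administrator
	reference.Extend(0, bootROM)
	reference.Extend(4, fsbl)
	round := func(fsblImage []byte) error {
		nonce, err := ServerRequest()
		if err != nil {
			return err
		}
		bank := PCRBank{}
		bank.Extend(0, bootROM)
		bank.Extend(4, fsblImage)
		q, err := ClientQuote(aik, bank, nonce)
		if err != nil {
			return err
		}
		return Appraise(&aik.PublicKey, nonce, reference, q)
	}
	return round(fsbl), round(append(fsbl, '-'))
}
```

`RunScenario` returns nil for the genuine FSBL and a PCR[4] mismatch for the modified one. Because the nonce is folded into the signed digest, a quote captured from an earlier round fails the nonce check before the signature is even examined, which is the replay protection step 1 describes; the extend operation is order sensitive, so a reordered boot sequence also produces different PCR values.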