
GM/T 0058-2018 English PDF (GMT0058-2018)

Regular price $605.00 USD

GM/T 0058-2018: Trusted computing-TCM service module interface specification

This standard specifies the composition and interface standards of the TCM service module, including TSP, TCS and TDDL, which are the interface standards facing the TCM application layer. This standard applies to the development of TCM-based applications.
GM/T 0058-2018
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Registration number: 62993-2018
GB/T 0058-2018
Trusted computing -
TCM service module interface specification
ISSUED ON: MAY 02, 2018
IMPLEMENTED ON: MAY 02, 2018
Issued by: State Cryptography Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Software architecture
6 TCM application service
6.1 Definition of class
6.2 Relationship between class and object
6.3 Interface
7 TCM core services
7.1 Management of TCM core service
7.2 Trusted cryptographic module management
7.3 Platform identity and authentication
7.4 Protection of platform data
7.5 Integrity measurements and reports
8 TDDL device driver library
8.1 TDDL architecture
8.2 TDDL memory management
8.3 TDDL error codes and definitions
8.4 TDDL interface
Appendix A (Normative) Interface data structure
A.1 Basic definition
A.2 Data structure
A.3 Processing of authorization data
1 Scope
This standard specifies the composition and interface standards of the TCM service module, including TSP, TCS and TDDL, which are the interface standards facing the TCM application layer.
This standard applies to the development of TCM-based applications.
2 Normative references
The following documents are essential to the application of this document. For dated documents, only the version with the indicated date is applicable to this document; for undated documents, only the latest version (including all amendments) is applicable to this standard.
GB/T 32905-2016 Information security technology - SM3 cryptographic hash algorithm
GB/T 32907-2016 Information security technology - SM4 block cipher algorithm
GB/T 32918.2-2016 Elliptic curve public-key cryptography - Part 2: Digital signature algorithm
GB/T 32918.4-2016 Elliptic curve public-key cryptography algorithm - Part 4: Public key encryption algorithm
GM/T 0005-2012 Randomness test specification
GM/T 0009-2012 SM2 cryptography algorithm application specification
GM/T 0015-2012 Digital certificate format based on SM2 cryptographic algorithm
3 Terms and definitions
The following terms and definitions apply to this document.
Root of trust for measurement
A trusted integrity metric unit that is the basis for trusted metrics within a trusted computing platform.
3.8
Root of trust for storage
A universal security mechanism that is the basis for trusted storage within a trusted computing platform.
3.9
Root of trust for reporting
The cryptographic module key, which is the basis for trusted reporting within the trusted computing platform.
3.10
Trusted cryptography module
The hardware module of the trusted computing platform, which provides cryptographic computing functions for the trusted computing platform and has a protected storage space.
3.11
TCM service module
The software module inside the cryptographic support platform for trusted computing, which is a software interface for accessing the trusted cryptographic module outside the platform.
3.12
Trusted party
An organization that provides credible certification, including trusted third parties and authorities.
3.13
TCM endorsement key
Endorsement key of the trusted cryptographic module.
3.14
The hash value obtained after the component is measured.
3.22
Predefined integrity value
The hash value as obtained by measuring the component in a trusted state. This value serves as a basis for the integrity verification.
3.23
Trusted chain
The trust transfer relationship established between components during system startup and operation by use of the integrity measurement method.
4 Abbreviations
The following abbreviations apply to this document.
EK: TCM Endorsement Key
HMAC: The keyed-hash message authentication code
NV: Non-Volatility
PCR: Platform Configuration Register
PEK: Platform Encryption Key
PIK: Platform Identity Key
SMK: Storage Master Key
TCM: Trusted Cryptography Module
TSM: TCM service module
TSP: TCM Service Provider
TCS: TCM Core Services
TDD: TCM Device Driver
TDDL: TCM Device Driver Library
TDDLI: TCM Device Driver Library Interface
The execution of a TSM requires a TSP:
1) They are responsible for protecting the transmission of information and data between applications;
2) Provide a C language interface or a generic interface that can be called by various platforms, as well as dynamic or static linking to the application;
3) A TSM running on the Windows operating system can also provide a COM interface.
b) TCM Core Services (TCS)
The TCS is located between the TSM Service Provider (TSP) layer and the TCM Device Driver Library (TDDL) layer, in the form of a system service. It provides functional interfaces such as TCM usage and key management for upper-layer applications such as TSP.
By function, TCS is divided into 11 modules: basic information management, key management, key cache management, event management, authorization operation, integrity operation, migration operation, cryptographic operation, identity certificate operation, device operation and key exchange. Of these, basic information management, key management and event management belong to the TCS manager; key cache management, authorization operations, integrity operations, migration operations, cryptographic operations, identity certificate operations and device operations are all TCM operations.
c) TCM Device Driver Library (TDDL)
TDDL is located between the TCM Core Service (TCS) layer and the TCM Device Driver (TDD) layer. Its main purpose is to provide a standard interface on top of the TDD, shield the differences in I/O control information between devices, and complete the transfer of information between user software and kernel software.
This standard uses the C language as the example language for writing the relevant functions and interfaces.
6 TCM application service
6.1 Definition of class
The TCM application service defines the following classes:
Table 4 -- Description of attributes

| Attributes | Sub-attributes | Attribute value |
|---|---|---|
| TSM_TCSCAP_ALG | TSM_ALG_XX: represents the name of supported algorithm | If BOOL returns TRUE, the system service supports the algorithm; if it returns FALSE, it does not |
| TSM_TCSCAP_VERSION | | Get TSM_VERSION structure description data from system service |
| TSM_TCSCAP_CACHING | TSM_TCSCAP_PROP_KEYCACHE | If BOOL returns TRUE, the system service supports the key cache; if it returns FALSE, it does not |
| TSM_TCSCAP_CACHING | TSM_TCSCAP_PROP_AUTHCACHE | If BOOL returns TRUE, the system service supports the authorized protocol cache; if it returns FALSE, it does not |
| TSM_TCSCAP_PERSSTORAGE | | If BOOL returns TRUE, the system service supports permanent storage; if it returns FALSE, it does not |
| TSM_TSPCAP_ALG | TSM_ALG_DEFAULT | Return the default algorithm |
| TSM_TSPCAP_ALG | TSM_ALG_DEFAULT_SIZE | Return the default key length |
| TSM_TSPCAP_ALG | TSM_ALG_XX: represents the name of supported algorithm | If BOOL returns TRUE, it supports this algorithm; if it returns FALSE, it does not |
| TSM_TSPCAP_VERSION | | Get TSM version |
| TSM_TSPCAP_PERSSTORAGE | | If BOOL returns TRUE, it supports permanent storage; if it returns FALSE, it does not |
| TSM_TCSCAP_MANUFACTURER | TSM_TCSCAP_PROP_MANUFACTURER_ID | UINT32 returns the description of system service provider |
| | TSM_TCSCAP_PROP_MANUFACTURER_STR | It returns the name of system service provider |
| TSM_TSPCAP_MANUFACTURER | TSM_TSPCAP_PROP_MANUFACTURER_ID | UINT32 returns the description of TSM vendor |
| | TSM_TSPCAP_PROP_MANUFACTURER_STR | It returns the TSM vendor name |
| TSM_TSPCAP_RETURNVALUE_INFO | TSM_TSPCAP_PROP_RETURNVALUE_INFO | 0: It means using the ASN.1 code; 1: It means using the byte stream |
Description of output parameter:
- pulRespDataLength: Return the length of the attribute parameter of the query.
- prgbRespData: Return the memory address of attribute data of the query.
Return value:
- ulPekLabelLength: The number of bytes of the rgbPekLabelData parameter.
- rgbPekLabelData: Point to the memory pointer of identity, which points to the string which has a content of TSM_UNICODE type.
- algID: Type of symmetric key algorithm, which is used to identify the encrypted PEK as well as the symmetric key algorithm of the request information of its certificate.
- ulPekParamsLength: rgbPekParams data length (in bytes).
- rgbPekParams: PEK key parameter, pointing to the TCM_KEY_PARMS structure data.
Description of output parameter:
- pulTCMPekReqLength: Receive the buffer byte size of prgbTCMPekReq.
- prgbTCMPekReq: Point to the TCM_PEK_REQ structure data used to request the PEK and its certificate.
Return value:
TSM_SUCCESS
TSM_E_INVALID_HANDLE
TSM_E_BAD_PARAMETER
TSM_E_INTERNAL_ERROR
6.3.4.4 Tspi_TCM_ActivatePEKCert
Function description:
This function verifies the authenticity of the PEK certificate and returns the decrypted certificate.
Interface definition:
Table 9 -- Description of attributes

| Attributes | Status value of fTCMState | Description |
|---|---|---|
| TSM_TCMSTATUS_DISABLEOWNERCLEAR | Ignored | Permanently prohibit the TCM owner from performing ClearOwner operations. At this point, the fForcedClear parameter in the method ClearOwner() is no longer allowed to take the FALSE value. This setting requires the owner's authorization |
| TSM_TCMSTATUS_DISABLEFORCECLEAR | Ignored | Temporarily prohibit the TCM owner's forced cleanup operation (this prohibition is only valid while the system is running; it is canceled the next time the system is restarted). At this point, the fForcedClear parameter in the method ClearOwner() is temporarily not allowed to take the TRUE value (until the next system restart) |
| TSM_TCMSTATUS_OWNERSETDISABLE | TSM_BOOL | fTCMState = TRUE: Indicates that the state of the TCM is set to Disabled. This command requires authorization from the TCM owner |
| TSM_TCMSTATUS_PHYSICALDISABLE | TSM_BOOL | fTCMState = TRUE: Indicates that the state of the TCM is set to Disabled. The command must be physically local |
| TSM_TCMSTATUS_PHYSICALSETDEACTIVATED | TSM_BOOL | fTCMState = TRUE: Indicates that the state of the TCM is set to Deactivated. The command must be physically local |
| TSM_TCMSTATUS_SETTEMPDEACTIVATED | Ignored | Temporarily set the status of TCM to Deactivated (until the next system restart) |
| TSM_TCMSTATUS_SETOWNERINSTALL | TSM_BOOL | fTCMState = TRUE: Indicates that the TakeOwnership() method is allowed to obtain the owner relationship of TCM. This operation requires physical locality |
| TSM_TCMSTATUS_DISABLEPUBEKREAD | TSM_BOOL | Permanently prohibit the operation of reading the EK public key information without the authorization of the TCM owner. After setting this attribute, the TCM owner must authorize reading of the EK public key information, and the FALSE value of the fOwnerAuthorized parameter in the GetPubEndorsementKey() method is no longer valid. Setting this attribute value requires the owner's authorization |
| TSM_TCMSTATUS_DISABLED | TSM_BOOL | Set TCM to available or unavailable |
| TSM_TCMSTATUS_DEACTIVATED | TSM_BOOL | Set TCM to active or inactive |
Description of output parameter:
None.
Return value:
Table 11 -- Descriptions of attribute

| Attributes | Sub-attributes | Description |
|---|---|---|
| TSM_TCMCAP_ORD | Command code | Return a Boolean value. TRUE indicates that the TCM supports the command, FALSE indicates that the TCM does not support this command |
| TSM_TCMCAP_FLAG | Ignored | Permanent and volatile bit flags |
| TSM_TCMCAP_ALG | TSM_ALG_XX | Return a Boolean value (the ID value of the TSM algorithm). TRUE indicates that TCM supports the algorithm, FALSE indicates that TCM does not support this algorithm |
| TSM_TCMCAP_PROPERTY | TSM_TCMCAP_PROP_PCR | UINT32 value. Return the number of PCR registers supported by TCM |
| | TSM_TCMCAP_PROP_PCRMAP | Return the bit flag of TCM_PCR_ATTRIBUTES |
| | TSM_TCMCAP_PROP_MANUFACTURER | UINT32 value. Return the TCM manufacturer's identifier |
| | TSM_TCMCAP_PROP_SLOTS or TSM_TCMCAP_PROP_KEYS | UINT32 value. Return the maximum number of 256-bit ECC keys that the TCM can load. Can change with time and circumstances |
| | TSM_TCMCAP_PROP_OWNER | The Boolean value. Returning TRUE means that TCM successfully creates an owner |
| | TSM_TCMCAP_PROP_MAXKEYS | UINT32 value. Return the maximum number of 256-bit ECC keys supported by TCM, excluding EK |
| | TSM_TCMCAP_PROP_AUTHSESSIONS | UINT32 value. Number of available authorization sessions, which can change over time and circumstances |
| | TSM_TCMCAP_PROP_MAXAUTHSESSIONS | UINT32 value. Return the maximum number of loadable authorization sessions supported by TCM, which can change over time and circumstances |
| | TSM_TCMCAP_PROP_TRANSESSIONS | UINT32 value. Return the number of available transport sessions, which can change over time and circumstances |
| | TSM_TCMCAP_PROP_MAXTRANSESSIONS | UINT32 value. Return the maximum number of loadable transport sessions supported by TCM |
| | TSM_TCMCAP_PROP_SESSIONS | UINT32 value. Return the number of available sessions in the session pool. Sessions in the session pool include authorization sessions and transport sessions, which can change over time and circumstances |
- hObject: Object handle whose attribute needs to be set.
- attribFlag: Attribute that needs to be set.
- subFlag: The sub-attributes that need to be set.
- ulAttrib: The value set for the attribute.
The attributes of input parameter are as shown in Table 12.
Table 12 -- Description of attributes

| Attribute flag | Sub-attribute flag | Attribute value | Description |
|---|---|---|---|
| TSM_TSPATTRIB_KEYREGISTER | 0 | TSM_TSPATTRIB_KEYREGISTER_USER | Key is registered in the TSP |
| | 0 | TSM_TSPATTRIB_KEYREGISTER_SYTEM | Key is registered in the TCS |
| | 0 | TSM_TSPATTRIB_KEYREGISTER_NO | Key is not registered in TSM |
| TSM_TSPATTRIB_KEY_INFO | TSM_TSPATTRIB_KEYINFO_USAGE | TSM_KEYUSAGE_XX | TSM key usage value, indicating the type of key used. See the definition of attribute sub-flag for the key object |
| | TSM_TSPATTRIB_KEYINFO_MIGRATABLE | Boolean value | If TRUE, the key is migratable |
| | TSM_TSPATTRIB_KEYINFO_VOLATILE | Boolean value | If TRUE, the key is volatile |
| | TSM_TSPATTRIB_KEYINFO_AUTHDATAUSAGE | Boolean value | If TRUE, the usage of key needs authorization |
| | TSM_TSPATTRIB_KEYINFO_ALGORITHM | TSM_ALG_XX | TSM algorithm ID, representing the key algorithm. See the definition of algorithm ID |
| | TSM_TSPATTRIB_KEYINFO_ENCSCHEME | TSM_KEY_ENCSCHEME_XX | TSM encryption scheme, see the definition of key encryption scheme |
| | TSM_TSPATTRIB_KEYINFO_SIGSCHEME | TSM_KEY_SIGSCHEME_XX | TSM signature scheme, see the definition of key signature scheme |
| | TSM_TSPATTRIB_KEYINFO_SIZE | | Bit length of key |
| | TSM_TSPATTRIB_KEYINFO_KEYFLAGS | | Flag information of key |
| | TSM_TSPATTRIB_KEYINFO_AUTHUSAGE | | Directly set the authDataUsage in KeyParams |
Description of the output parameters:
None.
Table 13 -- Description of attributes

| Attribute flag | Sub-attribute flag | Attribute value | Description |
|---|---|---|---|
| TSM_TSPATTRIB_KEYREGISTER | 0 | TSM_TSPATTRIB_KEYREGISTER_USER | Key is registered in the TSP |
| | 0 | TSM_TSPATTRIB_KEYREGISTER_SYTEM | Key is registered in the TCS |
| | 0 | TSM_TSPATTRIB_KEYREGISTER_NO | Key is not registered in TSM |
| TSM_TSPATTRIB_KEY_INFO | TSM_TSPATTRIB_KEYINFO_USAGE | TSM_KEYUSAGE_XX | TSM key usage value, indicating the type of key used. See the definition of attribute sub-flag for the key object |
| | TSM_TSPATTRIB_KEYINFO_MIGRATABLE | Boolean value | If TRUE, the key is migratable |
| | TSM_TSPATTRIB_KEYINFO_VOLATILE | Boolean value | If TRUE, the key is volatile |
| | TSM_TSPATTRIB_KEYINFO_AUTHDATAUSAGE | Boolean value | If TRUE, the usage of key needs authorization |
| | TSM_TSPATTRIB_KEYINFO_ALGORITHM | TSM_ALG_XX | TSM algorithm ID, representing the key algorithm. See the definition of algorithm ID |
| | TSM_TSPATTRIB_KEYINFO_ENCSCHEME | TSM_KEY_ENCSCHEME_XX | TSM encryption scheme, see the definition of key encryption scheme |
| | TSM_TSPATTRIB_KEYINFO_SIGSCHEME | TSM_KEY_SIGSCHEME_XX | TSM signature scheme, see the definition of key signature scheme |
| | TSM_TSPATTRIB_KEYINFO_KEYFLAGS | | Flag information of key |
| | TSM_TSPATTRIB_KEYINFO_AUTHUSAGE | | Return the content of authDataUsage |
| | TSM_TSPATTRIB_KEYINFO_KEYSTRUCT | TSM_KEY_STRUCT_XX | Structure type of key. See the definition of structure type of key |
| | TSM_TSPATTRIB_KEYINFO_SIZE | | Bit length of key |
| TSM_TSPATTRIB_KEY_PCR | TSM_TSPATTRIB_KEYPCR_LOCALITY_ATCREATION | | Locality modifier when creating blob |
| | TSM_TSPATTRIB_KEYPCR_LOCALITY_ATRELEASE | | Locality modifier as required for the use of key |
Description of output parameter:
- pulAttrib: Point to the attribute value of the query.
Return value:
- pulAttribDataSize: The size of the prgbAttribData parameter returned (in bytes).
- prgbAttribData: When the command returns successfully, this parameter points to a buffer that holds the value of the specified attribute.
Return value:
TSM_SUCCESS
TSM_E_INVALID_HANDLE
TSM_E_INVALID_ATTRIB_FLAG
TSM_E_INVALID_ATTRIB_SUBFLAG
TSM_E_INVALID_ATTRIB_DATA
TSM_E_BAD_PARAMETER
TSM_E_INTERNAL_ERROR
6.3.5.7 Tspi_Key_LoadKey
Function description:
Load the host's key into the TCM. The TCM is responsible for decrypting the key and caching it in the TCM. Only after the key has been loaded with LoadKey can it be used for encryption, decryption and signature.
Call logic:
a) For the key object, the key information is set through Tspi_SetAttribData();
b) Before using this method, the policy objects of hKey and hUnwrappingKey must be set correctly.
c) The protection key for this key, as specified by hUnwrappingKey, needs to be loaded into the TCM beforehand.
d) When the key is loaded, the TCM will return the session handle of the key in the TCM. This handle is then used whenever the key is used (due to limited TCM resources, it may provide cache mechanism to the core servi...