Provided by: tpm-quote-tools_1.0.4-1build1_amd64 bug

NAME
       tpm_quote_tools - an overview of TPM Quote Tools


PROGRAMS
       tpm_mkuuid,  tpm_mkaik,  tpm_loadkey,  tpm_unloadkey,  tpm_getpcrhash,  tpm_updatepcrhash,  tpm_getquote,
       tpm_verifyquote


DESCRIPTION
       TPM Quote Tools is a collection of programs that provide support for TPM based attestation using the  TPM
       quote operation.

       A  TPM  contains a set of Platform Configuration Registers (PCRs).  In a well configured machine, some of
       these registers are set to known values during the boot up process or at other times.  For example, a PCR
       might contain the hash of a boot loader in memory before it is run.

       The  TPM quote operation is used to authoritatively verify the contents of a TPM's Platform Configuration
       Registers (PCRs).  During provisioning, a composite hash of a selected set of PCRs is computed.  The  TPM
       quote operation produces a composite hash that can be compared with the one computed while provisioning.

       To use the TPM quote operation, keys must be generated.  During provisioning, an Attestation Identity Key
       (AIK) is generated for each TPM, and the public part of the  key  is  made  available  to  entities  that
       validate quotes.

       The  TPM  quote operation returns signed data and a signature.  The data that is signed contains the PCRs
       selected for the operation, the composite hash for the selected PCRs, and a nonce provided as input,  and
       used  to  prevent  replay attacks.  At provisioning time, the data that is signed is stored, not just the
       composite hash.  The signature is discarded.

       An entity that wishes to evaluate a machine generates a nonce, and sends it along with  the  set  of  PCR
       used  to  generate the composite PCR hash at provisioning time.  For this use of the TPM quote operation,
       the signed data is ignored, and the signature returned is used to validate the state of the  TPM's  PCRs.
       Given  the  signature,  the  evaluating  entity  replaces  the  nonce  in  the  signed  data generated at
       provisioning time, and checks to see if the signature is valid for the data.  If so, this  check  ensures
       the selected PCRs contain values that match the ones measured during provisioning.

       A  typical  scenario for an enterprise using these tools follows.  The tools expect AIKs to be referenced
       via one enterprise-wide Universally Unique Identifier (UUID).  The program tpm_mkuuid creates one.

       For each machine being checked, an AIK is created using tpm_mkaik.  The key blob produced is bound to the
       UUID  on  its  machine using tpm_loadkey.  The public key associated with the AIK is sent to the entities
       that verify quotes.  Finally, the expected PCR composite hash is obtained using tpm_getpcrhash.  When the
       expected PCR values change, a new hash can be generated with tpm_updatepcrhash.

       The  program  to  obtain  a  quote,  and thus measure the current state of the PCRs is tpm_getquote.  The
       program that verifies the quote describes the same PCR  composite  hash  as  was  measured  initially  is
       tpm_verifyquote.


SEE ALSO
       tpm_mkuuid(8),  tpm_mkaik(8),  tpm_loadkey(8), tpm_unloadkey(8), tpm_getpcrhash(8), tpm_updatepcrhash(8),
       tpm_getquote(8), tpm_verifyquote(8)

                                                    Oct 2010                                  TPM QUOTE TOOLS(8)