iaik.tc.tss.impl.java.tsp
Class TcTpm

java.lang.Object
  iaik.tc.tss.impl.java.tsp.TcAttributes
      iaik.tc.tss.impl.java.tsp.TcWorkingObject
          iaik.tc.tss.impl.java.tsp.TcAuthObject
              iaik.tc.tss.impl.java.tsp.TcTpm

All Implemented Interfaces:

TcIAttributes, TcIAuthObject, TcITpm, TcIWorkingObject

public class TcTpm
extends TcAuthObject
implements TcITpm

TPM class implemented using singleton pattern.

Method Summary

TcBlobData	activateIdentity(TcIRsaKey identityKey, TcBlobData asymCaContentsBlob, TcBlobData symCaAttestationBlob) For general information about this method refer to TcITpm.activateIdentity(TcIRsaKey, TcBlobData, TcBlobData).
TcTpmMigrationkeyAuth	authorizeMigrationTicket(TcIRsaKey migrationKey, long migrationScheme) This method provides the migration ticket required for the migration process.
TcTssValidation	certifySelfTest(TcIRsaKey key, TcTssValidation validation) This method performs a self-test of each internal TPM function and returns an authenticated value (signature) if the test has passed.
void	changeAuth(TcIAuthObject parentObject, TcIPolicy newPolicy) This method changes the authorization data (secret) of an entity (object) and assigns the object to the newPolicy object.
TcTssValidation	checkMaintenancePubKey(TcIRsaKey key, TcTssValidation validationData) This method proofs the maintenance public key.
void	clearOwner(boolean forcedClear) This method clears the TPM ownership.
void	CMKApproveMA(TcIMigData maAuthData) This method creates an authorization ticket, to allow the TPM owner to specify which Migration Authorities they approve and allow users to create certified-migration-keys without further involvement with the TPM owner.
void	CMKCreateTicket(TcIRsaKey verifyKey, TcIMigData sigData) This method uses a public key to verify the signature over a digest.
void	CMKSetRestrictions(long cmkDelegate) This method is used by the owner to globally dictate the usage of a certified migration key with delegated authorization.
TcBlobData	collateIdentityRequest(TcIRsaKey srk, TcIRsaKey caPubKeyRsa, TcBlobData identityLabel, TcIRsaKey identityKey, long algId) Implementation specific notes: This implementation only supports AES for symmetric encryption.
TcTssValidation	createEndorsementKey(TcIRsaKey key, TcTssValidation validationData) This method creates the endorsement key.
java.lang.Object[]	createRevocableEndorsementKey(TcIRsaKey key, TcTssValidation validationData, TcTpmNonce ekResetData) This method creates the revocable endorsement key.
TcBlobData	dirRead(long dirIndex) This method reads a Data Integrity Register.
void	dirWrite(long dirIndex, TcBlobData dirData) This method writes a Data Integrity Register.
TcBlobData	getAttribCallback(long subFlag) Not yet supported.
long	getAttribCallbackUINT32(long subFlag) The sole purpose of this method is to notify callers that TSS 1.1 style callback functions are not supported.
TcBlobData	getCapability(long capArea, TcBlobData subCap) This method provides the capabilities of the TPM.
boolean	getCapabilityBoolean(long capArea, TcBlobData subCap) This method is an alternative to TcITpm.getCapability(long, TcBlobData).
void	getCapabilitySigned() The TPM function TPM_GetCapabilitySigned that actually performs this functions was found to contain a vulnerability that makes its security questionable therefore its use unadvised.
long	getCapabilityUINT32(long capArea, TcBlobData subCap) This method is an alternative to TcITpm.getCapability(long, TcBlobData).
TcTssVersion	getCapabilityVersion(long capArea, TcBlobData subCap) This method is an alternative to TcITpm.getCapability(long, TcBlobData).
java.lang.Object[]	getCredentials() This method is a TSP level front end to the TCS getCredentials method.
TcTssPcrEvent	getEvent(long pcrIndex, long eventNumber) This method provides a PCR event for a given PCR index and event number.
int	getEventCount(long pcrIndex) This method is similar to the getEvents method.
TcTssPcrEvent[]	getEventLog() This method provides the whole event log.
TcTssPcrEvent[]	getEvents(long pcrIndex, long startNumber, long eventNumber) This method provides a specific number of PCR events for a given index.
TcIPolicy	getOperatorPolicyObject() This method returns a policy object representing the operator policy currently assigned to the object.
TcIPolicy	getPolicyObject(long policyType) Note: Policy objects are returned by reference.
java.lang.Object[]	getPubEndorsementKey(boolean ownerAuthorized, TcTssValidation validationData) This method returns the public endorsement key.
TcIRsaKey	getPubEndorsementKeyOwner() This method returns the public endorsement key.
TcBlobData	getRandom(long length) This method returns random data obtained from the TPM via the TSS.
TcTssVersion	getRealTpmVersion() This internal method returns the TPM version as reported by using TcTssConstants.TSS_TPMCAP_VERSION_VAL for 1.2 chips and TcTssConstants.TSS_TPMCAP_VERSION for 1.1 chips.
boolean	getStatus(long statusFlag) This method returns the TPM status.
TcBlobData	getTestResult() This method provides manufacturer specific information regarding the results of the self test.
boolean	isOrdinalSupported(long ordinal) This method allows developers to check if a given command ordinal is supported by the TPM the context is connected to.
boolean	isTrousersCompatible()
void	killMaintenanceFeature() This method disables the functionality of creating a maintenance archive.
TcTssValidation	loadMaintenancePubKey(TcIRsaKey key, TcTssValidation validationData) This method loads the public maintenance key into the TPM.
TcIRsaKey	OwnerGetSRKPubKey() This method returns the public part of the SRK.
TcBlobData	pcrExtend(long pcrIndex, TcBlobData data, TcTssPcrEvent pcrEvent) This method extends a PCR register and writes the PCR event log.
TcBlobData	pcrRead(long pcrIndex) This methods reads a PCR register.
void	pcrReset(TcIPcrComposite pcrComposite) This methods resets a PCR register.
TcTssValidation	quote(TcIRsaKey identKey, TcIPcrComposite pcrComposite, TcTssValidation validation) This method quotes a TCG system.
java.lang.Object[]	quote2(TcIRsaKey identKey, boolean addVersion, TcIPcrComposite pcrComposite, TcTssValidation validation) This method quotes a TCG system using TPM_Quote2 which provides the requestor a more complete view of the current platform configuration than TPM_Quote.
TcTpmCounterValue	readCurrentCounter() This method reads the current value of the current active counter register.
TcTpmCurrentTicks	readCurrentTicks() This method reads the current tick out of the TPM.
TcBlobData	readEkCertIfx11() This method is VENDOR SPECIFIC for Infineon 1.1 TPMs.
void	revokeEndorsementKey(TcTpmNonce ekResetData) This method clears the TPM revocable endorsement key pair.
void	selfTestFull() This method performs a self-test of each internal TPM function.
void	setAttribCallback(long subFlag, TcBlobData attrib) Not yet supported.
void	setAttribCallbackUINT32(long subFlag, long attrib) The sole purpose of this method is to notify callers that TSS 1.1 style callback functions are not supported.
void	setAttribCredential(long subFlag, TcBlobData credential) This method can be used to set credentials (EK, Platform, ...) that should be used in the collateIdentity method.
void	setOperatorAuth(TcIPolicy operatorPolicy) This function sets the operator authorization value in the TPM.
void	setStatus(long statusFlag, boolean tpmState) This method modifies the TPM status.
void	setTrousersCompatible(boolean trousersCompatible)
void	stirRandom(TcBlobData entropyData) This method adds entropy to the TPM Random Number Generator.
void	takeOwnership(TcIRsaKey srk, TcIRsaKey pubEk) This method takes ownership of the TPM.

Methods inherited from class iaik.tc.tss.impl.java.tsp.TcAuthObject

changeAuthAsym, getUsagePolicyObject

Methods inherited from class iaik.tc.tss.impl.java.tsp.TcAttributes

getAttribData, getAttribUint32, setAttribData, setAttribUint32

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface iaik.tc.tss.api.tspi.TcIAttributes

getAttribData, getAttribUint32, setAttribData, setAttribUint32

Methods inherited from interface iaik.tc.tss.api.tspi.TcIAuthObject

changeAuthAsym, getUsagePolicyObject

Method Detail

isTrousersCompatible

public boolean isTrousersCompatible()

setTrousersCompatible

public void setTrousersCompatible(boolean trousersCompatible)

activateIdentity

public TcBlobData activateIdentity(TcIRsaKey identityKey,
                                   TcBlobData asymCaContentsBlob,
                                   TcBlobData symCaAttestationBlob)
                            throws TcTssException

For general information about this method refer to TcITpm.activateIdentity(TcIRsaKey, TcBlobData, TcBlobData). Implementation note: The following symmetric algorithms are supported:

• TcTssConstants.TSS_ALG_AES (same as AES_128)
• TcTssConstants.TSS_ALG_AES128
• TcTssConstants.TSS_ALG_AES192
• TcTssConstants.TSS_ALG_AES256
• TcTssConstants.TSS_ALG_3DES

Specified by:

activateIdentity in interface TcITpm

Parameters:

identityKey - The identity key object.

asymCaContentsBlob - The blob containing the encrypted ASYM_CA_CONTENTS data structure received from the Privacy CA.

symCaAttestationBlob - The blob containing the encrypted SYM_CA_ATTESTATION data structure received from the Privacy CA.

Returns:

The blob containing the decrypted credential.

Throws:

TcTssException

authorizeMigrationTicket

public TcTpmMigrationkeyAuth authorizeMigrationTicket(TcIRsaKey migrationKey,
                                                      long migrationScheme)
                                               throws TcTssException

Description copied from interface: TcITpm

This method provides the migration ticket required for the migration process.

Specified by:

authorizeMigrationTicket in interface TcITpm

Parameters:

migrationKey - key object representing the migration key.

migrationScheme - Flag indicating the migration scheme to be used.
Valid migrationSchemes are:

• TcTssConstants.TSS_MS_MAINT
• TcTssConstants.TSS_MS_MIGRATE
• TcTssConstants.TSS_MS_REWRAP

Returns:

memory block containing the migration ticket blob.

Throws:

TcTssException

certifySelfTest

public TcTssValidation certifySelfTest(TcIRsaKey key,
                                       TcTssValidation validation)
                                throws TcTssException

Description copied from interface: TcITpm

This method performs a self-test of each internal TPM function and returns an authenticated value (signature) if the test has passed. If the signature scheme of the provided key is not TcTssConstants.TSS_SS_RSASSAPKCS1V15_SHA1, the return value can either be a BAD_PARAMETER error or success with a vendor specific signature.

Specified by:

certifySelfTest in interface TcITpm

Parameters:

key - Signature key.

validation - ExternalData information required to compute the signature. If not validation data is provided (i.e. this parameter is set to null), validation is done by the TSP.

Returns:

Validation data and the data the validation data was computed from. Calculation of hash value for the validation data: SHA1 hash of the following three concatenated data blobs: ("Test Passed\0" || externalData || ordinal).

Throws:

TcTssException

checkMaintenancePubKey

public TcTssValidation checkMaintenancePubKey(TcIRsaKey key,
                                              TcTssValidation validationData)
                                       throws TcTssException

Description copied from interface: TcITpm

This method proofs the maintenance public key.

Specified by:

checkMaintenancePubKey in interface TcITpm

Parameters:

key - maintenance key object

validationData - externalData information required to compute the signature.

Returns:

validation data and the data the validation data was computed from. Note: If validation is not null, the state of the provided validation object is modified by this method.

Throws:

TcTssException

clearOwner

public void clearOwner(boolean forcedClear)
                throws TcTssException

Description copied from interface: TcITpm

This method clears the TPM ownership. Note on using physical presence for proofing TPM ownership: As the mechanism to determine physical presence is platform dependent you have to consult the manual of your system for further information. On typical PC type platforms, a forced clear can only be done from the systems BIOS.

Specified by:

clearOwner in interface TcITpm

Parameters:

forcedClear - If FALSE, a clear ownership with proof of the TPM owner secret is done. If TRUE, a forced clear ownership with proof of physical access is done.

Throws:

TcTssException

collateIdentityRequest

public TcBlobData collateIdentityRequest(TcIRsaKey srk,
                                         TcIRsaKey caPubKeyRsa,
                                         TcBlobData identityLabel,
                                         TcIRsaKey identityKey,
                                         long algId)
                                  throws TcTssException

Implementation specific notes: This implementation only supports AES for symmetric encryption. Valid algId parameters are:

• TcTssConstants.TSS_ALG_AES (same as AES_128)
• TcTssConstants.TSS_ALG_AES128
• TcTssConstants.TSS_ALG_AES192
• TcTssConstants.TSS_ALG_AES256
• TcTssConstants.TSS_ALG_3DES

Note: If using the jTSS Core Services, the EK credentials of IFX 1.1 and 1.2 TPMs will be automatically included in the collageIdentityReq blob. For IFX 1.1 chips the credential is read from the TPM using vendor specific mechanisms. For IFX 1.2 TPMs the credential is read from the NV storage. The mode of operation is fixed to CBC and the padding is set to PKCS5 (TcTssConstants.TSS_ES_SYM_CBC_PKCS5PAD). For general information about this method refer to TcITpm.collateIdentityRequest(TcIRsaKey, TcIRsaKey, TcBlobData, TcIRsaKey, long).

Specified by:

collateIdentityRequest in interface TcITpm

Parameters:

srk - object (Storage Root Key).

caPubKeyRsa - Key object holding the public key of the CA which signs the certificate of the created identity key.

identityLabel - The identity label which should be a UNICODE string.

identityKey - Identity key object. The template for the identity key to be created. The key parameters must be set up correctly when creating the key object before this method is called..

algId - Symmetric algorithm to use as required by the Privacy CA.

Returns:

A blob containing the certificate request structure of type TPM_IDENTITY_REQ. This structure holds two blob: The symBlob is encrypted with a symmetric session key. The asymBlob holds this symmetric session key encrypted using the public key of the chosen Privacy CA. By that it is ensured that only this Privacy CA can decrypt the request blob.

Throws:

TcTssException

createEndorsementKey

public TcTssValidation createEndorsementKey(TcIRsaKey key,
                                            TcTssValidation validationData)
                                     throws TcTssException,
                                            TcTcsException,
                                            TcTpmException,
                                            TcTddlException

Description copied from interface: TcITpm

This method creates the endorsement key. The key information required for creating the endorsement key must be set in the key object using TcIAttributes.setAttribUint32(long, long, long) and TcIAttributes.setAttribData(long, long, TcBlobData)

Specified by:

createEndorsementKey in interface TcITpm

Parameters:

key - Key object specifying the attributes of the endorsement key to create.

validationData - Provides externalData information required to compute the checksum. If the TSP should compute compute the checksum set this parameter to null.

Returns:

The validation checksum and the data the validation checksum was computed from.

Throws:

TcTssException

TcTcsException

TcTpmException

TcTddlException

createRevocableEndorsementKey

public java.lang.Object[] createRevocableEndorsementKey(TcIRsaKey key,
                                                        TcTssValidation validationData,
                                                        TcTpmNonce ekResetData)
                                                 throws TcTssException,
                                                        TcTcsException,
                                                        TcTpmException,
                                                        TcTddlException

Description copied from interface: TcITpm

This method creates the revocable endorsement key. The key information required for creating the endorsement key must be set in the key object using TcIAttributes.setAttribUint32(long, long, long) and TcIAttributes.setAttribData(long, long, TcBlobData)

Specified by:

createRevocableEndorsementKey in interface TcITpm

Parameters:

key - Key object specifying the attributes of the endorsement key to create.

validationData - Provides externalData information required to compute the checksum. If the TSP should compute compute the checksum set this parameter to null.

ekResetData - The authorization value to be used with RevokeEndorsementKeyPair. Generated by the TPM if null.

Returns:

The returned Object[] contains the following elements:

• 0 ... validation data plus checksum TcTssValidation
• 1 ... authorisation value for resetting the endorsement key (TcTpmNonce

Throws:

TcTssException

TcTcsException

TcTpmException

TcTddlException

revokeEndorsementKey

public void revokeEndorsementKey(TcTpmNonce ekResetData)
                          throws TcTssException,
                                 TcTcsException,
                                 TcTpmException,
                                 TcTddlException

Description copied from interface: TcITpm

This method clears the TPM revocable endorsement key pair.

Specified by:

revokeEndorsementKey in interface TcITpm

Parameters:

ekResetData - The authorization value which was set with createRevocableEndorsementKey

Throws:

TcTssException

TcTcsException

TcTpmException

TcTddlException

dirRead

public TcBlobData dirRead(long dirIndex)
                   throws TcTssException

Description copied from interface: TcITpm

This method reads a Data Integrity Register.

Specified by:

dirRead in interface TcITpm

Parameters:

dirIndex - Index of the DIR to read.

Returns:

memory block containing the the DIR data.

Throws:

TcTssException

dirWrite

public void dirWrite(long dirIndex,
                     TcBlobData dirData)
              throws TcTssException

Description copied from interface: TcITpm

This method writes a Data Integrity Register.

Specified by:

dirWrite in interface TcITpm

Parameters:

dirIndex - Index of the DIR to write.

dirData - data to be written to the DIR.

Throws:

TcTssException

getCapability

public TcBlobData getCapability(long capArea,
                                TcBlobData subCap)
                         throws TcTssException

Description copied from interface: TcITpm

This method provides the capabilities of the TPM.

Specified by:

getCapability in interface TcITpm

Parameters:

capArea - Flag indicating the attribute to query.
Valid capAreas are:

• TcTssConstants.TSS_TPMCAP_ORD
• TcTssConstants.TSS_TPMCAP_FLAG
• TcTssConstants.TSS_TPMCAP_ALG
• TcTssConstants.TSS_TPMCAP_PROPERTY
• TcTssConstants.TSS_TPMCAP_VERSION
• TcTssConstants.TSS_TPMCAP_VERSION_VAL
• TcTssConstants.TSS_TPMCAP_NV_LIST
• TcTssConstants.TSS_TPMCAP_NV_INDEX
• TcTssConstants.TSS_TPMCAP_MFR
• TcTssConstants.TSS_TPMCAP_SYM_MODE
• TcTssConstants.TSS_TPMCAP_HANDLE
• TcTssConstants.TSS_TPMCAP_TRANS_ES
• TcTssConstants.TSS_TPMCAP_AUTH_ENCRYPT

subCap - Data indicating the attribute to query.
Valid subCaps are:

• TcTpmOrdinals.TPM_ORD_*
• TcTssConstants.TSS_ALG_*
• TcTpmConstants.TPM_SYM_MODE_*
• TcTssConstants.TSS_RT_*
• TcTssConstants.TSS_ES_*

Returns:

data of the specified attribute

Throws:

TcTssException

getCapabilityBoolean

public boolean getCapabilityBoolean(long capArea,
                                    TcBlobData subCap)
                             throws TcTssException

Description copied from interface: TcITpm

This method is an alternative to TcITpm.getCapability(long, TcBlobData). The only difference is that the returned data is interpreted as TSS_BOOL (boolean).

Specified by:

getCapabilityBoolean in interface TcITpm

Throws:

TcTssException

getCapabilityUINT32

public long getCapabilityUINT32(long capArea,
                                TcBlobData subCap)
                         throws TcTssException

Description copied from interface: TcITpm

This method is an alternative to TcITpm.getCapability(long, TcBlobData). The only difference is that the returned data is interpreted as UINT32 (long).

Specified by:

getCapabilityUINT32 in interface TcITpm

Throws:

TcTssException

getCapabilityVersion

public TcTssVersion getCapabilityVersion(long capArea,
                                         TcBlobData subCap)
                                  throws TcTssException

Description copied from interface: TcITpm

This method is an alternative to TcITpm.getCapability(long, TcBlobData). The only difference is that the returned data is interpreted as TSS_VERSION. Note that on 1.2 TPMs, TSS_TPMCAP_VERSION is fixed to always return 1.1.0.0. To obtain the real TPM version on a 1.2 TPM, TSS_TPMCAP_VERSION_VAL has to be used. TSS_TPMCAP_VERSION_VAL not only retrieves the version but a TcTpmCapVersionInfo structure. This method returns the version field of this structure. To obtain the full TcTpmCapVersionInfo structure, use TcITpm.getCapability(long, TcBlobData).

Specified by:

getCapabilityVersion in interface TcITpm

Parameters:

capArea - Flag indicating the attribute to query
Valid capAreas are:

• TcTssConstants.TSS_TPMCAP_VERSION
• TcTssConstants.TSS_TPMCAP_VERSION_VAL (on 1.2 TPMs)

subCap - Ignored (set to null);

Returns:

The TPM version.

Throws:

TcTssException

getRealTpmVersion

public TcTssVersion getRealTpmVersion()
                               throws TcTssException

This internal method returns the TPM version as reported by using TcTssConstants.TSS_TPMCAP_VERSION_VAL for 1.2 chips and TcTssConstants.TSS_TPMCAP_VERSION for 1.1 chips.

Throws:

TcTssException

getCapabilitySigned

public void getCapabilitySigned()
                         throws TcTssException

Description copied from interface: TcITpm

The TPM function TPM_GetCapabilitySigned that actually performs this functions was found to contain a vulnerability that makes its security questionable therefore its use unadvised.

Specified by:

getCapabilitySigned in interface TcITpm

Throws:

TcTssException

getEvent

public TcTssPcrEvent getEvent(long pcrIndex,
                              long eventNumber)
                       throws TcTssException

Description copied from interface: TcITpm

This method provides a PCR event for a given PCR index and event number.

Specified by:

getEvent in interface TcITpm

Parameters:

pcrIndex - Index of the PCR to request.

eventNumber - Index of the event to request.

Returns:

PCR event data.

Throws:

TcTssException

getEventCount

public int getEventCount(long pcrIndex)
                  throws TcTssException

Description copied from interface: TcITpm

This method is similar to the getEvents method. The only difference is the return value: This method returns the number of entries that would be retrieved when calling the getEvents method. This method is based on the getEvents method of the TSS where the prgPcrEvents parameter is set to 0.

Specified by:

getEventCount in interface TcITpm

Parameters:

pcrIndex - Index of the PCR to request.

Returns:

number of events reported

Throws:

TcTssException

getEventLog

public TcTssPcrEvent[] getEventLog()
                            throws TcTssException

Description copied from interface: TcITpm

This method provides the whole event log.

Specified by:

getEventLog in interface TcITpm

Returns:

The event log.

Throws:

TcTssException

getEvents

public TcTssPcrEvent[] getEvents(long pcrIndex,
                                 long startNumber,
                                 long eventNumber)
                          throws TcTssException

Description copied from interface: TcITpm

This method provides a specific number of PCR events for a given index.

Specified by:

getEvents in interface TcITpm

Parameters:

pcrIndex - Index of the PCR to request.

startNumber - Index of the first event to request.

eventNumber - Number of elements to request.

Returns:

array of PCR event data.

Throws:

TcTssException

getPubEndorsementKey

public java.lang.Object[] getPubEndorsementKey(boolean ownerAuthorized,
                                               TcTssValidation validationData)
                                        throws TcTssException

Description copied from interface: TcITpm

This method returns the public endorsement key. The public key information of the endorsement key can be retrieved via TcIAttributes.getAttribData(long, long).

Specified by:

getPubEndorsementKey in interface TcITpm

Parameters:

ownerAuthorized - Flag determining if owner authorization is required. Note that owner authorization is not required if the ownership of the TPM has not yet been taken. After TPM ownership has been taken, owner authorization is required to obtain the public EK.

validationData - External data that is used by the TPM to compute the checksum. If this parameter is omitted (i.e. it is set to null), the validation is done by the TSP:

Returns:

The returned Object[] contains the following elements:

• 0 ... endorsement key object TcIRsaKey
• 1 ... outgoing validation (TcTssValidation

Throws:

TcTssException

getPubEndorsementKeyOwner

public TcIRsaKey getPubEndorsementKeyOwner()
                                    throws TcTssException

Description copied from interface: TcITpm

This method returns the public endorsement key. The public key information of the endorsement key can be retrieved via TcIAttributes.getAttribData(long, long). This method always tries to read the public EK using owner authorization. If effectively is a shortcut for TcITpm.getPubEndorsementKey(boolean, TcTssValidation) with (true, null) as parameters.

Specified by:

getPubEndorsementKeyOwner in interface TcITpm

Returns:

TcIRsaKey

Throws:

TcTssException

getRandom

public TcBlobData getRandom(long length)
                     throws TcTssException

Description copied from interface: TcITpm

This method returns random data obtained from the TPM via the TSS.

Specified by:

getRandom in interface TcITpm

Parameters:

length - The length of the data to be requested. The maximum length of the random data is 4096.

Returns:

Random data received from the TPM.

Throws:

TcTssException

getStatus

public boolean getStatus(long statusFlag)
                  throws TcTssException

Description copied from interface: TcITpm

This method returns the TPM status.
Valid statusFlags are:

• TcTssConstants.TSS_TPMSTATUS_DISABLEOWNERCLEAR
• TcTssConstants.TSS_TPMSTATUS_DISABLEFORCECLEAR
• TcTssConstants.TSS_TPMSTATUS_DISABLED
• TcTssConstants.TSS_TPMSTATUS_PHYSICALSETDEACTIVATED
• TcTssConstants.TSS_TPMSTATUS_SETTEMPDEACTIVATED
• TcTssConstants.TSS_TPMSTATUS_SETOWNERINSTALL
• TcTssConstants.TSS_TPMSTATUS_DISABLEPUBEKREAD
• TcTssConstants.TSS_TPMSTATUS_ALLOWMAINTENANCE
• TcTssConstants.TSS_TPMSTATUS_PHYSPRES_LIFETIMELOCK
• TcTssConstants.TSS_TPMSTATUS_PHYSPRES_HWENABLE
• TcTssConstants.TSS_TPMSTATUS_PHYSPRES_CMDENABLE
• TcTssConstants.TSS_TPMSTATUS_CEKP_USED
• TcTssConstants.TSS_TPMSTATUS_PHYSPRESENCE
• TcTssConstants.TSS_TPMSTATUS_PHYSPRES_LOCK

Specified by:

getStatus in interface TcITpm

Parameters:

statusFlag - status flag to be read

Returns:

value of status flag

Throws:

TcTssException

getTestResult

public TcBlobData getTestResult()
                         throws TcTssException

Description copied from interface: TcITpm

This method provides manufacturer specific information regarding the results of the self test.

Specified by:

getTestResult in interface TcITpm

Returns:

Memory block containing the TPM manufacturer specific information.

Throws:

TcTssException

killMaintenanceFeature

public void killMaintenanceFeature()
                            throws TcTssException

Description copied from interface: TcITpm

This method disables the functionality of creating a maintenance archive. After disabling the functionality of creating a maintenance archive, this functionality can only be enabled again by releasing the TPM ownership.

Specified by:

killMaintenanceFeature in interface TcITpm

Throws:

TcTssException

loadMaintenancePubKey

public TcTssValidation loadMaintenancePubKey(TcIRsaKey key,
                                             TcTssValidation validationData)
                                      throws TcTssException

Description copied from interface: TcITpm

This method loads the public maintenance key into the TPM. The maintenance public key can only be loaded once. Subsequent calls to Tspi_TPM_LoadMaintenancePubKey will fail.

Specified by:

loadMaintenancePubKey in interface TcITpm

Parameters:

key - maintenance key object

validationData - externalData information required to compute the signature. If validationData != NULL: The caller has to proof the digest by its own. If validationData == NULL: The TSS Service Provider proofs the digest got from the TPM internally.

Returns:

validation data and the data the validation data was computed from. Calculation of hash value for the validation data: SHA1 hash of the concatenated data of ||

Throws:

TcTssException

pcrExtend

public TcBlobData pcrExtend(long pcrIndex,
                            TcBlobData data,
                            TcTssPcrEvent pcrEvent)
                     throws TcTssException

Description copied from interface: TcITpm

This method extends a PCR register and writes the PCR event log. If no pcrEvent parameter is supplied, the pcrEventData parameter is expected to be a SHA-1 hash that is directly extended into the specified PCR register. In this case, the provided pcrEventData value is not touched by the TSP. If however a pcrEvent is provided, then the value that is extended into the specified PCR is computed as follows: SHA-1(pcrIndex || pcrEventData || pcrEvent.eventType || pcrEvent).

Specified by:

pcrExtend in interface TcITpm

Parameters:

pcrIndex - Index of the PCR to extend.

data - Data blob for the PCR extend operation.

pcrEvent - Contains the info for an event entry. If this object is null no event entry is created and the method only executes an TPM extend operation

Returns:

Memory block containing the PCR data after the extend operation.

Throws:

TcTssException

pcrRead

public TcBlobData pcrRead(long pcrIndex)
                   throws TcTssException

Description copied from interface: TcITpm

This methods reads a PCR register.

Specified by:

pcrRead in interface TcITpm

Parameters:

pcrIndex - Index of the PCR to read.

Returns:

The PCR data read from the TPM.

Throws:

TcTssException

pcrReset

public void pcrReset(TcIPcrComposite pcrComposite)
              throws TcTssException

Description copied from interface: TcITpm

This methods resets a PCR register. Whether or not is succeeds may depend on the locality executing the command. PCRs can be defined in a platform specific specification to allow reset of certain PCRs only for certain localities. The one exception is PCR 16 which can always be reset in a 1.2 implementation. This is to allow for software testing.

Specified by:

pcrReset in interface TcITpm

Parameters:

pcrComposite - Indices of the PCR to read.

Throws:

TcTssException

quote

public TcTssValidation quote(TcIRsaKey identKey,
                             TcIPcrComposite pcrComposite,
                             TcTssValidation validation)
                      throws TcTssException

Description copied from interface: TcITpm

This method quotes a TCG system. Which PCRs should be quoted must be set in the PcrComposite object before calling this method.
If structure type other than TcTssConstants.TSS_PCRS_STRUCT_INFO is used in the PcrComposite a TcTssException with error code TcTssErrors.TSS_E_INVALID_OBJ_ACCESS is thrown. The returned signature is computed over the TcTpmQuoteInfo structure.

Specified by:

quote in interface TcITpm

Parameters:

identKey - Signature key.

pcrComposite - PCR composite object. Will be used as input only.

validation - Provides externalData information required to compute the signature. If this parameter is omitted (set to null), the TSP will generate external data and do the validation.
An important use of TPM_Quote is to provide a digital signature on arbitrary data, where the signature includes the PCR values of the platform at the time of signing. Hence, the externalData is not just for anti-replay purposes although it is used for that purpose in an integrity challenge. If the validation parameter is omitted (set to null), the TSP will generate anti-replay data that is validated upon receiving the response from the TPM.

Returns:

The validation data and the data the validation data was computed from.

Throws:

TcTssException

quote2

public java.lang.Object[] quote2(TcIRsaKey identKey,
                                 boolean addVersion,
                                 TcIPcrComposite pcrComposite,
                                 TcTssValidation validation)
                          throws TcTssException

Description copied from interface: TcITpm

This method quotes a TCG system using TPM_Quote2 which provides the requestor a more complete view of the current platform configuration than TPM_Quote. The required information about which PCRs should be quoted must be set in the PcrComposite object before calling this method.
If structure type other than TcTssConstants.TSS_PCRS_STRUCT_INFO_SHORT is used in the PcrComposite a TcTssException with error code TcTssErrors.TSS_E_INVALID_OBJ_ACCESS is thrown. The returned signature is computed over the TcTpmQuoteInfo structure.

Specified by:

quote2 in interface TcITpm

Parameters:

identKey - Signature key.

addVersion - If true, the TPM version is added to the output otherwise it is omitted.

pcrComposite - PCR composite object. Will be used as input only.

validation - Provides externalData information required to compute the signature. If this parameter is omitted (set to null), the TSP will generate external data and do the validation.
An important use of TPM_Quote is to provide a digital signature on arbitrary data, where the signature includes the PCR values of the platform at the time of signing. Hence, the externalData is not just for anti-replay purposes although it is used for that purpose in an integrity challenge. If the validation parameter is omitted (set to null), the TSP will generate anti-replay data that is validated upon receiving the response from the TPM.

Returns:

The returned Object[] contains the following elements:

• 0 ... outgoing validation (TcTssValidation
• 1 ... TPM version as reported by TcTpmConstants.TPM_CAP_VERSION_VAL. If addVersion is false, this element is null (TcTpmCapVersionInfo.

Throws:

TcTssException

selfTestFull

public void selfTestFull()
                  throws TcTssException

Description copied from interface: TcITpm

This method performs a self-test of each internal TPM function.

Specified by:

selfTestFull in interface TcITpm

Throws:

TcTssException

setStatus

public void setStatus(long statusFlag,
                      boolean tpmState)
               throws TcTssException

Description copied from interface: TcITpm

This method modifies the TPM status.

Specified by:

setStatus in interface TcITpm

Parameters:

statusFlag - determines the flag to be set.
Valid statusFlags are:

• TcTssConstants.TSS_TPMSTATUS_DISABLEOWNERCLEAR, tpmState is ignored
• TcTssConstants.TSS_TPMSTATUS_DISABLEFORCECLEAR, tpmState is ignored
• TcTssConstants.TSS_TPMSTATUS_OWNERSETDISABLE
• TcTssConstants.TSS_TPMSTATUS_PHYSICALDISABLE
• TcTssConstants.TSS_TPMSTATUS_PHYSICALSETDEACTIVATED
• TcTssConstants.TSS_TPMSTATUS_SETTEMPDEACTIVATED, tpmState is ignored
• TcTssConstants.TSS_TPMSTATUS_SETOWNERINSTALL
• TcTssConstants.TSS_TPMSTATUS_DISABLEPUBEKREAD, tpmState is ignored

tpmState - the new value of the flag

Throws:

TcTssException

stirRandom

public void stirRandom(TcBlobData entropyData)
                throws TcTssException

Description copied from interface: TcITpm

This method adds entropy to the TPM Random Number Generator.

Specified by:

stirRandom in interface TcITpm

Parameters:

entropyData - The entropy data.

Throws:

TcTssException

takeOwnership

public void takeOwnership(TcIRsaKey srk,
                          TcIRsaKey pubEk)
                   throws TcTssException

Description copied from interface: TcITpm

This method takes ownership of the TPM. The process of taking ownership is the procedure whereby the owner inserts a shared secret into the TPM. The owner of the TPM has the right to perform special operations. As part of this command, the owner password is set and a new SRK key pair is created.

Specified by:

takeOwnership in interface TcITpm

Parameters:

srk - The storage root key object.

pubEk - The public endorsement key object. The public endorsement key is required for encryption of the SRK and EK secret sent to the TPM. The pubEk parameter can be set to null. In this case, the takeOwnership method will query the TPM for the public endorsement key.s

Throws:

TcTssException

getPolicyObject

public TcIPolicy getPolicyObject(long policyType)
                          throws TcTssException

Description copied from class: TcAuthObject

Note: Policy objects are returned by reference. Keep that in mind when modifying a policy. For general documentation of this method refer to TcIAuthObject.getPolicyObject(long).

Specified by:

getPolicyObject in interface TcIAuthObject

Overrides:

getPolicyObject in class TcAuthObject

Parameters:

policyType - The policy type to be returned (TSS_POLICY_*)

Returns:

Policy object currently assigned to the object.

Throws:

TcTssException

getOperatorPolicyObject

public TcIPolicy getOperatorPolicyObject()
                                  throws TcTssException

This method returns a policy object representing the operator policy currently assigned to the object. It is based on the getPolicy method of the TSS with TSS_POLICY_OPERATOR as parameter. Note: Policy objects are returned by reference. Keep that in mind when modifying a policy.

Returns:

Operator policy object.

Throws:

TcTssException

TSS Spec. 1.2 Errata A, page number:

182

TSS Spec. 1.10 Golden, Aug. 20, 2003, page number:

73

getCredentials

public java.lang.Object[] getCredentials()
                                  throws TcTssException

This method is a TSP level front end to the TCS getCredentials method. It calls down to the TCS to obtain the endorsement, platform and conformance certificates. Note that this TSP level method is not standardized by the TSS specification and therefore is not part TcITpm interface. Note that if a certificate is not available on the system, null is returned for this certificate.

Returns:

The return value array contains the following elements:

• 0 ... endorsement credential (TcBlobData)
• 1 ... platform credential (TcBlobData)
• 2 ... conformance credential (TcBlobData)

Throws:

{@link - TcTssException}

TcTssException

readEkCertIfx11

public TcBlobData readEkCertIfx11()
                           throws TcTssException

This method is VENDOR SPECIFIC for Infineon 1.1 TPMs. It reads the EK certificate contained in such chips and returns it. If the TPM is not an IFX 1.1 TPM, a TcTspException will be thrown. This obviously is not available in all TSSs and therefore not standardized in the TcITpm.

Returns:

EK certificate blob read from the TPM chip.

Throws:

{@link - TcTssException}

TcTssException

isOrdinalSupported

public boolean isOrdinalSupported(long ordinal)
                           throws TcTssException

This method allows developers to check if a given command ordinal is supported by the TPM the context is connected to. This is useful in cases where developers e.g. want to sued optional or commands that are not part of all versions of the TPM specification. The same functionality can be achieved using the getCapability functionality to check for supported ordinals. This method however, is simpler to use and additionally provides caching of the results. In cases where the same ordinal is queried more than once, this method avoids the calls to the TCS and TPM.

Parameters:

ordinal - The TPM command ordinal to be checked.

Returns:

Returns true if the ordinal is supported, false otherwise.

Throws:

{@link - TcTssException}

TcTssException

changeAuth

public void changeAuth(TcIAuthObject parentObject,
                       TcIPolicy newPolicy)
                throws TcTssException

Description copied from interface: TcIAuthObject

This method changes the authorization data (secret) of an entity (object) and assigns the object to the newPolicy object. All classes using secrets provide this method for changing their authorization data. To change the TPM owner authorization, this method has to be called on the TPM object. The parent has to be set to null. To change the SRK authorization, this method has to be called on the SRK key object and the parent has to be set to the TPM object.

Specified by:

changeAuth in interface TcIAuthObject

Parameters:

parentObject - The parent object wrapping this object.

newPolicy - Policy object providing the new authorization data.

Throws:

TcTssException

setAttribCallbackUINT32

public void setAttribCallbackUINT32(long subFlag,
                                    long attrib)
                             throws TcTssException

The sole purpose of this method is to notify callers that TSS 1.1 style callback functions are not supported.

Throws:

TcTssException

getAttribCallbackUINT32

public long getAttribCallbackUINT32(long subFlag)
                             throws TcTssException

The sole purpose of this method is to notify callers that TSS 1.1 style callback functions are not supported.

Throws:

TcTssException

setAttribCallback

public void setAttribCallback(long subFlag,
                              TcBlobData attrib)
                       throws TcTssException

Not yet supported.

Throws:

TcTssException

getAttribCallback

public TcBlobData getAttribCallback(long subFlag)
                             throws TcTssException

Not yet supported.

Throws:

TcTssException

setAttribCredential

public void setAttribCredential(long subFlag,
                                TcBlobData credential)
                         throws TcTssException

This method can be used to set credentials (EK, Platform, ...) that should be used in the collateIdentity method. Credentials set via this method have precedence over credentials that are internally obtained by the TSS.

Parameters:

subFlag - Sub flag indicating the attribute to set. Valid subFlags are:

• TcTssConstants.TSS_TPMATTRIB_EKCERT
• TcTssConstants.TSS_TPMATTRIB_TPM_CC
• TcTssConstants.TSS_TPMATTRIB_PLATFORM_CC
• TcTssConstants.TSS_TPMATTRIB_PLATFORMCERT

credential - The credential blob to set.

Throws:

{@link - TcTssException}

TcTssException

TSS Spec. 1.2 Errata A, page number:

240

readCurrentTicks

public TcTpmCurrentTicks readCurrentTicks()
                                   throws TcTssException

Description copied from interface: TcITpm

This method reads the current tick out of the TPM.

Specified by:

readCurrentTicks in interface TcITpm

Returns:

Current value of tick counter in the TPM

Throws:

TcTssException

readCurrentCounter

public TcTpmCounterValue readCurrentCounter()
                                     throws TcTssException

Description copied from interface: TcITpm

This method reads the current value of the current active counter register.

Specified by:

readCurrentCounter in interface TcITpm

Returns:

Current value of the counter

Throws:

TcTssException

OwnerGetSRKPubKey

public TcIRsaKey OwnerGetSRKPubKey()
                            throws TcTssException

Description copied from interface: TcITpm

This method returns the public part of the SRK. Can be used to initialize the system persistent storage with the SRK without the need to take ownership again.

Specified by:

OwnerGetSRKPubKey in interface TcITpm

Returns:

A key object containing only the public part of the storage root key (SRK).

Throws:

TcTssException

CMKApproveMA

public void CMKApproveMA(TcIMigData maAuthData)
                  throws TcTssException

Description copied from interface: TcITpm

This method creates an authorization ticket, to allow the TPM owner to specify which Migration Authorities they approve and allow users to create certified-migration-keys without further involvement with the TPM owner.

Specified by:

CMKApproveMA in interface TcITpm

Parameters:

maAuthData - Migration data properties object to transfer the input and output data blob during the migration process. For this command the object calculates the digest of the selected MSA (Migration Selection Authority) which are imported into this object.

Throws:

TcTssException

CMKCreateTicket

public void CMKCreateTicket(TcIRsaKey verifyKey,
                            TcIMigData sigData)
                     throws TcTssException

Description copied from interface: TcITpm

This method uses a public key to verify the signature over a digest. The output ticket data can be used to prove the same TPM for signature verification. This operation requires owner authorization which can be delegated.

Specified by:

CMKCreateTicket in interface TcITpm

Parameters:

verifyKey - The Key object containing the public key used to check the signature value.

sigData - Migration data properties object to transfer the input and output data blob during the migration process. For this command the object includes the data proper to be signed and the signature value to be verified. The caller can access the ticket/signature data via GetAttribData().

Throws:

TcTssException

CMKSetRestrictions

public void CMKSetRestrictions(long cmkDelegate)
                        throws TcTssException

Description copied from interface: TcITpm

This method is used by the owner to globally dictate the usage of a certified migration key with delegated authorization. This command can't be owner delegated.

Specified by:

CMKSetRestrictions in interface TcITpm

Parameters:

cmkDelegate - Bit mask to determine the restrictions on certified-migration-keys Valid Flags are:

• TcTssConstants.TSS_CMK_DELEGATE_BIND
• TcTssConstants.TSS_CMK_DELEGATE_LEGACY
• TcTssConstants.TSS_CMK_DELEGATE_MIGRATE
• TcTssConstants.TSS_CMK_DELEGATE_SIGNING
• TcTssConstants.TSS_CMK_DELEGATE_STORAGE

Throws:

TcTssException

setOperatorAuth

public void setOperatorAuth(TcIPolicy operatorPolicy)
                     throws TcTssException

Description copied from interface: TcITpm

This function sets the operator authorization value in the TPM.

Specified by:

setOperatorAuth in interface TcITpm

Parameters:

operatorPolicy - the policy object holding the new operator authorization value.

Throws:

TcTssException