This command starts a session that can be used for authorization and/or encryption.
Recall that every command can have one or more input sessions. One
session may provide keying for encryption of the first TPM22B_*
command parameter and/or response parameter. Every entity that requires
authorization also requires an authorization session handle.
Every session has state that gets updated with every command, such as keying material, nonces, etc.
-
TPMI_DH_OBJECT+ tpmKeyThis optional input parameter specifies the handle of a loaded key object to be used for key exchanged with the TPM. The
tpmKeymust be an RSA decryption key (in which case RSA key transport will be used for key exchange) or a ECDH key (in which case ECDH key agreement will be used for key exchange). -
TPMI_DH_ENTITY+ bindThis optional parameter, if given, references a loaded entity whose
authValuewill be used in the session key computation. -
TPM2B_NONCE nonceCallerThis is a nonce chosen by the caller.
-
TPM2B_ENCRYPTED_SECRET encryptedSaltThis optional input parameter is a key exchange message that must be present if
tpmKeyis present.If
tpmKeyis an RSA decryption key thenencryptedSaltmust be an RSA OEAP ciphertext that will be decrypted with thetpmKey. The plaintext will be used to derive symmetric AES-CFB encryption keys.If
tpmKeyis an ECDH key, thenencryptedSaltmust be a public key that will be used to generate a shared secret key from which symmetric AES-CFB encryption keys will be derived. -
TPM_SE sessionType -
TPMT_SYM_DEF+ symmetricThe algorithm and key size for command and response parameter encryption.
-
TPMI_ALG_HASH authHashA hash algorithm for the key derivation function.
-
TPMI_SH_AUTH_SESSION sessionHandle -
TPM2B_NONCE nonceTPMThis is an output parameter that is generated by the TPM, and it is a nonce that is used for key derivation.
The sessionType input parameter must be one of:
TPM_SE_HMACTPM_SE_POLICYTPM_SE_TRIAL
If the session is to be an HMAC session authenticating knowledge of some
entity's authValue, then the bind argument must be provided.
Note that the TPM2_PolicySecret() command can reference another entity
whose authValue will be used to update the the session's keys. This
way the caller can prove knowledge of arbitrarily many authValues.
For policy sessions, the caller should now call one or more
TPM2_Policy*() commands to execute the policy identified by the
authPolicy value of the entity to be accessed via this session.
For trial sessions, the caller should now call one or more
TPM2_Policy*() commands as will be used in future actual policy
sessions, then extract the policyDigest of the
session after the last policy command -- that will be a value
suitablefor use as an authPolicy value for TPM entities.
All sessions can be used for encryption that were created with either or both of the
bindinput parameter and the pair of input parameterstpmKeyandencryptedSaltset.
Encryption sessions are useful for when the path to a TPM is not trused, such as when a TPM is a remote TPM, or when otherwise the path to the TPM is not trusted. This section talks about key exchange for such situations.
For encryption sessions the symmetric parameter should also be set.
Encryption sessions can have a session key derived from either or both
of the authValue of the bind entity or the key exchange represented
by the tpmKey and encryptedSalt inputs. The nonceCaller input and
the nonceTPM output will also salt the key derivation.
The symmetric keys used for TPM command encryption are set at session creation time.
Session keys are derived from the tpmKey and encryptedSalt inputs
(if provided) and the authValue of a loaded entity referred to by
bind (if provided), along with the nonces and other things.
The tpmKey and encryptedSalt inputs can inject a secret either via
RSA key transport or elliptic curve Diffie-Hellman (ECDH).
The key will be derived as follows:
-
if
tpmKeyandencryptedSaltare provided, then the key is recovered (RSA case) or computed (ECDH case)In the RSA case the
encryptedSaltis the ciphertext resulting from RSA PKCS#2 (OEAP) encryption to the public key of the object referred to bytpmKey. The TPM will decrypt theencryptedSaltto recover the secret.In the ECDH case the
encryptedSaltis an ephemeral public key, and the secret will be the ECDH shared secret constructed from that key and the private part of thetpmKey. -
then the internal
KDFa()function will invoked as follows:sessionKey := KDFa(authHash, (bind.authValue || tmpKey.get(encryptedSalt)), "ATH", nonceTPM, nonceCaller, authHash.digestSize)where:
-
bind.authValueis theauthValueof thebindentity (if provided) -
tmpKey.get(encryptedSalt)is the result of RSA decryption ofencryptedSaltiftpmKeyis an RSA key, or the result of ECDH key agreement between the private part oftpmKeyand the public ECDH key inencryptedSaltiftpmKeyis an ECDH key
-
To avoid active attacks, one would use the EK as the tpmKey input
parameter of TPM2_StartAuthSession(). Or one could use a tpmKey
input created with, e.g., TPM2_Create() over another encrypted session
that itself used the EK as its tpmKey input.
A non-null
bindparameter can be used to create a "bound" session that can be used to satisfy HMAC-based authorization for specific objects. We will not cover this in detail here.
Given a computer that has a discrete TPM, how does software running on that computer establish trust in the dTPM?
This is an important question since failure to do this will render the computer vulnerable to certain attacks on it.
Use of encryption sessions is a must. These must be keyed by using a
key exchange with a public key of the dTPM's that is accessible to the
caller. For example, the dTPM's EKpub, or any key object with the
decrypt, fixedTPM, and fixedParent attributes, but not the
stClear attribute, and preferably a primary. The caller must reliably
remember this public key as early as possible. The caller must also
validate the dTPM's EKcert as early as possible (especially before the
endorsement hierarchy is made unavailable).
Unless the caller has a priori knowledge of that public key for the dTPM prior to the first time the caller speaks to the dTPM, then the caller will be vulnerable to the dTPM being replaced.
In an ideal world the BIOS would store this public key in protected (((E)E)P)ROM, the BIOS would always use encrypted sessions for RTM, and the BIOS would make this public key available to applications that wish to use the dTPM. Where this is not available, online attestation protocols can serve to furnish or confirm this key to the application.