1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
|
--
-- ASN.1 extracted from
-- TCG EK Credential Profile
-- For TPM Family 2.0; Level 0
-- Specification Version 2.0
-- Revision 14
-- 4 November 2014
-- https://www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
-- on 2018-10-02, and heavily polished + bug fixed for asn2wrs
TCG DEFINITIONS::=
BEGIN
IMPORTS
-- Additional IMPORT for Wireshark
AlgorithmIdentifier
FROM PKIX1Explicit88 {iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-pkix1-explicit-88(1)};
-- TCG specific OIDs
-- tcg OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) international-organizations(23) tcg(133) }
-- tcg-tcpaSpecVersion OBJECT IDENTIFIER ::= {tcg 1}
-- tcg-attribute OBJECT IDENTIFIER ::= {tcg 2}
-- tcg-protocol OBJECT IDENTIFIER ::= {tcg 3}
-- tcg-algorithm OBJECT IDENTIFIER ::= {tcg 4}
-- tcg-ce OBJECT IDENTIFIER ::= {tcg 6}
-- tcg-kp OBJECT IDENTIFIER ::= {tcg 8}
-- TCG Spec Version OIDs
-- tcg-sv-tpm12 OBJECT IDENTIFIER ::= { tcg-tcpaSpecVersion 1}
-- tcg-sv-tpm20 OBJECT IDENTIFIER ::= { tcg-tcpaSpecVersion 2}
-- TCG Attribute OIDs
-- tcg-at-tpmManufacturer OBJECT IDENTIFIER ::= {tcg-attribute 1}
-- tcg-at-tpmModel OBJECT IDENTIFIER ::= {tcg-attribute 2}
-- tcg-at-tpmVersion OBJECT IDENTIFIER ::= {tcg-attribute 3}
-- tcg-at-platformManufacturer OBJECT IDENTIFIER ::= {tcg-attribute 4}
-- tcg-at-platformModel OBJECT IDENTIFIER ::= {tcg-attribute 5}
-- tcg-at-platformVersion OBJECT IDENTIFIER ::= {tcg-attribute 6}
-- tcg-at-securityQualities OBJECT IDENTIFIER ::= {tcg-attribute 10}
-- tcg-at-tpmProtectionProfile OBJECT IDENTIFIER ::= {tcg-attribute 11}
-- tcg-at-tpmSecurityTarget OBJECT IDENTIFIER ::= {tcg-attribute 12}
-- tcg-at-tbbProtectionProfile OBJECT IDENTIFIER ::= {tcg-attribute 13}
-- tcg-at-tbbSecurityTarget OBJECT IDENTIFIER ::= {tcg-attribute 14}
-- tcg-at-tpmIdLabel OBJECT IDENTIFIER ::= {tcg-attribute 15}
-- tcg-at-tpmSpecification OBJECT IDENTIFIER ::= {tcg-attribute 16}
-- tcg-at-tcgPlatformSpecification OBJECT IDENTIFIER ::= {tcg-attribute 17}
-- tcg-at-tpmSecurityAssertions OBJECT IDENTIFIER ::= {tcg-attribute 18}
-- tcg-at-tbbSecurityAssertions OBJECT IDENTIFIER ::= {tcg-attribute 19}
-- TCG Algorithm OIDs
-- tcg-algorithm-null OBJECT IDENTIFIER ::= {tcg-algorithm 1}
-- TCG Key Purposes OIDs
-- tcg-kp-EKCertificate OBJECT IDENTIFIER ::= {tcg-kp 1}
-- tcg-kp-PlatformCertificate OBJECT IDENTIFIER ::= {tcg-kp 2}
-- tcg-kp-AIKCertificate OBJECT IDENTIFIER ::= {tcg-kp 3}
-- TCG Certificate Extensions
-- tcg-ce-relevantCredentials OBJECT IDENTIFIER ::= {tcg-ce 2}
-- tcg-ce-relevantManifests OBJECT IDENTIFIER ::= {tcg-ce 3}
-- tcg-ce-virtualPlatformAttestationService OBJECT IDENTIFIER ::= {tcg-ce 4}
-- tcg-ce-migrationControllerAttestationService OBJECT IDENTIFIER ::= {tcg-ce 5}
-- tcg-ce-migrationControllerRegistrationService OBJECT IDENTIFIER ::= {tcg-ce 6}
-- tcg-ce-virtualPlatformBackupService OBJECT IDENTIFIER ::= {tcg-ce 7}
-- TCG Protocol OIDs
-- tcg-prt-tpmIdProtocol OBJECT IDENTIFIER ::= {tcg-protocol 1}
-- tcg specification attributes for tpm and platform
-- tPMSpecification ATTRIBUTE ::= {
-- WITH SYNTAX TPMSpecification
-- ID tcg-at-tpmSpecification }
TPMSpecification ::= SEQUENCE {
family UTF8String, -- (SIZE (1..STRMAX)),
level INTEGER,
revision INTEGER }
-- tCGPlatformSpecification ATTRIBUTE ::= {
-- WITH SYNTAX TCGPlatformSpecification
-- ID tcg-at-tcgPlatformSpecification }
TCGSpecificationVersion ::= SEQUENCE {
majorVersion INTEGER,
minorVersion INTEGER,
revision INTEGER }
TCGPlatformSpecification ::= SEQUENCE {
version TCGSpecificationVersion,
platformClass OCTET STRING } -- SIZE(4) }
-- tcpa tpm specification attribute (deprecated)
-- tCPASpecVersion ATTRIBUTE ::= {
-- WITH SYNTAX TCPASpecVersion
-- ID tcg-tcpaSpecVersion }
TCPASpecVersion ::= SEQUENCE {
major INTEGER,
minor INTEGER }
-- manufacturer implementation model and version attributes
-- TPMManufacturer ATTRIBUTE ::= {
-- WITH SYNTAX UTF8String (SIZE (1..STRMAX))
-- ID tcg-at-tpmManufacturer }
-- TPMModel ATTRIBUTE ::= {
-- WITH SYNTAX UTF8String (SIZE (1..STRMAX))
-- ID tcg-at-tpmModel }
-- TPMVersion ATTRIBUTE ::= {
-- WITH SYNTAX UTF8String (SIZE (1..STRMAX))
-- ID tcg-at-tpmVersion }
-- PlatformManufacturer ATTRIBUTE ::= {
-- WITH SYNTAX UTF8String (SIZE (1..STRMAX))
-- ID tcg-at-platformManufacturer }
-- PlatformModel ATTRIBUTE ::= {
-- WITH SYNTAX UTF8String (SIZE (1..STRMAX))
-- ID tcg-at-platformModel }
-- PlatformVersion ATTRIBUTE ::= {
-- WITH SYNTAX UTF8String (SIZE (1..STRMAX))
-- ID tcg-at-platformVersion }
-- tpm and platform tbb security assertions
-- TODO: Wireshark dissection of version could be added
Version ::= INTEGER -- { v1(0) }
-- tPMSecurityAssertions ATTRIBUTE ::= {
-- WITH SYNTAX TPMSecurityAssertions
-- ID tcg—at-tpmSecurityAssertions
-- }
TPMSecurityAssertions ::= SEQUENCE {
version Version DEFAULT v1,
fieldUpgradable BOOLEAN DEFAULT FALSE,
ekGenerationType [0] IMPLICIT EKGenerationType OPTIONAL,
ekGenerationLocation [1] IMPLICIT EKGenerationLocation OPTIONAL,
ekCertificateGenerationLocation [2] IMPLICIT
EKCertificateGenerationLocation OPTIONAL,
ccInfo [3] IMPLICIT CommonCriteriaMeasures OPTIONAL,
fipsLevel [4] IMPLICIT FIPSLevel OPTIONAL,
iso9000Certified [5] IMPLICIT BOOLEAN DEFAULT FALSE,
iso9000Uri IA5String OPTIONAL } -- (SIZE (1..URIMAX)) OPTIONAL }
-- tBBSecurityAssertions ATTRIBUTE ::= {
-- WITH SYNTAX TBBSecurityAssertions
-- ID tcg—at-tbbSecurityAssertions }
TBBSecurityAssertions ::= SEQUENCE {
version Version DEFAULT v1,
ccInfo [0] IMPLICIT CommonCriteriaMeasures OPTIONAL,
fipsLevel [1] IMPLICIT FIPSLevel OPTIONAL,
rtmType [2] IMPLICIT MeasurementRootType OPTIONAL,
iso9000Certified BOOLEAN DEFAULT FALSE,
iso9000Uri IA5String OPTIONAL } -- (SIZE (1..URIMAX)) OPTIONAL }
EKGenerationType ::= ENUMERATED {
internal (0),
injected (1),
internalRevocable(2),
injectedRevocable(3) }
EKGenerationLocation ::= ENUMERATED {
tpmManufacturer (0),
platformManufacturer (1),
ekCertSigner (2) }
EKCertificateGenerationLocation ::= ENUMERATED {
tpmManufacturer (0),
platformManufacturer (1),
ekCertSigner (2) }
-- V1.1 of this specification adds hybrid and physical.
-- Hybrid means the measurement root is capable of static AND dynamic
-- Physical means that the root is anchored by a physical TPM
-- Virtual means the TPM is virtualized (possibly running in a VMM)
-- TPMs or RTMs might leverage other lower layer RTMs to virtualize the
-- the capabilities of the platform.
MeasurementRootType ::= ENUMERATED {
static (0),
dynamic (1),
nonHost (2),
hybrid (3),
physical (4),
virtual (5) }
-- common criteria evaluation
CommonCriteriaMeasures ::= SEQUENCE {
version IA5String, -- (SIZE (1..STRMAX)), “2.2” or “3.1”; future syntax defined by CC
assurancelevel EvaluationAssuranceLevel,
evaluationStatus EvaluationStatus,
plus BOOLEAN DEFAULT FALSE,
strengthOfFunction [0] IMPLICIT StrengthOfFunction OPTIONAL,
profileOid [1] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
profileUri [2] IMPLICIT URIReference OPTIONAL,
targetOid [3] IMPLICIT OBJECT IDENTIFIER OPTIONAL,
targetUri [4] IMPLICIT URIReference OPTIONAL }
EvaluationAssuranceLevel ::= ENUMERATED {
levell (1),
level2 (2),
level3 (3),
level4 (4),
level5 (5),
level6 (6),
level7 (7) }
StrengthOfFunction ::= ENUMERATED {
basic (0),
medium (1),
high (2) }
URIReference ::= SEQUENCE {
uniformResourceIdentifier IA5String, -- (SIZE (1..URIMAX)),
hashAlgorithm AlgorithmIdentifier OPTIONAL,
hashValue BIT STRING OPTIONAL }
EvaluationStatus ::= ENUMERATED {
designedToMeet (0),
evaluationInProgress (1),
evaluationCompleted (2) }
-- fips evaluation
FIPSLevel ::= SEQUENCE {
version IA5String, -- (SIZE (1..STRMAX)), “140-1” or “140-2”
level SecurityLevel,
plus BOOLEAN DEFAULT FALSE }
SecurityLevel ::= ENUMERATED {
level1 (1),
level2 (2),
level3 (3),
level4 (4) }
-- aik certificate label from tpm owner
--TPMIdLabel OTHER-NAME ::= {UTF8String IDENTIFIED BY {tcg-at-tpmIdLabel} }
-- the following are deprecated but may be present for compatibility with TCPA
-- TPMProtectionProfile ATTRIBUTE ::= {
-- WITH SYNTAX ProtectionProfile
-- ID tcg-at-tpmProtectionProfile }
-- TPMSecurityTarget ATTRIBUTE ::= {
-- WITH SYNTAX SecurityTarget
-- ID tcg-at-tpmSecurityTarget }
--
-- TBBProtectionProfile ATTRIBUTE ::= {
-- WITH SYNTAX ProtectionProfile
-- ID tcg-at-tbbProtectionProfile }
-- TBBSecurityTarget ATTRIBUTE ::= {
-- WITH SYNTAX SecurityTarget
-- ID tcg-at-tbbSecurityTarget }
ProtectionProfile ::= OBJECT IDENTIFIER
SecurityTarget ::= OBJECT IDENTIFIER
-- V1.1 addition for enabling references to other credentials or
-- XML-based Reference Manifests. These data objects are included
-- in X.509 extensions using the new tcg-ce-[relevantCredentials,
-- relevantManifests] OIDs.
HashAlgAndValue ::= SEQUENCE {
hashAlg AlgorithmIdentifier,
hashValue OCTET STRING }
HashedSubjectInfoURI ::= SEQUENCE {
documentURI IA5String, -- (SIZE (1..URIMAX)),
documentAccessInfo OBJECT IDENTIFIER OPTIONAL,
documentHashInfo HashAlgAndValue OPTIONAL }
-- Use of SubjectInfoURIList is not specified anywhere, therefore commented out for Wireshark in cnf file
SubjectInfoURIList ::=
SEQUENCE -- SIZE (1..REFMAX) -- OF HashedSubjectInfoURI
TCGRelevantCredentials::=
SEQUENCE -- SIZE (1..REFMAX) -- OF HashedSubjectInfoURI
TCGRelevantManifests::=
SEQUENCE -- SIZE (1..REFMAX) -- OF HashedSubjectInfoURI
-- V1.2 addition of virtualization oriented credential extensions.
-- This extension indicates how a remote challenger can contact the (deep) attestation service below the current credential holder in order to attest the layer below.
-- Using this model allows the credential of each virtualization layer to reference the attestation service for the layer below it.
-- A remote challenger could traverse the layer hierarchy using this extension until reaching the physical trusted platform rooted attestation.
-- The following URI is optionally included in a certificate for a virtual machine associated with the tcg-ce-virtualPlatformAttestationService extension OID.
-- These URI are associated with the tcg-ce-[virtualPlatformAttestationService,
-- migrationControllerAttestationService, migrationControllerRegistrationService, virtualPlatformBackupService] OIDs respectively:
VirtualPlatformAttestationServiceURI ::= IA5String -- (SIZE (1..URIMAX)
MigrationControllerAttestationServiceURI ::= IA5String -- (SIZE (1..URIMAX)
MigrationControllerRegistrationServiceURI ::= IA5String -- (SIZE (1..URIMAX)
VirtualPlatformBackupServiceURI ::= SEQUENCE {
restoreAllowed BOOLEAN DEFAULT FALSE,
backupServiceURI IA5String }
END
|
