Public Page 1 of 54

STMICROELECTRONICS
COMMON CRITERIA FOR IT SECURITY EVALUATION
TRUSTED PLATFORM MODULES
ST33TPHF2X TPM FIRMWARE 1.256, 1.257 & 2.256 AND ST33GTPMA TPM FIRMWARE 3.256 & 6.256
SECURITY TARGET

DOCUMENT REVISION

Version | Date | Author | Modifications
01-00 | 22/07/2019 | Olivier Collart | First release.
01-01 | 26/07/2019 | Olivier Collart | Include evaluator’s comments
01-01p | 26/07/2019 | Olivier Collart | Public release

Table of Contents

1 INTRODUCTION (ASE_INT) ... 5
1.1 ST REFERENCE ... 5
1.2 PURPOSE ... 5
2 TOE DESCRIPTION ... 6
2.1 TOE REFERENCE ... 6
2.2 TARGET OF EVALUATION OVERVIEW ... 6
2.2.1 TOE Usage and Security Features ... 7
2.3 TOE DESCRIPTION ... 10
2.3.1 TOE hardware description ... 10
2.3.2 TOE firmware description ... 12
2.3.3 TOE guidance documentation ... 13
2.3.4 Forms of delivery ... 13
2.4 TOE LIFECYCLE ... 14
3 CONFORMANCE CLAIM (ASE_CCL) ... 15
3.1 CC CONFORMANCE CLAIM ... 15
3.2 PP CLAIM ... 15
3.3 PACKAGE CLAIM ... 15
3.4 CONFORMANCE RATIONALE ... 15
3.5 APPLICATION NOTES ... 15
4 SECURITY PROBLEM DEFINITION (ASE_SPD) ... 16
4.1 ASSETS ... 16
4.2 THREATS ... 16
4.3 ORGANISATIONAL SECURITY POLICIES ... 16
4.4 ASSUMPTIONS ... 16
5 SECURITY OBJECTIVES ... 17
5.1 SECURITY OBJECTIVES FOR THE TOE ... 17
5.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT ... 17
5.3 SECURITY OBJECTIVE RATIONALE ... 17
5.4 ANSSI NOTE 6 SECURITY OBJECTIVES EQUIVALENCE ... 18
6 EXTENDED COMPONENTS DEFINITION (ASE_ECD) ... 19
7 SECURITY REQUIREMENTS (ASE_REQ) ... 20
7.1 SECURITY FUNCTIONAL REQUIREMENTS LISTED BY THE TPM 2.0 PROTECTION PROFILE ... 20
7.2 SECURITY FUNCTIONAL REQUIREMENTS FOR THE TOE ... 20
7.2.1 Extended component FCS_RNG.1 ... 33
7.3 SECURITY ASSURANCE REQUIREMENTS ... 34
7.4 SECURITY REQUIREMENTS RATIONALE ... 35
7.4.1 Sufficiency of SFR ... 35
7.4.2 Dependency rationale ... 35
7.5 SECURITY ASSURANCE RATIONALE ... 35
8 TOE SUMMARY SPECIFICATION ... 36
8.1 TOE SECURITY FEATURES ... 36
8.1.1 SF_CRY - Cryptographic Support ... 36
8.1.2 SF_I&A - Identification and Authentication ... 38
8.1.3 SF_G&T - General and Test ... 39
8.1.4 SF_OBH - Object Hierarchy ... 41
8.1.5 SF_TOP - TOE Operation ... 43
8.1.6 Assignment of Security Functional Requirements ... 45
9 ACRONYMS ... 48
APPENDIX A REFERENCES ... 50

List of Tables

Table 1: Target of evaluation: ST33TPHF2X reference ... 6
Table 2: Target of evaluation: ST33GTPMA reference ... 6
Table 3: User documentation ... 13
Table 4: ANSSI Note 6 security objectives rationale ... 18
Table 5: Security assurance requirements for the TOE ... 34

List of Figures

Figure 1: ST33HTPH/ST33GTPMA0 block diagram ... 10
Figure 2: F2X firmware block diagram ... 12

1 INTRODUCTION (ASE_INT)

This section contains the necessary information to identify the Security Target (ST). This information may be used to cross-reference this document.

1.1 ST Reference

This security target is referenced with the following information:
• Filename: ST33TPHF2X_GTPMA_ST
• Revision: 01.01p
• Internal documentation system reference: SSS_ST33TPHF2X_GTPMA_ST_18_001
• Date: July 26th 2019

This security target is strictly conformant to the TPM Protection Profile PC Client Specific Trusted Platform Module Family 2.0 level 0 Revision 1.38, Version 1.1, [ANSSI-CC-PP-2018/03] [12].

1.2 Purpose

This document presents the Security Target (ST) of the Target of Evaluation covering both products ST33TPHF2X and ST33GTPMA. The product references and definitions of the TOE are provided in Chapter 2. A list of acronyms is provided in Chapter 9.

2 TOE DESCRIPTION

2.1 TOE reference

Table 1: Target of evaluation: ST33TPHF2X reference

Product | Hardware | Hardware Version (Ext.Int) | Firmware Version Major.Minor (1) (decimal (2))
ST33TPHF2XSPI | ST33HTPH | A.C | 0x00 0x01.0x01 0x00 (decimal 01.256)
ST33TPHF2XSPI | ST33HTPH | A.C | 0x00 0x01.0x01 0x01 (decimal 01.257)
ST33TPHF2XI2C | ST33HTPH | A.C | 0x00 0x02.0x01 0x00 (decimal 02.256)

Table 2: Target of evaluation: ST33GTPMA reference

Product | Hardware | Hardware Version (Ext.Int) | Firmware Version Major.Minor (3) (decimal (4))
ST33GTPMASPI | ST33G1M2A0 | F.G | 0x00 0x03.0x01 0x00 (decimal 03.256)
ST33GTPMAI2C | ST33G1M2A0 | F.G | 0x00 0x06.0x01 0x00 (decimal 06.256)

The chip packaging is not included in the TOE.
2.2 Target of evaluation Overview

The products ST33TPHF2XSPI and ST33TPHF2XI2C are TPM 2.0 products targeting PC, server platforms and embedded systems. The products ST33GTPMASPI and ST33GTPMAI2C are also TPM 2.0 products, targeting automotive and industrial systems.

The products ST33TPHF2XSPI and ST33GTPMASPI implement an SPI interface as defined in [11]. The products ST33TPHF2XI2C and ST33GTPMAI2C implement an I²C interface as defined in [11]. For all products, the product interface is configured by the firmware and is irreversibly locked after the first firmware factory loading.

The security target describes the target of evaluation (TOE) named ST33TPHF2X or ST33GTPMA and provides a product summary.

Footnotes to Table 1 and Table 2:
(1) The firmware major and minor versions may be retrieved from the TOE with the command TPM2_GetCapability [8], in the response field TPM_PT_FIRMWARE_VERSION_1, formatted as the value 0x00 0x01 0x01 0x00/01 or 0x00 0x02 0x01 0x00 according to [10], Table 1.
(2) Some tools may report the version as a decimal value. In that case, the version retrieved is 1.256/257 or 2.256.
(3) The firmware major and minor versions may be retrieved from the TOE with the command TPM2_GetCapability [8], in the response field TPM_PT_FIRMWARE_VERSION_1, formatted as the value 0x00 0x03 0x01 0x00 or 0x00 0x06 0x01 0x00 according to [10], Table 1.
(4) Some tools may report the version as a decimal value. In that case, the version retrieved is 3.256 or 6.256.

The TOE devices implement the functions defined in the TCG Trusted Platform Module Library Specification, version 2.0, [6], [7], [8], [9] and the PC Client Specific Platform TPM Profile for TPM 2.0 [10]. The TCG Trusted Platform Module Library specification describes the design principles, the TPM structures, the TPM commands and the supporting routines for the commands.
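As an added example (not part of the Security Target), the following Python decodes the TPM_PT_FIRMWARE_VERSION_1 value described in the footnotes above and checks a product/firmware pair against the evaluated configurations of Tables 1 and 2; the mapping is transcribed from those tables and the raw values are constructed samples.

```python
import struct
from typing import Set, Tuple, Union

# Evaluated (product, firmware version) pairs, transcribed from Table 1 and
# Table 2 of this Security Target, in the decimal "major.minor" form.
EVALUATED_FIRMWARE = {
    "ST33TPHF2XSPI": {"1.256", "1.257"},
    "ST33TPHF2XI2C": {"2.256"},
    "ST33GTPMASPI": {"3.256"},
    "ST33GTPMAI2C": {"6.256"},
}


def decode_firmware_version_1(value: Union[int, bytes]) -> Tuple[int, int]:
    """Split TPM_PT_FIRMWARE_VERSION_1 into (major, minor).

    `value` is the UINT32 returned by TPM2_GetCapability, or the same four
    bytes in big-endian order (0x00 0x01 0x01 0x00 for firmware 1.256).
    The upper 16 bits carry the major version and the lower 16 bits the
    minor version, which is why 0x0100 shows up as "256" in decimal tools.
    """
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 4:
            raise ValueError("TPM_PT_FIRMWARE_VERSION_1 is a 4-byte UINT32")
        (value,) = struct.unpack(">I", bytes(value))
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in a UINT32")
    return value >> 16, value & 0xFFFF


def format_decimal(major: int, minor: int) -> str:
    """Render the version in the decimal form quoted in the footnotes, e.g. '1.256'."""
    return f"{major}.{minor}"


def parse_reported_version(text: str) -> Tuple[int, int]:
    """Parse the decimal form some tools print ('1.256', '01.257', '2.256')."""
    major_s, sep, minor_s = text.strip().partition(".")
    if not (sep and major_s.isdigit() and minor_s.isdigit()):
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(major_s, 10), int(minor_s, 10)


def is_evaluated(product: str, version: Union[int, bytes, str]) -> bool:
    """True if this product/firmware pair is one of the certified TOE configurations.

    `version` may be the raw UINT32, its four bytes, or the decimal string.
    Any other version, even a newer one, is outside the evaluated scope.
    """
    if isinstance(version, str):
        major, minor = parse_reported_version(version)
    else:
        major, minor = decode_firmware_version_1(version)
    allowed: Set[str] = EVALUATED_FIRMWARE.get(product, set())
    return format_decimal(major, minor) in allowed


if __name__ == "__main__":
    # Constructed sample: the bytes the ST lists for ST33TPHF2XSPI firmware 1.256.
    raw = bytes.fromhex("00010100")
    major, minor = decode_firmware_version_1(raw)
    print(format_decimal(major, minor), is_evaluated("ST33TPHF2XSPI", raw))
```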
The PC Client Specific Platform TPM Profile for TPM 2.0 specification describes the additional features and communication interfaces that must be implemented by a TPM for a PC Client platform. The product line ST33GTPMA is also compliant with the PC Client Specific Platform TPM Profile for TPM 2.0 [10] for the communication interfaces, to leverage the drivers and software stacks already available.

The TOE consists of
• TPM hardware,
• TPM firmware,
• TPM guidance documentation.

The TOE components are described in section 2.3.

2.2.1 TOE Usage and Security Features

The TPM library specification describes the TPM protections in terms of Protected Capabilities and Protected Objects. A Protected Capability is an operation that must be correctly performed for a TPM to be trusted and therefore is in the scope of the CC evaluation as part of the TOE security functionality (TSF). A Protected Object is data that must be protected for a TPM operation to be trusted. The TSF performs all operations with Protected Objects inside the TPM. The TSF protects the confidentiality of Protected Objects when they are exported from the TPM and checks the integrity of Protected Objects when they are imported into the TPM. The TOE provides physical protection for Protected Objects residing in the TPM.

The TPM provides methods for collecting and reporting the identities of hardware and software components of a computer system platform. The computer system report generated by the trusted computing base (TCB) the TPM is part of allows determination of expected behaviour and, from that expectation, of trust in the computer system platform.

There are commonly three Roots of Trust in a trusted platform: a root of trust for measurement (RTM), a root of trust for reporting (RTR) and a root of trust for storage (RTS). In TCG systems, roots of trust are components that must be trusted because their misbehaviour might not be detected.
The RTM is a computing engine capable of making inherently reliable integrity measurements and maintaining an accurate summary of the values of integrity digests and the sequence of digests. The RTR is a computing engine capable of reliably reporting information held by the RTM. The RTS provides secure storage for a practically unlimited number of private keys or other data by means of exporting and importing encrypted data.

Support for the Root of Trust for Measurement

The TPM supports the integrity measurement of the trusted platform by calculating and reporting measurement digests of measured values. Typically the RTM is controlled by the Core Root of Trust for Measurement (CRTM) as the starting point of the measurement. The measurement values are representations of embedded data or program code scanned and provided to the TPM by the measurement agent. The TPM supports cryptographic hashing of measured values and calculates the measurement digest by extending the value of a PCR with a calculated or provided hash value. The PCRs are shielded locations of the TPM which can be reset by a TPM reset or a trusted process, written only through measurement digest extensions, and read.

Root of Trust for Reporting

The EK and the corresponding Endorsement Certificates define the trusted platform identities for the RTR. The ST33TPHF2X and ST33GTPMA are shipped with EKs and, for each EK, a Certificate of Authenticity of this EK is also provided. The EK may be bound to the Platform via a Platform Certificate, providing assurance from the certification body of the physical binding and connection through a trusted path between the platform (the RTM) and the genuine TPM (the RTR). The attestation of the EK and the Platform Certificates builds the base for the attestation of other keys and measurements.

Root of Trust for Storage

The TPM holds the Storage Primary Seed (SPS) and generates Storage Root Keys (SRK) from the SPS.
The SRKs are the roots of the Protected Storage Hierarchies associated with a TPM. The storage keys in these hierarchies are used for symmetric encryption and signing of other keys and data together with their security attributes. The resulting encrypted file, which contains header information in addition to the data or the key, is called a BLOB (Binary Large Object); it is output by the TPM and can be loaded back into the TPM when needed. The private keys generated on the TPM can be stored outside the TPM (encrypted) in a way that allows the TPM to use them later without ever exposing such keys in the clear outside the TPM. The TPM uses symmetric cryptographic algorithms to encrypt data and keys and may implement cryptographic algorithms of equivalent strength.

Platform Key Hierarchy

The TPM may hold a Platform Primary Seed (PPS) and generate Platform Keys from the PPS. The platform key hierarchy is controlled by the Platform Firmware. The PPS is generated by the TOE.

Other Security Services and Features

The TOE provides cryptographic services for hashing, asymmetric encryption and decryption, asymmetric signing and signature verification, symmetric encryption and decryption, symmetric signing and signature verification, and key generation. The hash functions SHA-1, SHA-256, SHA-384, SHA3-256 and SHA3-384 are provided as a cryptographic service to external entities for measurements and are used internally for user authentication, signing and key derivation. A TOE is required to implement asymmetric algorithms; the current specification supports RSA with 2048 bits for digital signature, secret sharing and encryption, and ECC algorithms with the P-256, P-384 and BN-256 curves for digital signatures and secret sharing. The TOE provides symmetric encryption and decryption with AES-128, 192 and 256 in CFB, CTR, OFB, CBC and ECB modes. The TOE implements symmetric signing and signature verification by means of HMAC.
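The PCR extension described under "Support for the Root of Trust for Measurement" above, worked through as an added example (not code from the Security Target or from STMicroelectronics): the log is replayed with the SHA-256 and SHA-384 banks the TOE offers and compared with the values the TPM reports. The event log and the reported values are constructed sample data, and PCRs are assumed to start at their all-zero reset value.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple

# Hash algorithms listed in the ST for measurements; a PCR is one digest wide.
PCR_BANKS = {"sha256": 32, "sha384": 48}
NUM_PCRS = 24  # PCR 0..23


def pcr_extend(pcr_value: bytes, digest: bytes, bank: str) -> bytes:
    """One extend step: PCR_new = H(PCR_old || digest) for the bank's hash H."""
    size = PCR_BANKS[bank]
    if len(pcr_value) != size or len(digest) != size:
        raise ValueError(f"{bank} PCR and digest must both be {size} bytes")
    return hashlib.new(bank, pcr_value + digest).digest()


def replay_event_log(events: Sequence[Tuple[int, bytes]], bank: str) -> List[bytes]:
    """Recompute every PCR of a bank from an ordered measurement log.

    Each event is (pcr_index, measured_data): the measurement agent hashes the
    data and the TPM extends that hash. All PCRs are assumed to start at the
    all-zero reset value (true for the static PCRs used in this example).
    """
    size = PCR_BANKS[bank]
    pcrs = [bytes(size)] * NUM_PCRS
    for index, data in events:
        if not 0 <= index < NUM_PCRS:
            raise ValueError(f"PCR index {index} out of range")
        measurement = hashlib.new(bank, data).digest()
        pcrs[index] = pcr_extend(pcrs[index], measurement, bank)
    return pcrs


def verify_log_against_pcrs(events: Sequence[Tuple[int, bytes]],
                            reported: Dict[int, bytes], bank: str) -> Dict[int, str]:
    """Check that a log explains the PCR values the TPM reported (e.g. in a quote).

    Returns {pcr_index: reason} for every mismatch; an empty dict means the
    reported PCRs are exactly the result of extending the logged events in the
    logged order. Because extend is a chained hash, a reordered, dropped or
    altered event changes the final value and cannot be undone afterwards.
    """
    replayed = replay_event_log(events, bank)
    problems: Dict[int, str] = {}
    for index, value in reported.items():
        if len(value) != PCR_BANKS[bank]:
            problems[index] = "reported value has the wrong length for this bank"
        elif value != replayed[index]:
            problems[index] = "replayed value differs from reported value"
    return problems


if __name__ == "__main__":
    # Constructed sample log: CRTM measures firmware into PCR 0, boot loader into PCR 4.
    log = [(0, b"platform firmware image"), (0, b"firmware configuration"),
           (4, b"boot loader")]
    bank_values = replay_event_log(log, "sha256")
    quoted = {0: bank_values[0], 4: bank_values[4]}  # what a quote would carry
    print("untampered log:", verify_log_against_pcrs(log, quoted, "sha256"))
    swapped = [log[1], log[0], log[2]]  # same events, different order
    print("reordered log:", verify_log_against_pcrs(swapped, quoted, "sha256"))
```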
The TOE generates two types of keys: Ordinary keys are generated using the random number generator to seed the key computation. Primary Keys are derived from a Primary Seed and key parameters by means of a key derivation function.

The TPM stores persistent state associated with the TPM in NV memory and provides NV memory as a shielded location for data of external entities. The platform and the entities authorised by the TPM owner control the allocation and use of the provided NV memory. The access control may include the need for authentication of the user, delegations, PCR values and other controls.

The TSF also includes random number generation, self-test and physical protection.

Generation and import of the Endorsement key pair and certificate

The Endorsement Key (EK) and the associated EK certificate (EK credential) are stored in the TPM during the manufacturing process, at the TOE lifecycle phase “Manufacturing”. Each TOE supports three Endorsement keys:
• One 2048-bit RSA key pair
• One 256-bit ECC key pair generated with curve TPM_ECC_NIST_P256
• One 384-bit ECC key pair generated with curve TPM_ECC_NIST_P384

Each Endorsement key is generated by an HSM (Hardware Security Module) and then stored encrypted on a key server.

The Endorsement Key certificate is also generated by an HSM, which stores the STMicroelectronics intermediate CA (Certification Authority) keys. The certificates are stored on a certificate server. CA keys are stored outside the HSM in a backup encrypted with a 3-DES key. This backup key is generated under dual control by 3 different security officers.

The RSA EKs are certified by an intermediate CA 2048-bit key. The ECC_NIST_P256 EKs and ECC_NIST_P384 EKs are certified by two specific intermediate CAs using a NIST_P384 key. Both certificates comply with the templates defined in the TCG specification for TPM 2.0 EK certificates [46].
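The derivation of Primary Keys from a Primary Seed mentioned above (the [SP800-108] reference in the FCS_CKM.1 primary-key SFRs of section 7.2), shown as an added example with TPM 2.0's KDFa, the SP800-108 counter-mode KDF with HMAC; this is not the TOE's code. The label, the use of the template digest as context and the direct use of the KDF output as an AES primary key are simplifications assumed for this example (the specification seeds a DRBG with the derived bytes, which is omitted here), and the seed and template are constructed sample values.

```python
import hashlib
import hmac
import struct

# Label used for primary object derivation; an assumed value for this example.
PRIMARY_LABEL = b"PRIMARY OBJECT CREATION"


def kdfa(hash_alg: str, key: bytes, label: bytes, context_u: bytes,
         context_v: bytes, bits: int) -> bytes:
    """TPM 2.0 KDFa: SP800-108 KDF in counter mode with HMAC as the PRF.

    K(i) = HMAC_key([i]_32 || label || 0x00 || contextU || contextV || [bits]_32)
    for i = 1, 2, ..., concatenated and truncated to `bits`. The label is
    followed by a single zero byte. Only whole-byte lengths are handled here;
    the TPM additionally masks the first byte when `bits` is not a multiple of 8.
    """
    if bits <= 0 or bits % 8:
        raise ValueError("this example derives whole bytes only")
    needed = bits // 8
    out = bytearray()
    counter = 0
    while len(out) < needed:
        counter += 1  # counter starts at 1 and is encoded big-endian
        block = (struct.pack(">I", counter) + label + b"\x00"
                 + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, block, hash_alg).digest()
    return bytes(out[:needed])


def derive_primary_aes_key(primary_seed: bytes, name_alg: str,
                           template: bytes, key_bits: int) -> bytes:
    """Derive the AES key of a primary object from a Primary Seed and a template.

    Simplified from primary object creation in TPM 2.0 Part 1: the seed is the
    KDF key and the template's digest under nameAlg is the context. The same
    seed and template always yield the same key, so primary keys need no
    storage; a new seed (for example after TPM2_Clear for the storage
    hierarchy) or any change in the template yields an unrelated key.
    """
    if key_bits not in (128, 192, 256):  # AES sizes the ST lists
        raise ValueError("unsupported AES key size")
    template_digest = hashlib.new(name_alg, template).digest()
    return kdfa(name_alg, primary_seed, PRIMARY_LABEL, template_digest, b"", key_bits)


if __name__ == "__main__":
    # Constructed sample values: a 32-byte Storage Primary Seed and a template.
    sps = bytes(range(32))
    template = b"TPM2B_PUBLIC: TPM_ALG_SYMCIPHER, AES-256 CFB, nameAlg sha256"
    k1 = derive_primary_aes_key(sps, "sha256", template, 256)
    k2 = derive_primary_aes_key(sps, "sha256", template, 256)
    k3 = derive_primary_aes_key(bytes(32), "sha256", template, 256)
    print(k1.hex(), k1 == k2, k1 == k3)
```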
The importation of the EK and EK certificate into the TOE is done by the personalization infrastructure, which requests the EK and EK certificate from the key and certificate servers. The personalization infrastructure decrypts the EK private key and writes it encrypted on the chip, together with the EK certificate. The key server, certificate server, HSM and personalization infrastructure are all located within the secure production area of the TOE. The STMicroelectronics intermediate certificates are described in the document TPM EK Certificate – Chip and EK authenticity verification [44].

2.3 TOE Description

2.3.1 TOE hardware description

The TOE includes two hardware platforms based on the same architecture:
• ST33HTPH
• ST33G1M2A0

The ST33HTPH and ST33G1M2A0 are serial access microcontrollers designed for Trusted Platform Module applications that incorporate the generation of ARM processors for embedded secure systems. Their SecurCore® SC300™ 32-bit RISC core is built on the Cortex™ M3 core with additional security features to help protect against advanced forms of attacks.

Figure 1: ST33HTPH/ST33GTPMA0 block diagram

Both hardware platforms support an SPI interface compliant with [11] for integration with controllers and system drivers. Both hardware platforms include general purpose Input/Output pins to support a driver implementation compliant with the I²C interface and the protocol defined in the TCG standard [11].
Both hardware platforms include the following security features:
• Active shield
• Memory protection unit (MPU)
• Monitoring of environmental parameters through security sensors
• Code/Data Signature for protection against fault attacks
• ISO 3309 CRC calculation block
• AIS-31 Class PTG2 compliant true random number generator (TRNG)
• The EDES peripheral provides a secure DES (Data Encryption Standard) algorithm implementation
• The AES peripheral provides a secure AES (Advanced Encryption Standard) algorithm implementation
• The NESCRYPT crypto-processor efficiently supports the public key algorithms
• Three timers for TPM Clock and TPM Time management
• The ST ROM is located in non-volatile memory protected by a firewall. This ST firmware includes:
  • A test program used to validate the TOE production (OST)
  • A set of boot and flash management services

2.3.2 TOE firmware description

The firmware architecture “F2X” is common to all products included in the TOE. The FW is composed of three independent blocks:
• A non-upgradable code block located in ROM & flash memories (orange box in Figure 2):
  • Core memory loader (CML), in charge of verifying the integrity of the TPM instance to be executed.
• Two independent code blocks upgradable via the secure field upgrade mechanism (TPM instances #1 and #2). They are composed of:
  • TPM 2.0 commands code
  • TPM 2.0 core
  • Memory management and low-level services
  • Cryptographic library (NesLib 6.3.3 for ST33)

Of the two code block instances, only one is executed. The two-instance code architecture provides two resilience features:
• Fault tolerant firmware upgrade: if the firmware loading process is interrupted, the loading instance remains fully functional. The TPM doesn’t enter any limited mode.
• Self recovery: in case of a firmware integrity error of one instance, the second instance becomes active.
Figure 2: F2X firmware block diagram

2.3.3 TOE guidance documentation

The following documents must be used by the TOE user in order to configure and operate the TOE.

Table 3: User Documentation

User Documentation | Version | Date | Ref
TPM Library Part 1: Architecture, Specification Version 2.0, Revision 1.38 | Revision 1.38 | September 2016 | [6]
TPM Library Part 2: Architecture, Specification Version 2.0, Revision 1.38 | Revision 1.38 | September 2016 | [7]
TPM Library Part 3: Architecture, Specification Version 2.0, Revision 1.38 | Revision 1.38 | September 2016 | [8]
TPM Library Part 4: Architecture, Specification Version 2.0, Revision 1.38 | Revision 1.38 | September 2016 | [9]
Errata version 1.4 for TCG TPM library version 2.0 revision 1.38 | version 1.4 | January 2018 | [10]
TCG PC Client Specific Platform TPM Profile for TPM 2.0 (PTP), Family “2.0”, Level 00 Revision 1.03 | Revision 1.03 | May 2017 | [11]
Errata version 1.1 for TCG PC Client Specific Platform TPM Profile for TPM 2.0 version 1.03 | 1.1 | May 2017 | [48]
TCG EK credential profile for TPM Family 2.0 Level 0, Specification Version 2.1 Revision 13 | Revision 13 | December 10 2018 | [46]
ST33TPHF2XSPI datasheet: Flash-based TPM 2.0 device with an SPI interface | V2 | April 2019 | [39]
ST33TPHF2XSPI datasheet: Flash-based TPM 2.0 device with an SPI interface | V3 | July 2019 | [39]
ST33TPHF2XI2C datasheet: Flash-based TPM 2.0 device with an I2C interface | V1 | July 2019 | [40]
ST33GTPMASPI datasheet: Flash-based TPM 2.0 device with an SPI interface | V3 | July 2019 | [42]
ST33GTPMAI2C datasheet: Flash-based TPM 2.0 device with an I2C interface | V3 | July 2019 | [43]
TPM EK Certificate – Chip and EK authenticity verification (2.0) | 2.0 | March 2016 | [44]
ST TPM 2.0 - Security recommendations | 1.2 | October 2016 | [45]

2.3.4 Forms of delivery

The TOE is delivered in the form of complete chips which include the hardware, the firmware, the Endorsement Primary Keys and certificates, and the guidance documentation.
The TOE is finished and the extended test features are removed. The TOE is delivered in different packages (e.g. TSSOP and VQFN). The product behaviour and the ordering codes are described in the product datasheets [39], [40], [42] and [43].

2.4 TOE lifecycle

The life cycle of the TOE as part of this evaluation includes
• phase 1 “Development” and
• phase 2 “Manufacturing”
as defined in the PP [12].

Phase 1, which includes TPM development, involves the sites of
• ST ROUSSET (FRANCE)
• ST ANGMO KIO (SINGAPORE)
for the hardware development activities and
• ST ROUSSET (FRANCE)
• ST RENNES (FRANCE)
• ST ZAVENTEM (BELGIUM)
for the embedded software development activities.

Phase 2, which includes the die manufacturing and the EK and EK certificate injections, involves the sites of
• ST CROLLES (FRANCE) (Manufacturing)
• ST ROUSSET (FRANCE) (Test Manufacturing and EK/EK certificate injection)
• ST TOA PAYOH (SINGAPORE) (Test Manufacturing and EK/EK certificate injection)

Phase 2 ends with the delivery of the TOE.

3 CONFORMANCE CLAIM (ASE_CCL)

3.1 CC Conformance Claim

This security target is conformant to the Common Criteria version 3.1 R5. This security target claims to be Common Criteria version 3.1 R5
• Part 1 conformant,
• Part 2 extended and
• Part 3 conformant.
The extended Security Functional Requirement is the one defined in the protection profile.

3.2 PP Claim

This security target is in strict conformance to the PC Client Specific Trusted Platform Module Family 2.0 level 0 Revision 1.38, Version 1.1, released by the Trusted Computing Group and dated 13 June 2018. The protection profile is registered and certified by the “Agence Nationale de la Sécurité des Systèmes d’Information” (ANSSI) under the reference [ANSSI-CC-PP-2018/03].

3.3 Package claim

This security target does not claim conformance to a package of the PP [12].
This ST conforms to the assurance package EAL4 augmented with
• ALC_FLR.1 and
• AVA_VAN.5
defined in CC Part 3.

3.4 Conformance Rationale

This security target claims strict conformance to only one PP. The Target of Evaluation (TOE) is a complete solution implementing the TCG Trusted Platform Module main specifications Version 2.0 level 0 revision 1.38 ([6], [7], [8] and [9]) and the TCG PC Client Specific Platform TPM Profile Specification, Version 1.03 [11][12], as defined in the PP [12] section 2.2.1. So the TOE is consistent with the TOE type in the PP [12].

The security problem definition of this security target is consistent with the statement of the security problem definition in the PP [12], as the security target claims strict conformance to the PP [12] and no other threats, organisational security policies or assumptions are added.

The security objectives of this security target are consistent with the statement of the security objectives in the PP, as the security target claims strict conformance to the PP and no other security objectives are added.

The security requirements of this security target are consistent with the statement of the security requirements in the PP [12], as the security target claims strict conformance to the PP [12]. All assignments and selections of the security functional requirements are done in the PP [12] and in section 7.2 of this security target.

3.5 Application notes

The evidence that the PP [12] is compliant with the application note [38] released by the ANSSI (French CC Certification scheme), which defines security requirements for post-delivery code loading, is provided in this security target.

The functional requirement FCS_RNG.1 is a refinement of the FCS_RNG.1 defined in the PP [12] according to the “Anwendungshinweise und Interpretationen zum Schema (AIS)” (application notes and interpretations of the scheme), respectively “Functionality classes for random number generators” [36].
4 SECURITY PROBLEM DEFINITION (ASE_SPD)

The contents of the PP [12] apply to this chapter without any restriction or addition.

4.1 Assets

The assets of the TOE are defined in the PP [12], section 4.1 Assets. These assets have to be protected while being executed as well as when the TOE is not in operation.

4.2 Threats

The threats to security are defined in the PP [12], section 4.2 Threats. No other threats are added.

4.3 Organisational Security Policies

The organisational security policies are defined in the PP [12], section 4.3 Organisational Security Policies; no other organisational security policies are added.

4.4 Assumptions

The TOE environment is highly variable. In general, the TOE is assumed to be in an uncontrolled environment with no guarantee of the TOE’s physical security. The TOE assumptions on the IT environment are defined in the PP [12], section 4.4 Assumptions; no other assumptions are added.

5 SECURITY OBJECTIVES

This section shows the security objectives which are relevant for the TOE. For this section the PP [12] can be applied completely.

5.1 Security Objectives for the TOE

The security objectives of the TOE are defined and described in the PP [12], section 5.1 Security Objectives for the TOE. The security objectives from Note 6, “Security requirements for post-delivery code loading” [38] released by ANSSI, are also included in the TOE security objectives.

5.2 Security Objectives for the Operational Environment

The security objectives for the operational environment are described in the PP [12], section 5.2 Security Objectives for the Operational Environment; no other security objectives for the operational environment are added.

5.3 Security Objective Rationale

The security objectives rationale is described in the PP [12], section 5.3 Security Objective Rationale.
The ANSSI Note 6 security objectives rationale is described in 5.4 Public SSS_ST33TPHF2X_GTPMA_ST_18_001 Page 18 of 54 5.4 ANSSI note 6 Security Objectives Equivalence Table 4: ANSSI Note 6 Security objectives rationale Objectives Note 6 Description Security Objective or SFR equivalence O.Secure_Load_ACode The Loader of the Initial TOE shall check an evidence of authenticity and integrity of the loaded Additional Code. The Loader enforces that only the allowed version of the Additional Code can be loaded on the Initial TOE. The Loader shall forbid the loading of an Additional Code not intended to be assembled with the Initial TOE. Covered by SFR FDP_ACF.1.2/States, iteration 2 from PP [12] Covered by SFR FDP_ACF.1.3/States iterations 1 & 2 from this security target O.Secure_AC_Activation Activation of the Additional Code and update of the Identification Data shall be performed at the same time in an Atomic way. All the operations needed for the code to be able to operate as in the Final TOE shall be completed before activation. If the Atomic Activation is successful, then the resulting product is the Final TOE, otherwise (in case of interruption, or incident which prevents the forming of the final TOE), the Initial TOE shall remain in its initial state of fail secure. Covered by SFR FDP_ACF.1.2/States iteration 3 O.TOE_Identification The Identification Data identifies the Initial TOE and Additional Code. The TOE provides means to store Identification Data in its non-volatile memory and guarantees the integrity of these data. After Atomic Activation of the Additional Code, the identification Data of the Final TOE allows identifications of the initial TOE and Additional Code. The user shall be able to uniquely identify Initial TOE and Additional Code(s) which are embedded in the Final TOE. 
Security Objective or SFR equivalence: Covered by SFR FCO_NRO.1.2/M&R, iteration 6.

6 EXTENDED COMPONENTS DEFINITION (ASE_ECD)

The extended component "FCS_RNG Generation of random numbers" is defined in the PP [12], section 6.1. No other extended components are added in this security target.

7 SECURITY REQUIREMENTS (ASE_REQ)

7.1 Security Functional Requirements listed by the TPM 2.0 Protection Profile

The security functional requirements (SFRs) for the TOE are defined in the PP [12], section 7.1. All assignments and selections of the Security Functional Requirements are done in the PP, with the exception of the following SFRs, which have to be completed in the security target.

7.2 Security Functional Requirements for the TOE

FMT_MSA.2 Secure security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles
FMT_MSA.2.1 The TSF shall ensure that only secure values are accepted for: security attributes of keys, PCRs, NV storage areas, counters and firmware.

FCS_CKM.1/PKRSA Cryptographic key generation (primary keys)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
              FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1/PKRSA The TSF shall generate cryptographic primary RSA keys in accordance with a specified cryptographic key generation algorithm RSA key generator and specified cryptographic key sizes 2048 bits that meet the following: TPM library specification [6], [7], [8] in combination with [SP800-108], [IEEE1363] and [RFC 3447].

FCS_CKM.1/PKECC Cryptographic key generation (primary keys)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
              FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1/PKECC The TSF shall generate cryptographic primary ECC keys in accordance with a specified cryptographic key generation algorithm ECC key generator and specified cryptographic key sizes 256 and 384 bits that meet the following: TPM library specification [6], [7], [8] in combination with [SP800-108].

FCS_CKM.1/PKAES Cryptographic key generation (primary keys)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
              FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1/PKAES The TSF shall generate cryptographic primary symmetric keys in accordance with a specified cryptographic key generation algorithm AES key generator and specified cryptographic key sizes 128, 192 & 256 bits that meet the following: TPM library specification [6], [7], [8] in combination with [SP800-108].

FCS_CKM.1/RSA Cryptographic key generation (RSA keys)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
              FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1/RSA The TSF shall generate cryptographic RSA keys in accordance with a specified cryptographic key generation algorithm RSA key generator and specified cryptographic key sizes 2048 bits that meet the following: TPM library specification [6], [7], [8], [RFC 3447] and [IEEE1363].

FCS_CKM.1/ECC Cryptographic key generation (ECC keys)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
              FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1/ECC The TSF shall generate cryptographic ECC keys in accordance with a specified cryptographic key generation algorithm ECC key generator and specified cryptographic key sizes 256 and 384 bits that meet the following: TPM library specification [6], [7], [8].

FCS_CKM.1/SYMM Cryptographic key generation (symmetric keys)
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or FCS_COP.1 Cryptographic operation]
              FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1/SYMM The TSF shall generate cryptographic symmetric keys in accordance with a specified cryptographic key generation algorithm AES key generator and specified cryptographic key sizes 128, 192 & 256 bits that meet the following: TPM library specification [6], [7], [8].

FCS_CKM.4 Cryptographic key destruction
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method key overwriting and NV memory zeroization that meets the following: none.

FCS_COP.1/AES Cryptographic operation (symmetric encryption/decryption)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1/AES The TSF shall perform symmetric encryption and decryption in accordance with a specified cryptographic algorithm AES in the modes CFB, CTR, OFB, CBC and ECB and cryptographic key sizes 128, 192 and 256 bits that meet the following: [FIPS 197] and [SP 800-38A].

FCS_COP.1/SHA Cryptographic operation (hash function)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1/SHA The TSF shall perform hash value calculation in accordance with a specified cryptographic algorithm SHA-1, SHA-256 and SHA-384 and cryptographic key sizes none that meet the following: FIPS 180-4.

FCS_COP.1/SHA3 Cryptographic operation (hash function)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1/SHA3 The TSF shall perform hash value calculation in accordance with a specified cryptographic algorithm SHA3-256 and SHA3-384 and cryptographic key sizes none that meet the following: FIPS 202.

FCS_COP.1/HMAC/SHA Cryptographic operation (HMAC calculation)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1/HMAC/SHA The TSF shall perform HMAC value generation and verification in accordance with a specified cryptographic algorithm HMAC with SHA-1, SHA-256 and SHA-384 and cryptographic key sizes 160, 256 and 384 bits that meet the following: [FIPS 198-1] [24].

FCS_COP.1/HMAC/SHA3 Cryptographic operation (HMAC calculation)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1/HMAC/SHA3 The TSF shall perform HMAC value generation and verification in accordance with a specified cryptographic algorithm HMAC with SHA3-256 and SHA3-384 and cryptographic key sizes 256 and 384 bits that meet the following: [FIPS 198-1] [24].

FCS_COP.1/RSASign Cryptographic operation (RSA signature generation/verification)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1/RSASign The TSF shall perform signature generation and verification in accordance with a specified cryptographic algorithm RSASSA_PKCS1v1_5, RSASSA_PSS and cryptographic key sizes 2048 bit that meet the following: PKCS#1v2.1 [RFC 3447].

FCS_COP.1/ECDSA Cryptographic operation (ECC signature generation/verification)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1/ECDSA The TSF shall perform signature generation and verification in accordance with a specified cryptographic algorithm ECDSA with curves TPM_ECC_NIST_P256, TPM_ECC_NIST_P384 and TPM_ECC_BN_P256 and cryptographic key sizes 256 and 384 bits that meet the following: FIPS PUB 186-4 [22].

FCS_COP.1/ECDAA Cryptographic operation (ECDAA commit)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1/ECDAA The TSF shall perform signature generation in accordance with a specified cryptographic algorithm ECDAA with curves TPM_ECC_NIST_P256, TPM_ECC_BN_P256 and TPM_ECC_NIST_P384 and cryptographic key sizes 256 and 384 that meet the following: [FIPS 186-4] for curves TPM_ECC_NIST_P256 and TPM_ECC_NIST_P384, and [ISO/IEC 15946-5] for curve TPM_ECC_BN_P256.

FCS_COP.1/ECDEC Cryptographic operation (decryption)
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1/ECDEC The TSF shall perform decryption of ECC keys in accordance with a specified cryptographic algorithm ECDH with curves TPM_ECC_NIST_P256, TPM_ECC_NIST_P384 and TPM_ECC_BN_P256 and cryptographic key sizes 256 and 384 bits that meet the following: TPM library specification [6], [7], [8] and [SP 800-56A] [28].

FIA_UID.1 Timing of identification
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UID.1.1 The TSF shall allow
(1) to execute the indications _TPM_Hash_Start, _TPM_Hash_Data and _TPM_Hash_End,
(2) to execute commands that do not require authentication,
(3) to access objects where the entity owner has defined no authentication requirements (authValue, authPolicy),
(4) none
on behalf of the user to be performed before the user is identified.
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user, e.g. self-test.

FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_TST.1.1 The TSF shall run a suite of self tests at the request of the authorised user "World" ((1) the TPM2_SelfTest command, and for selected algorithms the TPM2_IncrementalSelfTest command) and at the conditions (1) Initialisation state after reset and before the reception of the first command, (2) prior to execution of a command using a not self-tested function, none, to demonstrate the correct operation of sensitive parts of the TSF.
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of TSF data.
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of the TSF.

FPT_FLS.1/FS Failure with preservation of secure state (fail state)
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_FLS.1.1/FS The TSF shall preserve a secure state by entering the Fail state when the following types of failures occur:
(1) if during TPM Restart or TPM Resume the TPM fails to restore the state saved at the last Shutdown(STATE), the TPM shall enter Failure Mode and return TPM_RC_FAILURE,
(2) failure detected by TPM2_ContextLoad when the decrypted value of sequence is compared to the stored value created by TPM2_ContextSave(),
(3) failure detected by self-test according to FPT_TST.1,
(4) failure of execution flow control and hardware failure.

FPT_PHP.3 Resistance to physical attack
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_PHP.3.1 The TSF shall resist physical manipulation and physical probing to the TSF by responding automatically such that the SFRs are always enforced.

FDP_ACC.2/States Complete access control (operational states)
Hierarchical to: FDP_ACC.1 Subset access control
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.2.1/States The TSF shall enforce the TPM State Control SFP on all subjects and objects and all operations among subjects and objects covered by the SFP.
FDP_ACC.2.2/States The TSF shall ensure that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP.

FDP_ACF.1/States Security attribute based access control (operational states)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
              FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1/States The TSF shall enforce the TPM State Control SFP to objects based on the following:
Subjects as defined in Table 7 (see footnote 5):
(1) Platform firmware with the security attributes platformAuth, platformPolicy and physical presence if supported by the TOE,
(2) all other subjects; their security attributes are irrelevant for this SFP.
Objects as defined in Table 8 and Table 9 (see footnote 6):
(1) Shutdown BLOB with the security attribute validation status,
(2) Firmware update data with security attributes signature of the TPM manufacturer and digest,
(3) all other objects; their security attributes are irrelevant for this SFP.
Footnote 5: See Table 7 in Protection Profile [12].
Footnote 6: See Tables 8 and 9 in Protection Profile [12].

FDP_ACF.1.2/States The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:
(1) The Platform firmware is authorised to change the TPM state to FUM if the authenticity of the first digest or the signature could be successfully verified.
(2) While in FUM state the Platform firmware is authorised to import or activate firmware data only after successful verification of its integrity and authenticity (see FDP_UIT.1/States).
(3) The FUM state shall only be left when the TOE is reset after successful loading of the firmware data.
(4) In the Init state the subject "World" is authorised to execute the commands TPM2_HashSequenceStart, TPM2_SequenceUpdate, TPM2_EventSequenceComplete, TPM2_SequenceComplete, TPM2_PCR_Extend, TPM2_Startup, TPM2_SelfTest, TPM2_GetRandom, TPM2_HierarchyControl, TPM2_HierarchyChangeAuth, TPM2_SetPrimaryPolicy, TPM2_GetCapability, TPM2_NV_Read, and the sequence _TPM_Hash_Start, _TPM_Hash_Data, and _TPM_Hash_End.
(5) In the Init state every subject is authorised to process the Resume operation on the Shutdown BLOB with state transition to Operational.
(6) In the Init state every subject is authorised to process the Restart operation on the Shutdown BLOB with state transition to Operational.
(7) In the Init state, if no Shutdown BLOB was generated or if the Shutdown BLOB is invalid (see attribute "Validation status"), every subject is authorised to process the TPM2_Startup command. In case of the parameter TPM_SU_CLEAR the TPM shall change the state to Operational and initialise its internal operational variables to default initialisation values (Reset); otherwise the TPM shall return an error and stay in the same state.
(8) In the Operational state, nobody is authorised to execute the command TPM2_Startup.
For all other subjects, objects and operations, the access control rules of the Access Control SFP shall apply (see FDP_ACF.1/AC).
(9) The Operational state shall change to Self-Test state if one of the commands TPM2_SelfTest or TPM2_IncrementalSelfTest is executed or when a test of a dedicated functionality is required (see FPT_TST.1). In the Self-Test state, nobody is authorised to execute any other TPM command.
(10) The Self-Test state shall be left only after finishing the intended test of the dedicated functionality. In case of a successful test result the state shall change to Operational, otherwise to Fail.
(11) In the Fail state, every subject is authorised to execute the commands TPM2_GetTestResult and TPM2_GetCapability.
(12) In the Fail state the subject World is authorised to send a _TPM_Init indication with state change to Init.
(13) Any subject is authorised to prepare the TPM for a power cycle using the TPM2_Shutdown command and to create a Shutdown BLOB by TPM2_Shutdown(TPM_SU_STATE).
FDP_ACF.1.3/States The TSF shall explicitly authorise access of subjects to objects based on the following additional rules:
(1) the TPM authorises to enter FUM state if the firmware update data major version is equal to the major version of the loaded firmware,
(2) the TPM authorises to enter FUM state if the firmware update data minor version is strictly bigger than the minor version of the loaded firmware.
FDP_ACF.1.4/States The TSF shall explicitly deny access of subjects to objects based on the following additional rules:
(1) Once the TPM receives a TPM2_SelfTest command and before completion of all tests, the TPM shall return TPM_RC_TESTING for any command that uses a function that requires a test.

FMT_MSA.1/States Management of security attributes (operational states)
Hierarchical to: No other components.
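The rules of FDP_ACF.1.2/States and FDP_ACF.1.3/States above describe a small state machine: Init, Operational, Self-Test, Fail and FUM, with the FUM entry gated on the platform firmware role, a verified signature or digest, and the version rule (same major version, strictly greater minor version). The Python below is an added executable model of those rules written for this page; it is not code from this security target or from the ST33 firmware. The state names, the FirmwareImage fields, the omission of the Shutdown BLOB Resume/Restart paths (rules 5, 6 and 13), and every response code other than TPM_RC_FAILURE and TPM_RC_TESTING named in the text (TPM_RC_SUCCESS, TPM_RC_INITIALIZE, TPM_RC_VALUE as the "error" of rule 7) are modelling assumptions; the version numbers in the demo are constructed in the ST's major.minor style and are not real update images.

```python
"""Executable model of the TPM State Control SFP rules FDP_ACF.1.2/States and
FDP_ACF.1.3/States as worded in this security target. Added illustration only:
not ST or ST33 firmware code. State names, FirmwareImage fields and the response
codes other than TPM_RC_FAILURE / TPM_RC_TESTING are modelling assumptions."""
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    INIT = auto()
    OPERATIONAL = auto()
    SELF_TEST = auto()
    FAIL = auto()
    FUM = auto()  # firmware update mode


# Rule (4): commands the subject "World" may execute in the Init state.
INIT_ALLOWED = {
    "TPM2_HashSequenceStart", "TPM2_SequenceUpdate", "TPM2_EventSequenceComplete",
    "TPM2_SequenceComplete", "TPM2_PCR_Extend", "TPM2_Startup", "TPM2_SelfTest",
    "TPM2_GetRandom", "TPM2_HierarchyControl", "TPM2_HierarchyChangeAuth",
    "TPM2_SetPrimaryPolicy", "TPM2_GetCapability", "TPM2_NV_Read",
    "_TPM_Hash_Start", "_TPM_Hash_Data", "_TPM_Hash_End",
}
# Rule (11): commands every subject may execute in the Fail state.
FAIL_ALLOWED = {"TPM2_GetTestResult", "TPM2_GetCapability"}


@dataclass
class FirmwareImage:
    major: int
    minor: int
    signature_ok: bool  # result of the manufacturer signature / digest verification


class TpmStateModel:
    def __init__(self, fw_major: int, fw_minor: int) -> None:
        self.state = State.INIT
        self.fw_major, self.fw_minor = fw_major, fw_minor

    def enter_fum(self, subject: str, image: FirmwareImage) -> bool:
        """Rule (1): only Platform firmware, only after signature/digest verification;
        FDP_ACF.1.3/States: same major version and strictly greater minor version."""
        if subject != "Platform firmware" or not image.signature_ok:
            return False
        if image.major != self.fw_major or image.minor <= self.fw_minor:
            return False
        self.state = State.FUM
        return True

    def activate_and_reset(self, image: FirmwareImage) -> bool:
        """Rules (2) and (3): activation needs verified integrity; FUM ends with a reset."""
        if self.state is not State.FUM or not image.signature_ok:
            return False
        self.fw_major, self.fw_minor = image.major, image.minor
        self.state = State.INIT
        return True

    def command(self, subject: str, cmd: str, param: str = "") -> str:
        """Return the modelled response code for one command in the current state."""
        if self.state is State.INIT:
            if cmd == "TPM2_Startup":  # rule (7); Resume/Restart of a Shutdown BLOB not modelled
                if param == "TPM_SU_CLEAR":
                    self.state = State.OPERATIONAL
                    return "TPM_RC_SUCCESS"
                return "TPM_RC_VALUE"  # "return an error and stay in the same state"
            return "TPM_RC_SUCCESS" if cmd in INIT_ALLOWED else "TPM_RC_INITIALIZE"
        if self.state is State.OPERATIONAL:
            if cmd == "TPM2_Startup":  # rule (8)
                return "TPM_RC_INITIALIZE"
            if cmd in ("TPM2_SelfTest", "TPM2_IncrementalSelfTest"):  # rule (9)
                self.state = State.SELF_TEST
                return "TPM_RC_TESTING"
            return "TPM_RC_SUCCESS"  # everything else falls under the Access Control SFP
        if self.state is State.SELF_TEST:  # rule (9) and FDP_ACF.1.4/States
            return "TPM_RC_TESTING"
        if self.state is State.FAIL:
            if cmd == "_TPM_Init" and subject == "World":  # rule (12)
                self.state = State.INIT
                return "TPM_RC_SUCCESS"
            return "TPM_RC_SUCCESS" if cmd in FAIL_ALLOWED else "TPM_RC_FAILURE"
        return "TPM_RC_FAILURE"  # FUM: only firmware import/activation, no TPM commands

    def finish_self_test(self, passed: bool) -> State:
        """Rule (10): leave Self-Test to Operational on success, to Fail otherwise."""
        if self.state is State.SELF_TEST:
            self.state = State.OPERATIONAL if passed else State.FAIL
        return self.state


def fum_entry_decisions(current_major: int, current_minor: int, candidates) -> list:
    """Apply the FUM entry rule to a list of (major, minor, signature_ok) candidates."""
    results = []
    for major, minor, ok in candidates:
        model = TpmStateModel(current_major, current_minor)
        results.append(model.enter_fum("Platform firmware", FirmwareImage(major, minor, ok)))
    return results


if __name__ == "__main__":
    # Constructed version numbers in the ST's major.minor style; not real update images.
    print(fum_entry_decisions(2, 256, [(2, 257, True), (2, 256, True), (3, 0, True), (2, 257, False)]))
```

The version rule is the part worth checking against a real update path: a same-version or older image is refused before any firmware data is imported, so a downgrade cannot even open FUM, and an unsigned image is refused regardless of its version.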
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1/States The TSF shall enforce the TPM state control SFP to restrict the ability to modify the security attribute TPM state to: (1) FUM: Platform firmware, (2) other than FUM: any role.

FMT_MSA.3/States Static attribute initialisation (operational states)
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles
FMT_MSA.3.1/States The TSF shall enforce the TPM state control SFP to provide restrictive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2/States The TSF shall allow nobody to specify alternative initial values to override the default values when an object or information is created.

FDP_UIT.1/States Data exchange integrity (operational states)
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              [FTP_ITC.1 Inter-TSF trusted channel, or FTP_TRP.1 Trusted path]
FDP_UIT.1.1/States The TSF shall enforce the TPM state control SFP to receive firmware update data in a manner protected from modification, deletion, insertion and replay errors.
FDP_UIT.1.2/States The TSF shall be able to determine on receipt of firmware update data whether modification, deletion, insertion or replay has occurred.

FDP_ACC.1/Hier Subset access control (object hierarchy)
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1/Hier The TSF shall enforce the TPM Object Hierarchy SFP on
Subjects:
(1) Platform firmware,
(2) Platform Owner,
(3) Privacy administrator,
(4) Lockout administrator,
(5) USER,
(6) World;
Objects:
(5) PPS,
(6) EPS,
(7) SPS,
(8) PPO,
(9) EK,
(10) SRK,
(11) Null Seed,
(12) object in a TPM hierarchy;
Operations:
(1) TPM2_CreatePrimary,
(2) TPM2_CreateLoaded,
(3) TPM2_HierarchyControl,
(4) TPM2_Clear,
(5) TPM2_ClearControl,
(6) TPM2_HierarchyChangeAuth,
(7) TPM2_SetPrimaryPolicy,
(8) TPM2_Load,
(9) TPM2_LoadExternal,
(10) TPM2_ReadPublic,
(11) Use,
(12) TPM2_ChangeEPS,
(13) TPM2_ChangePPS,
(14) TPM2_RestoreEK.

FDP_ACF.1/Hier Security attribute based access control (object hierarchy)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
              FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1/Hier The TSF shall enforce the TPM Object Hierarchy SFP to objects based on the following:
Subjects:
(1) Platform firmware with security attribute authorisation state gained by authentication with platformAuth or platformPolicy,
(2) Platform Owner with security attribute authorisation state gained by authentication with ownerAuth or ownerPolicy,
(3) Privacy administrator with security attribute authorisation state gained by authentication with endorsementAuth or endorsementPolicy,
(4) Lockout administrator with security attribute authorisation state,
(5) USER with authentication state gained with userAuth or authPolicy,
(6) World with no security attributes;
Objects:
(1) EPS, (2) PPS, (3) SPS, (4) EK, (5) PPO, (6) SRK, (7) Null Seed,
(8) object in a TPM hierarchy with security attributes: state of the hierarchy, fixedParent, fixedTpm.
FDP_ACF.1.2/Hier The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:
(1) The subject World is authorised to create an EPS whenever
the TPM is powered on and no EPS is present.
(2) The subject World is authorised to create a PPS whenever the TPM is powered on and no PPS is present.
(3) The subject World is authorised to create an SPS whenever the TPM is powered on and no SPS is present.
(4) The subject World is authorised to create a Null Seed whenever the TPM is reset.
(5) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE and the Lockout administrator with lockoutAuth are authorised to change the SPS to a new value from the RNG (TPM2_Clear). The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_Clear command.
(6) The Platform firmware is authorised to create a Platform Primary Object under PPS. The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_CreatePrimary or TPM2_CreateLoaded command.
(7) The Platform Owner is authorised to create a primary object (SRK) under SPS.
(8) The Privacy administrator is authorised to create a primary object (EK) under EPS.
(9) The subject World is authorised to create temporary objects for no hierarchy (using the Null Seed).
(10) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE and the Lockout administrator with lockoutAuth are authorised to remove all TPM context associated with a specific owner (TPM2_Clear). The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_ClearControl command.
(11) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE and the Lockout administrator with lockoutAuth are authorised to disable and enable the execution of TPM2_Clear by the command TPM2_ClearControl. The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_ClearControl command.
(12) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE, the Platform Owner, the Privacy administrator and the Lockout administrator are authorised to change the authorisation secret for a hierarchy or lockout (TPM2_HierarchyChangeAuth). The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_HierarchyChangeAuth command.
(13) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE, the Platform Owner and the Privacy administrator are authorised to set the authorisation policy for the platform hierarchy (platformPolicy), the storage hierarchy (ownerPolicy) and the endorsement hierarchy (endorsementPolicy) using the command TPM2_SetPrimaryPolicy. The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_SetPrimaryPolicy command.
(14) The Platform firmware is authorised to replace the current EPS with a value from the RNG, disable the EKs loaded by the TPM vendor and set the endorsement hierarchy controls to their default values (TPM2_ChangeEPS).
(15) The Platform firmware is authorised to replace the current PPS with a value from the RNG and set the platformPolicy to the default value (TPM2_ChangePPS).
(16) The Platform firmware is authorised to replace the current EPS with a value from the RNG, restore the EKs loaded by the TPM vendor and set the endorsement hierarchy controls to their default values (TPM2_RestoreEK). The EKs are restored from the EK values loaded by the TPM vendor in phase 2 (manufacturing and delivery) defined for case 1 in the Protection Profile [12]. The restored values are used to generate the EKs when the command TPM2_CreatePrimary uses the default creation templates defined in the TOE user guidance.
FDP_ACF.1.3/Hier The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: none.
FDP_ACF.1.4/Hier The TSF shall explicitly deny access of subjects to objects based on the following additional rules:
(1) No subject is authorised to use any object of a hierarchy if the corresponding hierarchy is disabled (i.e. phEnable for the platform hierarchy is CLEAR, shEnable for the Storage hierarchy is CLEAR, ehEnable for the EPS hierarchy is CLEAR).

FMT_MSA.1/Hier Management of security attributes (object hierarchy)
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
              FMT_SMR.1 Security roles
              FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1/Hier The TSF shall enforce the TPM Object Hierarchy SFP to restrict the ability to modify the security attributes fixedTPM and fixedParent to nobody.

FMT_MSA.3/Hier Static attribute initialisation (object hierarchy)
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
              FMT_SMR.1 Security roles
FMT_MSA.3.1/Hier The TSF shall enforce the TPM Object Hierarchy SFP to provide restrictive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2/Hier The TSF shall allow the creator of an object in a TPM hierarchy to specify alternative initial values to override the default values when an object or information is created.

FMT_MSA.4/Hier Security attribute value inheritance (hierarchy)
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FMT_MSA.4.1/Hier The TSF shall use the following rules to set the value of security attributes:
(1) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE is authorised to enable and to disable the use of the platform hierarchy and its associated NV storage (TPM2_HierarchyControl changing phEnable or phEnableNV).
The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_HierarchyControl command.
(2) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE and the Platform Owner with ownerAuth or ownerPolicy are authorised to enable and to disable the use of a Storage hierarchy (TPM2_HierarchyControl changing shEnable). The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_HierarchyControl command.
(3) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE and the Privacy administrator with endorsementAuth or endorsementPolicy are authorised to enable and to disable the use of an Endorsement hierarchy (TPM2_HierarchyControl changing ehEnable). The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_HierarchyControl command.
(4) The only way to enable the platform hierarchy is power-on of the TPM.
(5) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE is authorised to enable the use of the Endorsement hierarchy and the Storage hierarchy (TPM2_HierarchyControl). The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_HierarchyControl command.

FDP_ACF.1/AC Security attribute based access control (access control)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
              FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1/AC The TSF shall enforce the Access Control SFP to objects based on the following:
Subjects:
(1) Platform firmware with security attribute authorisation state gained by authentication with platformAuth, platformPolicy or physical presence if supported by the TOE,
(2) Platform firmware with security attribute authorisation state gained by authentication with ownerAuth or ownerPolicy,
(3) Privacy administrator with security attribute authorisation state gained by authentication with endorsementAuth or endorsementPolicy,
(4) Lockout administrator with security attribute authorisation state,
(5) USER with authentication state gained with userAuth or authPolicy,
(6) DUP with authentication state gained with authPolicy,
(7) ADMIN with authentication state gained with userAuth or authPolicy,
(8) World with no security attributes;
Objects:
(1) User key with security attributes TPM_ALG_ID, TPMA_OBJECT,
(2) TPM objects,
(3) Clock with security attributes: resetCount, restartCount, safe-flag,
(4) Data with security attribute "externally provided".
FDP_ACF.1.2/AC The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:
(1) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE and the Platform Owner are authorised to control the persistence of loadable objects in TPM memory (TPM2_EvictControl). The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_EvictControl command.
(2) The Platform firmware with platformAuth, platformPolicy or physical presence if supported by the TOE and the Platform Owner are authorised to advance the value and to adjust the rate of advance of the TPM's clock (TPM2_ClockSet, TPM2_ClockRateAdjust).
The physical presence is not required if it is not supported by the TOE or disabled for the TPM2_ClockSet or TPM2_ClockRateAdjust command, respectively.
(3) Any subject is authorised to get the current value of time, clock, resetCount and restartCount (TPM2_ReadClock).
(4) A subject with the role USER endorsed by the Privacy administrator or the keyHandle identifier of a loaded key that can perform digital signatures is authorised to get the current value of time and clock (TPM2_GetTime).
(5) No subject is authorised to set the clock to a value less than the current value of clock using the TPM2_ClockSet command.
(6) No subject is authorised to set the clock to a value greater than its maximum value (0xFFFF000000000000) using the TPM2_ClockSet command.
(7) A subject with the role USER is authorised to generate digital signatures using the command TPM2_Sign for externally provided data (hash). The user authorisation shall be done based on the required authorisation of the key that will perform signing. The key attributes shall allow the signing operation for externally provided data.
(8) Any subject is authorised to verify digital signatures using the command TPM2_VerifySignature.
(9) Any subject is authorised to request data from the random number generator using the command TPM2_GetRandom.
(10) Any subject is authorised to add additional information to the state of the random number generator using the command TPM2_StirRandom.
(11) Any subject is authorised to perform RSA encryption using the command TPM2_RSA_Encrypt for externally provided data. The key attributes shall allow the encrypt operation for externally provided data.
(12) A subject with the role USER is authorised to perform RSA decryption using the command TPM2_RSA_Decrypt for externally provided data. The user authorisation shall be done based on the required authorisation of the key that will be used for decryption. The key attributes shall allow the decrypt operation for externally provided data.
(13) Any subject is authorised to generate ECC ephemeral key pairs using the command TPM2_ECDH_KeyGen.
(14) A subject with the role USER is authorised to recover a value that is used in ECC based key sharing protocols using the command TPM2_ECDH_ZGen. The user authorisation shall be done based on the required authorisation of the involved private key.
(15) Any subject is authorised to request the parameters of an identified ECC curve using the command TPM2_ECC_Parameters.
(16) The subject USER is authorised to start a HMAC sequence using the command TPM2_HMAC_Start.
(17) The subject World is authorised to start a hash or event sequence using the command TPM2_HashSequenceStart.
(18) The subject USER is authorised to add data to a hash, event or HMAC sequence using the command TPM2_SequenceUpdate.
(19) The subject USER is authorised to add the last part of data (if any) to a hash or HMAC sequence using the command TPM2_SequenceComplete.
(20) The subject USER is authorised to add the last part of data (if any) to an event sequence using the command TPM2_EventSequenceComplete.
(21) Any subject is authorised to perform hash operations on a data buffer using the command TPM2_Hash.
(22) A subject with the role USER is authorised to perform HMAC operations on a data buffer. The user authorisation shall be done based on the required authorisation of the involved symmetric key.
(23) A subject with the role USER is authorised to generate HMACs using the command TPM2_HMAC for externally provided data (hash). The user authorisation shall be done based on the required authorisation of the key that will perform the HMAC. The key attributes shall allow the signing operation for externally provided data.
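The clock and persistence rules of FDP_ACF.1.2/AC above, written out as a small reference model so that the role check, the physical presence condition of rules (1) and (2) and the value bounds of rules (5) and (6) can be exercised on sample inputs. This is an added illustration for this page, not the TOE firmware or any ST code; Role, Subject, TpmState and Decision are names chosen for the example, and it reads the "physical presence is not required if ..." sentence in the TPM 2.0 sense (physical presence as an additional condition on platform authorisation for commands on the physical presence list), which is an assumption of the example.

```python
"""Reference model of FDP_ACF.1.2/AC rules (1), (2), (3), (5) and (6).

Added illustration written for this page; it is not the TOE firmware, and
Role, Subject, TpmState and Decision are names chosen for this example.
"""
from dataclasses import dataclass
from enum import Enum, auto

CLOCK_MAX = 0xFFFF000000000000  # rule (6): maximum value the clock may be set to


class Role(Enum):
    PLATFORM_FIRMWARE = auto()
    PLATFORM_OWNER = auto()
    PRIVACY_ADMIN = auto()
    LOCKOUT_ADMIN = auto()
    USER = auto()
    DUP = auto()
    ADMIN = auto()
    WORLD = auto()


@dataclass(frozen=True)
class Subject:
    role: Role
    authorised: bool = False         # authorisation state gained with the role's authValue or policy
    physical_presence: bool = False  # physical presence asserted for this command


@dataclass
class TpmState:
    clock: int = 0                             # current Clock value
    pp_supported: bool = True                  # does the TOE support physical presence at all?
    pp_disabled_for: frozenset = frozenset()   # commands for which physical presence was disabled


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


ALLOW = Decision(True, "allowed")


def _platform_control(subject: Subject, state: TpmState, command: str) -> Decision:
    """Rules (1) and (2): the Platform Owner (ownerAuth/ownerPolicy) or the Platform
    firmware (platformAuth/platformPolicy) may run `command`.  For the firmware,
    physical presence is additionally required unless the TOE does not support it
    or it has been disabled for this command (assumption: TPM 2.0 reading of the
    "physical presence is not required if ..." sentence)."""
    if subject.role == Role.PLATFORM_OWNER:
        return ALLOW if subject.authorised else Decision(False, "owner authorisation missing")
    if subject.role == Role.PLATFORM_FIRMWARE:
        if not subject.authorised:
            return Decision(False, "platform authorisation missing")
        pp_needed = state.pp_supported and command not in state.pp_disabled_for
        if pp_needed and not subject.physical_presence:
            return Decision(False, f"physical presence required for {command}")
        return ALLOW
    return Decision(False, f"role {subject.role.name} is not authorised for {command}")


def evict_control(subject: Subject, state: TpmState) -> Decision:
    return _platform_control(subject, state, "TPM2_EvictControl")      # rule (1)


def clock_rate_adjust(subject: Subject, state: TpmState) -> Decision:
    return _platform_control(subject, state, "TPM2_ClockRateAdjust")   # rule (2)


def clock_set(subject: Subject, state: TpmState, new_time: int) -> Decision:
    """Rule (2) authorisation followed by the value checks of rules (5) and (6)."""
    decision = _platform_control(subject, state, "TPM2_ClockSet")
    if not decision.allowed:
        return decision
    if new_time < state.clock:
        return Decision(False, "rule (5): clock may not be set below its current value")
    if new_time > CLOCK_MAX:
        return Decision(False, "rule (6): value exceeds the maximum clock value")
    state.clock = new_time
    return ALLOW


def read_clock(subject: Subject, state: TpmState) -> Decision:
    return ALLOW  # rule (3): any subject, no security attributes needed
```

The authorisation check is evaluated before the value checks, so an unauthorised caller learns nothing about the current clock value from the reason string; the model only mutates the clock once every rule has passed.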
FDP_ACF.1.3/AC The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: none.

FDP_ACF.1.4/AC The TSF shall explicitly deny access of subjects to objects based on the following additional rules: none.

7.2.1 Extended component FCS_RNG.1

The protection profile [12] defines the extended family Random Number Generation (FCS_RNG) of the class FCS (Cryptographic support) in order to describe the generation of random numbers for cryptographic purposes.

FCS_RNG.1 Random number generation
Hierarchical to: No other components.
Dependencies: No dependencies.

FCS_RNG.1.1 The TSF shall provide a deterministic random number generator that implements: NIST SP 800-90A Hash_DRBG [29].

FCS_RNG.1.2 The TSF shall provide random numbers that meet: Statistical test suites cannot practically distinguish the random numbers from output sequences of an ideal RNG.

In order to comply with the requirements defined in the standard AIS 20 [36], a refinement of the SFR FCS_RNG.1 is provided below:

FCS_RNG.1 Random number generation
Hierarchical to: No other components.
Dependencies: No dependencies.

FCS_RNG.1.1 The TSF shall provide a deterministic random number generator of AIS 20 class DRG.3 according to [36] that implements:
(DRG.3.1) If initialized with a random seed using a PTRNG of class PTG.2 as random source, the internal state of the RNG shall have at least 100 bits of min-entropy; the RNG implements NIST SP 800-90A Hash_DRBG [29] and FIPS 180-4 [22].
(DRG.3.2) The RNG provides forward secrecy.
(DRG.3.3) The RNG provides backward secrecy even if the current internal state is known.

FCS_RNG.1.2 The TSF shall provide random numbers that meet:
(DRG.3.4) The RNG, initialized with a random seed before the first use of the RNG after each product power-up and reseeded after 2^32 requests, generates output for more than 2^34 strings of bit length 128 that are mutually different with probability w > 1 - 2^-16.
(DRG.3.5) Statistical test suites cannot practically distinguish the random numbers from output sequences of an ideal RNG. The random numbers must pass the FIPS 140-2 statistical test suite.

7.3 Security assurance requirements

The Security Assurance Requirements (SAR) for the TOE are the assurance components of Evaluation Assurance Level 4 (EAL4) as defined in CC part 3, augmented with ALC_FLR.1 and AVA_VAN.5. The security assurance requirements listed in Table 5 are those defined in section 7.2 of the PP [12], with the exception of the vulnerability assessment component, which is augmented to AVA_VAN.5 whereas the PP [12] mandates AVA_VAN.4.
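The FCS_RNG.1 refinement in section 7.2.1 names a Hash_DRBG (SP 800-90A) seeded from a physical source and reseeded after 2^32 requests. The following Hash_DRBG with SHA-256 is an added illustration for this page, not the TOE's RNG and not vendor code: it follows the instantiate, reseed and generate steps of SP 800-90A section 10.1.1, enforces the reseed interval instead of silently continuing, and uses os.urandom as a stand-in for the PTG.2 physical source. The class and function names are the example's own.

```python
"""Hash_DRBG with SHA-256 (NIST SP 800-90A section 10.1.1) with the reseed
interval of the DRG.3 refinement.  Added illustration for this page: it is not
the TOE's RNG and uses no vendor code.  Names are the example's own;
os.urandom stands in for the PTG.2 physical source."""
import hashlib
import os

SEEDLEN = 55                  # 440-bit seed length for SHA-256 (SP 800-90A Table 2)
SEED_MOD = 1 << (SEEDLEN * 8)
RESEED_INTERVAL = 2 ** 32     # "reseeded after 2^32 requests" in FCS_RNG.1.2 (DRG.3.4)


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_df(input_string: bytes, n_bytes: int) -> bytes:
    """Hash_df (SP 800-90A 10.3.1): derive n_bytes from input_string."""
    no_of_bits = (n_bytes * 8).to_bytes(4, "big")
    temp, counter = b"", 1
    while len(temp) < n_bytes:
        temp += _sha256(bytes([counter]) + no_of_bits + input_string)
        counter += 1
    return temp[:n_bytes]


class HashDRBG:
    def __init__(self, entropy_input: bytes, nonce: bytes,
                 personalization: bytes = b"", reseed_interval: int = RESEED_INTERVAL):
        if len(entropy_input) < 32:  # at least 256 bits of entropy for a 256-bit strength
            raise ValueError("entropy_input too short")
        self.reseed_interval = reseed_interval
        self._install_seed(entropy_input + nonce + personalization)

    def _install_seed(self, seed_material: bytes) -> None:
        self.V = hash_df(seed_material, SEEDLEN)
        self.C = hash_df(b"\x00" + self.V, SEEDLEN)
        self.reseed_counter = 1

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        """Reseed (10.1.1.3): fresh entropy is folded into the old V."""
        self._install_seed(b"\x01" + self.V + entropy_input + additional_input)

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        """Generate (10.1.1.4); refuses output once the reseed interval is used up."""
        if self.reseed_counter > self.reseed_interval:
            raise RuntimeError("reseed required before further output")
        v = int.from_bytes(self.V, "big")
        if additional_input:
            w = int.from_bytes(_sha256(b"\x02" + self.V + additional_input), "big")
            v = (v + w) % SEED_MOD
            self.V = v.to_bytes(SEEDLEN, "big")
        # Hashgen: hash successive values of V to produce the output bits
        out, data = b"", v
        while len(out) < n_bytes:
            out += _sha256(data.to_bytes(SEEDLEN, "big"))
            data = (data + 1) % SEED_MOD
        # One-way state update: a later state does not reveal earlier output (DRG.3.3)
        h = int.from_bytes(_sha256(b"\x03" + self.V), "big")
        c = int.from_bytes(self.C, "big")
        self.V = ((v + h + c + self.reseed_counter) % SEED_MOD).to_bytes(SEEDLEN, "big")
        self.reseed_counter += 1
        return out[:n_bytes]


def needs_reseed(drbg: HashDRBG) -> bool:
    """True once the reseed interval is exhausted and generate() would refuse."""
    return drbg.reseed_counter > drbg.reseed_interval


def new_drbg() -> HashDRBG:
    """Instantiate from the operating system's entropy source (stand-in for the TRNG)."""
    return HashDRBG(os.urandom(32), os.urandom(16))
```

The reseed counter is the state variable that the DRG.3.4 clause is about: the caller is forced back to the entropy source after 2^32 generate requests, and the test below uses a small interval to show the refusal path.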
Table 5: Security assurance requirements for the TOE

Assurance Class                 Assurance components
ADV: Development                ADV_ARC.1 Security architecture description
                                ADV_FSP.4 Complete functional specification
                                ADV_IMP.1 Implementation representation of the TSF
                                ADV_TDS.3 Basic modular design
AGD: Guidance documents         AGD_OPE.1 Operational user guidance
                                AGD_PRE.1 Preparative procedures
ALC: Life-cycle support         ALC_CMC.4 Production support, acceptance procedures and automation
                                ALC_CMS.4 Problem tracking CM coverage
                                ALC_DEL.1 Delivery procedures
                                ALC_DVS.1 Identification of security measures
                                ALC_LCD.1 Developer defined life-cycle model
                                ALC_FLR.1 Basic flaw remediation - augmented
                                ALC_TAT.1 Well-defined development tools
ASE: Security Target evaluation ASE_CCL.1 Conformance claims
                                ASE_ECD.1 Extended components definition
                                ASE_INT.1 ST introduction
                                ASE_OBJ.2 Security objectives
                                ASE_REQ.2 Derived security requirements
                                ASE_SPD.1 Security problem definition
                                ASE_TSS.1 TOE summary specification
ATE: Tests                      ATE_COV.2 Analysis of coverage
                                ATE_DPT.1 Testing: security enforcing modules
                                ATE_FUN.1 Functional testing
                                ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment   AVA_VAN.5 Methodical vulnerability analysis - augmented

7.4 Security Requirements rationale

The security requirements rationale of the TOE is defined and described in the PP [12], section 7.3 Security Requirements rationale.

7.4.1 Sufficiency of SFR

The SFRs FCS_CKM.1/PKRSA, FCS_CKM.1/PKECC and FCS_CKM.1/PKAES fulfil the same objectives as the SFR FCS_CKM.1/PK defined in the PP [12] Table 11. The SFR FCS_COP.1/SHA3 fulfils the same objectives as the SFR FCS_COP.1/SHA defined in the PP [12] Table 11. The SFRs FCS_COP.1/HMAC/SHA and FCS_COP.1/HMAC/SHA3 fulfil the same objectives as the SFR FCS_COP.1/HMAC defined in the PP [12] Table 11.
7.4.2 Dependency rationale

The SFRs FCS_CKM.1/PKRSA, FCS_CKM.1/PKECC and FCS_CKM.1/PKAES fulfil the same dependency rationale as the SFR FCS_CKM.1/PK defined in the PP [12] Table 12. The SFR FCS_COP.1/SHA3 fulfils the same dependency rationale as the SFR FCS_COP.1/SHA defined in the PP [12] Table 12. The SFRs FCS_COP.1/HMAC/SHA and FCS_COP.1/HMAC/SHA3 fulfil the same dependency rationale as the SFR FCS_COP.1/HMAC defined in the PP [12] Table 12.

7.5 Security Assurance rationale

The security assurance requirements rationale of the TOE is defined and described in section 7.3 Assurance rationale.

8 TOE SUMMARY SPECIFICATION

The product overview is described in section 2.2. In the following section, the security functionality and the assurance measures of the TOE are described.

8.1 TOE Security Features

This section contains the definition and description of the security features (SF) of the TOE. The TOE provides five security features (SF) to meet the security functional requirements. The security features are:
• SF_CRY: Cryptographic Support
• SF_I&A: Identification and Authentication
• SF_G&T: General and Test
• SF_OBH: Object Hierarchy
• SF_TOP: TOE Operation

8.1.1 SF_CRY - Cryptographic Support

There are several functions within the TOE related to cryptographic support: generation of random numbers, generation of asymmetric key pairs, RSA and ECC digital signature (generation and verification), RSA, ECC and AES data encryption and decryption, key destruction, the generation of hash values and the generation and verification of MAC values.

The TOE supports the generation of cryptographic keys in accordance with the specified cryptographic key generation algorithms RSA key generator and ECC key generator and the specified cryptographic key sizes RSA 2048 bits, meeting [33] and optionally [31], and ECC with key sizes of 256 and 384 bits, meeting [6], [7], [8] and optionally [31].
RSA key generator:
• Endorsement Key generated with the default template defined in [46] is securely written in the TOE during the manufacturing process
• Other keys are generated according to [6], [7], [8] using the DRBG as random generator

ECC key generator:
• Endorsement Key generated with the default template defined in [46] is securely written in the TOE during the manufacturing process
• Other keys are generated according to [6], [7], [8] using the DRBG as random generator

The covered security functional requirements are FCS_CKM.1/PKRSA, FCS_CKM.1/PKECC, FCS_CKM.1/RSA and FCS_CKM.1/ECC.

The TOE supports the generation of symmetric cryptographic keys in accordance with the specified cryptographic key generation algorithm AES key generator and specified cryptographic key sizes 128, 192 and 256 bits that meet [6], [7], [8] and optionally [31]. The covered security functional requirements are FCS_CKM.1/PKAES and FCS_CKM.1/SYMM.

The TOE supports the destruction of cryptographic keys by erasure of volatile memory areas containing cryptographic keys in accordance with FIPS PUB 140-2 [20]. The covered security functional requirement is FCS_CKM.4.

The TOE performs encryption and decryption in accordance with the specified cryptographic algorithm AES in the CFB, CTR, OFB, CBC and ECB modes and cryptographic key sizes of 128, 192 and 256 bits that meet [FIPS 197] and [SP 800-38A]. The covered security functional requirement is FCS_COP.1/AES.

The TOE performs the hash value calculation in accordance with the specified cryptographic algorithms SHA-1, SHA-256 and SHA-384 that meet [FIPS 180-4], and SHA3-256 and SHA3-384 that meet [FIPS 202]. The covered security functional requirement is FCS_COP.1/SHA.
The TOE performs HMAC value calculation and verification in accordance with the specified cryptographic algorithm HMAC with SHA-1, SHA-256, SHA-384, SHA3-256 and SHA3-384 and cryptographic key sizes 160, 256 and 384 bits that meet [FIPS 198-1] and [FIPS 180-4]. The covered security functional requirements are FCS_COP.1/HMAC/SHA and FCS_COP.1/HMAC/SHA3.

The TOE performs asymmetric encryption and decryption in accordance with the specified cryptographic algorithms RSA without padding, RSAES-PKCS1-v1_5 and RSAES-OAEP and cryptographic key size 2048 bits that meet [RFC 3447]. The covered security functional requirement is FCS_COP.1/RSAED.

The TOE performs signature generation and signature verification in accordance with the specified cryptographic algorithms RSASSA-PKCS1-v1_5 and RSASSA-PSS and cryptographic key size 2048 bits that meet [RFC 3447]. The covered security functional requirement is FCS_COP.1/RSASign.

The TOE performs signature generation and signature verification in accordance with the specified cryptographic algorithm ECDSA with curves TPM_ECC_NIST_P256, TPM_ECC_NIST_P384 and TPM_ECC_BN_P256 and cryptographic key sizes 256 and 384 bits that meet TPM library specification [TPM2.0 Part1 r138] section C.4. The covered security functional requirement is FCS_COP.1/ECDSA.

The TOE performs signature generation in accordance with the specified cryptographic algorithm ECDAA with curves TPM_ECC_NIST_P256, TPM_ECC_NIST_P384 and TPM_ECC_BN_P256 and cryptographic key sizes 256 and 384 bits that meet TPM library specification [TPM2.0 Part1 r138], section C.4.2. The covered security functional requirement is FCS_COP.1/ECDAA.

The TOE performs decryption of ECC keys in accordance with the specified cryptographic algorithm ECDH with curves TPM_ECC_BN_P256, TPM_ECC_NIST_P256 and TPM_ECC_NIST_P384 and cryptographic key sizes 256 and 384 bits that meet TPM library specification [6], [7], [8] and [SP 800-56A] section 6.1.1.2.
The covered security functional requirement is FCS_COP.1/ECDEC.

The TOE provides a deterministic random number generator (DRBG) including a true random generator, which is used for the seeding of the DRBG, to provide the random numbers. The TOE provides random numbers that fulfil the requirements of the functional class DRG.3 of [AIS 20] and [SP 800-90Ar1]. The DRBG is based on a HASH_DRBG with SHA-256. The covered security functional requirement is FCS_RNG.1.

The SF_CRY Cryptographic Support covers the following security functional requirements:
• FCS_CKM.1/PKRSA,
• FCS_CKM.1/PKECC,
• FCS_CKM.1/PKAES,
• FCS_CKM.1/RSA,
• FCS_CKM.1/ECC,
• FCS_CKM.1/SYMM,
• FCS_CKM.4,
• FCS_COP.1/AES,
• FCS_COP.1/SHA,
• FCS_COP.1/HMAC/SHA,
• FCS_COP.1/HMAC/SHA3,
• FCS_COP.1/RSAED,
• FCS_COP.1/RSASign,
• FCS_COP.1/ECDSA,
• FCS_COP.1/ECDAA,
• FCS_COP.1/ECDEC and
• FCS_RNG.1.

8.1.2 SF_I&A - Identification and Authentication

The TPM provides two mechanisms for the identification and authentication capability to authorize the use of a Protected Object and Protected Capability. Note that the TCG TPM Library specification refers to the identification and authentication process and access control as authorization. The first authentication mechanism is the proof of knowledge of a shared secret (password or secret for HMAC) assigned to the entity as authValue. The second mechanism is the authentication of the user and verification of an intended state of the TPM and its environment encoded in authPolicy and assigned to the entity.

The TOE provides a mechanism to generate secrets that meet a uniform distribution of the random variable generating the value, and is able to enforce the use of TSF generated secrets for nonce values for authorization sessions and for unknown authValues. The covered security functional requirement is FIA_SOS.2.

The TOE uses different rules to set the value of security attributes.
The covered security functional requirement is FMT_MSA.4/AUTH.

The TOE provides the management functionality of the TSF data by user authorization. The covered security functional requirement is FMT_MTD.1/AUTH.

The TOE detects when the maximal number of unsuccessful authentication attempts occurs for objects and NV indices where DA is active and blocks the authorizations for a defined time. The covered security functional requirement is FIA_AFL.1/Recover.

The TOE detects when one unsuccessful authentication attempt occurs using lockoutAuth in the command TPM2_DictionaryAttackLockReset and blocks the TPM2_DictionaryAttackLockReset command for a defined time. The covered security functional requirement is FIA_AFL.1/Lockout.

The TOE detects when a defined number of successful authentication events exceeds pinLimit for an NV index with the attribute TPM_NT_PIN_PASS and blocks further authorization events. The covered security functional requirement is FIA_AFL.1/PINPASS.

The TOE detects when a defined number of unsuccessful authentication events exceeds pinLimit for an NV index with the attribute TPM_NT_PIN_FAIL and blocks further authorization events. The covered security functional requirement is FIA_AFL.1/PINFAIL.

The TOE allows a defined number of commands and objects to be accessed by the user before the user is authenticated/identified. The covered security functional requirements are FIA_UID.1 and FIA_UAU.1.

The TOE provides different authentication mechanisms to support user authentication and authenticates any user's claimed identity according to the different rules. The TOE provides re-authentication of the user for multiple command processing. The covered security functional requirements are FIA_UAU.5 and FIA_UAU.6.

The TOE associates security attributes with subjects acting on the behalf of that user.
The TOE enforces different rules on the initial association of user security attributes with subjects acting on the behalf of users and enforces different rules governing changes to the user security attributes associated with subjects acting on the behalf of users. The covered security functional requirement is FIA_USB.1.

The SF_I&A - Identification and Authentication covers the following security functional requirements:
• FIA_SOS.2,
• FMT_MSA.4/AUTH,
• FMT_MTD.1/AUTH,
• FIA_AFL.1/Recover,
• FIA_AFL.1/Lockout,
• FIA_AFL.1/PINPASS,
• FIA_AFL.1/PINFAIL,
• FIA_UID.1,
• FIA_UAU.1,
• FIA_UAU.5,
• FIA_UAU.6 and
• FIA_USB.1.

8.1.3 SF_G&T - General and Test

The TOE provides the roles Platform firmware, Platform owner, Privacy Administrator, Lockout Administrator, User, Admin, DUP and World and associates users with roles. The roles are enforced within the TOE because specific commands and specific keys are bound to the different tokens. The covered security functional requirement is FMT_SMR.1.

The TOE performs different management functions. The covered security functional requirement is FMT_SMF.1.

The TOE ensures that only secure values are accepted for security attributes. The covered security functional requirement is FMT_MSA.2.

The TOE provides reliable time stamps as the number of milliseconds the TOE has been powered since initialization of the Clock value. The covered security functional requirement is FPT_STM.1.

The TOE ensures that any previous information content of a resource is made unavailable upon the deallocation of the resource from defined objects. The covered security functional requirement is FDP_RIP.1.

The TOE supports a suite of self-tests during startup and at the request of the authorized user World to demonstrate the correct operation of sensitive parts of the TSF and to verify the integrity of stored TSF executable code and parts of TSF data. The covered security functional requirement is FPT_TST.1.
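The dictionary-attack lockout described for FIA_AFL.1/Recover and FIA_AFL.1/Lockout in section 8.1.2 (failed authValue attempts on DA-protected objects and NV indices blocked for a defined time; a wrong lockoutAuth blocking TPM2_DictionaryAttackLockReset for a defined time) can be modelled as a small state machine. The following is an added illustration for this page, not the TOE firmware: the parameter names follow the TPM 2.0 DA parameters maxTries, recoveryTime and lockoutRecovery, which this page does not itself list, the classes are the example's own, time is passed in explicitly so the behaviour is testable, and the recovery step (one failure forgiven once the recovery time has elapsed) is a simplification of the TPM 2.0 failedTries decrement.

```python
"""Model of the dictionary-attack (DA) lockout behind FIA_AFL.1/Recover and
FIA_AFL.1/Lockout.  Added illustration for this page; not the TOE firmware.
Parameter names follow TPM2_DictionaryAttackParameters (maxTries,
recoveryTime, lockoutRecovery); the classes are the example's own and the
recovery step is a simplification of the TPM 2.0 failedTries decrement."""
from dataclasses import dataclass
from typing import Optional
import hmac


@dataclass
class DAParameters:
    max_tries: int = 32                 # failures allowed before the lockout engages
    recovery_time_ms: int = 10_000      # lockout length; afterwards one failure is forgiven
    lockout_recovery_ms: int = 60_000   # block on TPM2_DictionaryAttackLockReset after a bad lockoutAuth


class DictionaryAttackProtection:
    def __init__(self, params: Optional[DAParameters] = None):
        self.params = params or DAParameters()
        self.failed_tries = 0
        self.locked_until_ms = 0
        self.lockout_reset_blocked_until_ms = 0

    def is_locked(self, now_ms: int) -> bool:
        return now_ms < self.locked_until_ms

    def authorize(self, presented: bytes, expected: bytes, now_ms: int,
                  da_protected: bool = True) -> bool:
        """Check an authValue for an object or NV index.  While the DA lockout is
        in effect even a correct value is rejected (FIA_AFL.1/Recover); objects
        created without DA protection neither count nor are blocked."""
        if da_protected:
            if self.is_locked(now_ms):
                return False
            if self.failed_tries >= self.params.max_tries:
                # recovery time has elapsed: forgive one failure (simplified model)
                self.failed_tries = self.params.max_tries - 1
                self.locked_until_ms = 0
        if hmac.compare_digest(presented, expected):   # constant-time comparison
            return True
        if da_protected:
            self.failed_tries += 1
            if self.failed_tries >= self.params.max_tries:
                self.locked_until_ms = now_ms + self.params.recovery_time_ms
        return False

    def lockout_reset(self, presented: bytes, lockout_auth: bytes, now_ms: int) -> bool:
        """TPM2_DictionaryAttackLockReset authorised with lockoutAuth.  A single
        wrong lockoutAuth blocks the command for lockoutRecovery (FIA_AFL.1/Lockout)."""
        if now_ms < self.lockout_reset_blocked_until_ms:
            return False
        if not hmac.compare_digest(presented, lockout_auth):
            self.lockout_reset_blocked_until_ms = now_ms + self.params.lockout_recovery_ms
            return False
        self.failed_tries = 0
        self.locked_until_ms = 0
        return True
```

Two properties worth checking in any such model: a correct secret presented during the lockout must still be refused (otherwise the lockout is only a rate limit on wrong guesses), and the lockoutAuth path must have its own, separate block so that the reset command cannot itself be used to probe the lockout secret.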
The TOE preserves a secure state by entering the Fail state when a failure occurs during TPM Restart or Resume, when a failure is detected by TPM2_ContextLoad or by the self-test of any crypto operation (including RSA encryption, RSA decryption, AES encryption, AES decryption, SHA-1, RNG, RSA signature generation and HMAC generation), or when a failure of any command, internal operation or authorization occurs. The covered security functional requirement is FPT_FLS.1/FS.

The TOE preserves a secure state by shutdown when detecting a physical attack or an environmental condition whose value is out of specification. The covered security functional requirement is FPT_FLS.1/SD.

The TOE resists physical manipulation and physical probing of the TSF by responding automatically such that the SFRs are always enforced. The TOE supports the following functions for protection against and detection of physical manipulation and probing:
• Protection by an active shield that commands an automatic reaction on die integrity violation detection.
• Preventative mechanisms implemented in order to mitigate the risk of information disclosure or unauthorized modification:
  • Bus encryption
  • Memory scrambling and encryption
  • Mechanisms for operation execution concealment
  • Clock frequency modification and jittering
  • Intrinsic countermeasures for cryptographic algorithms against side channel attacks like timing attacks (TA), SPA and DPA.
• Detection of abnormal behavior of the following operational conditions:
  • High voltage supply
  • Glitches
• Detection of abnormal TOE behavior:
  • MPU error
  • TRNG failure

The covered security functional requirements are FPT_PHP.3, FDP_ITT.1 and FPT_ITT.1.
The SF_G&T - General and Test covers the following security functional requirements:
• FMT_SMR.1,
• FMT_SMF.1,
• FMT_MSA.2,
• FPT_STM.1,
• FDP_RIP.1,
• FPT_TST.1,
• FPT_FLS.1/FS,
• FPT_FLS.1/SD,
• FPT_PHP.3,
• FDP_ITT.1 and
• FPT_ITT.1.

8.1.4 SF_OBH - Object Hierarchy

The TOE supports different states during its lifecycle as described in detail in [TPM2.0 PP] section 7.1.4.1, TPM Operational States. The TOE enforces the TPM State Control SFP on all subjects and objects and all operations among subjects and objects covered by the SFP. The TOE ensures that all operations between any subject controlled by the TSF and any object controlled by the TSF are covered by an access control SFP and enforces different access control rules on controlled subjects and objects. The covered security functional requirements are FDP_ACC.2/States and FDP_ACF.1/States.

The TOE enforces the TPM state control SFP to restrict the ability to modify the security attribute TPM state and to provide restrictive default values for security attributes that are used to enforce the SFP. The TOE enforces the TPM state control SFP to receive firmware update data in a manner protected from errors and determines, on receipt of firmware update data, whether an error has occurred. The covered security functional requirements are FMT_MSA.1/States, FMT_MSA.3/States and FDP_UIT.1/States.

The TOE supports three different hierarchies: the platform hierarchy, the storage hierarchy and the endorsement hierarchy. The root of each TPM hierarchy is defined by a primary seed, which is a random value persistently stored in the TOE. A hierarchy may be disabled. The TOE monitors user data stored in containers controlled by the TSF for data modifications and modification of hierarchy on all objects, based on the different attributes. The covered security functional requirement is FDP_SDI.1.
The TOE enforces the TPM Object Hierarchy SFP on defined subjects, objects and operations, enforces different rules to determine if an operation among controlled subjects and controlled objects is allowed, and denies access of subjects to objects based on different rules. The covered security functional requirements are FDP_ACC.1/Hier and FDP_ACF.1/Hier.

The TOE enforces the TPM Object Hierarchy SFP to not allow the modification of the security attributes fixedTPM and fixedParent. The covered security functional requirement is FMT_MSA.1/Hier.

The TOE enforces the TPM Object Hierarchy SFP to provide restrictive default values for security attributes that are used to enforce the SFP and allows the creator of an object in a TPM hierarchy to specify alternative initial values to override the default values when an object or information is created. The covered security functional requirement is FMT_MSA.3/Hier.

The TOE enforces different rules to set the value of security attributes. The covered security functional requirement is FMT_MSA.4/Hier.

The TOE allows the import and export of data as an object of a hierarchy. The TOE enforces the Data Export and Import SFP on subjects, objects and operations. The Data Export and Import SFP enforces different rules to determine if an operation between a controlled subject and controlled object is allowed. The covered security functional requirements are FDP_ACC.1/ExIm and FDP_ACF.1/ExIm.

The TOE enforces the Data Export and Import SFP to restrict the ability to use the security attribute authorization data to every subject, to provide restrictive default values for security attributes that are used to enforce the SFP and to prevent overriding the default values when an object or information is created.
The covered security functional requirements are FMT_MSA.1/ExIm and FMT_MSA.3/ExIm.

The TOE enforces the Data Export and Import SFP when exporting user data, controlled under the SFP(s), outside of the TOE, and exports the user data with the user data's associated security attributes. The TOE ensures that the security attributes, when exported outside the TOE, are unambiguously associated with the exported user data, and different rules are enforced when user data is exported from the TOE. The covered security functional requirement is FDP_ETC.2/ExIm.

The TOE enforces the Data Export and Import SFP when importing user data, controlled under the SFP(s), from outside of the TOE. The correct interpretation, association and use of the security attributes associated with the imported user data are ensured, and different rules are enforced when user data is imported from outside the TOE. The covered security functional requirement is FDP_ITC.2/ExIm.

The TOE enforces the Data Export and Import SFP to transmit user data in a manner protected from unauthorised disclosure and to transmit and receive user data in a manner protected from modification errors. The TOE is able to determine, on receipt of user data, whether modification has occurred. The covered security functional requirements are FDP_UCT.1/ExIm and FDP_UIT.1/ExIm.

The TOE enforces the Measurement and Reporting SFP on subjects, objects and operations. The Measurement and Reporting SFP enforces different rules to determine if an operation among controlled subjects and controlled objects is allowed. The covered security functional requirements are FDP_ACC.1/M&R and FDP_ACF.1/M&R.
The TOE enforces the Measurement and Reporting SFP to restrict the ability to modify the security attributes PCR attributes, PCR extension algorithm and used hash algorithm to the subject Platform firmware, to provide restrictive default values for security attributes that are used to enforce the SFP, and to prevent overriding the default values when an object or information is created. The covered security functional requirements are FMT_MSA.1/M&R and FMT_MSA.3/M&R.

The TOE is able to generate evidence of origin for transmitted attestation structures and object creation tickets at the request of the originator and provides a capability to verify the evidence of origin of information to the recipient, given that the recipient can verify the signature and has confidence in the key that is used to sign. The covered security functional requirement is FCO_NRO.1/M&R.

The SF_OBH - Object Hierarchy covers the following security functional requirements:
• FDP_ACC.2/States,
• FDP_ACF.1/States,
• FMT_MSA.1/States,
• FMT_MSA.3/States,
• FDP_UIT.1/States,
• FDP_SDI.1,
• FDP_ACC.1/Hier,
• FDP_ACF.1/Hier,
• FMT_MSA.1/Hier,
• FMT_MSA.3/Hier,
• FMT_MSA.4/Hier,
• FDP_ACC.1/ExIm,
• FDP_ACF.1/ExIm,
• FMT_MSA.1/ExIm,
• FMT_MSA.3/ExIm,
• FDP_ETC.2/ExIm,
• FDP_ITC.2/ExIm,
• FDP_UCT.1/ExIm,
• FDP_UIT.1/ExIm,
• FDP_ACC.1/M&R,
• FDP_ACF.1/M&R,
• FMT_MSA.1/M&R,
• FMT_MSA.3/M&R and
• FCO_NRO.1/M&R.

8.1.5 SF_TOP - TOE Operation

The TOE enforces the Access Control SFP on different subjects, objects and operations and enforces different rules to determine if an operation among controlled subjects and controlled objects is allowed. The TOE explicitly authorizes access of subjects to objects based on different additional rules and explicitly denies access of subjects to objects based on the different additional rules.
The covered security functional requirements are FDP_ACC.1/AC and FDP_ACF.1/AC.

The TOE enforces the Access Control SFP to restrict the ability to query and modify different security attributes to specific subjects, to provide restrictive default values for security attributes that are used to enforce the SFP and to specify alternative initial values to override the default values when an object or information is created. The covered security functional requirements are FMT_MSA.1/AC and FMT_MSA.3/AC.

The TOE enforces the Access Control SFP to transmit user data in a manner protected from unauthorised disclosure. The TOE provides a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure. The TOE initiates communication via the trusted channel and permits another trusted IT product to initiate communication via the trusted channel. The covered security functional requirements are FDP_UCT.1/AC and FTP_ITC.1/AC.

The TSF shall restrict the ability to disable and enable the function TPM2_Clear to the subjects Platform firmware and Lockout administrator. The covered security functional requirement is FMT_MOF.1/AC.

The TSF shall enforce the NVM SFP on different subjects, objects and operations and enforces different rules to determine if an operation among controlled subjects and controlled objects is allowed. The covered security functional requirements are FDP_ACC.1/NVM and FDP_ACF.1/NVM.

The TOE enforces the NVM SFP to restrict the ability to query and modify the security attribute NV index attributes to the authorized role of the subject that executes the NVM related command and to provide restrictive default values when an object or information is created. The TOE does not allow the default values to be overridden with alternative initial values when an object or information is created.
The TOE enforces different rules to set the value of security attributes and restricts the ability to modify the authorization secret (authValue) for an NV index to the subject ADMIN. The covered security functional requirements are FMT_MSA.1/NVM, FMT_MSA.3/NVM, FMT_MSA.4/NVM and FMT_MTD.1/NVM.

The TOE enforces the NVM SFP when importing user data, controlled under the SFP, and ignores any security attributes associated with the user data when imported from outside the TOE. Additionally, the TOE enforces different rules when importing user data controlled under the SFP from outside the TOE. The TOE enforces the NVM SFP when exporting user data, controlled under the SFP(s), outside of the TOE. The covered security functional requirements are FDP_ITC.1/NVM and FDP_ETC.1/NVM.

The TOE enforces the Credential SFP on different subjects, objects and operations and enforces different rules to determine if an operation among controlled subjects and controlled objects is allowed. The covered security functional requirements are FDP_ACC.1/Cre and FDP_ACF.1/Cre.

The TOE enforces the Credential SFP to provide restrictive default values for security attributes that are used to enforce the SFP and prevents overriding the default values when an object or information is created. The TOE enforces the Credential SFP to restrict the ability to use the security attribute HMAC in the credential BLOB to the subject USER. The covered security functional requirements are FMT_MSA.1/Cre and FMT_MSA.3/Cre.

The TOE generates evidence of origin for transmitted TPM objects at the request of the originator and relates to the information whether the object is resident in an authentic TPM of the originator of the information, and the name and the public area of the TPM object of the information to which the evidence applies.
The TOE provides a capability to verify the evidence of origin of information to the initiator based on a credential BLOB that was generated by the credential provider. The covered security functional requirement is FCO_NRO.1/Cre.

The SF_TOP - TOE Operation covers the following security functional requirements:
• FDP_ACC.1/AC,
• FDP_ACF.1/AC,
• FMT_MSA.1/AC,
• FMT_MSA.3/AC,
• FDP_UCT.1/AC,
• FTP_ITC.1/AC,
• FMT_MOF.1/AC,
• FDP_ACC.1/NVM,
• FDP_ACF.1/NVM,
• FMT_MSA.1/NVM,
• FMT_MSA.3/NVM,
• FMT_MSA.4/NVM,
• FMT_MTD.1/NVM,
• FDP_ITC.1/NVM,
• FDP_ETC.1/NVM,
• FDP_ACC.1/Cre,
• FDP_ACF.1/Cre,
• FMT_MSA.1/Cre,
• FMT_MSA.3/Cre and
• FCO_NRO.1/Cre.

8.1.6 Assignment of Security Functional Requirements

Each security functional requirement is assigned to exactly one of the security features SF_CRY, SF_I&A, SF_G&T, SF_OBH and SF_TOP:

Security Functional Requirement   Security Feature
FMT_SMR.1                         SF_G&T
FMT_SMF.1                         SF_G&T
FMT_MSA.2                         SF_G&T
FPT_STM.1                         SF_G&T
FDP_RIP.1                         SF_G&T
FCS_RNG.1                         SF_CRY
FCS_CKM.1/PKRSA                   SF_CRY
FCS_CKM.1/PKECC                   SF_CRY
FCS_CKM.1/PKAES                   SF_CRY
FCS_CKM.1/RSA                     SF_CRY
FCS_CKM.1/ECC                     SF_CRY
FCS_CKM.1/SYMM                    SF_CRY
FCS_CKM.4                         SF_CRY
FCS_COP.1/AES                     SF_CRY
FCS_COP.1/SHA                     SF_CRY
FCS_COP.1/SHA3                    SF_CRY
FCS_COP.1/HMAC/SHA                SF_CRY
FCS_COP.1/HMAC/SHA3               SF_CRY
FCS_COP.1/RSAED                   SF_CRY
FCS_COP.1/RSASign                 SF_CRY
FCS_COP.1/ECDSA                   SF_CRY
FCS_COP.1/ECDAA                   SF_CRY
FCS_COP.1/ECDEC                   SF_CRY
FIA_SOS.2                         SF_I&A
FMT_MSA.4/AUTH                    SF_I&A
FMT_MTD.1/AUTH                    SF_I&A
FIA_AFL.1/Recover                 SF_I&A
FIA_AFL.1/Lockout                 SF_I&A
FIA_AFL.1/PINPASS                 SF_I&A
FIA_AFL.1/PINFAIL                 SF_I&A
FIA_UID.1                         SF_I&A
FIA_UAU.1                         SF_I&A
FIA_UAU.5                         SF_I&A
FIA_UAU.6                         SF_I&A
FIA_USB.1                         SF_I&A
FPT_TST.1                         SF_G&T
FPT_FLS.1/FS                      SF_G&T
FPT_FLS.1/SD                      SF_G&T
FPT_PHP.3                         SF_G&T
FDP_ITT.1                         SF_G&T
FPT_ITT.1                         SF_G&T
FDP_ACC.2/States                  SF_OBH
FDP_ACF.1/States                  SF_OBH
FMT_MSA.1/States                  SF_OBH
FMT_MSA.3/States                  SF_OBH
FDP_UIT.1/States                  SF_OBH
FDP_SDI.1                         SF_OBH
FDP_ACC.1/Hier                    SF_OBH
FDP_ACF.1/Hier                    SF_OBH
FMT_MSA.1/Hier                    SF_OBH
FMT_MSA.3/Hier                    SF_OBH
FMT_MSA.4/Hier                    SF_OBH
FDP_ACC.1/ExIm                    SF_OBH
FDP_ACF.1/ExIm                    SF_OBH
FMT_MSA.1/ExIm                    SF_OBH
FMT_MSA.3/ExIm                    SF_OBH
FDP_ETC.2/ExIm                    SF_OBH
FDP_ITC.2/ExIm                    SF_OBH
FDP_UCT.1/ExIm                    SF_OBH
FDP_UIT.1/ExIm                    SF_OBH
FDP_ACC.1/M&R                     SF_OBH
FDP_ACF.1/M&R                     SF_OBH
FMT_MSA.1/M&R                     SF_OBH
FMT_MSA.3/M&R                     SF_OBH
FCO_NRO.1/M&R                     SF_OBH
FDP_ACC.1/AC                      SF_TOP
FDP_ACF.1/AC                      SF_TOP
FMT_MSA.1/AC                      SF_TOP
FMT_MSA.3/AC                      SF_TOP
FDP_UCT.1/AC                      SF_TOP
FTP_ITC.1/AC                      SF_TOP
FMT_MOF.1/AC                      SF_TOP
FDP_ACC.1/NVM                     SF_TOP
FDP_ACF.1/NVM                     SF_TOP
FMT_MSA.1/NVM                     SF_TOP
FMT_MSA.3/NVM                     SF_TOP
FMT_MSA.4/NVM                     SF_TOP
FMT_MTD.1/NVM                     SF_TOP
FDP_ITC.1/NVM                     SF_TOP
FDP_ETC.1/NVM                     SF_TOP
FDP_ACC.1/Cre                     SF_TOP
FDP_ACF.1/Cre                     SF_TOP
FMT_MSA.1/Cre                     SF_TOP
FMT_MSA.3/Cre                     SF_TOP
FCO_NRO.1/Cre                     SF_TOP

9 ACRONYMS

For the purposes of this document, the acronyms given in CC Parts 2 and 3 and the following apply.

Acronym   Description
AFL       Application Flash Loader
AuthData  Authentication Data or Authorisation Data, depending on the context
CA        Certificate Authority
CFB       Cipher Feedback mode
CML       Code Memory Loader
CRTM      Core Root of Trust for Measurement
CTR       Counter-mode encryption
DA        Dictionary Attack
DAA       Direct Anonymous Attestation
DRBG      Deterministic Random Bit Generator
EAL       Evaluation Assurance Level
ECB       Electronic Codebook
ECC       Elliptic Curve Cryptography
ECDAA     ECC-based Direct Anonymous Attestation
ECDH      Elliptic Curve Diffie-Hellman
EK        Endorsement Key
EPS       Endorsement Primary Seed
FIPS      Federal Information Processing Standard
FU        Field Upgrade
FUM       Field Upgrade Mode
HMAC      Hash Message Authentication Code
HW        Hardware Interface
I/O       Input/Output
IV        Initialisation Vector
KDF       Key Derivation Function
MMIO      Memory Mapped I/O
MPU       Memory Protecting Unit
NIST      National Institute of Standards and Technology
NV        Non-volatile
NVM       Non-Volatile Memory
OAEP      Optimal Asymmetric Encryption Padding
PCR       Platform Configuration Register(s)
PK        Primary Key
PP        Physical Presence, Protection Profile
PPO       Platform Primary Object
PPS       Platform Primary Seed
PRIVEK    Private Endorsement Key
PRNG      Pseudo Random Number Generator
PUBEK     Public Endorsement Key
RNG       Random Number Generator
RSA       Algorithm for public-key cryptography. The letters R, S, and A represent the initials of the first public describers of the algorithm, Rivest, Shamir and Adleman.
Public SSS_ST33TPHF2X_GTPMA_ST_18_001 Page 49 of 54 Acronym Description RTM Root of Trust for Measurement RTR Root of Trust for Reporting RTS Root of Trust for Storage SHA Secure Hash Algorithm SPS Storage Primary Seed SRK Storage Root Key TCB Trusted Computing Base TCG Trusted Computing Group TOE Target of Evaluation TPM Trusted Platform Module TPM_ Prefix for a command defined in TPM 1.2 library specifications TPM2_ Prefix for a command defined in TPM 2.0 library specifications UTC Universal Time Clock Public SSS_ST33TPHF2X_GTPMA_ST_18_001 Page 50 of 54 Appendix A REFERENCES The following materials are to be used in conjunction with or are referenced by this document. [1] [CCMB-2017-04-001] Common Criteria for Information Technology Security Evaluation, Version 3.1, Part 1: Introduction and general model, Revision 5, April 2017 [2] [CCMB-2017-04-002] Common Criteria for Information Technology Security Evaluation, Version 3.1, Part 2: Security functional components, Revision 5, April 2017 [3] [CCMB-2017-04-003] Common Criteria for Information Technology Security Evaluation, Version 3.1, Part 3: Security assurance components, Revision 5, April 2017 [4] [CCMB-2017-04-04] Common Methodology for Information Technology Security Evaluation (CEM) Evaluation Methodology, Version 3.1, Rev 5, April 2017 [5] [TCG Glossary] http://www.trustedcomputinggroup.org/developers/glossary [6] [TPM2.0 Part1 r138] TPM Library Part 1: Architecture, Specification Version 2.0, Revision 1.38, September 2016, Trusted Computing Group Incorporated [7] [TPM2.0 Part2 r138] TPM Library Part 2: TPM Structures, Specification Version 2.0, Revision 1.38, September 2016, Trusted Computing Group Incorporated [8] [TPM2.0 Part3 r138] TPM Library Part 3: Commands, Specification Version 2.0, Revision 1.38, September 2016, Trusted Computing Group Incorporated [9] [TPM2.0 Part4 r138] TPM Library Part 4: Supporting Routines, Specification Version 2.0, Revision 1.38, September 2016, Trusted Computing Group 
Incorporated [10] [TPM2.0 rev138 Err 1.4] Errata version 1.4 January 8th, 2018 for TCG TPM library Family “2.0” level 0 revision 1.38 September 29th 2016, Trusted Computing Group Incorporated. [11] [PTP 1.03] TCG PC Client Specific Platform TPM Profile for TPM 2.0 (PTP), Family “2.0”, Level 00 Revision 1.03, May 2017, Trusted Computing Group Incorporated [12] [TPM2.0 PP] PC Client Specific Trusted Platform Module Family 2.0 level 0 Revision 1.38, Version 1.1 - [ANSSI-CC-PP-2018/03], Trusted Computing Group Incorporated Public SSS_ST33TPHF2X_GTPMA_ST_18_001 Page 51 of 54 [13] [IEEE P1363-2000] Standard Specifications for Public Key Cryptography, Institute of Electrical and Electronics Engineers, Inc. (note reaffirmation PAR is actual running) [14] [ISO/IEC 9796-2] ISO/IEC 9796-2, Information technology – Security techniques – Digital signature scheme giving message recovery – Part 2: Integer factorization based mechanisms, ISO, 2002. [15] [ISO/IEC 9797-2] ISO/IEC 9797-2, Information technology -- Security techniques -- Message Authentication Codes (MACs) -- Part 2: Mechanisms using a dedicated hash- function [16] [ISO/IEC 10116] ISO/IEC 10116:2006, Information technology — Security techniques — Modes of operation for an n-bit block cipher [17] [ISO/IEC 10118-3] ISO/IEC 10118-3, Information technology — Security techniques — Hash-functions — Part 3: Dedicated hash function [18] [ISO/IEC 14888-3] ISO/IEC 14888-3, Information technology -- Security techniques -- Digital signature with appendix -- Part 3: Discrete logarithm based mechanisms [19] [ISO/IEC 18033-3] ISO/IEC 18033-3, Information technology — Security techniques — Encryption algorithms — Part 3: Block ciphers [20] [FIPS 140-2] FIPS Publication 140-2 [21] [FIPS 180-4] FIPS Publication, Secure Hash standard, NIST, 2002 August 1 [22] [FIPS 186-4] FIPS Publication, Digital Signature Standard (DSS) [23] [FIPS 197] FIPS Publication, Advanced Encryption Standard (AES), November 26, 2001 [24] [FIPS 198-1] FIPS 
Publication, The Keyed-Hash Message Authentication Code (HMAC), July 2008 [25] [FIPS 202] FIPS Publication, SHA-3 Standard: Permutation-Based hash and Extendable- Output Functions, August 2015 [26] [SP 800-17] NIST Special Publication 800-17: Modes of Operation Validation System (MOVS): Requirements and Procedures, February 1998 Public SSS_ST33TPHF2X_GTPMA_ST_18_001 Page 52 of 54 [27] [SP 800-38A] NIST Special Publication 800-38A: Recommendation for Block Cipher Modes of Operation. December 2001 [28] [SP 800-56A] NIST Special Publication 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptology. March 2007 [29] [SP 800-90Ar1] Recommendation for random number generation using deterministic random bit generators, NIST, June 2015 [30] [SP800-107] NIST Special Publication 800-107: Recommendation for Applications Using Approved Hash Algorithms. August 2012 [31] [SP800-108] NIST Special Publication 800-108: Recommendation for Key Derivation Using Pseudorandom Functions. October 2009 [32] [RFC 2104] RFC2104 - HMAC: Keyed-Hashing for Message Authentication [33] [RFC 3447] IETF RFC 3447, Public key Cryptography Standard, PKCS#1 PKCS#1: v2.0 RSA Cryptography Standard, RSA Laboratories, October 1, 1998 PKCS#1: v2.1 RSA Cryptography Standard, RSA Laboratories, June 14, 2002 [34] [IEEE1363] IEEE Std1363 – 2000 Standard Specifications for Public Key Cryptography IEEE Std1363a – 2004 Standard Specifications for Public Key Cryptography [35] [PKCS#1] PKCS#1: v2.0 RSA Cryptography Standard, RSA Laboratories, October 1, 1998 [36] [AIS 20] A proposal for Functionality classes for random number generators Version 3.0 BSI [37] [RGS B1] Référentiel Général de Sécurité, version 2.0 Annexe B1. 
Mécanismes cryptographiques version 2.03 (21/02/2014) [38] [ANSSI N6] Application Note 6 – Security requirements for post-delivery code loading, Version 2.0, January 23rd 2015, ANSSI [39] [DS ST33TPHF2XSPI] ST33TPHF2XSPI datasheet: Flash-based TPM 2.0 device with an SPI interface, Firmware 1.256, V2, STMicroelectronics [40] [DS ST33TPHF2XSPI] ST33TPHF2XSPI datasheet: Flash-based TPM 2.0 device with an SPI interface, Firmware 1.257, V3, STMicroelectronics Public SSS_ST33TPHF2X_GTPMA_ST_18_001 Page 53 of 54 [41] [DS ST33TPHF2XI2C] ST33TPHF2XI2C datasheet: Flash-based TPM 2.0 device with an I2C interface, Firmware 2.256, V1, STMicroelectronics [42] [DS ST33GTPMASPI] ST33GTPMASPI datasheet: Flash-based TPM 2.0 device with an SPI interface, Firmware 3.256, V3, STMicroelectronics [43] [DS ST33GTPMAI2C] ST33GTPMAI2C datasheet: Flash-based TPM 2.0 device with an I2C interface, Firmware 6.256, V3, STMicroelectronics [44] [EK CERT] TPM EK Certificate – Chip and EK authenticity verification (2.0), STMicroelectronics [45] [SCY REC] ST TPM 2.0 - Security recommendations (1.2), STMicroelectronics [46] [TPM2.0 EK CERT] TCG EK credential profile for TPM Family 2.0 Level 0. Specification Version 2.1 Revision 13, December 10 2018, Trusted Computing Group, Incorporated [47] [ISO/IEC 15946-5] ISO/IEC 15946-5, Information technology — Security techniques – Cryptographic techniques based on elliptic curves – Part 5: Elliptic curve generation; Clause 7.3 (Barreto –Naehrig (BN) elliptic curve) [48] [PTP 1.03 Err1.1] Errata version 1.1 for TCG PC Client Specific Platform TPM Profile for TPM 2.0 version 1.0 Revision 1.03, May 2017, Trusted Computing Group Incorporated Public SSS_ST33TPHF2X_GTPMA_ST_18_001 Page 54 of 54 Please Read Carefully: Information in this document is provided solely in connection with ST products. 
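The evidence-of-origin check that SF_TOE describes for FCO_NRO.1/Cre (the TOE releasing a credential only when the credential BLOB from the credential provider is bound to the TPM and to the named key) can be illustrated with the credential-protection structure of TPM 2.0 Library Part 1 [6]. The following is an added, stand-alone Python model and is not code from this Security Target or from STMicroelectronics. It assumes SHA-256 as the name algorithm and implements KDFa (SP 800-108 counter mode with HMAC) and the outer HMAC over encIdentity || Name as the specification describes them; two simplifications are labelled in the code: the seed is assumed to have already been transported to the TPM under the Endorsement Key (the RSA-OAEP or ECDH step is omitted), and the symmetric encryption of the credential is an HMAC-derived keystream XOR standing in for the AES-CFB the specification mandates, because the Python standard library has no AES.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

HASH = hashlib.sha256          # assumed nameAlg: TPM_ALG_SHA256
HASH_LEN = 32


def kdfa(key: bytes, label: bytes, context_u: bytes, context_v: bytes, bits: int) -> bytes:
    """KDFa as in TPM 2.0 Part 1: SP 800-108 counter mode with HMAC as the PRF.
    Each block is HMAC(key, [i]_32 || label || 0x00 || contextU || contextV || [bits]_32)."""
    out = b""
    counter = 0
    nbytes = (bits + 7) // 8
    while len(out) < nbytes:
        counter += 1
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, HASH).digest()
    return out[:nbytes]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for AES-CFB (not the TCG cipher): XOR with an HMAC counter keystream."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, struct.pack(">I", block), HASH).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def key_name(public_area: bytes) -> bytes:
    """TPM 2.0 Name of an object: nameAlg identifier (0x000B = SHA-256) || H(public area)."""
    return b"\x00\x0b" + HASH(public_area).digest()


def make_credential(seed: bytes, credential: bytes, name: bytes) -> Tuple[bytes, bytes]:
    """Credential provider side (TPM2_MakeCredential structure): returns (encIdentity, outerHMAC).
    The symmetric key is bound to the Name of the key being certified via contextU."""
    sym_key = kdfa(seed, b"STORAGE", name, b"", 128)
    enc_identity = keystream_xor(sym_key, credential)
    hmac_key = kdfa(seed, b"INTEGRITY", b"", b"", HASH_LEN * 8)
    outer = hmac.new(hmac_key, enc_identity + name, HASH).digest()
    return enc_identity, outer


def activate_credential(seed: bytes, enc_identity: bytes, outer: bytes, name: bytes) -> Optional[bytes]:
    """TPM side (TPM2_ActivateCredential structure): verify origin and binding before releasing
    the credential. The seed is assumed already recovered under the EK (transport step omitted)."""
    hmac_key = kdfa(seed, b"INTEGRITY", b"", b"", HASH_LEN * 8)
    expected = hmac.new(hmac_key, enc_identity + name, HASH).digest()
    if not hmac.compare_digest(expected, outer):
        return None                      # wrong seed, wrong key Name, or modified blob
    sym_key = kdfa(seed, b"STORAGE", name, b"", 128)
    return keystream_xor(sym_key, enc_identity)


def demo() -> Dict[str, bool]:
    """Constructed scenario: one honest activation and three that must be refused."""
    seed = os.urandom(32)                                   # provider's fresh seed
    name = key_name(b"constructed-attestation-key-public-area")
    credential = b"constructed-credential-nonce"
    enc, mac = make_credential(seed, credential, name)

    honest = activate_credential(seed, enc, mac, name)
    other_key = activate_credential(seed, enc, mac, key_name(b"other-key-public-area"))
    other_seed = activate_credential(os.urandom(32), enc, mac, name)
    tampered = activate_credential(seed, enc, bytes([mac[0] ^ 0x01]) + mac[1:], name)
    return {
        "honest_ok": honest == credential,
        "other_key_rejected": other_key is None,
        "other_seed_rejected": other_seed is None,
        "tampered_rejected": tampered is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the SF text makes: the credential is only usable by a TPM that holds the private part of the EK (and so the seed) and only for the key whose Name the provider put into the derivation, and any change to the blob in transit fails the outer HMAC before the credential is decrypted.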
STMicroelectronics NV and its subsidiaries (“ST”) reserve the right to make changes, corrections, modifications or improvements, to this document, and the products and services described herein at any time, without notice. All ST products are sold pursuant to ST’s terms and conditions of sale. Purchasers are solely responsible for the choice, selection and use of the ST products and services described herein, and ST assumes no liability whatsoever relating to the choice, selection or use of the ST products and services described herein. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted under this document. If any part of this document refers to any third party products or services it shall not be deemed a license grant by ST for the use of such third party products or services, or any intellectual property contained therein or considered as a warranty covering the use in any manner whatsoever of such third party products or services or any intellectual property contained therein. UNLESS OTHERWISE SET FORTH IN ST’S TERMS AND CONDITIONS OF SALE ST DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY WITH RESPECT TO THE USE AND/OR SALE OF ST PRODUCTS INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE (AND THEIR EQUIVALENTS UNDER THE LAWS OF ANY JURISDICTION), OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS EXPRESSLY APPROVED IN WRITING BY AN AUTHORIZED ST REPRESENTATIVE, ST PRODUCTS ARE NOT RECOMMENDED, AUTHORIZED OR WARRANTED FOR USE IN MILITARY, AIR CRAFT, SPACE, LIFE SAVING, OR LIFE SUSTAINING APPLICATIONS, NOR IN PRODUCTS OR SYSTEMS WHERE FAILURE OR MALFUNCTION MAY RESULT IN PERSONAL INJURY, DEATH, OR SEVERE PROPERTY OR ENVIRONMENTAL DAMAGE. ST PRODUCTS WHICH ARE NOT SPECIFIED AS "AUTOMOTIVE GRADE" MAY ONLY BE USED IN AUTOMOTIVE APPLICATIONS AT USER’S OWN RISK. 
Resale of ST products with provisions different from the statements and/or technical features set forth in this document shall immediately void any warranty granted by ST for the ST product or service described herein and shall not create or extend in any manner whatsoever, any liability of ST. ST and the ST logo are trademarks or registered trademarks of ST in various countries. Information in this document supersedes and replaces all information previously supplied. The ST logo is a registered trademark of STMicroelectronics. All other names are the property of their respective owners. © 2019 STMicroelectronics - All rights reserved STMicroelectronics group of companies Australia - Brazil - Canada - China - Finland - France - Germany - Hong Kong - India - Israel - Italy - Japan - Malaysia - Malta - Morocco - Singapore - Spain - Sweden - Switzerland - United Kingdom - United States. www.st.com