docs/tpm_quick_ref.md - chromium/src.git - Git at Google

 # TPM Quick ref

 TODO: this page looks very outdated. glossary.md does not exist,
 git.chromium.org does not exist. Delete it?

 This page is meant to help keep track of TPM use across the system. It may not
 be up to date at any given point, but it's a wiki so you know what to do.

 ## Details

 *   [TPM ownership management](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.tpm)
 *   TPM_Clear is done (as in vboot_reference) but in the firmware code itself on
     switch between dev and verified modes and in recovery.  (TODO: link code)
 *   [TPM owner password clearing](http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser/chromeos/login/login_utils.cc;h=9c4564e074c650bd91c27243c589d603740793bb;hb=HEAD#l861)
     (triggered at sign-in by chrome):
 *   [PCR extend](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/tpm_bootmode.c)
     (no active use elsewhere):
 *   [NVRAM use for OS rollback attack protection](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/rollback_index.c)
 *   [Tamper evident storage](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.lockbox)
 *   [Tamper-evident storage for avoiding runtime device management mode changes](http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser/chromeos/login/enrollment/enterprise_enrollment_screen.cc)
 *   [User key/passphrase and cached data protection](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.homedirs)
 *   A TPM in a Chrome device has an EK certificate that is signed by an
     intermediate certificate authority that is dedicated to the specific TPMs
     allocated for use in Chrome devices. OS-level self-validation of the
     platform TPM should be viable with this or chaining any other trust
     expectations.
 *   TPM is used for per-user certificate storage (NSS+PKCS#11) using
     opencryptoki but soon to be replaced by chaps. Update links here when chaps
     stabilizes (Each user's pkcs#11 key store is kept in their homedir to ensure
     it is tied to the local user account). This functionality includes VPN and
     802.1x-related keypairs.
	# TPM Quick ref

	TODO: this page looks very outdated. glossary.md does not exist,
	git.chromium.org does not exist. Delete it?

	This page is meant to help keep track of TPM use across the system. It may not
	be up to date at any given point, but it's a wiki so you know what to do.

	## Details

	* [TPM ownership management](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.tpm)
	* TPM_Clear is done (as in vboot_reference) but in the firmware code itself on
	switch between dev and verified modes and in recovery. (TODO: link code)
	* [TPM owner password clearing](http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser/chromeos/login/login_utils.cc;h=9c4564e074c650bd91c27243c589d603740793bb;hb=HEAD#l861)
	(triggered at sign-in by chrome):
	* [PCR extend](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/tpm_bootmode.c)
	(no active use elsewhere):
	* [NVRAM use for OS rollback attack protection](http://git.chromium.org/gitweb/?p=chromiumos/platform/vboot_reference.git;a=blob;f=firmware/lib/rollback_index.c)
	* [Tamper evident storage](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.lockbox)
	* [Tamper-evident storage for avoiding runtime device management mode changes](http://git.chromium.org/gitweb/?p=chromium/chromium.git;a=blob;f=chrome/browser/chromeos/login/enrollment/enterprise_enrollment_screen.cc)
	* [User key/passphrase and cached data protection](http://git.chromium.org/gitweb/?p=chromiumos/platform/cryptohome.git;a=blob;f=README.homedirs)
	* A TPM in a Chrome device has an EK certificate that is signed by an
	intermediate certificate authority that is dedicated to the specific TPMs
	allocated for use in Chrome devices. OS-level self-validation of the
	platform TPM should be viable with this or chaining any other trust
	expectations.
	* TPM is used for per-user certificate storage (NSS+PKCS#11) using
	opencryptoki but soon to be replaced by chaps. Update links here when chaps
	stabilizes (Each user's pkcs#11 key store is kept in their homedir to ensure
	it is tied to the local user account). This functionality includes VPN and
	802.1x-related keypairs.