TCPA: Trusted Building Block (TBB) PC-Specific PP
Evaluating trust in a PC is difficult and expensive. This PP defines a "Root of Trust" as a building block using
TCPA (Trusted Computing Platform Alliance) architecture. This architecture reduces the number of trusted
components to the minimum number required to establish a trust statement. The Root of Trust provides the
foundation for "Transitive Trust" which makes and reports trust measurements of components external to the
Root of Trust.
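The transitive-trust chain sketched above can be illustrated with a short simulation. This is an added example written for this page, not text or code from the PP or from TCPA; it assumes the TCPA/TPM 1.x convention of 20-byte SHA-1 Platform Configuration Registers (PCRs) that start at zero and can only be extended with PCR_new = SHA-1(PCR_old || measurement). The CRTM is the root and is trusted by assumption (it is never measured); each component measures the next into the TPM before handing over control, and a verifier later replays the reported event log to check it reproduces the attested PCR. The component images, names and "golden" values are constructed.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed example, not code from the TCPA/TBB PP.  TCPA-era (TPM 1.x) PCRs are
# 20-byte SHA-1 registers that start at all zeros and can only be "extended".
PCR_INITIAL = b"\x00" * 20


def measure(image: bytes) -> bytes:
    """Measurement of a component = SHA-1 of its image (TCPA used SHA-1)."""
    return hashlib.sha1(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TCPA PCR extend: PCR_new = SHA-1(PCR_old || measurement).
    A PCR cannot be written directly, so its value commits to the whole ordered chain."""
    return hashlib.sha1(pcr + measurement).digest()


def boot(chain: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Simulate transitive trust: the CRTM (trusted by assumption, never measured)
    measures the first component into the TPM before passing control; that component
    measures the next, and so on.  Returns the final PCR and the platform's event log."""
    pcr = PCR_INITIAL
    log: List[Tuple[str, str]] = []
    for name, image in chain:
        m = measure(image)
        log.append((name, m.hex()))  # the log lives in ordinary memory...
        pcr = extend(pcr, m)         # ...the PCR lives inside the TPM
    return pcr, log


def verify_log(reported_pcr: bytes, log: List[Tuple[str, str]]) -> bool:
    """Verifier side: replay the reported log through extend() and check that it
    reproduces the PCR the TPM attests to.  A log edited after the fact will not."""
    pcr = PCR_INITIAL
    for _name, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr == reported_pcr


def first_unexpected(log: List[Tuple[str, str]], golden: Dict[str, str]) -> Optional[str]:
    """For a log that replays correctly, name the first component whose measurement
    differs from the verifier's known-good values (None if everything matches)."""
    for name, digest_hex in log:
        if golden.get(name) != digest_hex:
            return name
    return None


# Constructed component images standing in for real firmware and boot code.
GOOD_CHAIN = [
    ("BIOS", b"constructed bios image v1"),
    ("boot_loader", b"constructed boot loader v1"),
    ("os_loader", b"constructed os loader v1"),
]
# The verifier's reference measurements (constructed "golden" values).
GOLDEN = {name: measure(img).hex() for name, img in GOOD_CHAIN}


def demo() -> Dict[str, object]:
    good_pcr, good_log = boot(GOOD_CHAIN)

    # A modified boot loader: CRTM and BIOS are untouched, but the loader's
    # measurement changes, and so does every PCR value extended after it.
    bad_chain = list(GOOD_CHAIN)
    bad_chain[1] = ("boot_loader", b"constructed boot loader v1 (modified)")
    bad_pcr, bad_log = boot(bad_chain)

    # An in-memory log rewritten to show the golden loader value no longer
    # replays to the PCR the TPM actually holds, so the verifier rejects it.
    forged_log = list(bad_log)
    forged_log[1] = ("boot_loader", GOLDEN["boot_loader"])

    return {
        "good_replays": verify_log(good_pcr, good_log),
        "good_unexpected": first_unexpected(good_log, GOLDEN),
        "pcr_changed": bad_pcr != good_pcr,
        "bad_replays": verify_log(bad_pcr, bad_log),
        "bad_unexpected": first_unexpected(bad_log, GOLDEN),
        "forged_log_replays": verify_log(bad_pcr, forged_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks separate cleanly: `verify_log` establishes that the log is the one the TPM saw (integrity of the report), and `first_unexpected` tells the verifier which measured component differs from its reference values (trustworthiness of the platform). Neither check says anything about the CRTM or the TPM themselves; their trustworthiness is exactly what the PP's connection rules are meant to secure.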
The target of evaluation (TOE) is a subsystem that comprises a Trusted Platform Module (TPM) and a Core
Root of Trust for Measurement (CRTM) and their connection to the motherboard. The TOE is assumed to
contain a certified TPM and to be composed of both hardware and software. The security
requirements in this PP apply to the TOE from the final manufacture of the TOE to its operation by the end
user. The TOE must provide the assurances that the connections between the TPM, CRTM, and the
motherboard are properly established, maintained, and checked for attacks.
Connection Rules:
All connections within the TOE must provide the following:
- One-to-one
The TPM may be removable from the motherboard but must not be movable to another motherboard.
Conversely, a motherboard must allow only the original TPM to be attached.
- TPM Connection
| 2a | Tamper Resistance | The TOE must have a mechanism that passively resists at least one type of physical alteration of the TPM connection that can be reasonably expected to prevent correct TBB operation. |
| 2b | Tamper Evidence | The TOE must have a mechanism that passively indicates at least one type of physical alteration of the TPM connection that can be reasonably expected to prevent correct TBB operation. |
- CRTM Connection
| 3a | Tamper Resistance | The TOE must have a mechanism that passively resists at least one type of physical alteration of the CRTM connection that can be reasonably expected to prevent correct TBB operation. |
| 3b | Tamper Evidence | There is no requirement for tamper evidence for the CRTM's connection to the motherboard. |
Explanatory note:
Many security relevant functionalities can be implemented in hardware or software or a combination of the
two. This protection profile does not mandate how this functionality is to be implemented. Any Security
Target claiming compliance with this protection profile should indicate how the required functionality is met.
An ST should indicate a specific mechanism that indicates or resists a stated physical alteration that is expected
to prevent correct TBB operation in a target environment. Soldering, for example, is a mechanism that
passively resists methods of physical alteration that do not involve desoldering. Certain flow-soldered joints
are, for example, visibly different from manually soldered joints, and so provide a mechanism that passively
indicates physical alteration of flow-soldered joints by manual soldering. Flow soldering of a TPM to a
motherboard is, therefore, one mechanism potentially capable of satisfying this PP in a marketplace where
there is limited availability of flow soldering.