Security Testing and Evaluation Labs
Security Evaluation Laboratory (SEL)
TCPA: Trusted Building Block (TBB) PC-Specific PP
| Sponsor: | Trusted Computer Platform Association |
| Assurance Level: | APE |
| Status: | Evaluated |
| NIAP VPL Entry: | VID3009 |
Evaluating trust in a PC is difficult and expensive. This PP defines a "Root of Trust" as a building block using TCPA (Trusted Computing Platform Alliance) architecture. This architecture reduces the number of trusted components to the minimum number required to establish a trust statement. The Root of Trust provides the foundation for "Transitive Trust" which makes and reports trust measurements of components external to the Root of Trust.
The target of evaluation (TOE) is a subsystem that comprises a Trusted Platform Module (TPM) and a Core Root of Trust for Measurement (CRTM) and their connection to the motherboard. The TOE assumes a certified TPM. The assumption is that the TOE is composed of software and hardware. The security requirements in this PP apply to the TOE from the final manufacture of the TOE to the operation by the end user. The TOE must provide the assurances that the connections between the TPM, CRTM, and the motherboard are properly established, maintained and checked for attacks.
Connection Rules:
All connections within the TOE must provide the following:
- One-to-one The TPM may be removable from the motherboard but must not be moveable to another motherboard. Conversly, a motherboard must allow only the orginal TPM to be attaced.
- TPM Connection
2a Tamper Resistence The TOE must have a mechanism that passively resists at least one type of physical alteration of the TPM connection that can be reasonably expected to prevent correct TBB operation. 2b Tamper Evidence The TOE must have a mechanism that passively indicates at least one type of physical alteration of the TPM connection that can be reasonably expected to prevent correct TBB operation. - CRTM Connection
3a Tamper Resistent The TOE must have a mechanism that passively resists at least one type of physical alteration of the CRTM connection that can be reasonably expected to prevent correct TBB operation. 3b Tamper Evidence There is no requirement for tamper evidence for the CRTM's connection to the motherboard.
Explanatory note:
Many security relevant functionalities can be implemented in hardware or software or a combination of the two. This protection profile does not mandate how this functionality is to be implemented. Any Security Target claiming compliance with this protection profile should indicate how the required functionality is met.
An ST should indicate a specific mechanism that indicates/resists a stated physical alteration that is expected to prevent correct TBB operation in a target environment. Soldering, for example, is a mechanism that passively resists methods of physical alteration that do not involve desoldering. Certain flowed-solder joints are, for example, visibly different to manually soldered joints, and provide a mechanism that passively indicates physical alteration to flow-soldered joints by manual soldering. Flow soldering of a TPM to a motherboard is, therefore, one mechanism potentially capable of satisfying this PP in a marketplace where there is limited availability of flow soldering.