mirror of
https://github.com/tpm2dev/tpm.dev.tutorials.git
synced 2024-11-10 01:12:10 +00:00
20 lines
1.1 KiB
Text
20 lines
1.1 KiB
Text
|
@startuml
|
||
|
participant TPM as T
|
||
|
participant Client as C
|
||
|
participant Server as S
|
||
|
participant ServerSimTPM as ST
|
||
|
title Three-message (1.5 round trips) attestation protocol w/ Proof-of-Possession
|
||
|
C -> C: timestamp = gettimeofday();
|
||
|
C --> T: TPM2_Quote(AK, set-of-all-PCRs, timestamp)
|
||
|
T --> C: quote=Signed_AK({hash-of-PCRs, misc, timestamp})
|
||
|
C -> S: [ID], EKpub, [EKcert], AKpub,\nPCRs, eventlog, timestamp, quote
|
||
|
S -> S: check that timestamp is recent;\ndata = Lookup(EKpub, [EKcert], [ID]);\n[Validate(EKcert)];\ncompute PCRs hash from eventlog and PCRs;\nvalidate quote;\nsession_key = genkey();\nAKcert = CA_Certify(AKpub, data.ID, AKtbscert);\nstuff = Encrypt_session_key({AKcert,\n\t\t\t\t\tdata.for_client})
|
||
|
S --> ST: TPM2_MakeCredential(EKpub, AKpub, session_key)
|
||
|
ST --> S: credentialBlob, secret
|
||
|
S -> C: credentialBlob, secret, stuff
|
||
|
C --> T: TPM2_ActivateCredential(AKhandle, EKhandle,\n\t\t\t\t\tcredentialBlob, secret)
|
||
|
T --> C: certInfo = session_key
|
||
|
C -> C: {AKcert, secrets} =\n\t\tDecrypt_session_key(stuff);
|
||
|
C -> S: {AKcert, PoP = Digest(AKcert)}
|
||
|
@enduml
|