tpm.dev.tutorials/Attestation/Protocol-Three-Messages.puml
2021-05-08 17:31:43 -05:00

19 lines
1.1 KiB
Text

@startuml
participant TPM as T
participant Client as C
participant Server as S
participant ServerSimTPM as ST
title Three-message (1.5 round trips) attestation protocol w/ Proof-of-Possession
C -> C: timestamp = gettimeofday();
C --> T: TPM2_Quote(AK, set-of-all-PCRs, timestamp)
T --> C: quote=Signed_AK({hash-of-PCRs, misc, timestamp})
C -> S: [ID], EKpub, [EKcert], AKpub,\nPCRs, eventlog, timestamp, quote
S -> S: check that timestamp is recent;\ndata = Lookup(EKpub, [EKcert], [ID]);\n[Validate(EKcert)];\ncompute PCRs hash from eventlog and PCRs;\nvalidate quote;\nsession_key = genkey();\nAKcert = CA_Certify(AKpub, data.ID, AKtbscert);\nstuff = Encrypt_session_key({AKcert,\n\t\t\t\t\tdata.for_client})
S --> ST: TPM2_MakeCredential(EKpub, AKpub, session_key)
ST --> S: credentialBlob, secret
S -> C: credentialBlob, secret, stuff
C --> T: TPM2_ActivateCredential(AKhandle, EKhandle,\n\t\t\t\t\tcredentialBlob, secret)
T --> C: certInfo = session_key
C -> C: {AKcert, secrets} =\n\t\tDecrypt_session_key(stuff);
C -> S: {AKcert, PoP = Digest(AKcert)}
@enduml