GM/T 0012-2020 (GM/T0012-2020, GMT 0012-2020, GMT0012-2020) & related versions
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | See Detail | Status | Similar PDF |
GM/T 0012-2020 | English | 1820 |
Add to Cart
|
0-9 seconds. Auto delivery.
|
Trusted computing -- Trusted computing interface specification of trusted cryptography module
|
GM/T 0012-2020
| Valid |
GMT 0012-2020
|
GM/T 0012-2012 | English | 700 |
Add to Cart
|
0-9 seconds. Auto delivery.
|
Trusted computing--Interface specification of trusted cryptography module
|
GM/T 0012-2012
| Obsolete |
GMT 0012-2012
|
Buy with any currencies (Euro, JPY, KRW...): GM/T 0012-2020 Preview this PDF: GM/T 0012-2020
GM/T 0012-2020
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Replacing GM/T 0012-2012
Trusted computing - Trusted computing interface
specification of trusted cryptography module
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: National Cryptography Administration
Table of Contents
Foreword ... 4
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 7
4 Abbreviations ... 12
5 Overview of trusted cryptographic module functions ... 13
5.1 Trusted computing platform ... 13
5.2 Trusted cryptographic module ... 16
6 Functional interface of trusted cryptographic module ... 17
6.1 General requirements ... 17
6.2 Startup command ... 17
6.3 Test command ... 18
6.4 Session commands ... 20
6.5 Object commands ... 22
6.6 Duplicate command ... 29
6.7 Asymmetric algorithm commands ... 33
6.8 Symmetric algorithm commands ... 37
6.9 Random number generator commands ... 38
6.10 HASH/HMAC commands ... 39
6.11 Certificate commands ... 45
6.12 Ephemeral EC key command ... 48
6.13 Signature and signature verification commands ... 50
6.14 Measurement commands ... 52
6.15 Enhanced authorization commands ... 54
6.16 Hierarchical commands ... 64
6.17 Dictionary attack command ... 69
6.18 Management function commands ... 70
6.19 Context management commands ... 71
6.20 Performance commands ... 74
6.21 NV operation command ... 75
Appendix A (Normative) Data structure ... 85
Trusted computing - Trusted computing interface
specification of trusted cryptography module
1 Scope
This document describes the functions of the trusted cryptographic module; defines the
command interface of the trusted cryptographic module in detail.
This document is applicable to the research, production, evaluation, application
development of products related to trusted cryptographic modules.
2 Normative references
The contents of the following documents constitute the essential provisions of this
document through normative references in the text. Among them, for dated references,
only the version corresponding to the date applies to this document; for undated
references, the latest version (including all amendments) applies to this document.
GB/T 20518 Information security technology - Public key infrastructure - Digital
certificate format
GB/T 29829 Information security techniques - Functionality and interface
specification of cryptographic support platform for trusted computing
GB/T 32905 Information security technology SM3 cryptographic hash algorithm
GB/T 32907 Information security techno1ogy--SM4 b1ock cipher algorithm
GB/T 32915 Information security technology - Binary sequence randomness
detection method
GB/T 32918 (all parts) Information security technology -- Public key cryptographic
algorithm SM2 based on elliptic curves
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
Trusted computing platform
A supporting platform, which is built in the computing system, to realize the trusted
computing function.
[GB/T 29829-2013, 3.1.1]
3.2
Cryptographic support platform for trusted computing
An important part of a trusted computing platform, including cryptographic
algorithms, key management, certificate management, cryptographic protocols,
cryptographic services, which provides cryptographic support for the integrity,
identity credibility, data security of the trusted computing platform itself. Its product
forms are mainly manifested as trusted cryptographic modules and trusted
cryptographic service modules.
[GB/T 29829-2013, 3.1.2]
3.3
Integrity measurement
The process of calculating the hash value of the measured object, using a
cryptographic hash algorithm.
[GB/T 29829-2013, 3.1.3]
3.4
Root of trust for measurement
A trusted integrity measurement unit, which is the basis for trusted measurement in
a trusted computing platform.
[GB/T 29829-2013, 3.1.4]
3.5
Root of trust for storage
It refers to storing the master key, which is the basis for trusted storage in the trusted
computing platform.
[GB/T 29829-2013, 3.1.5]
3.6
Root of trust for reporting
Refers to the cryptographic module key, which is the basis for trusted reporting in
the trusted computing platform.
[GB/T 29829-2013, 3.1.6]
3.7
Trusted cryptography module
It is a hardware module of the trusted computing platform, which provides
cryptographic operation functions for the trusted computing platform AND has a
protected storage space.
[GB/T 29829-2013, 3.1.7]
3.8
TCM service module
A software module inside the trusted computing cryptography supporting platform,
which provides software interfaces for accessing trusted cryptography modules
outside the platform.
[GB/T 29829-2013, 3.1.8]
3.9
Component
A hardware and/or software module, in a computing system, that can be measured.
[GB/T 29829-2013, 3.1.9]
3.10
Platform configuration register
A storage unit, which is used inside the trusted cryptographic module, to store
platform integrity metrics.
[GB/T 29829-2013, 3.1.10]
3.11
Integrity measurement value
The hash value, which is obtained after the component is measured.
[GB/T 29829-2013, 3.1.11]
a) The process of calculating the measurement value shall be the process of
performing hash operation;
b) The input data of the hash operation shall be the data, which is specified by the
measurer that can characterize the characteristics of the measurement-object;
c) The hash value output by the hash operation is the integrity measurement value of
the measurement-object;
d) The measurer shall enter the measured value into the designated PCR. The way
to write in is: new PCR value = password hashing algorithm (former PCR value
|| measurement value);
e) Measuring process information shall be recorded in the platform event log. At
least it shall be recorded: Measurer information, measurement-object information,
original PCR value, measurement value, new PCR value, completion time, etc.;
f) If the integrity measure of each component in a component sequence is stored in
the same PCR, then a special compression storage method is adopted, that is,
starting from the first component, the integrity measure of the component is
concatenated with the target PCR's existing stored values, to perform the hash
operation; THEN, the result obtained is stored in the PCR, and so on. After the
integrity measurement value storage operation of the last component is completed,
the obtained value is the integrity measure of this component sequence, as stored
in the PCR.
Integrity reporting refers to the process, by which the platform provides integrity
measurements of the platform or components of the platform to the prover.
The integrity report shall meet the following requirements:
a) The platform can provide the specified PCR value to the prover, without any
authorization;
b) The platform can provide the prover with the specified PCR value and the
signature of the PCR value. It can sign using the platform identity key;
c) The platform can provide relevant event log information of the specified PCR to
the prover;
d) The prover can judge whether the PCR value comes from the correct measurement
process, by analyzing the integrity measurement event log information;
e) The prover shall use the platform identity key, to verify the PCR value signature
and obtain the platform integrity report result.
6 Functional interface of trusted cryptographic module
6.1 General requirements
This chapter specifies the specific commands of the functional interface of the trusted
cryptographic module. The trusted cryptographic module, which is defined in this
document, shall satisfy all command interfaces in this chapter.
6.2 Startup command
6.2.1 TCM2_Startup
This command is used for TCM initialization. When the command is executed
successfully, it is no longer allowed to execute the command successfully.
When TCM needs TCM2_Startup command, if it receives other commands, OR
receives this command when it does not need this command, TCM will return
TCM2_RC_INITIALIZE.
The shutdown/startup sequence is as follows, which defines the operation method of
the TCM after receiving the TCM2_Startup() command.
a) TCM reset: Send Shutdown (CLEAR) or do not send TCM2_Shutdown ()
command to close, send Startup (CLEAR) when startup. When the TCM is reset,
all variables are restored to the initial state.
b) TCM restart: Send Shutdown (STATE) command to shut down, send Startup
(CLEAR) when startup. In this state, the following values will be restored to their
initial state:
● The control switch status of PCR and platform domain;
● The remaining TCM status values will be saved.
c) TCM wake-up: Send Shutdown (STATE) command to shut down, send Startup
(STATE) when startup. In this state, the following states will be saved:
● S-RTM;
● PCR;
● Platform control switches, except phEnable, phEnableNV.
For the command codes, return codes commonly used and data structures involved in
all interfaces in this document, please refer to Appendix A.
......
GM/T 0012-2012
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
File No.. 38310-2013
Trusted computing - Interface specification
of trusted cryptography module
ISSUED ON. NOVEMBER 22, 2012
IMPLEMENTED ON. NOVEMBER 22, 2012
Issued by. State Cryptography Administration
Table of Contents
Foreword . 4
Introduction .. 5
1 Scope .. 6
2 Normative references .. 6
3 Terms and definitions, abbreviations . 6
4 Overview . 7
5 Management functions of trusted cryptography module . 8
5.1 Start-up .. 9
5.2 State save TCM_SaveState .. 11
5.3 Self-test .. 12
5.4 Setting of operation mode. 14
5.5 Owner management . 22
5.6 Attribute management . 28
5.7 Upgrade and maintenance .. 31
5.8 Authorization value management . 33
5.9 Non-volatile storage management .. 37
5.10 Operational environment management . 49
5.11 Audit . 52
5.12 Clock .. 56
5.13 Counter .. 59
6 Platform identity identifier and authentication . 66
6.1 Cryptographic module key management . 66
6.2 Platform identity key management .. 71
7 Platform data protection . 80
7.1 Data protection operation . 80
7.2 Key management.. 85
7.3 Key protocol .. 96
7.4 Key migration . 102
7.5 Cryptographic service .. 110
7.6 Transport session .. 120
7.7 Authorization protocol .. 125
8 Integrity measurement and reporting function . 128
8.1 Overview .. 128
8.2 Management of platform configuration register . 128
Annex A (Normative) Data structure .. 133
Bibliography .. 178
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this Standard
may be the subject of patent rights. The issuing authority shall not be held
responsible for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of Code
Industry Standardization Technical Committee.
Main drafting organizations of this Standard. Legend Holdings Limited, Nationz
Technologies Inc., Tongfang Co., Ltd., Institute of Software, Chinese Academy
of Sciences, Sinosun Technology Co., Ltd., Jetway Information Security
Industry Co., Ltd., Changchun Ji Tai Yuan Information Technology Co., Ltd.,
Founder Technology Group Co., Ltd., Beijing University of Science and
Technology Information, China Great Wall Computer Shenzhen Co., Ltd.,
Chengdu Westone Information Industry Co., Ltd., Wuxi Jiangnan Information
Security Engineering Technology Center, National Defense Science and
Technology University of Chinese People's Liberation Army.
Main drafters of this Standard. Wu Qiuxin, Yang Xianwei, Fan Qin, Zou Hao, Yu
Fajiang, Ning Xiaokui, Wang Zi, Zheng Bike, Lin Yang, Li Weiping, Yin Hongbing,
Xu Xia, Yan Fei, Liu Ren, Li Feng, Xu Yong, Jia Bing, Wang Lei, Gu Jian, He
Changlong, Qin Zi, Liu Xin, Wang Zhengpeng.
Trusted computing - Interface specification
of trusted cryptography module
1 Scope
This Standard describes trusted computing - interface specification of trusted
cryptography module; It specifies functions of trusted cryptography module and
command function interface.
This Standard is applicable to the development, production, evaluation and
application development of trusted cryptography module.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB/T 5271.8, Information technology - Vocabulary - Part 8. Security (GB/T
5271.8-2001, idt ISO/IEC 2382-8.1998)
GM/T 0002, SM4 Block Cipher Algorithm
GM/T 0003 (all parts), Public Key Cryptographic Algorithm SM2 Based on
Elliptic Curves
GM/T 0004, SM3 Password Hashing Algorithm
GM/T 0005, Randomness Test Specification
GM/T 0011, Trusted computing - Functionality and interface specification of
cryptographic support platform
3 Terms and definitions, abbreviations
3.1 Terms and definitions
For the purposes of this document, the terms and definitions defined in GB/T
5271.8 as well as the followings apply.
1) running management program, i.e., TCM operation system;
2) function command program, which is core and main body of firmware;
3) function interface to interact with the host program.
TCM core functional system is to build three dimensions of trusted computing
based on independent cryptographic algorithm, including platform integrity
measurement and verification, platform credible identification and identification,
platform data protection. The relevant content has been described in detail in
GM/T 0011,which shall not be repeated in this Standard. I/O interface of TCM
is related to platform, which shall be specifically defined to platform but not
involved in this Standard.
This Standard mainly defines function commands in TCM firmware and
corresponding function interfaces. It mainly includes the following four aspects.
1) TCM management function that establishes 43 function commands and
interface specification in 13 aspects, including startup, status saving, self-
test, working mode setting, owner management, attribute management,
authorization value management, non-volatility memory management,
operation environment management, auditing, clock, counter, upgrade
and maintenance.
2) Platform identity identifier function that establishes 9 function commands
and interface specification in 2 aspects including cryptography module key
management and platform identity key management.
3) Platform data protective function that establishes 27 function commands
and interface specification in 7 aspects including data operational
protection, key management, key protocol, key migration, cryptographic
service, transport session, authorization protocol.
4) Integrity metrics and reporting function that establish 4 function commands
and interface specification in 4 aspects including PCR Write, PCR Read,
PCR Reference, PCR Reset. The reporting function needs to be realized
in conjunction with the signing operation.
The descriptions of each function command and interface mainly provide
function description and definition of interface. The internal logic of function
command shall not be strictly defined.
The following clauses shall describe in detail the function commands and
interface specifications of TCM.
5 Management functions of trusted cryptography
- data length is the number of total bytes of output data;
- return code is the result of this operation (see return code definition table).
5.2 State save TCM_SaveState
Function description.
Before it is used to enter low power state or no power state, inform TCM to save
the current temporary variable to non-volatility memory so that in next start-up,
recover to the current saved state.
The value needs saving must be volatile. If the saved value is already in non-
volatility storage media, it shall not be saved. TCM must be able to check the
validity of the saved value.
Temporary variables that need to be saved shall at least include.
1) PCR value (PCR attribute perReset is TRUE, or PCR value identified as
DEBUG is excluded);
2) all values in TCM_STCLEAR_DATA;
3) all values in TCM_STCLEAR_FLAGS;
4) if the key's parentPCRStatus attribute is FALSE, the value that has been
loaded into the key needs to be saved.
The auditDigest value needs processing first according to auditing
requirements when it is saved. The output parameter of this command shall not
be audited (optional).
Interface.
Input data format.
Identifier Data length Return code
2B 4B 4B
- identifier is TCM_TAG_RQU_COMMAND;
- data length is the total number of bytes of input data;
- command code is the fixed value defined by TCM_ORD_SaveState.
Output data format.
Identifier Data length Return code
2B 4B 4B
- identifier is TCM_TAG_RSP_COMMAND;
Identifier Data length Return code
2B 4B 4B
- identifier is TCM_TAG_RQU_COMMAND;
- data length is the total number of bytes of input data;
- command code is the fixed value defined by TCM_ORD_ContinueSelfTest.
Output data format.
Identifier Data length Return code
2B 4B 4B
- identifier is TCM_TAG_RSP_COMMAND;
- data length is the total number of bytes of output data;
- return code is the result of this operation (see return code definition table).
5.3.2 Get self-test result TCM_GetTestResult
Function description.
This command provides the information of self-test result. This command can
be run in failure mode, in order for TCM manufacturer to get diagnostic
information.
TCM shall return the information block of the latest self-test result. And this
information cannot contain any data that uniquely identifies a TCM.
Interface.
Input data format.
Identifier Data length Return code
2B 4B 4B
- identifier is TCM_TAG_RQU_COMMAND;
- data length is the total number of bytes of input data;
- command code is the fixed value defined by TCM_ORD_GetTestResult.
Output data format.
Identifier Data length Return code Output data length Output data
2B 4B 4B 4B Variable
- identifier is TCM_TAG_RSP_COMMAND;
- data length is the total number of bytes of output data;
Command code Status bit Serial number
4B 1B 4B
1S 2S 2H1
Output verification code calculation.
Return code Command code Serial number
4B 4B 4B
1S 2S 2H1
5.4.3 Physical site setting enabled mode TCM_PhysicalEnable
Function description.
Use physical site as authentication enabled TCM.
1) this command needs performing on physical site;
2) it needs to set the value of TCM_PERMANENT_FLAGS.disable as FALSE.
Interface.
Input data format.
Identifier Data length Command code
2B 4B 4B
- identifier is TCM_TAG_RQU_COMMA...
......
Standard ID | GM/T 0012-2020 (GM/T0012-2020) | Description (Translated English) | Trusted computing -- Trusted computing interface specification of trusted cryptography module | Sector / Industry | Chinese Industry Standard (Recommended) | Classification of Chinese Standard | L80 | Word Count Estimation | 133,160 | Date of Issue | 2020-12-28 | Date of Implementation | 2021-07-01 | Older Standard (superseded by this standard) | GM/T 0012-2012 | Regulation (derived from) | National Cryptography Administration Announcement No. 41 | Issuing agency(ies) | National Cryptography Administration | Standard ID | GM/T 0012-2012 (GM/T0012-2012) | Description (Translated English) | Trusted computing--Interface specification of trusted cryptography module | Sector / Industry | Chinese Industry Standard (Recommended) | Classification of Chinese Standard | L80 | Word Count Estimation | 132,131 | Date of Issue | 2012/11/22 | Date of Implementation | 2012/11/22 | Standard ID | () | Description (Translated English) | (Technical specifications for ceramic capacitive sensor type partial discharge monitoring devices of 35kV and below) | Sector / Industry | Chinese Industry Standard | Date of Issue | 2023-10-11 | Date of Implementation | 2024-04-11 | Issuing agency(ies) | National Energy Board |
|