The TPMKEY URI Scheme

The Trusted Platform Module (TPM) is a trusted piece of hardware built into many current devices that has been specified by the Trusted Computing Group (TCG) . In addition to the chip itself, the TCG defined one standard way to interface with a TPM, called the TCG Software Stack (TSS) . The TSS defines several layers. The most important ones in the context of this document are the TCG Service Provider (TSP) and the TCG Core Services (TCS). The TSP provides the TCG services to applications, which in turn provide access to the TPM. Each application accesses a single TSP and there is only one TCS for several TSPs. The task of the TCS is to provide a common set of services per platform for all TSPs. TPM keys can be stored either in the TSP (called "user space") or in the TCS (called "system space"). Furthermore, the TSS assigns a UUID to each key. That UUID is unique for a specific key hierarchy on a specific platform. Last, keys can also be stored in so called key blobs, which are basically files. The URI scheme defined in this document is designed with a mapping to TPM keys that are accessed via the TSS in mind. The URI uses only the scheme and the path components which are required by the Uniform Resource Identifier generic syntax [RFC3986]. The URI scheme does not use the hierarchical element for a naming authority in the path since the authority part could not be mapped to TPM key elements. The URI scheme does not use the optional query and fragment elements.

In accordance with , this section provides the information required to register the TPMKEY URI scheme.

tsskey

Provisional.

The TPMKEY URI scheme is a sequence of attribute value pairs separated by a semicolon. In accordance with , the data should first be encoded as octets according to the UTF-8 character encoding ; then only those octets that do not correspond to characters in the unreserved set or to permitted characters from the reserved set should be percent-encoded. Rules "unreserved" and "pct-encoded" in the TPMKEY specification below were imported from . As a special case, note that according to , a space must be percent-encoded. A TPMKEY URI takes the form (for explanation of Augmented BNF, see ):

The attribute "file" represents a filename and corresponds to a file that contains a BER-encoded blob in accordance with the ASN.1 data definitions in the Portable Data section of the Trusted Computing Group Software Stack Specification Version 1.2. The attribute "uuid" represents a unique identifier of a TPM key and the attribute "storage" corresponds to the storage subsystem used (user or system).

The TPMKEY URI scheme is used to reference TPM keys through the TSS. The allowed operations on the URI are defined by the TSS specification.

Not sure what to write here

The TPMKEY URI scheme SHOULD be used by all application and protocols that use the TPM through the TSS.

One of the simplest forms is from a key stored in the TSP.

A TPM key that is stored in a system's file.

This document registers a URI scheme. The registration template can be found in Section 3 of this document.

There are security considerations for URI schemes discussed in . Given that the TPMKEY URI is also supposed to be used in command line arguments to running programs, and those arguments can be world readable on some systems, the URI intentionaly does not allow for specifying the TPM key password as a URI attribute.

This document derives from . Furthermore the authors want to thank Greg Kazmierczak for early feedback.