Do microcontroller processors like Arm Cortex-M support the TPM’s Dynamic root of trust (similar to e.g. Intel TXT)?

The TPM (Trusted Platform Module) has a feature called dynamic root-of-trust. If i understand correctly a measurement of the current system is taken (to enable attestation) by the CPU and transmitted to the TPM. To make sure that the measu… Continue reading Do microcontroller processors like Arm Cortex-M support the TPM’s Dynamic root of trust (similar to e.g. Intel TXT)?

How is the authenticity and integrity of the various chips inside laptops and mobile phones ensured by their vendors?

Modern laptops and mobile phone platforms are built around a main, beefy SoC, which generally supports Secure Boot for its firmware and also has a unique hardware identity that is used to attest to a remote management system that it is gen… Continue reading How is the authenticity and integrity of the various chips inside laptops and mobile phones ensured by their vendors?

How to bind TPM2.0 AK to the "AK name" used in tpm2_makecredential, and how is trust established in AIK?

During remote attestation, a device sends the server the EK certificate, AK public, AK name. By using tpm2_makecredential/tpm2_activatecredential, the attestation sever can confirm that:

the EK is resident in the device TPM, and
the AK th… Continue reading How to bind TPM2.0 AK to the "AK name" used in tpm2_makecredential, and how is trust established in AIK?

How can we know the attestation key in "make credential" key is not duplicable?

For my attestation scenario, I need a unique, non-transferable signing (or decryption, it could also work) key from the remote machine in the form of a signing key. There are no privacy concerns at all so I could use the EK but EK can’t si… Continue reading How can we know the attestation key in "make credential" key is not duplicable?

How can we (remotely) prove that a non-restricted RSA key in TPM is not duplicable (has fixedTPM flag)?

For my attestation scenario, I need a TPM-generated, non-transferable RSA key (for signing and/or decryption) from a remote machine that would uniquely identify the remote machine.

There are no privacy concerns at all so I could use the E… Continue reading How can we (remotely) prove that a non-restricted RSA key in TPM is not duplicable (has fixedTPM flag)?

Practicality of outsourcing password hashing using enclaves

I’ve been pondering some potential cybersecurity applications for enclaves. One of them being the problem of password hashing.
Some clients have enclave support, meaning part of their CPU can securely execute code in an encrypted and authe… Continue reading Practicality of outsourcing password hashing using enclaves