TCG Specification Reading: Glossary

2024/11/16 13:36:30

The Trusted Computing Group (TCG) is a non-profit industry standards organization whose purpose is to strengthen the security of computing environments across disparate computing platforms. TCG was founded in the spring of 2003 and adopted the specifications developed by the Trusted Computing Platform Alliance (TCPA). The current specifications are not final and are continually being updated; for example, the TPM specification has moved from v1.0 to v1.2 and is still being revised.


TCG-Glossary-V1.1-Rev-1.0 

Revision History

Scope

The glossary contains terms that are commonly used in TCG documents, but it may not cover every term found in them. For example, the glossary may not include terms that are specific to one technology or that are used in only a single document.

The glossary in this article is likewise not intended to cover every term; it only serves as a hint, or a reminder, for readers.

Glossary

Acronym (Term): Description

AIK Credential: A credential issued by a Privacy CA that contains the public portion of the AIK and is signed with the Privacy CA's private key. The meaning and significance of the signature and of the signed fields are determined by policy; typically it states that the public key is associated with a usable TPM.
Attestation: The process of vouching for the accuracy of information. External entities can attest to shielded locations, protected capabilities and roots of trust; a platform can attest to a description of the platform characteristics that affect its integrity. Every form of attestation requires the attesting entity to provide reliable evidence.
Attestation by the TPM: An operation that provides evidence of data known to the TPM, performed by signing internal TPM data with an AIK. The verifier receives the data and checks both its integrity and the validity of the AIK itself; the AIK credential can be obtained from a Privacy CA or through the DAA protocol.
AIK (Attestation Identity Key): In TPM v1.2, an AIK is a special-purpose signing key created by the TPM. It is an asymmetric key whose private portion is non-migratable and protected by the TPM; the public portion is part of the AIK credential, which is issued by a Privacy CA or through the DAA protocol. An AIK can only be created by the TPM Owner or by an agent authorized by the Owner. AIKs are used for platform authentication, platform attestation and key certification. An AIK preserves privacy during platform identification: the AIK credential guarantees that the AIK is bound to an authorized TPM, but nobody except the user and the CA knows which TPM it is bound to.
Attestation of the Platform: The process of providing evidence for a set of platform integrity measurements, performed by signing the PCRs with an AIK of the TPM.
Attestation to the Platform: An operation that provides proof that a platform can be trusted to report integrity measurements; performed using the set or subset of the credentials associated with the platform; used to create an AIK credential.
Authenticated Boot: A boot after which the platform's Root-of-Trust-for-Reporting (RTR) can report an accurate record of the way that the platform booted.
AC (Authenticated Code): Authenticated code is comprised of an executable module plus a value that attests to the authenticity of the module. The value is signed with a private key corresponding to a public key known to a computing device that is to execute the module. If the module is able to verify the signature, the computing device may execute the module.
Authentication: The process of verifying the claimed attributes, such as an identity, of an entity or user.
Authentication of the Platform: Provides proof of a claimed platform identity. The claimed identity may or may not be related to the user or any actions performed by the user. Platform Authentication is performed using any non-migratable signing key (e.g., an AIK). Since there are an unlimited number of non-migratable keys associated with the TPM, there are an unlimited number of identities that can be authenticated.
Authorization: Granting access to a resource based on an authenticated identity.
BLOB (Binary Large OBject): Encrypted or opaque data of fixed or variable size. The meaning and interpretation of the data is outside the scope and context of any entity other than the Subsystem (the TPM in this case) that created the BLOB.
BORE (Break Once Run Everywhere): A security design that includes a critical security value that is the same on all instances of the design. If an attacker can access that critical security value on any instance of the design, that information can be used to compromise every instance of the design. For example, a product is designed to use encryption to protect user information and the same encryption key is hardcoded in all instances of the product. If the attacker can acquire the key from one copy of the product, he can use that key to access personal information in all copies of the product.
CMK (Certified Migration Key): A key whose migration from a TPM requires an authorization token created with private keys. The corresponding public keys are incorporated in the CMK and referenced when a TPM produces a credential describing the CMK. If a CMK credential is signed by an AIK, an external entity has evidence that a particular key (1) is protected by a valid TPM and (2) requires permission from a specific authority before it can be copied.
Challenger (Identity Challenger): An entity that requests and has the ability to interpret integrity metrics. See also "Integrity Challenge".
CRTM (Code Root of Trust for Measurement): The instructions executed by the platform when it acts as the RTM. [Formerly described as "Core Root of Trust for Measurement"; "Code Root of Trust for Measurement" is the preferred expansion of the acronym.]
DAA Issuer: A known and recognized entity that interacts with the TPM to install a set of DAA-credentials in the TPM. The DAA issuer provides certification that the holder of such DAA-credentials meets some criteria defined by the Issuer. In many cases the Issuer will be the platform manufacturer, but other entities can become issuers.
Delegation: A process that allows the Owner to delegate a subset of the Owner's privileges (to perform specific TPM operations).
DAA (Direct Anonymous Attestation): A protocol for vouching for an AIK using zero-knowledge-proof technology.
DMA Mapping: Controls how hardware devices access Host Platform memory; DMA requests to access memory may be mapped to an alternate memory address. This is similar to user-mode processes' use of virtual memory, where page tables control the mapping to physical memory pages. Examples are IOMMU or VT-d.
DMA Protections: Provide a mechanism to allow a Host Platform to prevent hardware devices from accessing certain Host Platform memory. Examples are a DMA exclusion scheme or DMA mapping.
Duplicable Object: In TPM 2.0, a key or data object that is not bound to a specific TPM and, with suitable authorization, can be used outside a TPM or moved (copied) to another TPM. (See Migratable.)
D-HRTM (Dynamic Hardware Root of Trust for Measurement): A D-RTM implemented using an HRTM.
DL (Dynamic Launch): This describes the process of starting a software environment at an arbitrary time in the runtime of a system.
D-RTM (Dynamic Root of Trust for Measurement): A platform-dependent function that initializes the state of the platform and provides a new instance of a root of trust for measurement without rebooting the platform. The initial state establishes a minimal Trusted Computing Base. This is a function that is built into the Host Platform and is started by the Dynamic Launch Event (DL Event). This function is a Trusted Process. Even though the D-RTM executes after the S-RTM, the D-RTM's transitive trust chain will not necessarily have a trust dependency on the S-RTM's transitive trust chain.
DCE (Dynamic Root of Trust for Measurement Configuration Environment): The software/firmware that executes between the instantiation of the D-RTM CPU instruction and the transfer of control to the Dynamically Launched Measured Environment (DLME). The DCE is responsible for ensuring the platform is in a trustworthy state. Normally this is defined by the CPU manufacturer, chipset manufacturer, and the platform manufacturer.
DLME (Dynamically Launched Measured Environment): The software executed after the DCE-instantiated TCB is established. The DLME would nominally be supplied by an OS vendor.
EK (Endorsement Key): An asymmetric key pair composed of a public key (PubEK) and a private key (PrivEK). The EK is used to prove the TPM is genuine.
Endorsement Key Credential: A credential associated with a PubEK. The credential asserts that the associated PrivEK is unique to a security device conforming to TCG specifications.
H-CRTM: A synonym for the S-HRTM. The preferred term is S-HRTM.
HRTM (Hardware Root of Trust for Measurement): An RTM where hardware performs the initial measurement.
Immutable: Unchangeable.
ILP (Initiating Logical Processor): The processor that initiates the D-RTM.
Integrity Challenge: A process used to send accurate integrity measurements and PCR values to a challenger.
Integrity Logging: The storage of integrity metrics in a log for later use.
Integrity Measurement (Metrics): A value representing a platform characteristic that affects the integrity of a platform.
Integrity Reporting: The process of attesting to the contents of integrity storage.
Locality: A mechanism for supporting a privilege hierarchy in the platform.
Migratable (key): A key which is not bound to a specific TPM and, with suitable authorization, can be used outside a TPM or moved to another TPM.
Non-duplicable Object: In TPM 2.0, a statistically unique object (usually a key) that may only be used on the TPM that created the object.
Non-migratable (key): A key which is bound to a single TPM; a key that is (statistically) unique to a single TPM. In TPM 1.2, the key may be moved between TPMs using the maintenance process.
NV storage (Non-volatile shielded location): A shielded storage location whose contents are guaranteed to persist between uses by Protected Capabilities.
Operator: Anyone who has physical access to a platform.
Owner: The entity that has administrative rights over the TPM.
Platform: A platform is a collection of resources that provides a service.
PCR (Platform Configuration Register): A shielded location containing a digest of integrity measurements.
Platform Credential: A credential, typically a digital certificate, attesting that a specific platform contains a unique TPM and TBB. Also: a credential that states that a specific platform contains a genuine TCG Subsystem.
PCA (Privacy CA): An entity that issues an Identity Credential for a TPM based on trust in the entities that vouch for the TPM via the Endorsement Credential, the Conformance Credential, and the Platform Credential.
PrivEK (Private Endorsement Key): The private portion of the EK.
Protected Capabilities: The set of commands with exclusive permission to access shielded locations.
PubEK (Public Endorsement Key): The public portion of the EK.
RoT (Root of Trust): A component that performs one or more security-specific functions, such as measurement, storage, reporting, verification, and/or update. It is trusted always to behave in the expected manner, because its misbehavior cannot be detected (such as by measurement) under normal operation.
RTC (Root of Trust for Confidentiality): An RoT providing confidentiality for data stored in TPM Shielded Locations.
RTI (Root of Trust for Integrity): An RoT providing integrity for data stored in TPM Shielded Locations.
RTM (Root of Trust for Measurement): An RoT that makes the initial integrity measurement, and adds it to a tamper-resistant log. Note: A PCR in a TPM is normally used to provide tamper evidence because the log is not in a shielded location.
RTR (Root of Trust for Reporting): An RoT that reliably provides authenticity and non-repudiation services for the purposes of attesting to the origin and integrity of platform characteristics.
RTS (Root of Trust for Storage): The combination of an RTC and an RTI.
RTU (Root of Trust for Update): An RTV that verifies the integrity and authenticity of an update payload before initiating the update process.
RTV (Root of Trust for Verification): An RoT that verifies an integrity measurement against a policy.
Shielded Location: A place (memory, register, etc.) where it is safe to operate on sensitive data; data locations that can be accessed only by Protected Capabilities.
S-CRTM (Static Code Root of Trust for Measurement): An S-RTM implemented using a CRTM.
S-HRTM (Static Hardware Root of Trust for Measurement): An S-RTM implemented using an HRTM. [NOTE: The TPM 2 Library Specification uses the term H-CRTM introduced in Revision 116.]
S-RTM (Static Root of Trust for Measurement): An RTM where the initial integrity measurement occurs at platform reset. The S-RTM is static because the PCRs associated with it cannot be re-initialized without a platform reset.
SRK (Storage Root Key): A key with no parent that is the root key of a hierarchy of keys associated with a TPM's Protected Storage function.
TSS (TCG Software Stack): Untrusted software services that facilitate the use of the TPM and do not require the protections afforded to the TPM.
TPM Shielded Location: A location within a TPM that contains data that is shielded from access by any entity other than the TPM and which may only be operated on by a Protected Capability.
TSS (TPM Software Stack): An unofficial alias of the term TCG Software Stack. TCG specifications should not use the term TPM Software Stack when referring to the TSS.
TPM-Protected Capability: An operation performed by a TPM on data in a Shielded Location, usually in response to a command sent to the TPM.
Transitive Trust: Also known as "Inductive Trust". In this process a Root of Trust gives a trustworthy description of a second group of functions. Based on this description, an interested entity can determine the trust it is to place in this second group of functions. If the interested entity determines that the trust level of the second group of functions is acceptable, the trust boundary is extended from the Root of Trust to include the second group of functions. In this case, the process can be iterated: the second group of functions can give a trustworthy description of the third group of functions, etc. Transitive trust is used to provide a trustworthy description of platform characteristics, and also to prove that non-migratable keys are non-migratable.
Trust: Trust is the expectation that a device will behave in a particular manner for a specific purpose.
TBB (Trusted Building Block): The parts of the Root of Trust that do not have shielded locations or protected capabilities. Typically platform-specific. An example of a TBB is the combination of the CRTM, the connection of the CRTM storage to a motherboard, the connection of the TPM to a motherboard, and a mechanism for determining Physical Presence.
Trusted Component: A Trusted Device within a Trusted Platform or another Trusted Device.
Trusted Computing Platform: A Trusted Computing Platform is a computing platform that can be trusted to report its properties.
Trusted Device: A Trusted Platform that is not intended to be reprogrammed except through a maintenance process.
Trusted Platform: A platform that uses Roots of Trust to provide reliable reporting of the characteristics that determine its trustworthiness.
TPM (Trusted Platform Module): A composite of the RTR and the RTS.
TPM (Trusted Platform Module): An implementation of the functions defined in the TCG Trusted Platform Module Specification; the set of Roots of Trust with Shielded Locations and Protected Capabilities. Normally includes just the RTS and the RTR. Also: the set of functions and data that are common to all types of platform, which must be trustworthy if the Subsystem is to be trustworthy; a logical definition in terms of protected capabilities and shielded locations.
TPS (Trusted-Platform Support Services): The set of functions and data that are common to all types of platform, which are not required to be trustworthy (and therefore do not need to be part of the TPM).
User: An entity that is making use of the TPM capabilities. Also: an entity that uses the platform in which a TPM is installed. The only rights that a User has over a TPM are the rights given to the User by the Owner. These rights are expressed in the form of authentication data, given by the Owner to the User, which permits access to entities protected by the TPM. The User of the platform is not necessarily the "owner" of the platform (e.g., in a corporation, the owner of the platform might be the IT department while the User is an employee). There can be multiple Users.
Validation Credential: A credential that states values of measurements that should be obtained when measuring a particular part of the platform when the part is functioning as expected.
Validation Data: Data inside a Validation Credential; the values that the integrity measurements should produce when the part of a platform described by the Validation Credential is working correctly.
Validation Entity: An entity that issues a Validation Certificate for a component; the manufacturer of that component; an agent of the manufacturer of that component.
Verifier: An entity that evaluates credentials to produce a credential. Example 1: the entity that interacts with the TPM using the DAA protocol to verify that the TPM has a valid set of DAA-credentials. The verifier may then produce an AIK credential, without reference to the platform EK. Example 2: the entity that requests, receives, and evaluates attestation information based on the EK. A trusted third party (such as a Privacy CA) may then produce an AIK credential, after verifying the platform EK.
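The entries for PCR, Integrity Logging, Integrity Reporting, RTM and Transitive Trust describe one mechanism from several angles: each boot stage measures the next, the digest is extended into a shielded PCR and appended to an unshielded log, and a challenger replays the log against the PCR. The model below is an added example written for this article, not TCG code or the glossary's own text; it assumes SHA-256 digests, a single PCR that reads all-zero after platform reset, and the constructed stage names and images shown in CHAIN.

```python
import hashlib

# Constructed software model (not TCG code): one PCR plus its event log.
# Assumptions: SHA-256 digests, a single PCR that reads all-zero after a
# platform reset, and a log kept outside the TPM (so it is not shielded).
PCR_INITIAL = bytes(32)

def measure(component: bytes) -> bytes:
    """Integrity measurement: a digest of the component about to run."""
    return hashlib.sha256(component).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: PCR_new = H(PCR_old || measurement). One-way and order-dependent,
    so a PCR can only be re-initialized by a platform reset (S-RTM), never rewound."""
    return hashlib.sha256(pcr + measurement).digest()

def boot(chain):
    """Transitive trust along a boot chain: each stage measures the next,
    extends the shielded PCR and appends the digest to the unshielded log."""
    pcr, log = PCR_INITIAL, []
    for name, image in chain:
        digest = measure(image)
        log.append((name, digest.hex()))   # Integrity Logging
        pcr = extend(pcr, digest)          # measurement folded into the PCR
    return pcr, log

def replay(log):
    """Challenger side: recompute the PCR from the reported log entries."""
    pcr = PCR_INITIAL
    for _name, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr

def verify_report(reported_pcr: bytes, log) -> bool:
    """Integrity Reporting check: trust the log only if it replays to the PCR value
    the RTR vouches for (passed in directly here; a real RTR signs it with an AIK)."""
    return replay(log) == reported_pcr

# Constructed boot chain: stage name and the bytes that get measured.
CHAIN = [
    ("CRTM", b"crtm-firmware-image-v1"),
    ("bootloader", b"bootloader-image-v7"),
    ("kernel", b"kernel-image-6.1"),
]

def tamper_cases(pcr: bytes, log):
    """Three log manipulations a challenger must catch; each should be False."""
    edited = list(log)
    edited[2] = ("kernel", measure(b"kernel-image-6.1-expected").hex())
    return {
        "edited_entry": verify_report(pcr, edited),
        "reordered": verify_report(pcr, [log[1], log[0], log[2]]),
        "truncated": verify_report(pcr, log[:2]),
    }

if __name__ == "__main__":
    pcr, log = boot(CHAIN)
    print("genuine log verifies:", verify_report(pcr, log))
    print("tampered logs verify:", tamper_cases(pcr, log))
```

The point the RTM entry makes is visible in tamper_cases: the log itself is not protected, but any edit, reorder or truncation changes the replayed digest, so the shielded PCR exposes the tampering. A challenger must additionally validate the AIK credential that signs the PCR value, which this model leaves out.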


This article was contributed by an Internet user; the views expressed are the author's own and do not represent the position of this site. The site only provides information storage services, does not own the content and assumes no related legal responsibility. If reposting, please cite the source: http://www.coloradmin.cn/o/376163.html
