TPM V2.0 Command and Signal Profile
This document specifies the TPM signaling interface supported by Windows 8 and lists the TPM 2.0 commands that:
- are used by Windows 8 and hence must be implemented for Windows Hardware Certification;
- are not used by Windows 8 but are recommended for other reasons (e.g. TPM management, expected third-party application usage and OEM usage); and
- are not used by Windows 8 and are optional to implement.
No other signaling interface is supported, but additional TPM 2.0 commands that are not used by Windows may be implemented in a TPM 2.0 device that is compliant with this specification. Please contact Microsoft for more information about vendor-specific command ranges.
Command and Signal Profile
Requirements
This profile requires that a TPM 2.0 implemented to support Windows 8:
- implements the TCG TPM 2.0 Library Specification, including critical security patches (for compatibility with later versions of the specification, please contact Microsoft; for TPMs certified in 2015, the requirement is to implement v0.99 along with the required security patches, and for information about those patches, please contact Microsoft);
- is always active, i.e. no programmatic or user-driven activation is needed;
- is provisioned with a primary seed for both the Endorsement and the Storage hierarchy.
Requirements Matrix
Signals and Indications | Included / Optional | Notes |
---|---|---|
_TPM_Init | X | |
_TPM_Hash_Start | X | |
_TPM_Hash_Data | X | |
_TPM_Hash_End | X | |

Commands | Included / Optional | Notes |
---|---|---|
Start Up Commands | | |
TPM2_Startup | X | Used by the firmware only |
TPM2_Shutdown | X | |
Testing Commands | | |
TPM2_SelfTest | X | |
TPM2_IncrementalSelfTest | X | |
TPM2_GetTestResult | X | |
Session Commands | | |
TPM2_StartAuthSession | X | |
TPM2_PolicyRestart | X | |
Object Commands | | |
TPM2_Create | X | |
TPM2_Load | X | |
TPM2_LoadExternal | X | Recommended |
TPM2_ReadPublic | X | |
TPM2_ActivateCredential | X | |
TPM2_MakeCredential | X | Recommended |
TPM2_Unseal | X | |
TPM2_ObjectChangeAuth | X | |
Duplication Commands | | |
TPM2_Duplicate | X | |
TPM2_Rewrap | X | |
TPM2_Import | X | |
Asymmetric Primitives | | |
TPM2_RSA_Encrypt | X | |
TPM2_RSA_Decrypt | X | |
TPM2_ECDH_KeyGen | X | |
TPM2_ECDH_ZGen | X | |
TPM2_ECC_Parameters | X | |
Symmetric Primitives | | |
TPM2_EncryptDecrypt | X | |
TPM2_Hash | X | |
TPM2_HMAC | X | |
Random Number Generator | | |
TPM2_GetRandom | X | |
TPM2_StirRandom | X | |
Hash/HMAC/Event Sequences | | |
TPM2_HMAC_Start | X | |
TPM2_HashSequenceStart | X | Recommended |
TPM2_SequenceUpdate | X | Recommended |
TPM2_SequenceComplete | X | Recommended |
TPM2_EventSequenceComplete | X | Recommended |
Attestation Commands | | |
TPM2_Certify | X | |
TPM2_CertifyCreation | X | |
TPM2_Quote | X | |
TPM2_GetSessionAuditDigest | X | |
TPM2_GetCommandAuditDigest | X | |
TPM2_GetTime | X | |
Anonymous Attestation Commands | | |
TPM2_Commit | X | |
Signature Verification Commands | | |
TPM2_VerifySignature | X | Recommended |
TPM2_Sign | X | |
Command Audit | | |
TPM2_SetCommandCodeAuditStatus | X | |
Integrity Collection | | |
TPM2_PCR_Extend | X | |
TPM2_PCR_Event | X | |
TPM2_PCR_Read | X | |
TPM2_PCR_Allocate | X | |
TPM2_PCR_SetAuthPolicy | X | |
TPM2_PCR_SetAuthValue | X | |
TPM2_PCR_Reset | X | |
Enhanced Authorization Commands | | |
TPM2_PolicySigned | X | Recommended |
TPM2_PolicySecret | X | |
TPM2_PolicyTicket | X | Recommended |
TPM2_PolicyOR | X | |
TPM2_PolicyPCR | X | |
TPM2_PolicyLocality | X | |
TPM2_PolicyNV | X | |
TPM2_PolicyCounterTimer | X | Recommended |
TPM2_PolicyCommandCode | X | |
TPM2_PolicyPhysicalPresence | X | |
TPM2_PolicyCpHash | X | Recommended |
TPM2_PolicyNameHash | X | Recommended |
TPM2_PolicyDuplicationSelect | X | Recommended |
TPM2_PolicyAuthorize | X | Recommended |
TPM2_PolicyAuthValue | X | |
TPM2_PolicyPassword | X | Recommended |
TPM2_PolicyGetDigest | X | |
Hierarchy Commands | | |
TPM2_CreatePrimary | X | |
TPM2_HierarchyControl | X | |
TPM2_SetPrimaryPolicy | X | |
TPM2_ChangePPS | X | |
TPM2_ChangeEPS | X | |
TPM2_Clear | X | |
TPM2_ClearControl | X | |
TPM2_HierarchyChangeAuth | X | |
Dictionary Attack Functions | | |
TPM2_DictionaryAttackLockReset | X | |
TPM2_DictionaryAttackParameters | X | |
Miscellaneous Management Functions | | |
TPM2_PP_Commands | X | |
TPM2_SetAlgorithmSet | X | |
Field Upgrade | | |
TPM2_FieldUpgradeStart | X | Microsoft strongly recommends some update mechanism is provided |
TPM2_FieldUpgradeData | X | |
TPM2_FirmwareRead | X | |
Context Management | | |
TPM2_ContextSave | X | |
TPM2_ContextLoad | X | |
TPM2_FlushContext | X | |
TPM2_EvictControl | X | |
Clocks and Timers | | |
TPM2_ReadClock | X | Used to read the boot counter |
TPM2_ClockSet | X | Likely used by firmware only |
TPM2_ClockRateAdjust | X | |
Capability Commands | | |
TPM2_GetCapability | X | |
TPM2_TestParms | X | |
Non-volatile Storage | | |
TPM2_NV_DefineSpace | X | |
TPM2_NV_UndefineSpace | X | Win 8 may use Clear instead |
TPM2_NV_UndefineSpaceSpecial | X | |
TPM2_NV_ReadPublic | X | |
TPM2_NV_Write | X | Likely used by OEM only |
TPM2_NV_Increment | X | |
TPM2_NV_Extend | X | |
TPM2_NV_SetBits | X | |
TPM2_NV_WriteLock | X | |
TPM2_NV_GlobalWriteLock | X | |
TPM2_NV_Read | X | |
TPM2_NV_ReadLock | X | |
TPM2_NV_ChangeAuth | X | |
TPM2_NV_Certify | X | |
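A device can be checked against the matrix above mechanically: TPM2_GetCapability with TPM_CAP_COMMANDS returns a TPML_CCA, a list of TPMA_CC attribute words whose low 16 bits carry the command code of each command the TPM implements. The following Python is an added example, not part of Microsoft's profile document, that parses such a response (with its framing checks) and reports which commands from an illustrative subset of the matrix the device did not report. The TPM_CC codes, the TPM_CAP_COMMANDS value and the TPMA_CC bit layout are those of the TPM 2.0 Library Specification, Part 2; the response bytes are constructed here so the code runs offline. Which commands a certification check must treat as required follows from the profile's own Included/Optional classification, not from this subset.

```python
import struct

# TPM 2.0 Library Specification, Part 2 constants.
TPM_ST_NO_SESSIONS = 0x8001
TPM_RC_SUCCESS = 0x00000000
TPM_CAP_COMMANDS = 0x00000002

# TPMA_CC bit layout (Part 2): bits 15:0 commandIndex, bit 22 nv,
# bit 23 extensive, bit 24 flushed, bits 27:25 cHandles, bit 28 rHandle, bit 29 V.
CC_INDEX_MASK = 0x0000FFFF
CC_NV = 1 << 22
CC_EXTENSIVE = 1 << 23
CC_FLUSHED = 1 << 24
CC_CHANDLES_SHIFT = 25
CC_RHANDLE = 1 << 28
CC_V = 1 << 29

# Illustrative subset of the commands listed in the matrix, keyed by TPM_CC code.
PROFILE_COMMANDS = {
    0x11F: "TPM2_NV_UndefineSpaceSpecial",
    0x120: "TPM2_EvictControl",
    0x126: "TPM2_Clear",
    0x131: "TPM2_CreatePrimary",
    0x143: "TPM2_SelfTest",
    0x144: "TPM2_Startup",
    0x145: "TPM2_Shutdown",
    0x153: "TPM2_Create",
    0x157: "TPM2_Load",
    0x158: "TPM2_Quote",
    0x15D: "TPM2_Sign",
    0x15E: "TPM2_Unseal",
    0x165: "TPM2_FlushContext",
    0x176: "TPM2_StartAuthSession",
    0x17A: "TPM2_GetCapability",
    0x17B: "TPM2_GetRandom",
    0x17E: "TPM2_PCR_Read",
    0x182: "TPM2_PCR_Extend",
}


def parse_command_capability(resp: bytes) -> dict:
    """Parse a TPM2_GetCapability response carrying TPM_CAP_COMMANDS.

    Returns {"more_data": bool, "commands": {commandIndex: attribute dict}}
    and raises ValueError on any framing or content inconsistency, so a
    truncated or foreign response is never silently treated as a command list.
    """
    if len(resp) < 19:
        raise ValueError("response too short for header, moreData, capability and count")
    tag, size, rc = struct.unpack(">HII", resp[:10])
    if size != len(resp):
        raise ValueError(f"responseSize {size} != actual length {len(resp)}")
    if rc != TPM_RC_SUCCESS:
        raise ValueError(f"TPM returned responseCode 0x{rc:08X}")
    if tag != TPM_ST_NO_SESSIONS:
        raise ValueError(f"unexpected response tag 0x{tag:04X}")
    more_data = resp[10] != 0
    capability, count = struct.unpack(">II", resp[11:19])
    if capability != TPM_CAP_COMMANDS:
        raise ValueError(f"capability 0x{capability:08X} is not TPM_CAP_COMMANDS")
    body = resp[19:]
    if len(body) != 4 * count:
        raise ValueError(f"TPML_CCA count {count} does not match {len(body)} payload bytes")
    commands = {}
    for (attr,) in struct.iter_unpack(">I", body):
        commands[attr & CC_INDEX_MASK] = {
            "nv": bool(attr & CC_NV),
            "extensive": bool(attr & CC_EXTENSIVE),
            "flushed": bool(attr & CC_FLUSHED),
            "cHandles": (attr >> CC_CHANDLES_SHIFT) & 0x7,
            "rHandle": bool(attr & CC_RHANDLE),
            "vendor": bool(attr & CC_V),
        }
    return {"more_data": more_data, "commands": commands}


def missing_profile_commands(implemented: dict) -> list:
    """Names from PROFILE_COMMANDS that the device did not report, sorted."""
    return sorted(name for cc, name in PROFILE_COMMANDS.items() if cc not in implemented)


def build_response(attrs, more_data=False) -> bytes:
    """Build a constructed TPM2_GetCapability(TPM_CAP_COMMANDS) response for offline testing."""
    payload = struct.pack(">BII", 1 if more_data else 0, TPM_CAP_COMMANDS, len(attrs))
    payload += b"".join(struct.pack(">I", a) for a in attrs)
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, 10 + len(payload), TPM_RC_SUCCESS) + payload


# Constructed sample: a device reporting every command in the subset except
# TPM2_Quote and TPM2_Unseal. cHandles=1 on every entry is illustrative only,
# not the real attribute value of these commands.
SAMPLE_ATTRS = [cc | (1 << CC_CHANDLES_SHIFT) for cc in PROFILE_COMMANDS if cc not in (0x158, 0x15E)]
SAMPLE_RESPONSE = build_response(SAMPLE_ATTRS)

if __name__ == "__main__":
    parsed = parse_command_capability(SAMPLE_RESPONSE)
    print(f"device reports {len(parsed['commands'])} commands")
    for name in missing_profile_commands(parsed["commands"]):
        print("missing:", name)
```

Against real hardware, replace SAMPLE_RESPONSE with the bytes returned by the TPM for a TPM2_GetCapability(TPM_CAP_COMMANDS) request and loop while more_data is set, passing the last command code plus one as the next property; the parser and the comparison stay the same.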