Open Source Summit + Embedded Linux Conference Europe 2020

The TPM contains two major features; a certain amount of NV memory and the so-called Enhanced Authorization framework. The former can be configured as simple storage, but also as monotonic counter, or bitfield. The latter can be used to implement fine-grained access policies for access TPM objects, such as NV memory. This presentation will give an introduction into these concepts and demonstrates how the features of TPM NV and E/A policies can easily be used via the TPM Software Stacks's (TSS) Feature API (FAPI). This API includes a declarative language and processing engine for TPM E/A policies which for the first time make their use very easy. In order to illustrate their usefulness, a set of example use cases and configurations, such as WriteOnceReadMany (WORM) storage (for device serial numbers) or role-based access on a per-operation level for NV storage will be presented.