BSSSD: Trusted Computing for FreeBSD and OpenBSD

Architecture of the TCG Software Stack

Once the operating system is loaded, the method for accessing services of the TPM is called the TSS (TCG Software Stack).

The TSS is composed of several stacked components, where each layer has a specific interface to the next layer.

Simplified, the architecture looks like this:

[Figure: simplified TSS architecture diagram (TSS.png)]

TSS Service Provider Interface

The application accesses the TPM device via the TSS Service Provider Interface (TSPI).

This application programming interface is defined in the include file <tss/tspi.h>, and implemented in libtspi.

TSS Core Services Interface

TCSI is an internal interface. The TrouSerS project includes a daemon process tcsd which implements the TSS Core Service. This service can be accessed by either opening the tpmd_socket socket or by accessing port 30003/tcp on the local machine.

The library libtspi calls the TSS Core Services Interface to access the services of tcsd.

TPM Device Driver Library Interface

The tcsd daemon needs to access the kernel device driver. However, instead of a direct interface to the kernel device /dev/tpm, the TPM Device Driver Library Interface has been interposed as an intermediate layer.

This layer allows the TPMemulator to replace libtddl with its own version that communicates with tpmd. It thus allows running the TPMemulator on platforms that do not permit loading a special kernel module.

The tcsd daemon is linked against the libtddl library which describes this interface. More specifically, the TPM Device Driver Library Interface is defined in <tss/tddli.h>, and implemented in libtddl.so.

TPM Device Driver

The physical TPM device (chip) can only be accessed by the kernel.

The main function of the device driver is multiplexing access to the TPM hardware.

For communication with the TPM, applications need a kernel driver that implements /dev/tpm. The interface to the TPM is implemented by write() and read() system calls on the device driver.
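As an added example (not code from the BSSSD project or from this page), the following C program shows what the two lowest layers described above actually carry: a TPM 1.2 TPM_GetRandom command is framed, written to /dev/tpm with write(), and the response is read back with read() and validated, which is the byte-level work a device driver library such as libtddl does on behalf of tcsd. The device path /dev/tpm comes from the page; the command framing is the TPM 1.2 specification's, and the request size and the sample responses are constructed for illustration.

```c
/* Added example (not from the BSSSD page): the raw framing a device driver library hands to
 * /dev/tpm with write()/read(), shown for TPM_GetRandom (TPM 1.2, all fields big-endian).
 * Request: tag 0x00C1, paramSize, ordinal 0x46, bytesRequested. Response: tag 0x00C4, paramSize, returnCode, randomBytesSize, randomBytes[]. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#define TPM_TAG_RQU_COMMAND 0x00C1
#define TPM_TAG_RSP_COMMAND 0x00C4
#define TPM_ORD_GetRandom   0x00000046
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }
/* Encode TPM_GetRandom(n); returns the 14-byte command length, or 0 if buf is too small. */
size_t tpm_build_getrandom(uint8_t *buf, size_t buflen, uint32_t n)
{
    if (buflen < 14) return 0;
    put16(buf, TPM_TAG_RQU_COMMAND);
    put32(buf + 2, 14);                 /* paramSize covers the whole command */
    put32(buf + 6, TPM_ORD_GetRandom);
    put32(buf + 10, n);
    return 14;
}
/* Validate a response frame and copy out the random bytes. Returns the count copied, -1 on malformed framing, -2 if the TPM reported a non-zero returnCode. */
int tpm_parse_getrandom(const uint8_t *rsp, size_t len, uint8_t *out, size_t outlen)
{
    if (len < 14 || get16(rsp) != TPM_TAG_RSP_COMMAND || get32(rsp + 2) != len) return -1;
    if (get32(rsp + 6) != 0) return -2;                 /* TPM_SUCCESS is 0 */
    uint32_t n = get32(rsp + 10);
    if (n > len - 14 || n > outlen) return -1;          /* payload must fit the frame and out */
    memcpy(out, rsp + 14, n);
    return (int)n;
}
/* Submit the command the way the device driver library does: one write(), one read() on /dev/tpm. */
int main(void)
{
    uint8_t req[14], rsp[64], rnd[16];
    int fd = open("/dev/tpm", O_RDWR);
    if (fd < 0) { perror("open /dev/tpm"); return 1; }
    size_t reqlen = tpm_build_getrandom(req, sizeof req, sizeof rnd);
    if (write(fd, req, reqlen) != (ssize_t)reqlen) { perror("write"); close(fd); return 1; }
    ssize_t got = read(fd, rsp, sizeof rsp);
    close(fd);
    int n = got < 0 ? -1 : tpm_parse_getrandom(rsp, (size_t)got, rnd, sizeof rnd);
    printf("TPM_GetRandom returned %d bytes\n", n);
    return n < 0;
}
```

On a machine without a TPM (or without the driver loaded) the open() fails and the program exits with an error, which is exactly the situation the TPMemulator's replacement libtddl exists to work around.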