Software Architecture
The TPM component, either fTPM or a hardware-based discrete TPM (DTPM), relies on the TPM Software Stack (TSS) to communicate with the TPM. The fTPM software architecture includes an fTPM TA running in OP-TEE with TSS support in the non-secure world.
Non-secure World
The software modules in the non-secure world:
TSS: User space applications depend on TSS to utilize the secure functionalities of the TPM. TSS combines multiple layers, including application-level APIs, underlying communication interfaces, and resource management frameworks. The open source implementation tpm2-software/tpm2-tss is available on GitHub and consists of the following components:
System Level API (SAPI) provides low-level interfaces with 1-to-1 mapping to TPM 2.0 commands.
Enhanced System API (ESAPI) is a higher-level interface than SAPI. It offers session management and cryptographic capabilities.
Feature API (FAPI) provides high-level abstraction APIs for application development. It is designed to meet most TPM use cases.
TPM Command Transmission Interface (TCTI) is an abstraction layer that provides a standardized interface for transmitting TPM commands between the APIs and the TPM device driver.
TPM Access Broker (TAB) and Resource Manager (RM) are underlying framework components that handle multi-process access coordination and context management in the Linux kernel, enabling multiple applications to share TPM resources safely.
`TPM 2.0 tools <https://tpm2-tools.readthedocs.io/en/latest/>`__: A set of command-line tools for controlling the TPM. The open source implementation tpm2-software/tpm2-tools is available on GitHub.
fTPM driver: A client application (CA) that receives the TPM command byte stream and forwards it to the fTPM TA in the secure world.
OP-TEE driver: Provides the TA/CA communication interface.
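As an added example (not code from this page, tpm2-tss, or the fTPM project), the following shows the raw TPM 2.0 command byte stream that TSS hands down through the TCTI to the fTPM driver, using TPM2_GetRandom, and a checked parser for the response frame the fTPM TA sends back. The `send_via_device` helper and the `/dev/tpmrm0` kernel resource-manager path are assumptions; the sample response is constructed, not captured from a device.

```python
import struct

# TPM 2.0 wire constants (TCG TPM 2.0 Library spec, Part 2: Structures)
TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_GetRandom = 0x0000017B
TPM_RC_SUCCESS = 0x00000000
HEADER = struct.Struct(">HII")  # tag, commandSize/responseSize, commandCode/responseCode


def build_get_random(n_bytes: int) -> bytes:
    """Encode TPM2_GetRandom exactly as the TSS layers pass it to the TCTI/fTPM driver."""
    body = struct.pack(">H", n_bytes)  # UINT16 bytesRequested
    return HEADER.pack(TPM_ST_NO_SESSIONS, HEADER.size + len(body), TPM_CC_GetRandom) + body


def parse_response(resp: bytes) -> bytes:
    """Decode the response frame; reject short, inconsistent or non-success replies."""
    if len(resp) < HEADER.size:
        raise ValueError("response shorter than the 10-byte TPM header")
    tag, size, rc = HEADER.unpack_from(resp)
    if size != len(resp):
        raise ValueError(f"responseSize {size} does not match frame length {len(resp)}")
    if rc != TPM_RC_SUCCESS:
        raise RuntimeError(f"TPM returned responseCode 0x{rc:08X}")
    # Payload is a TPM2B_DIGEST: UINT16 size followed by the random bytes
    (digest_len,) = struct.unpack_from(">H", resp, HEADER.size)
    random_bytes = resp[HEADER.size + 2 : HEADER.size + 2 + digest_len]
    if len(random_bytes) != digest_len:
        raise ValueError("TPM2B_DIGEST payload truncated")
    return random_bytes


def send_via_device(cmd: bytes, path: str = "/dev/tpmrm0") -> bytes:
    """Assumed transport: write the frame to the kernel resource-manager device, read the reply."""
    with open(path, "r+b", buffering=0) as dev:
        dev.write(cmd)
        return dev.read(4096)


if __name__ == "__main__":
    # Constructed sample response carrying 8 "random" bytes (not from a real TPM)
    sample = (HEADER.pack(TPM_ST_NO_SESSIONS, HEADER.size + 2 + 8, TPM_RC_SUCCESS)
              + b"\x00\x08" + bytes(range(8)))
    print("command :", build_get_random(8).hex())
    print("response:", parse_response(sample).hex())
```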
Secure World
The software modules in the secure world:
Secure Monitor: S-EL3 firmware that handles communication between secure and non-secure worlds.
Secure Partition Manager (SPM): S-EL2 firmware that manages secure partitions. For details, refer to Hafnium Secure Partition Manager.
OP-TEE OS: A Trusted OS (TOS) running in S-EL1 to provide security services in the TrustZone.
fTPM Helper PTA: Provides major functions to support fTPM provisioning, EPS generation, and EK certificate provisioning.
fTPM TA: Implements TPM command processing and platform-dependent TA functionality in accordance with the TCG TPM 2.0 specification, built on the TCG reference implementation from ms-tpm-20-ref and the platform-specific implementation from optee_ftpm.
MB2: The secure bootloader that derives the fTPM seed from the hardware fuse. The fTPM seed is a per-device, unique, secure value used for EPS generation.
Encrypted Keyblob (EKB): Packages per-device unique properties for fTPM provisioning support.