5 Trusted Computing Platform – Trusted Computing

5 Trusted Computing Platform


To address the trust issues of software and its computing environment, the Trusted Computing Group (TCG) first put forth the idea of the trusted computing platform (TCP) [108], which can be concretized as a trusted personal computer, a trusted server or a trusted mobile device. The aim of TCP is to achieve trustworthiness of system behavior, that is, to ensure that the behavior of software is consistent with expectations in a given operating environment. The basic idea for building a TCP is to introduce a security chip (TPM/TCM) as the root of trust on the hardware platform, then extend the trust boundary outward from the security chip and finally turn all or part of a general computing platform into a “trusted” computing platform. The security of TCP is rooted in the security chip (TPM/TCM), which possesses its own security defense capabilities. Based on the services of security chips, such as isolated computation, integrity protection of the computing environment and remote attestation, the trustworthiness of entities’ behavior in a TCP can be guaranteed.

TCP is a security architecture built for a general-purpose computing platform using a security chip. In order to build a TCP, two basic elements are required: first, the platform must be equipped with a hardware security chip, which is the basis and premise for protecting the security functions of the target platform; second, it has to implement the appropriate trusted computing technologies, including security mechanisms such as the chain of trust, trust measurement and remote attestation, which are the concrete means of achieving a trusted computing platform environment [5]. In general, the TCP provides the following trust assurances for the user environment:

(1) Based on the mechanism of trust measurement, TCP can construct a chain of trust for the platform’s start-up procedure, so as to establish the initial trust environment of the platform. By verifying the integrity and trustworthiness of runtime applications, TCP can ensure trusted execution of the platform’s local applications. Based on the key operation capability provided by security chips, TCP can provide hardware-based protection for the platform’s local data, thereby constructing the platform’s local trust.

(2) Based on the anonymous and remote attestation mechanisms, TCP provides proof of correctness of the platform’s identity and of its software and hardware configuration. In this way, it constructs trust between platforms.

(3) Based on the integrity collection and remote attestation mechanisms of the trusted computing platform, TCP verifies the integrity status of a platform that is about to access the network. It ensures trust in each node of the network and lays the foundation for constructing trust in the whole network.

5.1.1 Development and Present Status

The demand for trusted computing platforms stems from the need to solve trust problems in the behavior of terminal platforms. Hence, early work was mainly driven by the IT industry, including many members of the TCG such as Microsoft, IBM, HP and Intel. TCP makes use of the hardware security chip to solve the trust problems of the platform at the architecture level, which has obvious advantages compared with traditional software-based security solutions. As a security-enhanced platform architecture, TCP still faces many challenges in data protection, computing environment protection, remote trust, system security architecture and so on. These challenges promote research on trusted computing platforms in China and abroad.

Cambridge, Carnegie Mellon, Stanford, IBM Research and other well-known universities and research institutions have launched research projects related to trusted computing platforms and produced a series of research results. TCG developed specifications for the trusted PC, trusted server, trusted mobile phone, virtualized trusted platform and other related technologies and products, respectively, for the different forms of trusted computing platform, and these specifications provide standard support for the further promotion and application of trusted computing technology. Industry has developed a series of TCP products; for example, IBM, HP and other computer manufacturers have introduced a number of TCP products ranging from desktops and laptops to servers. With the rapid adoption of mobile devices and mobile applications, Nokia, Samsung and other mobile phone manufacturers are working on corresponding trusted phone products.

On the one hand, many research institutions in China, such as the Institute of Software, Chinese Academy of Sciences (ISCAS), have conducted in-depth research on TCP technology and architecture and laid a solid foundation for the development of independent trusted computing technology and products. On the other hand, Chinese TCP has gained support and promotion all the way from chip and computer vendors to application service providers and end users: Lenovo, Great Wall, Tsinghua Tongfang and other computer manufacturers have launched their own TCP products, which are widely used in military, banking, government and other key national departments. In 2007, the Office of Security Commercial Code Administration (OSCCA) released independent technical specifications for TCP products, which provide standard support for the further development and promotion of TCP.

Technology research and industry promotion of TCP have formed a positive interaction, creating a forward cycle of development across research, products, evaluation and standards. The rapid development of the Internet of Things, cloud computing and other new technologies further leads users to be concerned about the security of their computing environment. To this end, manufacturers are gradually introducing new TCPs, including the trusted mobile platform (TMP) and the embedded trusted platform (automotive devices). We believe that TCP will be further promoted and applied with the rapid development of trusted computing technology.

5.1.2 Basic Architecture

TCP was first proposed by TCG, and it provides security enhancement for the general-purpose computing platform at the system architecture level. It takes the underlying security chip as the core and, combined with the key mechanisms of trusted computing in the upper layers, establishes a complete trusted running environment for the user’s computing platform. We divide the architecture of TCP into three layers from bottom to top, as shown in Figure 5.1.

These three layers are the underlying hardware layer, the trusted service layer and the security application layer. TCP covers the entire computing platform system from the underlying hardware, the intermediate operating system kernel and trusted functional interfaces to the upper trusted applications.

(1) Underlying hardware layer: This layer mainly includes the physical security chip, combined with trusted BIOS, security CPU, security I/O and other structures that provide the root of trust for the entire computing system.

(2) Trusted service layer: This layer spans the system kernel layer and the user application layer, including the operating system kernel and the trusted software interface. The operating system kernel is the basis for running a computing system, and the trusted software interface provides calling interfaces of the trusted computing service for upper applications, for example, the trusted software stack TSS/TSM for the respective security chip TPM/TCM.

Figure 5.1: Architecture of TCP.

(3) Security application layer: This layer is the highest layer of the TCP architecture. Based on the root of trust and the foundational trusted operating environment, it implements security features for various security requirements and protects the trusted running environment for the user’s applications by calling the different trusted computing software interfaces.

Thus, it can be seen that, in the TCP architecture with a security chip as the core, the underlying hardware layer provides the initial root of trust, which is a prerequisite for constructing a TCP. The trusted service layer completes the establishment of the chain of trust, integrity measurement and other key trusted mechanisms through interaction with the hardware layer, and it provides a foundational trusted operating environment for user applications. The security application layer implements the secure user applications based on the trusted functions and calling interfaces provided by the hardware layer and the service layer. The functions of each layer are complementary and indispensable, and together they build a trusted computing platform that meets the security needs of the user.

5.2 Personal Computer

The PC is the most widely used computing platform. Users need an assurance mechanism that can provide trusted execution for applications and systems. A trusted PC built on a security chip meets these needs. A trusted PC should not affect the execution and implementation of the existing system. Therefore, it must enhance the security of the original system under the premise of being compatible with the original architecture. To this end, TCG gives security technology specifications and standards for the trusted PC to guide the implementation and application of the corresponding products.


For the PC Client architecture of general users’ computing platforms, TCG published the PC Client Specific Implementation Specification [109], which was mainly developed by HP, IBM, Intel and Microsoft. Its goal is to provide a reference implementation for the individual trusted computing platform. Since this specification should be independent of the platform architecture, it does not give specific implementation requirements in its abstract architecture.

The specification provides a reference implementation for the specific PC platform, and its main contents include the basic components of the PC Client, the start-up and configuration processes of the host platform, the system state transitions and the corresponding certificate definitions. It focuses on the definition and description of PCR usage and of the localities used by the static and dynamic RTM. In addition, it provides a reference implementation architecture and application interfaces for the trusted PC Client.

In order to provide better guidance for the trusted PC Client, TCG has also published other related auxiliary specifications:

(1) PC Client-Specific TPM Interface Specification [87]

The TPM main specification defines a generic TPM interface for a nonspecific platform, but it does not cover special features of the TPM (such as support for dynamic locality and resettable PCRs) that relate to specific platforms (such as the personal PC or server). To this end, TCG developed this specification, which defines the TPM interfaces supporting these special features in a generic PC environment.

(2) PC Client Work Group Platform Reset Attack Mitigation Specification [110]

When a platform resets or is turned off, the contents of the volatile memory (RAM) do not disappear immediately. Therefore, an attacker can reset the target platform and then rapidly launch an intrusion program to read the remaining memory contents, such as encryption keys and other secret information. In order to avoid this threat, this specification provides a solution that sets a bit called Memory Overwrite Request (MOR) for the reset event of the host platform. When the platform is reset abnormally, the existing contents of memory are cleared before the platform loads any programs (e.g., by overwriting the memory with zeros), which prevents an attacker from reading confidential information. For hosts started by a traditional BIOS and by its successor, the Unified Extensible Firmware Interface (UEFI), this specification gives detailed interface definitions and methods of use for implementing the solution above.
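The following is an added example, not code from the specification or from this book: a simplified Python model of the MOR flow described above, contrasting an abnormal reset with a clean shutdown. The Platform class, its attribute names and the assumption that the OS clears the bit itself on a clean shutdown are constructed for illustration; the real specification exposes the bit through BIOS/UEFI interfaces.

```python
class Platform:
    """Constructed, simplified model of the MOR mechanism (assumption: the real
    bit lives behind firmware interfaces; here it is a plain attribute)."""

    def __init__(self, ram_bytes: int = 16):
        self.ram = bytearray(ram_bytes)   # volatile memory that survives a warm reset
        self.mor = False                  # Memory Overwrite Request bit

    # --- operating system side ---
    def os_load_secret(self, secret: bytes) -> None:
        """Before placing key material in RAM, request a wipe on the next boot."""
        self.mor = True
        self.ram[:len(secret)] = secret

    def os_clean_shutdown(self) -> None:
        """Orderly shutdown: the OS scrubs its own secrets, so no firmware wipe is needed."""
        self.ram[:] = bytes(len(self.ram))
        self.mor = False

    def reset(self) -> None:
        """Abnormal reset: RAM contents and the MOR bit are left untouched."""
        return None

    # --- firmware side (BIOS or UEFI) ---
    def firmware_boot(self, honor_mor: bool = True) -> bool:
        """Runs before any program is loaded. Returns True if memory was cleared."""
        if honor_mor and self.mor:
            self.ram[:] = bytes(len(self.ram))  # overwrite with zeros before loading anything
            self.mor = False
            return True
        return False

    def residue(self) -> bytes:
        """What a program loaded after boot could read from RAM."""
        return bytes(self.ram)


def secret_survives_reset(secret: bytes, honor_mor: bool) -> bool:
    """True if the secret is still readable after an abnormal reset and reboot."""
    p = Platform()
    p.os_load_secret(secret)
    p.reset()
    p.firmware_boot(honor_mor=honor_mor)
    return secret in p.residue()
```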

(3) Two Specifications about EFI (Extensible Firmware Interface) [111, 112]

The TCG EFI Protocol Specification gives a standard interface definition for TPM usage on EFI platforms in different scenarios. The OS loader and the relevant management components can measure and record the start-up events on an EFI platform using these interfaces. The TCG EFI Platform Specification gives detailed operational definitions for extending PCRs for the different types of events and for adding new items to the event log during the boot process of EFI platforms.
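As an added example (not code from the TCG specifications), the Python below shows the two halves of what the EFI measurement interfaces enable: the firmware side extends a PCR and appends an event-log entry for each boot event, and a verifier later replays the log to reproduce the quoted PCR values and checks each event against known-good digests. The event type names are real TCG EFI event types; the PCR assignments, the boot sequence and the sample images are constructed for this example.

```python
import hashlib
from typing import Dict, List, Tuple

PCR_BYTES = 20  # SHA-1 PCR bank, as in TPM 1.2 and the TCG EFI specifications

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || digest). One-way and order-dependent."""
    return sha1(old + digest)

# One event-log entry: (PCR index, event type, digest of event data, event data)
LogEntry = Tuple[int, str, bytes, bytes]

def measure(pcrs: Dict[int, bytes], log: List[LogEntry],
            index: int, event_type: str, data: bytes) -> None:
    """Firmware side: hash the component, extend the PCR, append the log entry."""
    digest = sha1(data)
    pcrs[index] = pcr_extend(pcrs[index], digest)
    log.append((index, event_type, digest, data))

def efi_boot(firmware: bytes, loader: bytes) -> Tuple[Dict[int, bytes], List[LogEntry]]:
    """Constructed two-event boot. PCR assignments (0 for firmware code, 4 for the
    boot application) follow common PC Client usage but are an assumption here."""
    pcrs = {i: bytes(PCR_BYTES) for i in range(8)}  # PCRs are all-zero after reset
    log: List[LogEntry] = []
    measure(pcrs, log, 0, "EV_POST_CODE", firmware)
    measure(pcrs, log, 4, "EV_EFI_BOOT_SERVICES_APPLICATION", loader)
    return pcrs, log

def replay_log(log: List[LogEntry]) -> Dict[int, bytes]:
    """Verifier side: recompute PCR values from the event log alone."""
    pcrs: Dict[int, bytes] = {}
    for index, _etype, digest, data in log:
        if sha1(data) != digest:
            raise ValueError("event data does not match its logged digest")
        pcrs[index] = pcr_extend(pcrs.get(index, bytes(PCR_BYTES)), digest)
    return pcrs

def golden_for(firmware: bytes, loader: bytes) -> Dict[str, bytes]:
    """Known-good digests the verifier expects for each event type."""
    return {"EV_POST_CODE": sha1(firmware),
            "EV_EFI_BOOT_SERVICES_APPLICATION": sha1(loader)}

def verify(quoted: Dict[int, bytes], log: List[LogEntry],
           golden: Dict[str, bytes]) -> bool:
    """Attestation check: the log must reproduce the quoted PCRs exactly, and
    every logged event must carry the known-good digest for its event type."""
    try:
        replayed = replay_log(log)
    except ValueError:
        return False
    for index, value in quoted.items():
        if value != replayed.get(index, bytes(PCR_BYTES)):
            return False
    return all(digest == golden.get(etype) for _i, etype, digest, _d in log)
```

A log entry edited after the fact no longer reproduces the quoted PCR, which is why the PCR (reported by the TPM) and the event log (kept in ordinary memory) are checked together.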

5.2.2 Products and Applications

Using the specifications above, different computer manufacturers can develop their own implementation architectures and manufacture different trusted computers. Currently, many manufacturers, such as IBM, HP, Lenovo and Tongfang, have launched a series of trusted computer products for different security needs.

In November 2001, IBM launched the first desktop computer whose motherboard had an embedded TPM chip. In 2004, it also launched TPM-embedded laptops. In June 2003, HP launched TPM-embedded computers. Fujitsu and Acer also launched TPM-embedded computers in 2004. Popular desktop computers on the market mainly include HP/Compaq’s dc7100, IBM’s NetVista desktops and Dell’s OptiPlex GX520; laptops include HP/Compaq’s nw8000, IBM’s T43 and Sony’s VAIO® BX Series.

Many manufacturers have also launched trusted computers based on their own intellectual property, such as Lenovo, Ruida, Tsinghua Tongfang, Inspur, Great Wall and Founder. Lenovo builds trusted computing platforms with a TCM of its own intellectual property, including the Lenovo KT M8000 and Zhaoyang K42A. It also provides the Lenovo Data Shield Security Suite for its trusted computers, which is application software developed on top of the security chip. This software integrates a series of host security protection tools to provide security functionalities such as local encryption and sharing with specified users, which can be used to protect users’ important files and prevent data leakage. Wuhan Ruida Information Security Industry Co., Ltd. develops trusted computing platforms based on security chips of its own intellectual property and has launched embedded cryptographic machines. Tongfang’s trusted computing platform, built on a TCM security chip of its own intellectual property, is able to provide full protection for the user’s computer system and data, and supports functions such as security chip management, user file encryption and data recovery. It also provides trusted network access services based on the trusted computing platform. Westone provides a security protection system for the PC operating system that combines a TCM and a USB Key on top of the trusted computing platform, providing security functions such as secure data storage and network access control.

In short, the trusted computer merges multidisciplinary expertise in security chips, basic software, computer manufacturing, network equipment manufacturing and network application software. It integrates the corresponding trusted computing security chip, security middleware, security motherboard and chain-of-trust platform software to meet the needs of the military, finance, transportation and other specific industries in data migration and security protection. Trusted computers have been widely applied in traffic management, on-site rescue, data acquisition, equipment testing, communication support and so on. After trusted computers were launched, they rapidly won approval and praise from industry users. With users’ increasing need for privacy and data security protection, trusted computers will be further applied and promoted.


As a data control center, a server typically runs a number of key services and stores large amounts of data. This makes server systems the target of a large number of attacks. Like the personal computer, the server introduces trusted computing technology to build a trusted execution environment in order to better protect the security of the services and data located on the server.


Compared with trusted personal computers, trusted servers differ in many aspects of the security chip TPM/TCM, the chain of trust and the TSS/TSM, including the following:

(1) Since the processing speed of a server is much higher than that of a normal PC, it requires the processing speed of the security chip, including the speed of cryptographic operations, to be fast enough. But the processing speed of existing security chips is quite slow.

(2) The security chip of a server should be able to support concurrency control. When multiple users simultaneously access a trusted server, the security chip should be able to handle access requests concurrently, and to ensure the correctness of data and the atomicity of operations. Servers often adopt multi-chip security mechanisms (physical security chips and virtual security chips). A change to a single security chip should not affect the security of the other security chips. Moreover, security chips should also have the capabilities of migration, backup and recovery of confidential data.

(3) Currently the TPM is connected to the motherboard through the LPC bus, but the data rate of LPC is not high, so it is not suitable for the high-speed communication requirements of servers.

(4) Since a server typically has multiple processors and supports virtualization, its start-up mode is different from that of an ordinary PC. As a result, its chain of trust should also be different from that of an ordinary PC.

(5) Because a server is not powered off for a long time after starting up, it requires the ability to perform trusted measurement multiple times.

To this end, TCG has developed and published the following series of server specifications that are independent of the physical implementation architecture, which provide standard support for the development of trusted servers:

(1) Server Work Group Generic Server Specification [88]

Corresponding to the PC Client specification, this specification is based on the main TPM specification and developed according to the characteristics of using TPMs in servers. It gives specific terms and function definitions based on the particular needs of servers using TPMs, such as the server Trusted Building Block (TBB) and PCR usage. This specification is independent of any specific server platform architecture. Therefore, each server vendor needs to define its own implementation architecture for a specific platform.

(2) Server Work Group Mandatory and Optional TPM Commands for Servers Specification [113]

For servers, TPM commands that are mandatory on the common PC platform may become optional, but optional commands cannot be turned into mandatory ones. For this reason, this specification was developed to define the server’s mandatory and optional TPM commands explicitly.

(3) Other relevant specifications

In combination with the TCG main specifications, TCG has developed the Advanced Configuration and Power Management Interface (ACPI) specification [114]. It provides a framework satisfying the TCG specifications for a variety of platforms (including servers and clients) that wish to use ACPI, including ACPI tables and basic method definitions. TCG also provides the Server Work Group Itanium Architecture Based Server Specification [115], which can be used as a reference for realizing other system architectures.

5.3.2 Products and Applications

Driven by market demand, enterprises have begun research and development of trusted servers. However, compared to the specifications for trusted personal computers, the server-related specifications lack definitions of implementation details. Moreover, a server is more complex than a personal computer and its technical performance requirements are much higher. Because of the server characteristics mentioned above, the TSS for a server should also be different. Therefore, product development of trusted servers lags behind that of personal computers.

HP, IBM and many other well-known companies have also introduced some trusted server products. But these products mainly reuse the existing key mechanisms of the ordinary trusted platform and have not been widely used and promoted. For example, TPM chips are embedded in some products of the HP ProLiant ML110 G6 and HP ProLiant ML150 G6 series. In applications, they are combined with BitLocker in Windows to provide security protection for the servers’ data.

In 2011, Lenovo introduced the mainstream tower server T168 G7. In terms of security design, it adopts trusted encryption protection technology based on a TCM, whose purpose is to build a trusted computing environment for servers. This design has three main advantages. First, it builds trust in the server platform. The security chip monitors the loading of system programs at boot time, and raises an alarm or even prohibits execution once it detects a program in an abnormal state. Second is the authentication of user identities on the server. The TCM stores a key that identifies the platform, and the platform identifies itself to the outside world by signatures or related digital certificate mechanisms; the identification number is globally unique. The third advantage is encryption protection: data encrypted by the TCM can only be decrypted and processed on this server platform, so confidential data are bound to the platform. Even if the encrypted data are stolen, they cannot be recovered outside the corresponding platform because the attacker cannot access the decryption key, and data protection is thereby achieved. This product has been certified by the OSCCA and other authorities.

With the rapid development and application of server technology, the security requirements are also increasing. As the management center of data and services, servers are compelled to use trusted computing technology to provide security protection. Trusted servers meet these needs. On the one hand, they provide a trusted execution environment for local services. On the other hand, they provide attestation of services and data to users, which allows users to verify the correctness and integrity of data located on a remote server.

5.4 Trusted Mobile Platform

With the rapid development of mobile communication technology, the use of mobile computing platforms has become more and more popular. Users install programs from third-party service providers, such as applications and games, to extend the functionality of the mobile computing platform. So the mobile computing platform is not only a communication tool but is also used for operating on (i.e., transmitting, receiving and storing) sensitive data, which poses a significant security risk for mobile platforms. Security issues have become the focus of attention of mobile users. In particular, users require mobile platforms to provide them with trusted assurance of high-quality services.

Due to differences between mobile computing platforms and common computing platforms in hardware architecture, processing capability, storage space, communication bandwidth, production cost and other aspects, the way of building a trusted execution environment with a hardware security chip on a common computing platform is no longer suitable for the mobile platform. Therefore, TCG and the relevant mobile device manufacturers have jointly launched specifications for the trusted mobile computing platform. At the same time, some research institutions have proposed feasible implementation solutions for the trusted mobile platform. The following sections briefly introduce the trusted mobile platform in various aspects, namely the specifications, system architecture, technical implementation and application.


Due to the special nature of the mobile computing platform itself, we cannot directly use a TPM/TCM to enhance the security of the mobile platform. To this end, the relevant mobile device manufacturers and TCG have launched a series of specifications to meet the functional requirements of the trusted mobile platform, while providing standard support for its implementation.

In October 2004, Intel, IBM, NTT DoCoMo and other companies developed the TMP specification for mobile platforms based on trusted computing technology. In September 2006, TCG published the Mobile Trusted Module (MTM) specification [84] by partially modifying the TPM specification according to the characteristics of the mobile platform. This specification can be seen as the basis for building the trusted mobile platform, and it has been updated recently [84]. Afterward, TCG also published technology and implementation specifications related to the trusted mobile platform and gave the following possible usage scenarios:

(1) TCG Mobile Reference Architecture Specification [116]

In order to provide a reference implementation for the mobile trusted platform, TCG published the Mobile Reference Architecture Specification. According to the initial start-up procedure and the usage of the functionality of the trusted mobile platform, the specification provides a reference architecture for the trusted mobile platform based on its main specification. It mainly gives a scheme for realizing the specific functionalities of the trusted mobile platform, such as the functional architecture, measurement and verification methods, establishment of chains of trust, trusted boot and lifecycle management.

(2) TCG Mobile Abstraction Layer Specification [117]

In order to provide manufacturers and developers with specific application interfaces, TCG also published the Mobile Abstraction Layer Specification. Based on the MTM specification and the reference architecture specification, this specification defines the abstraction layer of the trusted components of the trusted mobile platform. Its main contents cover the various data types and structures and the specific TSS interfaces used when operating the MTM. It provides a standardized reference for manufacturers producing trusted mobile products.

(3) TCG Mobile Trusted Module 2.0 Use Cases Specification [118]

Against the security threats to mobile platforms and embedded systems, the MTM can be considered for enhancing their security. This specification takes specific scenarios of the trusted mobile platform as examples (such as e-payment and e-health), and then gives technical requirements and user guidance for using the trusted mobile platform.

5.4.2 Generalized Architecture

According to the relevant mobile phone specifications of the mobile platform and the MTM specification, TCG proposed an abstract functional architecture for the generalized trusted mobile platform, as shown in Figure 5.2. In this architecture, the trusted mobile platform is abstracted as a composite of trusted engines, and it builds a local or remote trusted mobile environment through mechanisms such as processing service requests, reporting the current engine’s state and providing trusted attestation. This architecture consists of three parts: the various abstract function engines, the trusted services and the MTM.

Figure 5.2: Generalized architecture of trusted mobile platform.

Function Engines

The generalized architecture of the trusted mobile platform contains multiple abstract function engines, each representing a different stakeholder in the mobile scenario and providing the relevant service. These engines are the device engine, cellular engine, application engine and user engine, respectively. Each engine provides services to its user (i.e., stakeholder). The resources of each engine determine what services the engine can provide, and the owner of the engine determines how it provides them. The device engine provides basic platform resources, which include a user interface, debug connector, signal transmitter and receiver, random number generator, the International Mobile Equipment Identity (IMEI) and interfaces for a Subscriber Identity Module (SIM). The cellular engine takes charge of realizing data interaction interfaces, providing network connectivity and guaranteeing communication security. The application engine contains a number of extensible applications in the mobile platform, such as online game clients. The user engine directly provides services to users, and protects users’ data using the other function engines. In short, the device engine provides the necessary hardware to the cellular engine; the cellular engine provides basic data interaction services to the application engine; the application engine provides specific data application services to the user engine; and the user engine is in charge of providing users with the rich functionalities of the mobile platform. In Figure 5.2, the solid rectangles indicate interfaces and the arrows indicate their dependencies.

Services

Each abstract function engine corresponds to a trusted service, which measures each specific function module contained in the abstract engine and extends those measurements to an MTM.

Trusted Module (MTM)

As the root of trust in a trusted mobile platform, the MTM is the core of the functional architecture of the trusted mobile platform. Considering that trusted mobile platforms need to provide trusted services to multiple stakeholders (such as mobile phone users and remote mobile operators), the MTM is divided into the Mobile Remote-owner Trusted Module (MRTM) and the Mobile Local-owner Trusted Module (MLTM), which serve as the trust anchors of remote and local platform users, respectively. The device, cellular (such as mobile phones) and application engines leverage MRTMs. These stakeholders do not have physical access to the mobile device and need a secure boot process to ensure that their engines execute as they expect. The user engine leverages an MLTM. The local user has physical access to the mobile device, and can load the software he wishes to execute. The MTMs can be trusted to report the current state of their engines, and to provide attestation of the current state of the engines to remote verifiers.

Taking the MRTM as an example, we briefly introduce how an MTM can be used, as shown in Figure 5.3. As the root of trust for storage (RTS) and root of trust for reporting (RTR) of a trusted mobile platform, the MRTM provides storage protection and the corresponding trusted resources for other system components (such as PCRs and signing keys). As the basic functional components of a trusted mobile platform, the root of trust for measurement (RTM) and root of trust for verification (RTV) are outside of the MRTM. They implement measurement and verification using the protection mechanisms that the MRTM provides. When building a trusted mobile environment using the MRTM, the RTM and RTV modules are loaded first, and then they perform a diagnostic measurement of their execution state. If the diagnostic measurement matches the reference integrity metric (RIM) value stored in the MRTM, it is extended into the MRTM (Step 1). Then the RTM measures the measurement and verification agent (Steps 2 and 3). If the measurement matches the RIM value, it is extended into the MRTM, and control is passed to the measurement and verification agent. Finally, the measurement and verification agent measures, verifies and stores the integrity of the OS image in a similar way before passing control to the OS (Steps 4–6). After verification, the operating system runs. Remote stakeholders (such as device providers or communication service providers) can verify the measurement values after receiving them to determine whether the execution of the engines (such as the device engine and cellular engine) is trustworthy.
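As an added example (not code from the MTM specification or this book), the Python below models the secure-boot flow of Figure 5.3: each stage is measured, compared with its RIM held in the MRTM, and extended into a PCR only on a match, so control never reaches an unverified stage; a remote stakeholder then compares the reported PCR with the value a fully verified boot must produce. The MRTM class, the stage names, the single-PCR layout and the sample images are constructed for illustration, and a real MRTM would sign the reported PCR.

```python
import hashlib
from typing import Dict, List, Optional

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend as in TPM/MTM: PCR_new = SHA-1(PCR_old || digest)."""
    return sha1(pcr + digest)

class MRTM:
    """Constructed model of the MRTM as RTS/RTR: it holds the RIM table provisioned
    by the remote owner and a PCR that records which stages have been verified."""

    def __init__(self, rims: Dict[str, bytes]):
        self.rims = dict(rims)          # stage name -> reference integrity metric
        self.pcr = bytes(20)            # assumption: one PCR, all-zero after reset
        self.verified: List[str] = []

    def verify_and_extend(self, stage: str, digest: bytes) -> bool:
        """RTV semantics: extend only if the measurement equals the RIM for this stage."""
        if self.rims.get(stage) != digest:
            return False
        self.pcr = extend(self.pcr, digest)
        self.verified.append(stage)
        return True

    def quote(self) -> bytes:
        """RTR: report the PCR (a real MRTM signs this with an attestation key)."""
        return self.pcr

# Boot stages in the order of Figure 5.3: RTM/RTV self-measurement (Step 1),
# measurement and verification agent (Steps 2-3), OS image (Steps 4-6).
BOOT_ORDER = ["rtm_rtv", "mv_agent", "os_image"]

def secure_boot(mrtm: MRTM, images: Dict[str, bytes]) -> Optional[str]:
    """Measure each stage, verify it against its RIM and extend before passing control.
    Returns None on success or the name of the first stage that fails verification."""
    for stage in BOOT_ORDER:
        if not mrtm.verify_and_extend(stage, sha1(images[stage])):
            return stage            # halt: control never reaches an unverified stage
    return None

def expected_pcr(rims: Dict[str, bytes]) -> bytes:
    """Remote stakeholder side: the PCR value a fully verified boot must produce."""
    pcr = bytes(20)
    for stage in BOOT_ORDER:
        pcr = extend(pcr, rims[stage])
    return pcr

def remote_check(mrtm: MRTM, rims: Dict[str, bytes]) -> bool:
    """Device provider or operator compares the reported PCR with the expected value."""
    return mrtm.quote() == expected_pcr(rims)
```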

Figure 5.3: Overview of MRTM.

5.4.3 Implementation of Trusted Mobile Platform

Due to the diversity of mobile platforms, at the time of publishing the corresponding trusted mobile platform specifications TCG specified neither the concrete implementation of the MTM nor how the trusted mobile platform is to be implemented. Thus, mobile device manufacturers can implement the MTM in different ways and construct different trusted mobile platforms in accordance with the generalized architecture of the previous section.

The following sections briefly describe two representative solutions for the trusted mobile platform, in which the MTMs are implemented based on the Java smart card and on ARM TrustZone technology, respectively.

Mobile Platform Based on Java Smart Card

Common mobile platforms usually provide additional smart cards (such as expansion cards or SIM cards), which support many common cryptographic algorithms and offer some capacity for data storage and processing. These smart cards are well suited to serve as the hardware security component that runs an MTM: they provide independent hardware and firmware, similar to a TPM chip, for the MTM, so that the MTM can act as an independent hardware root of trust and establish a trusted execution environment for the mobile platform. We take the Java smart card as an example, briefly introduce the MTM architecture implemented on a Java smart card [119, 120], and then describe a method to build a trusted mobile platform using this kind of MTM [121].

Figure 5.4: The software architecture of trusted mobile platform based on Java smart card.

MTM Based on Java Smart Card. The main idea behind using a Java smart card as the security element that runs the MTM is to implement the MTM as independent applications inside the smart card. These applications support the commands defined in the TCG specification. The mobile platform takes the smart card running the MTM as its root of trust and builds the required trusted mobile environment on it. The basic architecture is shown in Figure 5.4.

The functions of the MTM are implemented inside the smart card and are divided into an MRTM and an MLTM, which run in different Java applets of the smart card. The endorsement key (EK) and authorization data (authdata) of the MTM are stored in the nonvolatile memory of the smart card, and the cryptographic algorithms the MTM needs are implemented using the card's hardware cryptographic module. An MTM implemented on a Java smart card must provide calling interfaces to the upper-layer users of the mobile platform, and therefore must also provide a corresponding trusted software stack. Moreover, because of the limited resources of the mobile platform, the communication protocols between the MTM and the smart card have to be redesigned. While guaranteeing data communication, these protocols should also prevent attacks against the MTM on the smart card.

Trusted Mobile Platform Built on a Java Smart Card. In a mobile platform using a Java smart card, the smart card provides a variety of services to the mobile platform, and the MTM acting as the root of trust is just one important service among them. Therefore, when such a mobile platform uses trusted computing technology, it must not affect the execution of the other common applications. Trusted applications on a mobile device use the MTM's trusted software stack and the corresponding abstract interfaces to invoke the underlying trusted computing services. These interfaces include the upper calling interfaces, the MTM abstraction layer and the underlying communication interfaces. The MTM abstraction layer is similar to the Trusted Device Driver Library (TDDL) and provides a class library interface for access to the underlying MTM implementation. It receives commands from upper-layer applications, converts them into the format the MTM needs, and takes charge of sending and receiving MTM commands. The underlying communication interfaces ensure the secure exchange of data between the smart card and the user's trusted applications. The current data communication interface between the smart card and the outside world adopts the standard Application Protocol Data Unit (APDU) protocol.

In order to build a trusted mobile platform, the security of the MTM itself must be guaranteed. Implementing the MTM on a Java smart card meets this demand. The hardware protection mechanisms of the smart card prevent the MTM implementation from being tampered with. At the same time, the two functions of the MTM (MRTM and MLTM) run concurrently as Java applets inside the virtual machine of the Java smart card and rely on the security mechanisms provided by the virtual machine for their isolated execution. In addition, an MTM implemented on a smart card inherits the inherent security properties of the smart card, and the mature methods for security assessment of smart cards make it convenient to assess the security of such an MTM.

Mobile Platform Based on TrustZone

Using ARM TrustZone to implement the MTM is another common way to build a trusted mobile platform [120]. ARM TrustZone technology was proposed by ARM for the embedded system field; it aims to provide a secure and trusted environment for sensitive applications on resource-constrained platforms such as a mobile phone, a PDA or a set-top box. The platform's microprocessor (CPU) is extended with domain isolation to provide an isolated environment and security services for code. This feature of TrustZone can be used to provide security assurance for a running MTM, and thus to build a trusted mobile platform based on TrustZone. In the following, we introduce the basic principle by which TrustZone technology protects the execution of sensitive code, and then describe the basic process of building a trusted mobile platform on such an MTM.

MTM Based on TrustZone. TrustZone technology adds further security enhancements to a general ARM processor. The secure configuration register of the system control coprocessor inside the ARM processor gains an NS (non-secure) bit that indicates the processor mode. The NS bit divides the processor into a secure mode and a non-secure mode (or normal mode), which correspond to the "secure area" and the "non-secure area" of the platform, respectively. A processor in secure mode can access all resources, while in non-secure mode it can access only the hardware and software resources of the non-secure area. Mode switching is handled by privileged CPU code and must be executed in a special processor mode, the monitor mode. The processor may enter the monitor mode from the non-secure mode via a secure monitor call (SMC) executed by software or via an interrupt raised by hardware.

When the MTM is implemented with TrustZone, the software code of its functions resides in the secure area. On the one hand, the hardware-based isolation ensures the security of the MTM; on the other hand, applications in the non-secure area can access MTM functions by switching modes. In a concrete implementation, because the secure area and the non-secure area each have their own privileged kernel layer and non-privileged layer, the MTM can run as a security application in the secure area, and the kernel of the secure area ensures the trusted execution of the MTM.

Trusted Mobile Platform Built on TrustZone. The secure mode and non-secure mode established by TrustZone can be used to achieve hardware-based isolation between the MTM and common applications, providing a secure execution environment for an MTM implemented purely in software. When an application needs to call the trusted services based on the MTM, it asks the monitor to switch to the secure area for processing. The basic architecture of a trusted mobile platform based on TrustZone is shown in Figure 5.5.

In the two isolated areas divided by TrustZone, the secure area and the non-secure area, two modified Linux kernels run respectively, providing the execution environments for the MTM and for user applications. In the secure area, the MTM relies on the process isolation and access control features provided by the secure kernel to ensure its own security. The hardware-based isolation mechanism ensures that malicious code in the non-secure area cannot tamper with software in the secure area. In the non-secure area, common user applications run; without authorization, these applications cannot directly access the data and code of the secure area. When a user application running in the non-secure area needs a trusted computing service running in the secure area, it first establishes a communication connection between the two areas through the trusted API, and then requests a session with the trusted service. After receiving the request, the trusted service establishes a communication channel with the user application through shared memory and exchanges data between the secure area and the non-secure area, with the security of the exchange guaranteed by TrustZone.

The trusted mobile platform built on a TrustZone-based MTM described above supports the following secure start-up process. First, after the system is powered on, it executes the secure bootloader program burned into ROM; ARM TrustZone technology prevents this program from being tampered with. Next, the bootloader passes control to the MTM. The MTM then measures each subsequently loaded program before passing control to it, eventually completing a secure boot of the mobile platform. We divide this start-up process into three phases:

Figure 5.5: Software architecture of trusted mobile platform based on ARM TrustZone.

(1) The bootloader first calculates the measurement value of the operating system kernel in the secure area and compares it with the corresponding standard RIM value. If the verification succeeds, the bootloader loads the operating system and transfers control to it; otherwise it hangs. This operation is carried out in the privileged kernel layer of the secure area (i.e., a)).

(2) It then verifies the applications in the non-privileged layer (i.e., the application layer) of the secure area, including the Init process, the MTM main process and the relevant auxiliary processes, each against its own standard RIM value. When these verifications succeed, execution control is passed to these processes; otherwise they hang (i.e., b), c)).

(3) After the programs of the secure area have been loaded successfully, the platform initializes the programs of the non-secure area, such as the operating system and trusted applications, and compares the measurements of these programs with the standard RIM values to complete the platform start-up (i.e., d)).

Analysis
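The measure, compare-with-RIM and extend chain described for the MRTM (Figure 5.3) and for the three TrustZone boot phases above, as an added example that is not part of the book or of any MTM implementation: each component is hashed, checked against a RIM table, and extended into a PCR only on a match, and the boot halts at the first mismatch, leaving a log a remote stakeholder can recompute. The component names, images, RIM values and the single PCR are constructed for illustration.

```python
"""Added example (not from the book): a model of measure-verify-extend
secure boot as described for the MRTM and the TrustZone-based platform.
The component images, RIM table and single PCR are constructed here;
a real MTM holds RIM certificates and several PCRs."""
import hashlib
from typing import Dict, List, Optional

HASH = hashlib.sha256


def measure(image: bytes) -> bytes:
    """Measurement of a loaded image: the hash of its bytes."""
    return HASH(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM/MTM-style PCR extend: PCR_new = H(PCR_old || measurement)."""
    return HASH(pcr + measurement).digest()


class MTM:
    """Minimal root of trust for storage/reporting: holds the RIM table
    and a PCR that only ever changes through extend()."""

    def __init__(self, rim: Dict[str, bytes]):
        self._rim = dict(rim)                  # reference integrity metrics
        self.pcr = bytes(HASH().digest_size)   # PCR starts at all zeros
        self.log: List[str] = []               # measurement log for reporting

    def verify_and_extend(self, name: str, image: bytes) -> bool:
        m = measure(image)
        if self._rim.get(name) != m:
            return False                       # mismatch: caller must halt
        self.pcr = extend(self.pcr, m)
        self.log.append(name)
        return True


def secure_boot(mtm: MTM, phases: List[List[tuple]]) -> Optional[str]:
    """Run the phased boot; each phase is a list of (name, image) pairs.
    Returns None on success, or the name of the first component whose
    measurement does not match its RIM (the platform 'hangs up' there)."""
    for phase in phases:
        for name, image in phase:
            if not mtm.verify_and_extend(name, image):
                return name
    return None


def expected_pcr(names: List[str], images: Dict[str, bytes]) -> bytes:
    """What a remote stakeholder recomputes from a reported log."""
    pcr = bytes(HASH().digest_size)
    for n in names:
        pcr = extend(pcr, measure(images[n]))
    return pcr


# Constructed component images (stand-ins for real binaries).
IMAGES = {
    "secure_kernel": b"secure-world linux kernel v1",
    "init": b"secure-world init process",
    "mtm_main": b"mtm main process",
    "ns_os": b"normal-world os image",
    "trusted_app": b"normal-world trusted application",
}
# RIM table as provisioned by the device manufacturer (constructed).
RIM = {name: measure(img) for name, img in IMAGES.items()}


def boot_phases(images: Dict[str, bytes]) -> List[List[tuple]]:
    """Phases a, b/c and d of the TrustZone start-up process."""
    return [
        [("secure_kernel", images["secure_kernel"])],
        [("init", images["init"]), ("mtm_main", images["mtm_main"])],
        [("ns_os", images["ns_os"]), ("trusted_app", images["trusted_app"])],
    ]


def run_good_boot():
    mtm = MTM(RIM)
    failed = secure_boot(mtm, boot_phases(IMAGES))
    return failed, mtm


def run_tampered_boot():
    """The normal-world OS image is modified: boot must stop in phase d
    with the secure-world measurements already recorded in the log."""
    tampered = dict(IMAGES, ns_os=b"normal-world os image + rootkit")
    mtm = MTM(RIM)
    failed = secure_boot(mtm, boot_phases(tampered))
    return failed, mtm


if __name__ == "__main__":
    f, m = run_good_boot()
    print("good boot halted at:", f, "log:", m.log)
    f, m = run_tampered_boot()
    print("tampered boot halted at:", f, "log:", m.log)
```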

Unlike the TPM/TCM security chip used on a common PC platform, TCG does not give a concrete implementation of the MTM, in consideration of the special nature of mobile platforms. However the MTM is implemented, its own security must be protected first so that it can act as the root of trust of the trusted mobile platform, and only then can the trusted mobile platform be built on it. Both MTM schemes above, based on a Java smart card and on TrustZone technology, protect the execution of a software-based MTM using security mechanisms provided by hardware. Among the existing MTM implementation methods, such combinations of hardware and software are the mainstream way of building a trusted mobile platform. The two representative schemes each have their advantages; a brief comparison follows:

Implementation Scheme Based on Java Smart Card. The MTM implementation scheme based on a smart card makes use of the hardware cryptographic algorithms and the protection capability provided by the smart card. While inheriting the security features of the smart card, it also provides customizable trusted computing functions for the mobile platform. Smart-card-based development on mobile platforms is advancing rapidly, which gives this scheme a solid technical foundation. A significant feature of implementing a trusted mobile platform on a Java smart card is its strong flexibility and good application prospects. The drawback is that the MTM on a Java smart card is mainly implemented as several isolated small applications (applets) in a Java virtual machine, whose processing speed is limited by the resources of the mobile device. This makes efficient use of the mobile terminal's resources all the more important, and optimized bytecode on the Java smart card should also be considered to improve performance.

Implementation Scheme Based on TrustZone. This implementation scheme relies on additional security features of the hardware processor, such as memory management and process isolation; it uses fine-grained control over the trust boundary to ensure the secure execution of the MTM. A significant advantage of building a trusted mobile platform with this method is that no additional MTM hardware is required to implement the trusted computing functions. The drawback is that the method must be implemented on a specific hardware architecture (such as TrustZone or an M-Shield chip), which limits its applicability.


At present, mobile computing platforms such as mobile phones, tablet computers, personal digital assistants (PDA) and embedded devices handle user-facing business such as office work, communication and data publishing. But there are also numerous attacks against mobile computing platforms. This situation has attracted users' attention and has become a major obstacle in sensitive application fields. Using trusted computing technology to build trusted mobile platforms can enhance the security of mobile computing platforms, so that they can be applied further in fields involving user privacy, such as banking, supervision and medicine. Unlike the TPM/TCM security chips used in common trusted computing platforms, the current trusted computing specifications do not give a specific implementation of the MTM. Manufacturers can therefore produce their own MTMs according to their own requirements, realizing different forms of trusted mobile platform.

Based on the different implementations of the MTM, there are different application modes of the trusted mobile platform. In 2007, Nokia proposed a software-based MTM solution [122]. It protects the MTM using a special hardware processor such as the TI M-Shield, realizes secure boot of smartphones, ensures the trustworthiness of the initial computing environment of the mobile terminal and supports upper-layer mobile security applications through extended interfaces. This solution is an important reference for the development of trusted mobile phones. The IAIK institute in Austria also studied a trusted mobile terminal architecture based on the Nokia 6131 development board [120]. On the one hand, they customized the MTM module functions on top of the existing mobile security extensions; on the other hand, they designed and implemented an MTM architecture with dynamic secure loading using ARM TrustZone technology, which provides effective trusted computing services to user applications on mobile devices. This work further promoted the research and application of trusted mobile phones.

As with building trust in common computing platforms, making use of trusted computing technology to build a trusted mobile environment, covering hardware, operating systems, applications and network systems, requires not only theoretical and technical support from academia but also the joint efforts of manufacturers, mobile operators and service providers. We believe that trusted mobile platforms and the Internet applications built on them will be rapidly promoted and developed as the security requirements of mobile applications increase and the study of trusted mobile platform technology deepens.

5.5 Virtualized Trusted Platform

Virtualization technology can effectively improve the utilization of system resources, lower application costs, reduce the complexity of configuration and management, and provide an independent execution environment (a guest virtual machine) for different users and applications. It is now widely used in many computing platforms such as servers, data centers and personal computers. As a result, more and more enterprises and users store important data and deploy critical services on virtualization platforms, which leads to increasing attacks against virtualization platforms and serious threats to users' data security. Security protection for virtualization platforms is therefore needed. Introducing trusted computing technology to build a virtualized trusted platform has become one of the research hotspots in virtualization platform security. Some research institutions have proposed implementation schemes for virtualized trusted platforms, and TCG has also introduced an architecture specification for the virtualized trusted platform. The following section briefly introduces the virtualized trusted platform from the perspectives of specification, common architecture, technical realization and application.

5.5.1 Requirements and Specification

The implementation architecture of a platform that supports virtualization differs from that of a common computing platform. For example, a virtualized platform executes multiple guest virtual machines simultaneously, each of which requires the same security guarantees as a common computing platform. If the method of a common computing platform is used to build a trusted environment on the virtualized platform, with multiple concurrent guest virtual machines directly accessing the single security chip, the result is access conflicts over the chip's internal resources (such as PCR operations and key operations) and a direct threat to the security assurances the platform derives from the security chip. Moreover, since the running status of guest virtual machines on a virtualized platform is uncertain (they may be shut down and started up at any time), directly using the traditional chain of trust may lead to a loop in the trust relationship. Therefore, building a virtualized trusted platform requires the support of new standards and specifications.

In September 2011, TCG published the Virtualized Trusted Platform Architecture Specification for virtualized platforms [105]. It proposes the required functionalities of virtualized trusted platform such as trusted measurement, security migration and remote attestation by defining functions of various components of virtualized trusted platform and the interactive interfaces between these components. It proposes a generalized architecture of virtualized trusted platform and multiple optional deployment models and provides a general reference to design and develop a virtualized trusted platform. This specification does not focus on the specific implementation of each module in the virtualized trusted platform, but only gives the basic function definitions and an abstract architecture, which lays the foundation for a more detailed implementation specification of virtualized trusted platform in the future.

5.5.2 Generalized Architecture

The Virtualized Trusted Platform Architecture Specification takes into account many different ways that implement the virtualized trusted platforms in practice, so it only gives a conceptual abstract architecture to build trust in a virtual machine environment. It mainly defines what functional components should be included in a virtualized trusted platform and how to achieve the sharing of security chip by the interaction of these functional components. Taking into account the special nature of virtualized platform, the specification presents multilevel generalized architectures of virtualized trusted platform, including the architecture with privileged domain (i. e., a privileged virtual machine that is responsible for management functions) and the architecture without privileged domain. As an example, we briefly describe the functional hierarchy and key components of the three-layered virtualized trusted platform architecture with privileged domain (see Figure 5.6).

The virtualized trusted platform architecture in the figure includes three layers. The top layer provides execution environment to each virtual machine (VM). Each VM is isolated from the other VMs and operates independently, but all of them leverage the management services provided by the virtual machine monitor (VMM). In these VMs, there is a privileged VM as a management console that provides users with the management functions and interfaces of the whole virtualized platform. These management functions are achieved by executing VMM’s privileged commands. The migration engine of virtualized platform is mainly used for migration of guest VMs, while the component for attestation service provides proof of trust in a single guest VM or the whole virtualized platform by the interaction with the underlying VMM.

Figure 5.6: Three-layered virtualized trusted platform architecture with privileged domain.

The second layer mainly consists of the VMM. The VMM provides execution environment isolation for the multiple VMs of the upper layer. It is responsible for creating, initializing, deleting and managing the trust services related to each VM, such as creating a virtualized root of trust vTPM and a virtualized root of trust for measurement vRTM for a VM. Because of the complexity of this management service, this architecture uses a privileged VM (the administrative domain) to manage and control the requests that non-privileged VMs make to the VMM.

The bottom layer is the physical hardware. This layer provides the physical roots of trust for the virtualized trusted platform (including a security chip and the root of trust for measurement). The physical roots of trust typically offer the basic trusted platform services for the upper-layer VMM, while the VMM constructs vTPM based on the physical root of trust and finally provides concurrent and collision-free trusted services to each VM.

The diversity of virtualized platform architectures means that the corresponding virtualized trusted platforms can be implemented in different ways. These architectures differ in the presence or absence of a privileged administrative domain and in whether the VM layer is itself embedded in another VM (i.e., a nested, N-layer virtualized platform architecture). To support virtualized trusted platforms for all of these architectures, TCG published the Virtualized Trusted Platform Architecture Specification. The specification gives a corresponding abstract model for each of the multiple virtualized platform architectures and defines the functional modules of each layer for each model, such as the roots of trust, attestation agents and migration agents, providing a reference for building different virtualized trusted platforms.

5.5.3 Implementation of Virtualized Trusted Platform

In order to implement a virtualized trusted platform, we must solve the problem of multiple guest VMs simultaneously using a single physical root of trust on the virtualized platform. The following section first introduces several implementation methods for the root of trust of a virtualized platform, and then describes how to build a virtualized trusted platform based on a virtualized TPM.

Virtualized TPM (vTPM)

As the unique root of trust of a common platform, the hardware security chip was not originally designed to provide trusted services to multiple OS instances (such as guest VMs) at the same time. To meet this requirement, we can use the isolation features offered by a virtualized platform and virtualize the hardware security chip, so that trusted computing services are provided to multiple VMs.

There are two main approaches to virtualizing the security chip: software virtualization and hardware virtualization:

Software-based Virtualized Security Chip. The main purpose of a software-based virtualized security chip is to provide an instance of the virtualized root of trust for each VM running on the VMM. To ensure that the virtualized root of trust has the same security features as the physical one, its design must achieve the following security objectives:

(1) The virtualized root of trust should provide the same usage model and operation command set as the physical one.

(2) The virtualized root of trust should be bound to the VM's life cycle; for example, VM migration requires migrating the corresponding instance of the virtualized root of trust, together with its state, as a whole.

(3) A strong correlation must be maintained between the virtualized root of trust and the TCB of the virtualized platform.

(4) The security properties of the virtualized root of trust and the physical security chip are the same and indistinguishable.

Researchers at the University of Cambridge implemented a software vTPM for the TPM security chip based on the above ideas. The solution builds on the split device driver model provided by the XEN-based virtualized platform; its core idea is to provide trusted computing services based on a TPM emulator [123] and to manage multiple concurrent vTPM instances in the administrative domain of the virtualized platform. The basic architecture of the vTPM is shown in Figure 5.7.

The architecture consists of two parts: the vTPM manager and the vTPM instances. There is only one vTPM manager, which manages the vTPM instances of the guest VMs, including the creation, deletion and maintenance of these instances. There are multiple vTPM instances, each corresponding to one guest VM, and each user's vTPM instance must run independently. When the architecture is implemented on the XEN virtualized platform, the vTPM is treated as a special device of the guest VM whose functions are split into two parts: the vTPM back-end driver, located in the privileged VM, and the vTPM front-end driver, located in the guest VM. Using the communication mechanisms and isolation characteristics that XEN itself provides, a guest VM can use its corresponding vTPM instance to build its own trusted environment.
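The vTPM manager and per-VM instances described above, together with the dispatch of guest requests by vTPM instance identifier that the front-end/back-end access process later in this section relies on, as an added example that is neither the Cambridge vTPM code nor XEN code: a Python model in which every instance has its own PCR bank (objectives 1 and 4), the manager routes each packet read from the shared pages to the instance named in it, and an instance's whole state moves with its VM on migration (objective 2). The command names, instance identifiers and the JSON packet format are constructed.

```python
"""Added example (not the Cambridge vTPM or XEN code): a model of the
vTPM manager, per-VM vTPM instances and request dispatch by instance id.
Command names, instance ids and the packet format are constructed."""
import hashlib
import json
from typing import Dict, Tuple


class VTPMInstance:
    """One virtualized root of trust, bound to exactly one guest VM.
    It keeps its own PCR bank, so instances never share state."""
    PCR_COUNT = 8

    def __init__(self, instance_id: int):
        self.instance_id = instance_id
        self.pcrs = [bytes(32) for _ in range(self.PCR_COUNT)]

    def handle(self, cmd: str, args: dict) -> dict:
        """Same command model for every instance, like the physical chip."""
        if cmd == "PCR_Extend":
            idx = args["pcr"]
            data = bytes.fromhex(args["data"])
            self.pcrs[idx] = hashlib.sha256(self.pcrs[idx] + data).digest()
            return {"ok": True, "pcr": self.pcrs[idx].hex()}
        if cmd == "PCR_Read":
            return {"ok": True, "pcr": self.pcrs[args["pcr"]].hex()}
        return {"ok": False, "error": "unknown command"}

    def export_state(self) -> dict:
        """Whole-instance state that migrates together with the VM."""
        return {"instance_id": self.instance_id,
                "pcrs": [p.hex() for p in self.pcrs]}

    @classmethod
    def import_state(cls, state: dict) -> "VTPMInstance":
        inst = cls(state["instance_id"])
        inst.pcrs = [bytes.fromhex(p) for p in state["pcrs"]]
        return inst


class VTPMManager:
    """The single manager in the administrative domain: creates, deletes
    and looks up instances, and routes each request by instance id."""

    def __init__(self):
        self._instances: Dict[int, VTPMInstance] = {}
        self._next_id = 1

    def create_instance(self) -> int:
        iid = self._next_id
        self._next_id += 1
        self._instances[iid] = VTPMInstance(iid)
        return iid

    def delete_instance(self, iid: int) -> None:
        del self._instances[iid]

    def dispatch(self, packet: bytes) -> bytes:
        """Packet as the back-end driver reads it from the shared pages:
        a JSON object {"instance": id, "cmd": name, "args": {...}}."""
        req = json.loads(packet.decode())
        inst = self._instances.get(req["instance"])
        if inst is None:
            resp = {"ok": False, "error": "no such instance"}
        else:
            resp = inst.handle(req["cmd"], req.get("args", {}))
        return json.dumps(resp).encode()

    def migrate_out(self, iid: int) -> dict:
        """Remove the instance here and hand its state to the target host."""
        return self._instances.pop(iid).export_state()

    def migrate_in(self, state: dict) -> int:
        inst = VTPMInstance.import_state(state)
        self._instances[inst.instance_id] = inst
        self._next_id = max(self._next_id, inst.instance_id + 1)
        return inst.instance_id


def request(mgr: VTPMManager, iid: int, cmd: str, **args) -> dict:
    """Front-end side: build the packet a guest places in shared memory,
    hand it to the back-end (mgr.dispatch) and decode the reply."""
    pkt = json.dumps({"instance": iid, "cmd": cmd, "args": args}).encode()
    return json.loads(mgr.dispatch(pkt).decode())


def demo() -> Tuple[str, str, str]:
    """Two guests extend PCR 0 with different data; VM2's vTPM state is
    unaffected by VM1's extend and survives migration to another host."""
    src = VTPMManager()
    vm1, vm2 = src.create_instance(), src.create_instance()
    request(src, vm1, "PCR_Extend", pcr=0, data=b"vm1 kernel".hex())
    request(src, vm2, "PCR_Extend", pcr=0, data=b"vm2 kernel".hex())
    pcr1 = request(src, vm1, "PCR_Read", pcr=0)["pcr"]
    dst = VTPMManager()                       # the migration target host
    dst.migrate_in(src.migrate_out(vm2))
    pcr2_after = request(dst, vm2, "PCR_Read", pcr=0)["pcr"]
    gone = request(src, vm2, "PCR_Read", pcr=0).get("error", "")
    return pcr1, pcr2_after, gone


if __name__ == "__main__":
    print(demo())
```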

Hardware-based Virtualized TPM. The main purpose of the hardware-based virtualized security chip is to provide a vTPM instance for each VM inside the hardware security chip, and then add a layer to provide interfaces of vTPM above the VMM for the upper guest VMs, which aim to coordinate the switching between multiple vTPMs inside the physical security chip.

Figure 5.7: vTPM architecture.

Hardware virtualization requires modifying the existing structure of the security chip, so the existing trusted computing specifications must be updated in consultation with the manufacturers, which makes it relatively difficult; this method has made no substantive progress. IBM released a draft extension specification for the TPM security chip in 2005 that defines vTPM-related commands such as TPM_CreateInstance, which creates a vTPM instance inside the TPM, and TPM_SetupInstance, which initializes a vTPM instance. Realizing that the TPM 1.2 specification does not provide enough support for virtualization platforms, TCG presented enhancements and extensions in the TPM 2.0 specification.

Virtualized Trusted Platform

The typical virtualized trusted platforms are all designed around the vTPM described above and built on the XEN virtualized platform [18]. XEN is a VM monitor developed by the University of Cambridge. As an open-source para-virtualization scheme, it uses the four privilege rings of the X86 architecture to give the VMM complete control over the other components. The privileged administrative domain dom0 interacts with the VMM to carry out management functions such as the creation, deletion and migration of guest VMs. XEN offers a dedicated front-end/back-end driver model for devices, which also provides mature technical support for deploying a virtualized security chip.

Figure 5.8: XEN-based virtualized trusted platform architecture.

Basic Architecture. The XEN-based virtualized trusted platform architecture is shown in Figure 5.8. It is similar to the generalized architecture mentioned in the Virtualized Trusted Platform Architecture Specification and mainly divided into three layers: hardware layer, VMM layer and VM layer.

In the above architecture, the hardware layer includes physical devices such as the CPU, memory and the TPM chip. The TPM is the hardware root of trust for building the trusted environment of the virtualized platform and the basis for building the virtualized trusted platform. The VMM layer guarantees communication and isolation between the upper-layer guest VMs through shared memory and the event channel mechanism, including communication between the vTPM front-end and back-end drivers, and monitors and manages the running of each guest VM. The VM layer is divided into the privileged administrative domain and the guest VMs. The administrative domain installs the driver of the physical TPM chip and creates a corresponding vTPM back-end driver for each guest VM, managed and scheduled by the management process. Each guest VM runs the vTPM front-end driver and uses the trusted computing functions through communication between the front-end and back-end drivers.

In the above XEN-based virtualized trusted platform, there are two phases to build trust. The first one is to construct a basic trusted operating environment based on the TPM chip, which includes a VMM, administrative domain kernel and key application tools (such as xend). The second one is the trusted execution environment of multiple guest VMs, that is, from the start-up process of guest VMs to the running of applications within them. The two phases of trust are based on hardware security chip TPM and virtualized root of trust vTPM, respectively. Cooperation of two phases of trust is needed to build a complete virtualized trusted platform environment.

vTPM Access Process. For the applications of guest VMs to use trusted computing services, multiple interactions between the vTPM front-end and back-end are needed; the underlying communication process is transparent to users. In the virtualized trusted platform, the main steps by which the applications of a guest VM use trusted computing services are as follows:

(1) Users use the TSS to call the corresponding trusted computing service interfaces and send a request through the vTPM front-end device (i.e., the device file /dev/tpm0).

(2) The vTPM front-end driver first allocates and initializes the memory pages shared between the front-end and the back-end. When a trusted computing service needs to transfer data, the data is copied into the shared pages, the front-end grants the back-end driver permission to access these pages through the shared memory mechanism, and it then uses the event channel mechanism to notify the vTPM back-end driver that a TPM request is waiting.

(3) Upon receiving the TPM request from the front-end driver, the back-end driver uses the function packet_read() to read it from the shared memory pages, copies it to a designated buffer and delivers it to the vTPM management program. The vTPM management program forwards the request to the corresponding vTPM instance for processing according to the vTPM instance identifier.

(4) When the request has been processed, the back-end driver receives the response from the vTPM management program. It uses the function packet_write() to copy the response into the shared pages, grants the guest VM's front-end driver access to these pages, and uses the event channel to raise an interrupt that notifies the front-end driver.

(5) Upon receiving the TPM response from the back-end driver, the vTPM front-end driver uses the function vtpm_recv() to read the data from the shared memory, copies it to the specified buffer and finally hands it to the application that initiated the TPM request.

Virtualized Trusted Platform

As trusted computing functions increase, the daemon that handles trusted computing service requests grows larger and larger in code size. Such a large, growing process reduces the running efficiency of the administrative domain of the virtualized platform and enlarges its attack surface. Research institutions have therefore improved and extended the virtualized trusted platform architecture above; the main idea is to separate the trusted computing functions from the administrative domain of the virtualized platform.

Figure 5.9: Architecture of extended virtualized trusted platform.

The trusted computing functions serve as an independent functional domain running on the virtualized platform, so that they are isolated from the other management functions of the administrative domain within the architecture of the XEN-based virtualized trusted platform [124, 125]. The concept of a driver domain in the XEN-based virtualized platform provides the technical support for implementing this idea. Taking the XEN-based virtualized platform as an example, we briefly introduce the extended virtualized trusted platform architecture, shown in Figure 5.9, as follows.

This architecture adds a new trusted VM alongside the original privileged administrative domain dom0 and the guest VMs domU. The trusted VM is a virtualized domain with a specific function: it mainly carries out the original trusted computing functions such as key generation and management. To ensure security, this domain is designed as a lightweight and customizable functional domain; apart from the libraries necessary for trusted computing services and data communication, it runs no other application code. The vTPM manager and vTPM daemon still remain in the privileged administrative domain, where they coordinate and manage the user requests coming from the guest VMs.

When a user invokes trusted computing functions on the extended virtualized trusted platform, the platform still uses the original vTPM front end and back end to complete the user request, but the request is processed by the trusted service process within the trusted VM. The inter-domain communication (IDC) mechanism between the trusted VM and the privileged administrative domain is used to exchange the data, so the administrative domain acts more like a data-transfer agent in this process.

Building on the original vTPM design, the extended virtualized trusted platform architecture separates the trusted computing functions from the administrative domain. On the one hand, it reduces the amount of daemon code within the administrative domain and thereby its attack surface; on the other hand, it makes the trusted computing services run independently of the other domains, so each trusted computing service component can be protected by the isolation properties of the virtualized platform. Based on this idea, HP’s researchers built an extended virtualized trusted platform, namely trusted virtual platforms (TVP), and tested its secure communication mechanism. Practice has shown that this approach suits existing virtualized computing platforms in terms of both security and performance.
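The request and response path of steps (1) to (5) at the start of this section, modelled as an added example (this is not code from the book, from XEN or from any vTPM implementation): a single-process Python simulation of the shared pages, the grant of access, the event-channel notification, the copy-out in the back-end, dispatch by vTPM instance identifier and the reply path. Only packet_read, packet_write and vtpm_recv are names taken from the text; SharedPages, VTPMInstance, VTPMManager, BackendDriver, FrontendDriver, the 4-byte instance identifier prefix and the toy two-opcode command set are constructed for the model. The model also assumes that the back-end, not the guest, chooses the instance identifier for a requesting domain, which is what keeps one guest from addressing another guest’s vTPM; in the extended architecture the dispatched request would continue over IDC to the trusted VM instead of being processed in dom0.

```python
import hashlib
import struct
PAGE_SIZE, PCR_COUNT, DOM0 = 4096, 8, 0   # shared-region size, PCRs per instance, dom0 id
# Toy command set carried in a vTPM packet (constructed, not real TPM ordinals):
# one opcode byte, then a PCR index byte, then a 32-byte digest for EXTEND only.
CMD_PCR_EXTEND, CMD_PCR_READ = 0x01, 0x02
RSP_OK, RSP_ERROR = b"\x00", b"\xff"


class SharedPages:   # pages owned by one guest, plus the event flag that notifies the peer
    def __init__(self, owner):
        self.owner, self.granted_to, self.pending = owner, None, None
        self.buf, self.length = bytearray(PAGE_SIZE), 0

    def store(self, domid, data):
        # Only the owner or the domain currently holding a grant may write, and
        # the packet is bounds-checked before it touches the buffer.
        if domid not in (self.owner, self.granted_to) or len(data) > PAGE_SIZE:
            raise PermissionError("no grant on these pages or packet too large")
        self.buf[:len(data)], self.length = data, len(data)

    def grant_and_notify(self, domid):   # share the memory, then raise the event
        self.granted_to = self.pending = domid

    def load(self, domid):
        if domid not in (self.owner, self.granted_to) or self.pending != domid:
            raise PermissionError(f"dom{domid} has no granted, pending packet")
        self.pending = None
        return bytes(self.buf[:self.length])   # a private copy, not the live pages


class VTPMInstance:   # one software TPM with its own PCR bank; instances share no state
    def __init__(self):
        self.pcrs = [bytes(32)] * PCR_COUNT

    def process(self, cmd):
        op, payload = (cmd[0], cmd[1:]) if cmd else (None, b"")
        if op == CMD_PCR_EXTEND and len(payload) == 33 and payload[0] < PCR_COUNT:
            idx = payload[0]
            self.pcrs[idx] = hashlib.sha256(self.pcrs[idx] + payload[1:]).digest()
            return RSP_OK + self.pcrs[idx]
        if op == CMD_PCR_READ and len(payload) == 1 and payload[0] < PCR_COUNT:
            return RSP_OK + self.pcrs[payload[0]]
        return RSP_ERROR


class VTPMManager:   # routes a packet to the instance named by its leading 4-byte identifier
    def __init__(self, instance_ids):
        self.instances = {i: VTPMInstance() for i in instance_ids}

    def dispatch(self, packet):
        if len(packet) < 4:
            return RSP_ERROR
        instance = self.instances.get(struct.unpack(">I", packet[:4])[0])
        return instance.process(packet[4:]) if instance else RSP_ERROR


class BackendDriver:   # dom0 back-end: step (3) copies the request in, step (4) writes the reply
    def __init__(self, manager, domid_to_instance):
        # Model assumption: the back-end, not the guest, decides which instance a
        # domain talks to, so no guest can address another guest's vTPM.
        self.manager, self.domid_to_instance = manager, domid_to_instance

    def packet_read(self, fe):
        return fe.pages.load(DOM0)               # private copy of the request

    def packet_write(self, fe, response):
        fe.pages.store(DOM0, response)
        fe.pages.grant_and_notify(fe.domid)      # hand back the pages, "interrupt" domU

    def on_event(self, fe):
        request = self.packet_read(fe)
        instance_id = self.domid_to_instance.get(fe.domid)   # None: no vTPM for this domain
        response = RSP_ERROR if instance_id is None else \
            self.manager.dispatch(struct.pack(">I", instance_id) + request)
        self.packet_write(fe, response)


class FrontendDriver:   # domU front-end: steps (1), (2) and (5)
    def __init__(self, domid, backend):
        self.domid, self.backend = domid, backend
        self.pages = SharedPages(owner=domid)    # step (1): allocate the shared pages

    def vtpm_send(self, cmd):
        self.pages.store(self.domid, cmd)
        self.pages.grant_and_notify(DOM0)        # step (2): grant dom0, raise the event
        self.backend.on_event(self)              # synchronous stand-in for the interrupt
        return self.vtpm_recv()

    def vtpm_recv(self):
        return self.pages.load(self.domid)       # step (5): copy the reply to the caller


def demo():
    """Two guests, two instances: an extend in dom1 is invisible to dom2."""
    backend = BackendDriver(VTPMManager([1, 2]), {1: 1, 2: 2})   # dom1 -> vTPM 1, dom2 -> vTPM 2
    guest1, guest2 = FrontendDriver(1, backend), FrontendDriver(2, backend)
    digest = hashlib.sha256(b"guest kernel image (constructed)").digest()
    extended = guest1.vtpm_send(bytes([CMD_PCR_EXTEND, 0]) + digest)
    other = guest2.vtpm_send(bytes([CMD_PCR_READ, 0]))
    again = guest1.vtpm_send(bytes([CMD_PCR_READ, 0]))
    return extended, other, again
```

Two details of the model carry over to a real split driver: the back-end copies the request out of the shared pages before parsing it, so the guest cannot change a packet that has already been checked, and the back-end attaches the instance identifier from its own table rather than trusting anything the guest put in the packet.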


The rapid adoption of virtualized platforms has attracted many attacks and led to serious incidents that heavily threaten the security of critical services and application data. To enhance the security of virtualized platforms, trusted computing technology has been introduced. Because building trust for a virtualized platform has the special requirement of serving multiple guest VMs concurrently, a virtualized root of trust that can support multiple guest VMs at the same time must be designed, so as to realize a virtualized trusted platform meeting these requirements.

Research on and application of virtualized trusted platforms have made great progress and been promoted and applied in many fields. In addition to the vTPM-based solutions above, a solution proposed by the German company Sirrix AG provides strongly isolated execution and trusted enforcement of security policy for virtualized platforms (L4 microkernel or XEN) by combining trusted computing technology with the Turaya security kernel. It also provides trusted application services such as a trusted virtualized desktop and trusted virtualized storage for users of virtualized platforms. IBM proposes the concept of the Trusted Virtualized Domain (TVD) on virtualized platforms. It uses centralized trusted service manager components to extend trust from a single virtualized platform to multiple virtualized platforms, so as to meet the requirement that multiple guest VMs on different virtualized platforms belong to the same logical trust domain. The solution has been promoted and applied in large virtualized data centers.

A virtualized trusted platform differs from a common trusted computing platform. As a system architecture, it can be applied to different forms of computing platform, such as personal computing platforms, large servers and even mobile platforms, all of which can use a virtualized trusted platform to enhance their security. A virtualized trusted platform provides isolation protection for the different guest VMs running concurrently on the one hand, and builds a trust environment for the entire virtualized platform based on a virtualized root of trust on the other hand. With the popularity of virtualization technology in large data centers, cloud computing environments and mobile computing environments, the virtualized trusted platform will be further applied and promoted.

5.6 Applications of Trusted Computing Platform

The trusted computing platform takes a hardware security chip as its root of trust. It uses trusted computing security mechanisms such as chains of trust, integrity measurement and remote attestation to establish a trusted execution environment for the local platform on the one hand, and to provide trust proof of its own environment to a remote platform on the other hand, which effectively enhances platform security. With the rapid development of information technology, different forms of trusted computing platforms have appeared one after another, such as trusted personal computers, trusted servers, trusted mobile platforms and trusted embedded devices. Applications of the trusted computing platform have gradually spread into various industries and fields and provide security protection for state confidential information, corporate sensitive data and user privacy data. The following sections briefly describe the main applications of the trusted computing platform in different fields.

5.6.1 Data Protection

Users need to protect sensitive data on their computing platforms. A trusted computing platform can realize a data protection scheme more secure than traditional software-based encryption. On the one hand, since the data encryption keys are stored in a tamper-resistant security chip, attackers cannot recover the encrypted file contents; on the other hand, by combining the scheme with the integrity measurement mechanism of the operating system boot process, it is assured that only a system passing the integrity check can decrypt the encrypted data.

Microsoft’s Windows BitLocker is a full disk encryption scheme based on the trusted computing platform, which effectively prevents data such as operating system data, user application data and memory image data from being tampered with or stolen by attackers. It uses a key provided by the TPM security chip to encrypt the entire disk, protecting all of the data including the operating system, the Windows Registry and temporary files. Moreover, when releasing the decryption key it compares the measured integrity of the system start-up with the expected integrity, and only a verified system can decrypt the data; this mechanism strengthens the protection of the operating system and user data. If the verification fails, the key is not released and the system start-up is terminated. Since the key required to decrypt the disk data is located in the tamper-resistant TPM security chip, even if the user platform is stolen, the attacker cannot decrypt the data stored on the disk. To facilitate management of platforms that use trusted computing services, the Wave company provides management software named Wave for BitLocker Management, which offers centralized management of large enterprises’ trusted computing platforms and remote monitoring of users who use Windows BitLocker frequently.
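The key-release rule described above, as an added example that is not code from the book, from BitLocker or from any TPM: a Python model of a security chip whose PCRs are extended by each boot component, whose storage root secret never leaves the chip, and whose sealing key is derived from the PCR values at the moment of unsealing, so a platform in a different measured state (or a different chip holding the same blob) cannot release the key. SecurityChip, keystream_xor, boot, the three constructed boot components and the PCR selection (0, 4, 7) are assumptions of the model; the HMAC-based counter-mode stream cipher and HMAC tag stand in for the chip’s own authenticated encryption.

```python
import hashlib
import hmac
import os

H = hashlib.sha256


def keystream_xor(key, nonce, data):
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (model only)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), H).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


class SecurityChip:
    """Toy TPM: PCRs that reset on power-up, and a storage root secret that
    survives power cycles and is never returned to the host."""
    def __init__(self, pcr_count=8):
        self._srk = os.urandom(32)               # generated inside the chip
        self.pcr_count = pcr_count
        self.reset()

    def reset(self):                             # power cycle: PCRs back to zero
        self.pcrs = [bytes(32)] * self.pcr_count

    def extend(self, index, component):          # PCR[i] = H(PCR[i] || H(component))
        self.pcrs[index] = H(self.pcrs[index] + H(component).digest()).digest()

    def _wrap_key(self, selection):
        # The key depends on the PCR values right now, so a platform in a different
        # measured state derives a different key and cannot unseal.
        composite = H(b"".join(self.pcrs[i] for i in selection)).digest()
        return hmac.new(self._srk, b"seal" + composite, H).digest()

    def seal(self, secret, selection):
        wrap, nonce = self._wrap_key(selection), os.urandom(16)
        ct = keystream_xor(wrap, nonce, secret)
        tag = hmac.new(wrap, nonce + ct, H).digest()
        return {"selection": tuple(selection), "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob):
        wrap = self._wrap_key(blob["selection"])
        tag = hmac.new(wrap, blob["nonce"] + blob["ct"], H).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            return None                          # measured state differs: key not released
        return keystream_xor(wrap, blob["nonce"], blob["ct"])


# Constructed boot components measured into PCRs 0, 4 and 7 (stand-ins for
# firmware, boot loader and OS loader); SELECTION is the set the key is bound to.
GOOD_CHAIN = [(0, b"firmware v1"), (4, b"bootloader v1"), (7, b"os loader v1")]
TAMPERED_CHAIN = [(0, b"firmware v1"), (4, b"bootloader (modified)"), (7, b"os loader v1")]
SELECTION = (0, 4, 7)


def boot(chip, chain):
    chip.reset()
    for index, component in chain:
        chip.extend(index, component)


def demo():
    """Seal a volume key at install time, then try to unseal after three boots."""
    chip = SecurityChip()
    boot(chip, GOOD_CHAIN)
    volume_key = os.urandom(32)
    blob = chip.seal(volume_key, SELECTION)      # the blob is stored on the disk in the clear
    boot(chip, GOOD_CHAIN)                       # normal reboot: same measurements
    released = chip.unseal(blob)
    boot(chip, TAMPERED_CHAIN)                   # modified boot loader: refused
    refused = chip.unseal(blob)
    other_machine = SecurityChip()               # disk moved to a stolen or other platform
    boot(other_machine, GOOD_CHAIN)
    moved = other_machine.unseal(blob)
    return volume_key, released, refused, moved
```

The blob itself carries no secret: without the chip’s root secret and the matching PCR values it is just ciphertext plus a tag, which is why the stolen-disk case fails even though the attacker holds the blob and can reproduce the good boot chain on another machine.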

Data protection schemes based on the trusted computing platform are widely applied. In China, Lenovo, Tongfang and other companies have launched data protection applications and tools based on TCM, including the Wuyou U disk and the secure cloud disk (data safe box). These applications mainly protect data such as user passwords and sensitive user files.

Compared with a purely software-based data encryption scheme, data protection implemented on a trusted computing platform provides higher security: even if an attacker steals the trusted computing platform, he is unable to decrypt the encrypted data on it. Data protection schemes based on the trusted computing platform are now widely used in key fields such as health care, education, government and business, protecting the sensitive data of these applications.

5.6.2 Security Authentication

Before sensitive data or applications are used, user or platform identities must be authenticated; in particular, access to critical sensitive application services requires two-factor authentication of both user identity and platform identity. Because traditional authentication schemes based on tokens or smart cards only authenticate the user identity, they cannot meet such high-security authentication requirements. Authentication schemes based on the trusted computing platform can simultaneously provide dual authentication of platform identity and user identity. By combining them with a fingerprint system, a PIN code and the integrity measurement and verification mechanism, these schemes can also provide multifactor authentication (user, platform, environment, etc.) and implement platform authentication for purposes such as secure boot and network access.

Authentication schemes based on the trusted computing platform have been promoted and applied. In China, the Westone company implements a two-dimensional (terminal and user) authentication system based on the TCM security chip and a USBKEY. This authentication system provides security control and protection for the use of terminals and removable storage devices, ensures that their resources are used in a secure and controlled environment, and prevents a lost token from leaking data or being tampered with. This system is the first security defense system put into practice in China and is being used in many industries such as government, banking, taxation and aviation. Lenovo has launched client security software, CSS (Client Security Solution), based on the trusted computing platform. The solution uses the TPM security chip to provide password protection for users: the password entered by the user is stored on disk in encrypted form, and the decryption key is always protected by the hardware security chip to ensure the security of the password data. Moreover, combined with a user fingerprint system, it can also provide a single sign-on mechanism for multiple applications that require the user password, which allows the user to quickly access applications while keeping the user password secure.
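The dual authentication of platform identity and user identity described in this section, as an added example that is not code from the book or from any of the products named: a Python model of a challenge-response login in which a valid answer needs both a key held in a security chip (possession factor) and the user’s PIN (knowledge factor), and in which repeated failures lock the account so a lost or stolen device cannot be used to guess PINs. PlatformChip, AuthServer, user_proof and login are constructed for the model, and a symmetric key shared at enrollment stands in for the chip-certified asymmetric platform key a real deployment would use.

```python
import hashlib
import hmac
import os

H = hashlib.sha256
TAG = b"platform-auth-v1"   # domain-separation label, constructed


class PlatformChip:   # security chip holding a platform identity key that never leaves it
    def __init__(self, key=None):
        self._key = key if key is not None else os.urandom(32)

    def export_for_enrollment(self):   # model shortcut: a real chip certifies a public key
        return self._key

    def prove(self, nonce, user_proof):
        # Possession factor: binds this platform to the challenge and to the user's proof.
        return hmac.new(self._key, TAG + nonce + user_proof, H).digest()


def user_proof(salt, pin, nonce):
    """Knowledge factor: derived from the PIN and the fresh nonce, never the PIN itself."""
    return hmac.new(H(salt + pin).digest(), nonce, H).digest()


class AuthServer:
    MAX_FAILURES = 5    # lockout threshold, so a lost token cannot be used to guess PINs

    def __init__(self):
        self.users, self.failures, self.issued = {}, {}, {}

    def enroll(self, name, platform_key, pin):
        salt = os.urandom(16)
        self.users[name] = (platform_key, salt, H(salt + pin).digest())
        self.failures[name] = 0

    def challenge(self, name):
        nonce = os.urandom(16)
        self.issued[name] = nonce
        return nonce, self.users[name][1]        # the salt is public

    def verify(self, name, nonce, response):
        platform_key, salt, verifier = self.users[name]
        if self.issued.pop(name, None) != nonce or self.failures[name] >= self.MAX_FAILURES:
            return False                         # stale or replayed nonce, or account locked
        expected_user = hmac.new(verifier, nonce, H).digest()
        expected = hmac.new(platform_key, TAG + nonce + expected_user, H).digest()
        ok = hmac.compare_digest(expected, response)
        self.failures[name] = 0 if ok else self.failures[name] + 1
        return ok


def login(server, name, chip, pin):
    """One authentication round: challenge, two-factor response, verdict."""
    nonce, salt = server.challenge(name)
    return server.verify(name, nonce, chip.prove(nonce, user_proof(salt, pin, nonce)))


def demo():
    server, chip, other_chip = AuthServer(), PlatformChip(), PlatformChip()
    server.enroll("alice", chip.export_for_enrollment(), b"1234")
    results = {
        "right platform, right pin": login(server, "alice", chip, b"1234"),
        "right platform, wrong pin": login(server, "alice", chip, b"0000"),
        "other platform, right pin": login(server, "alice", other_chip, b"1234"),
    }
    for _ in range(AuthServer.MAX_FAILURES):     # exhaust the attempts on the enrolled platform
        login(server, "alice", chip, b"9999")
    results["locked out, right everything"] = login(server, "alice", chip, b"1234")
    return results
```

Each nonce is consumed on first use, so a captured response cannot be replayed, and neither factor on its own verifies: the right PIN from an unenrolled platform and the right platform with a wrong PIN both fail with the same answer.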

5.6.3 System Security Enhancement

User platforms are vulnerable to attacks such as malicious code and Trojan horses, resulting in the leakage of large amounts of sensitive data and the failure of critical applications. To solve these security problems effectively, a trusted computing mechanism based on a hardware security chip is introduced to implement security enhancement for user platforms. Starting from the operating system, enhancement based on the trusted computing platform mainly makes use of the chain of trust and integrity measurement mechanisms and combines them with traditional security technologies such as authentication and access control to build a trusted execution environment for the operating system and applications, which enhances the security of system services and data.

System security enhancement schemes based on the trusted computing platform have been widely used. Platform vendors such as IBM and HP have launched a series of security-enhanced products for terminals and servers, such as the HP ProLiant ML110 G6 and HP ProLiant ML150 G6. In China, typical applications are as follows:

(1) The Tongfang company has developed EFI firmware supporting full verification of the chain of trust based on TCM. While preserving a quick boot, this product provides integrity verification of the system’s configuration. Tongfang also introduced the security technology platform TST2.0, which provides system security enhancement based on the TCM security chip. This platform stores confidential information in a specific secure area and improves usability by involving the user’s fingerprint, for example binding the online banking payment and email login processes to the user’s fingerprint to complete sensitive operations.

(2) Lenovo has also introduced a TCM-based security-enhanced server (e.g., the T168 G7 tower server). It can systematically solve key problems such as preventing malicious code on the platform, trusted identity identification and sensitive data protection, and has been widely used in government, military and other classified industries.

5.6.4 Trusted Cloud Services

Cloud computing has become a hotspot in the current development of information technology. Many sectors, including industry, academia and government, pay close attention to its development, but its application has not been completely accepted, mainly because the security problems of processing large-scale shared resources have not been solved effectively. Compared with the traditional computing environment, the cloud environment makes users lose control of their data and applications: a privileged manager is free to read and disclose user data, which is a serious threat to the security of users’ private information and application data. For this reason, many cloud service providers (such as Amazon Elastic Compute Cloud EC2, IBM Blue Cloud, Google App Engine and Microsoft Azure), cloud computing organizations (such as the Cloud Security Alliance, CSA [126]) and research institutions (such as HP Research Institute) are looking to build a trusted cloud environment using trusted computing technology to improve the security of cloud environments.

Building a trusted cloud on trusted computing technology mainly makes use of trusted computing mechanisms such as chain of trust establishment, integrity measurement, remote attestation and trusted network connection to provide a trusted execution environment for cloud servers (such as data storage servers and business process servers). A trusted cloud provides trust attestation of the cloud environment to cloud service users on the one hand, and verifies the trustworthiness of user platforms trying to use cloud services on the other. Many cloud service providers and research institutions have launched and popularized a number of trusted cloud schemes.

(1) In 2009, the University of Maryland proposed a solution for building a trust environment for cloud infrastructure [127]. In this solution, before using cloud services, cloud users can take advantage of the Private Virtual Infrastructure (PVI) of the cloud environment to measure and verify the integrity of the cloud environment, so as to ensure the security of user applications and data in the cloud. Since cloud users are involved in the process of building the trusted cloud environment, they establish trust in the cloud services.

(2) In 2010, Santos et al. proposed the Trusted Computing Cloud Platform. This solution focuses on the issue that privileged administrators of cloud services can maliciously tamper with or steal the data of cloud users. It uses the trusted computing services provided by a TPM-equipped cloud service platform to implement trusted registration and migration of VM instances in the cloud service, and ensures the security of user data and applications in the cloud.

(3) The Cloud Security Alliance is a mainstream cloud security research organization whose members include numerous security agencies and device manufacturers. The organization is devoted to security enhancement of the cloud computing environment and has put forward a series of implementation schemes for secure clouds. Its Trusted Cloud Initiative (TCI) program expects to use trusted computing technology based on the hardware security chip to enhance authentication and access control for cloud devices and improve the security of cloud services.

(4) In China, DaoliNet Information Technology (Beijing) Co., Ltd. together with a number of scientific research institutions presented a research project on trusted clouds. The project was expected to enable cloud users to verify the isolated execution and behavioral security of cloud applications through a combination of trusted computing technology and hardware virtualization technology. Implementing the project can strengthen user data protection in cloud storage services and enhance the trustworthiness and reliability of execution in the cloud environment.

Trusted clouds can establish a basic trust environment for cloud services, enhance the security of cloud services and remove users’ concerns about the security of cloud applications. Therefore, both ordinary public clouds and the private clouds used internally by industries such as enterprises, government and health care are making great efforts to promote the research and application of trusted clouds. In 2010, TCG announced the establishment of the Trusted Multi-Tenant Infrastructure (TMI) working group, which aims to solve the trust-establishment problem of the trusted cloud execution environment by integrating a variety of trusted computing mechanisms and to provide a generalized reference model for building trusted cloud environments. With the rapid development and application of cloud computing, the trusted computing platforms meeting its security requirements will be further promoted.

5.6.5 Other Applications

With users’ increasing demand for security, the trusted computing platform is also used in mobile and embedded environments, such as mobile health, vehicle equipment and video processing. It improves the security of sensitive user data by providing a trusted execution environment for these applications.

Mobile Applications

Many business applications are integrated into mobile platforms, such as mobile banking, mobile health and mobile software downloading. When using these applications on mobile platforms, users need their private data protected, and mobile application service providers need to prevent malicious users from attacking the application servers. For this reason, MTM-based trusted mobile platforms have appeared, which can satisfy these security requirements of mobile platform users and service providers. Take mobile application downloading as an example. On the one hand, the trusted mobile platform ensures the trustworthiness of its own execution environment through mechanisms such as secure boot and trusted measurement, and effectively prevents malicious software from damaging the client system. On the other hand, the trusted mobile platform proves to the application server that it satisfies certain security properties by means of the remote attestation mechanism, building the service provider’s trust in the mobile user platform.

Embedded Applications

The trusted computing platform can also be used to improve the security of embedded devices. Take as an example the embedded surveillance cameras used in transportation, automation control and so on. Because of the sensitivity of video information, they are the target of many attackers who threaten the security of the video data. For this reason, trusted embedded video devices based on trusted computing technology have emerged; they perform security monitoring of the running state of the camera system and ensure the authenticity, confidentiality and integrity of the video information, meeting the security demands of embedded video devices.

With the rapid development of applications and ever-higher security requirements, application service providers together with many research institutions are devoted to the establishment, application and promotion of the trusted computing platform.

(1) TCG together with platform vendors launched a series of trusted computing platform specifications and related products, and applied them in practice. Governments have also supported major projects related to the trusted computing platform to improve the security of information services. For example, the OpenTC project supported by the European Commission [128] enhances the security of traditional computing platforms, mobile platforms and embedded systems by introducing trusted computing technology. The results of this project have been widely used in various fields such as servers, grid computing, mobile communication and industrial automation.

(2) In China, platform vendors such as Lenovo and Tongfang, together with ISCAS (Institute of Software, Chinese Academy of Sciences), carried out research on trusted computing platforms with independent intellectual property and have made major breakthroughs in key technologies, standards, application and promotion. Trusted computing platforms based on the independent security chip TCM have been applied in government, medical treatment, military and other industries.

With the rapid development of new computing models (such as cloud computing and the Internet of Things) and applications (such as mobile and embedded devices), users have increasing information security requirements. The trusted computing platform will be applied more widely in the various fields of information technology because of its unique trust insurance mechanisms.


This chapter has introduced the trusted computing platform. It first gave the basic concept and functional architecture of the trusted computing platform. According to the different forms of trusted computing platforms, it elaborated the related specifications, basic principles and applications of trusted computing platforms such as the trusted personal computer, the trusted server, the trusted mobile platform and the virtualized trusted platform, focusing on the key technologies of the trusted computing platform in the mobile and virtualization scenarios. Finally, a brief description of the prospects for the application and development of the trusted computing platform was presented.

The trusted computing platform based on an embedded security chip is a concrete realization of trusted computing technology. It can build a trusted execution environment for a user or an enterprise and provide trust attestation to achieve security assurance for the execution of sensitive services. At present, a series of mature trusted computing platform products has been launched and is widely used in many areas such as government, military and enterprise. However, it should be noted that there is still a lack of trusted computing platform products that can be directly deployed in new application scenarios such as mobile and embedded devices. In addition, for the testing and evaluation of different trusted computing platforms, appropriate verification criteria still need to be developed to support security assessments by manufacturers and users. Compared with traditional system security technology, the trusted computing platform can provide a trust-establishment mechanism based on a tamper-resistant security chip with a higher security level. With the increasing security requirements of various application fields, we believe that the trusted computing platform will be further promoted and applied.