Making TPM 2.0 extended authorization practical

Thumbnail Image

Files

master_Ghozal_Mostafa_2025.pdf (3.59 MB)

URL

Journal Title

Journal ISSN

Volume Title

School of Science | Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.

Authors

Date

2025-11-24

Department

Major/Subject

Security and Cloud Computing

Mcode

Degree programme

Master's Programme in Security and Cloud Computing
Master's Programme in Security and Cloud Computing
Master's Programme in Security and Cloud Computing

Language

en

Pages

53

Series

Abstract

The Trusted Platform Module (TPM) provides hardware roots of trust for modern computing platforms, enabling secure key management, system integrity verification and a variation of use cases. However,TPM 2.0’s flexible and expressive policy mechanisms introduce significant complexity, making policy construction and debugging difficult for practitioners. Existing tools such as tpm2-tools expose low-level interfaces that are powerful yet not intuitive, offering limited support for developers to understand, construct, or visualize Extended Authorization (EA) policies. In this thesis, we present TPM Studio,a tool designed to simplify TPM policy construction through visualization, interactive tooling and a simplified Domain-Specific Language (DSL). The system consists of a Rust-based core library, a DSL for concise policy description,a command-line interface, Web-Assembly mediator code ,ReactJS web interface for graphical policy visualization. The tool parses DSL-based policies, marshals them into TPM-compliant binary structures, and computes policy digests according to the TPM 2.0 specification, enabling users to understand and generate policies without dealing with tpm2tools complexity. To assess correctness and usability, we evaluated TPM Policy Studio against tpm2-tools using canonical and combinatorial policy sets. Across 38 test cases, the tool achieved full digest agreement for all supported commands, correctly handling nested constructs. A expected, mismatches occurred only for commands requiring TPM-internal state that cannot be reproduced offline. These results demonstrate both functional correctness and practical value for learners and professionals constructing TPM 2.0 policies.

Description

Supervisor

Gunn, Lachlan

Thesis advisor

Gligoroski, Danilo

Keywords

Trusted Platform Module (TPM), trusted computing, Extended Authorization (EA), Platform Configuration Registers (PCR), web assembly, visualization

Other note

Citation

Permanent link to this item

https://urn.fi/URN:NBN:fi:aalto-202512159152

Collections

[dipl] Perustieteiden korkeakoulu / SCI