Hardware-based Security for Virtual Trusted Platform Modules by Alsouri, Sami et al.
Hardware-based Security for Virtual Trusted Platform Modules
Sami Alsouri, Thomas Feller, Sunil Malipatlolla, and Stefan Katzenbeisser
Technische Universität Darmstadt
Center for Advanced Security Research Darmstadt - CASED
Mornewegstraße 32, 64293 Darmstadt, Germany
Abstract. Virtual Trusted Platform Modules (TPMs) were proposed as a software-based alternative to hardware-based TPMs to allow the use of their cryptographic functionalities in scenarios where multiple TPMs are required in a single platform, such as in virtualized environments. However, virtualizing TPMs, especially virtualizing the Platform Configuration Registers (PCRs), strikes against one of the core principles of Trusted Computing, namely the need for a hardware-based root of trust. In this paper we show how the strength of hardware-based security can be gained for virtual PCRs by binding them to their corresponding hardware PCRs. We propose two approaches for such a binding: the first variant uses binary hash trees, whereas the other variant uses incremental hashing. In addition, we present an FPGA-based implementation of both variants and evaluate their performance.
1 Introduction
The TPM chip provides secure storage for Platform Configuration Registers (PCRs), which are supposed to store integrity measurements in a trustworthy manner. Trusted Computing requires PCRs to be recorded in shielded locations within the TPM. This provides a hardware-based implementation for PCRs and makes them resistant against software attacks.
Unfortunately, the concept of one hardware TPM for every platform is not adequate in scenarios where multiple TPMs are needed on the same platform, such as virtualization scenarios. To solve this problem, the concept of virtual TPMs (vTPMs) [7] was proposed to allow the utilization of TPM functionalities such that each virtualized system is associated with an isolated TPM instance. vTPMs are currently implemented in software.
However, virtualizing TPMs brings some important security challenges and problems. First, virtualization causes the loss of the hardware-based security of TPMs. That is, virtual PCRs (vPCRs) are prone to software attacks, which is precisely what hardware TPMs were meant to prevent. Second, virtualizing TPMs increases the size of the Trusted Computing Base (TCB). Therefore, hardware-based security for virtual PCRs is preferable.
arXiv:1308.1539v1 [cs.CR] 7 Aug 2013
Current approaches for virtualizing TPMs [7,13,11] do not provide – to the best of our knowledge – hardware-based security for vPCRs. To gain the strength of hardware-based security and to reduce the TCB, we propose in this paper an approach to bind vPCRs to hardware PCRs. More specifically, we provide two variants for this binding; the first uses binary hash trees [9] and the second uses the concept of incremental hashing [1,6]. In the first variant all vPCRs of the same index – on a platform – are jointly hashed using binary hash trees. The root hash value is stored in the hardware PCR. In the second variant, we use the incremental hashing approach, so that an aggregated hash value can be stored in the hardware TPM chip.
Both approaches require the calculation of the hash tree or the incremental hash inside the TPM to guarantee the security of the hash result. Unfortunately, the current TPM specification does not provide interfaces for such operations. Thus, we propose some additions to the TPM specifications. While it is difficult to change deployed TPM chips, next-generation TPMs [16] will allow specifying required cryptographic functionalities; furthermore, the concept of reconfigurable TPM chips [3,5,4] allows the implementation of new functionalities with relative ease.
We implement both approaches using a Virtex5 FPGA platform and
show that the application of both approaches can increase the security of
virtual TPMs with reasonable overhead.
This paper is structured as follows: Section 2 gives a brief background about Trusted Computing. In Section 3, we present our approaches to bind virtual PCRs to hardware PCRs. Section 4 describes our implementation of both approaches. The evaluation of the approaches and their implementations is carried out in Section 5. Finally, we conclude in Section 6.
2 Background & Related Work
The standards and specifications of Trusted Computing (TC) [17], a technology developed by the Trusted Computing Group (TCG)¹, provide many functionalities to secure computing platforms. TC relies on a cryptographic module, called TPM [17], that provides various security functionalities. A TPM is a microcontroller-based chip with hard-wired engines for various cryptographic functions such as RSA, SHA-1 and HMAC. It forms the trust anchor of a system by building a chain-of-trust which includes all software loaded on the platform. The chain is extended based on the principle hash then load: the executable code of every loaded software component is hashed using the SHA-1 algorithm before control is passed to it. The computed hash values, representing the state of the system, are stored in the PCRs of the TPM.
¹ http://www.trustedcomputinggroup.org/
Remote Attestation is one important security function provided by the TPM. In remote attestation, the system equipped with a TPM trustworthily reports its platform state to a remote challenger. For this, the TPM provides a set of PCR values signed by an Attestation Identity Key (AIK) and a Stored Measurement Log (SML) to the challenger. In turn, the challenger decides on the trustworthiness of the system by comparing them with well-known reference values stored in a public Reference Measurement List (RML).
A conventional TPM is, in general, an Application Specific Integrated Circuit (ASIC) [17] implementation and therefore cannot be updated after deployment. However, there exist approaches in the literature for supporting a flexible update of cryptographic algorithms on the TPM using reconfiguration technology such as Field Programmable Gate Arrays (FPGAs), as proposed by Malipatlolla et al. in [15].
Unfortunately, the current specification of the TPM does not support hardware-based security for systems using virtualization and cloud computing technologies. Though there exist in the literature designs supporting resource constrained embedded systems [4] and an arbitrary number of virtual TPMs [13], they do not address the above problem. Virtual TPMs in these approaches therefore belong to the TCB of a platform.
The concept of hash trees has been used in many different contexts. In the area of Trusted Computing, hash trees were applied in [19] to protect memory regions, using the region block size and the number of memory updates as parameters for the hash tree. Schmidt et al. [14] used hash trees during the integrity measurement process to create tree-formed measurements, in which the measured components represent the leaves and the PCR values represent the roots. The goal of this work was to allow detecting the position of a possible manipulation of an SML, which, in the case of linearly ordered measurements (as in the TCG standard), was only possible by checking the integrity value of each entry in the SML. Another work that applied the concept of hash trees in TC is the one presented by Sarmenta et al. [12]. The objective of the authors was to create a very large number of virtual monotonic counters on an untrusted machine with a TPM. The virtual counters can then be used to detect illegitimate modifications to shared data objects (including replay attacks and forking attacks) [18]. For this, the authors proposed the use of additional TPM commands in order to calculate hash tree node and root values in a secure manner. In contrast, we apply hash trees in our approach to bind virtual PCRs to hardware PCRs, which is a security problem of virtual TPMs, and therefore serve a different purpose.
3 Approach
To provide hardware-based security for virtual PCRs, we propose in this section two different approaches. The first uses the well-known binary hash trees and the second uses incremental hashing. Both approaches are based on the idea of binding all virtual PCRs with a specific index to the hardware PCR of the same index in such a way that any manipulation of a virtual PCR can be detected with the help of the value of its corresponding hardware PCR.
3.1 Hash Tree Based Binding
We propose the use of the concept of binary hash trees, as shown in Figure 1. In the following, we explain our approach in three phases: the setup phase, the integrity measurement phase, and finally the remote attestation phase.
[Figure: binary hash tree with leaves vPCR_i^1, vPCR_i^2, ..., vPCR_i^{n-1}, vPCR_i^n at the top, intermediate nodes h1 ... h6 and root node h0]
Fig. 1. Sample Binary Hash Tree
Setup Phase. We construct the hash tree in the following way: the leaves at the top of the tree represent all vPCRs of a specific index i of all existing vTPMs (1, . . . , n) on a platform. For instance, vPCR_10^1 indicates the vPCR number 10 of the vTPM number 1. To increase efficiency, we propose using hash trees of fixed height l. That is, with l = 10, one can run 1024 vTPMs on the same platform bound to a single hardware TPM. This number is probably enough for single platforms (e.g., servers), in case of using isolated vTPMs for virtual machines. Nodes further down in the tree are the hashes of their respective child nodes. Figure 1 illustrates this process; h0 represents the accumulated vPCR values (root hash node) that will be stored in the hardware TPM; h0 is obtained by combining the hashes h1 and h2, i.e.,
h0 ⇐ hash(h1||h2),
where || indicates the concatenation operation. All intermediate hashes are computed in the same way as h0. That is, the calculation of h0 depends on the calculation of the leaves and all intermediate nodes in the hash tree. Consequently, any manipulation of one of the leaves can be detected.
Integrity Measurement. Once a vPCR value needs to be updated, the vTPM is notified about the new measurement and the new value of the vPCR is bound to the corresponding hardware PCR as explained in the setup phase. In addition, the SML of this vTPM is also updated.
More specifically, the TSS notifies the underlying hardware TPM by starting the procedure depicted in Algorithm 1, sending the old vPCR value vPCR_old, the new vPCR value vPCR_new, the height of the hash tree l and the PCR index i of the hardware TPM that needs to be updated. This algorithm is then executed inside the hardware TPM, which stores the provided values in temporary registers in its volatile storage. The algorithm returns OK if and only if the process was successfully finished and no hash tree update is currently running for this PCR_i.
After providing the hardware TPM with the old and new vPCR values, the hash tree has to be re-calculated as shown in Algorithm 2. Since the hash tree is located outside of the TPM and the algorithm must be provided with all siblings on the path to the root of the hash tree, Algorithm 2 must be called l − 1 times, providing each time the correct sibling of the current hash tree level. First, the TPM is provided with the sibling of the leaf (i.e., the vPCR) and hashes the old and the new value of the vPCR with this sibling. The same process is repeated until the root is reached (i.e., the remaining tree height equals 0). If the root recomputed from the old vPCR value equals the value stored in PCR_i, the hash tree is untampered and the newly calculated root can be stored in PCR_i; otherwise an error is returned, indicating a potential software attack aiming at manipulating the PCR values. It does not matter who calls Algorithm 2 in the hardware TPM to provide the sibling values; what matters is the provision of the correct values to calculate a correct root value, which equals PCR_i. That is, an attacker who calls Algorithm 2 after Algorithm 1 was called would have to deliver a collision for PCR_i in order to update the root value to one of their choosing. This is assumed to be hard when using a collision-resistant hash function.
Algorithm 1: TPM Update Leaf Init
  Input: old vPCR value vPCR_old, new vPCR value vPCR_new, hardware PCR index i, height of the tree l
  Output: OK or error
  if c_i ≠ 0 then              // a hash tree update is running
      return error;
  else
      c_i ← l;                 // initialize counter with tree height
      tmp_old ← vPCR_old;
      tmp_new ← vPCR_new;
      return OK;
Algorithm 2: TPM Update Leaf
  Input: hardware PCR index i, sibling
  Output: updated hardware PCR value PCR′_i or error
  tmp_old ← hash(tmp_old || sibling);
  tmp_new ← hash(tmp_new || sibling);
  c_i ← c_i − 1;
  if c_i = 0 then              // root of tree reached
      if tmp_old = PCR_i then
          PCR_i ← tmp_new;
          return PCR_i;
      else
          return error;        // the hash tree is tampered
Note that it would be possible to provide the TPM with all required siblings (from a leaf to the root) at once. Although this would reduce the communication overhead with the TPM, it would at the same time require enough temporary storage for all these values, which could be a problem for resource-constrained TPM implementations.
Remote Attestation. The remote attestation process is very similar to the one described by the TCG, with one additional step, namely verifying the hash tree. In detail, after the challenger sends a nonce, the nonce is signed together with the requested vPCR by the vAIK of the particular vTPM and then forwarded to the hardware TPM. The hardware TPM also signs the nonce and the value of the requested PCR (i.e., the root node of the hash tree). The signatures, the SML and the hash tree are finally sent to the challenger. The challenger verifies the signatures and the SML. In addition, the challenger re-calculates the hash tree as described above. If the signed root value equals the re-calculated value (which means that the vPCR is untampered), the signed value can be considered trusted.
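As an added example (not code from the paper), the following Python model walks through the three phases above for one hardware PCR: a software-side hash tree as in Fig. 1, a hardware TPM holding the state of Algorithms 1 and 2, an honest extend of one vPCR followed by the challenger's recomputation of the root, and a rejected update whose claimed old value never led to PCR_i. Assumptions beyond the paper: the number of Algorithm 2 calls follows the counter c_i set by Algorithm 1 (one call per tree level), each call additionally carries a left/right flag so the TPM can reproduce hash(left || right), and all vTPM names and measurement values are constructed.

```python
import hashlib

# Added example, not code from the paper; SHA-1 because the paper's TPM hashes with SHA-1.
DIGEST0 = b"\x00" * 20

def hash_cat(left: bytes, right: bytes) -> bytes:
    """hash(left || right), the node rule of Fig. 1."""
    return hashlib.sha1(left + right).digest()

def build_tree(leaves):
    """Full binary hash tree kept in software: levels[0] = leaves, levels[-1] = [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([hash_cat(cur[j], cur[j + 1]) for j in range(0, len(cur), 2)])
    return levels

def sibling_path(levels, leaf_index):
    """Siblings from a leaf up to the root, each with a flag telling whether the sibling
    is the left child (assumption added here; Algorithm 2 as printed carries no flag)."""
    path, idx = [], leaf_index
    for level in levels[:-1]:
        sib = idx ^ 1
        path.append((level[sib], sib < idx))
        idx //= 2
    return path

class HardwareTPM:
    """Shielded state of Algorithms 1 and 2: PCRs, per-PCR counter c_i, tmp_old, tmp_new."""
    def __init__(self, n_pcr=24):
        self.pcr = [DIGEST0] * n_pcr
        self.c = [0] * n_pcr          # c_i: tree levels still to process, 0 = idle
        self.tmp_old = [None] * n_pcr
        self.tmp_new = [None] * n_pcr

    def update_leaf_init(self, i, vpcr_old, vpcr_new, height):   # Algorithm 1
        if self.c[i] != 0:            # a hash tree update is already running
            return "error"
        self.c[i] = height
        self.tmp_old[i], self.tmp_new[i] = vpcr_old, vpcr_new
        return "OK"

    def update_leaf(self, i, sibling, sibling_is_left):          # Algorithm 2
        if self.c[i] == 0:
            return "error"            # no update in progress (check added here)
        if sibling_is_left:
            self.tmp_old[i] = hash_cat(sibling, self.tmp_old[i])
            self.tmp_new[i] = hash_cat(sibling, self.tmp_new[i])
        else:
            self.tmp_old[i] = hash_cat(self.tmp_old[i], sibling)
            self.tmp_new[i] = hash_cat(self.tmp_new[i], sibling)
        self.c[i] -= 1
        if self.c[i] > 0:
            return "pending"
        if self.tmp_old[i] == self.pcr[i]:   # old root matches: tree untampered
            self.pcr[i] = self.tmp_new[i]
            return self.pcr[i]
        return "error"                       # old leaf value does not lead to PCR_i

def run_update(tpm, i, levels, k, vpcr_new):
    """TSS side: Algorithm 1 once, then Algorithm 2 once per tree level."""
    path = sibling_path(levels, k)
    if tpm.update_leaf_init(i, levels[0][k], vpcr_new, len(path)) != "OK":
        return "error"
    results = [tpm.update_leaf(i, sib, is_left) for sib, is_left in path]
    return results[-1]

def demo(height=3, i=10):
    """Constructed scenario: 2**height vTPMs; vPCR i of vTPM 5 is extended honestly,
    then software tries to replace leaf 2 while claiming a forged old value."""
    leaves = [hashlib.sha1(b"vTPM%d initial" % k).digest() for k in range(2 ** height)]
    levels = build_tree(leaves)
    tpm = HardwareTPM()
    tpm.pcr[i] = levels[-1][0]                    # setup phase: root into PCR_i
    new_val = hash_cat(leaves[5], hashlib.sha1(b"measurement").digest())
    honest = run_update(tpm, i, levels, 5, new_val)
    leaves[5] = new_val                           # software tree follows the TPM
    levels = build_tree(leaves)
    forged = list(leaves)
    forged[2] = b"\x11" * 20                      # claimed old value never in the tree
    tampered = run_update(tpm, i, build_tree(forged), 2, b"\x22" * 20)
    return {"honest_ok": honest == levels[-1][0],  # challenger's recomputed root
            "tampered": tampered,                   # "error": old root != PCR_i
            "pcr_unchanged": tpm.pcr[i] == levels[-1][0],
            "idle": tpm.c[i] == 0}                  # counter released after the error
```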
3.2 Incremental Hash Based Binding
Incremental hashing is another efficient way to aggregate hash values of messages that change over time. More specifically, an incremental hash function produces an updated hash value of a modified message faster than recomputing the hash from scratch. We propose here an approach which uses incremental hashing to aggregate all vPCR values of a platform and update the aggregated value after every extend operation performed on any vTPM on the platform.
Algorithm 3 details the hash update procedure based on the incremental hashing scheme of [1]. Modular multiplication was chosen as the combining operation. To comply with TCG standards, the updated hash will include the history (PCR_i) of all measurements.
Algorithm 3: TPM Increment Hash
  Input: hardware PCR index i, old hash value vPCR_old, new hash value vPCR_new
  Output: updated hardware PCR value PCR′_i
  h_i ← mod_div(PCR_i, hash(i||vPCR_old));
  PCR′_i ← mod_mult(h_i, hash(i||vPCR_new||PCR_i));
  return PCR′_i;
Setup Phase. The incremental hash-based binding approach presented herein can be used with an arbitrary number of vTPMs. Adding and removing PCR values of vTPMs is done by multiplying the corresponding hash values into, or dividing them out of, the aggregated hardware PCR value. To bind all vPCRs of a vTPM to the value of PCR_i, all corresponding vPCR_i of each vTPM are combined according to the following equation, where m is the prime modulus, i is the number of the PCR register and n is the number of vTPMs existing on the same platform:
PCR_i ⇐ ∏_{k=1}^{n} hash(k||vPCR_i^k) mod m
Integrity Measurement. For continuous integrity measurement, the update of a PCR value is performed according to Algorithm 3. In addition, PCR_i is included in the updated value PCR′_i. This is very important in order to avoid resetting a PCR value and to keep track of the update history of a PCR.
Remote Attestation. The verification of the remote attestation process has to include the integrity verification of the incremental hash. In addition to the SML provided by the TSS of a vTPM, an SML for the incremental hash updates is provided. As defined by the TCG, a challenger first verifies all signatures and the SML of the vTPM. In addition, the challenger uses the SML of the hardware TPM, which contains all incremental hash updates, to verify the integrity of the vTPM itself.
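As an added example (not the paper's code), this Python model implements the setup equation, Algorithm 3 and the challenger's replay of the hardware TPM's SML over a constructed set of vTPMs. Assumptions beyond the paper: SHA-512 outputs are reduced modulo the Mersenne prime 2^521 − 1 as m, each factor is keyed by the vTPM number k as in the setup equation, and the factor divided out on an update is the one the TPM actually recorded for that vTPM (which, after the first update, includes the PCR history), so that repeated updates of the same vTPM stay consistent.

```python
import hashlib

# Added example, not the paper's code: incremental-hash binding of vPCRs.
# Constructed parameters: SHA-512 digests reduced modulo the Mersenne prime 2^521 - 1.
M = (1 << 521) - 1
PCR_BYTES = 66                     # any value below M fits in 66 bytes

def factor(k: int, vpcr: bytes, history: bytes = b"") -> int:
    """hash(k || vPCR [|| PCR_i]) as an integer below m; k is the vTPM number."""
    digest = hashlib.sha512(k.to_bytes(2, "big") + vpcr + history).digest()
    return int.from_bytes(digest, "big") % M

def mod_mult(a: int, b: int) -> int:
    return a * b % M

def mod_div(a: int, b: int) -> int:
    return a * pow(b, -1, M) % M   # m is prime, so every non-zero b is invertible

class IncrementalTPM:
    """Hardware TPM side: aggregated PCRs, the factor currently folded in for each
    vTPM, and the SML of incremental hash updates handed to the challenger."""
    def __init__(self):
        self.pcr = {}       # hardware PCR index i -> aggregated value
        self.current = {}   # (i, k) -> factor of vTPM k currently in PCR_i
        self.log = {}       # i -> list of ("setup" | "update", k, vPCR value)

    def setup(self, i, vpcrs):
        """PCR_i <= prod_{k=1..n} hash(k || vPCR_i^k) mod m."""
        acc, self.log[i] = 1, []
        for k, v in enumerate(vpcrs, start=1):
            self.current[(i, k)] = factor(k, v)
            acc = mod_mult(acc, self.current[(i, k)])
            self.log[i].append(("setup", k, v))
        self.pcr[i] = acc

    def increment_hash(self, i, k, vpcr_new):
        """Algorithm 3: divide out vTPM k's old factor, multiply in the new one,
        which binds the previous PCR_i as history so the value cannot be reset."""
        prev = self.pcr[i]
        h_i = mod_div(prev, self.current[(i, k)])
        self.current[(i, k)] = factor(k, vpcr_new, prev.to_bytes(PCR_BYTES, "big"))
        self.pcr[i] = mod_mult(h_i, self.current[(i, k)])
        self.log[i].append(("update", k, vpcr_new))
        return self.pcr[i]

def verify(log, signed_pcr: int) -> bool:
    """Challenger side: replay the hardware TPM's SML from the setup entries on,
    which is the O(n * u) verification cost of Table 4."""
    acc, current = 1, {}
    for kind, k, v in log:
        if kind == "setup":
            current[k] = factor(k, v)
            acc = mod_mult(acc, current[k])
        else:
            prev = acc
            acc = mod_div(acc, current[k])
            current[k] = factor(k, v, prev.to_bytes(PCR_BYTES, "big"))
            acc = mod_mult(acc, current[k])
    return acc == signed_pcr

def demo(i=10, n=4):
    """Constructed scenario: n vTPMs, three extends (two on the same vTPM), then a
    log with one update dropped, as an attempted rollback would leave it."""
    tpm = IncrementalTPM()
    tpm.setup(i, [hashlib.sha1(b"vTPM%d initial" % k).digest() for k in range(1, n + 1)])
    after_setup = verify(tpm.log[i], tpm.pcr[i])
    tpm.increment_hash(i, 2, b"\x01" * 20)
    tpm.increment_hash(i, 2, b"\x02" * 20)
    tpm.increment_hash(i, 4, b"\x03" * 20)
    honest = verify(tpm.log[i], tpm.pcr[i])
    dropped = [e for e in tpm.log[i] if e != ("update", 2, b"\x02" * 20)]
    return {"after_setup": after_setup, "honest": honest,
            "dropped_detected": not verify(dropped, tpm.pcr[i])}
```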
4 Implementation
4.1 Hash Tree Based Binding
To evaluate the feasibility of our approach we first implemented the hash-tree based measurement scheme in hardware. For a fair comparison we throttled our design to comply with the TPM specifications, although our FPGA-based implementation is able to operate at a higher frequency. An off-the-shelf TPM runs at 33MHz, whereas our SHA-1 implementation operates at a maximum frequency of 128.7MHz on a Xilinx Virtex5 FPGA. We assume that the implementation of the SHA-1 algorithm present in the TPM features a performance similar to our straightforward implementation.
Another important factor limiting the performance is that currently TPMs are connected to the system via the LPC-Bus (Low Pin Count) [8]. Therefore, we calculated the ideal rates for LPC-Bus transfers of the hash values from the software stack to a TPM. The width of the LPC-Bus is 4 bit, so the transfer of a 20 byte hash value takes 40 clock cycles without overhead. The overhead and total number of clock cycles for each transfer mode are given in Table 1. Although DMA transfer is often not implemented for current TPMs, we included the slower I/O write for completeness. Note that the number of clock cycles stated in Table 1 denotes only the time required for the transmission of one hash value.
An overview of the TPM Update Leaf Init command structure is depicted in Figure 2. Each command is sent in 4 byte blocks with an overhead of 24 clock cycles. The TPM Update Leaf Init message block size is 56 bytes, which results in a total transfer time of 112 + 14 * 24 = 448 clock cycles or 13.58µs. A TPM Update Leaf message block consists of 34 bytes of data, which results in 8.61µs (68 + 9 * 24 = 284 clock cycles) transmission time.
Fig. 2. TPM Update Leaf input message block
We propose in this paper a specialized hardware architecture to speed up the execution time of hash-tree computation by utilizing two parallel SHA-1 modules. Although it is possible to execute the hash function in a serial manner, the actual speed of the computation is of major importance in performance-critical environments.
In Figure 3 the parallel datapath of our hash tree implementation is depicted. As soon as the next sibling is written to the sibling_i register and the PCR registers contain the most recent values, the hash generation of the supplied values begins. In Algorithm 2 the sibling is always appended to the temporary PCR contents and then provided as an input to the hash function.
Table 1. Clock Cycles for Hash Value Transmission
Mode        Hash   Overhead (cf. [8])   Total   Time @33MHz
I/O Write   40     20*11=220            260     7.88µs
DMA Write   40     5*24=120             160     4.84µs
4.2 Incremental Hash Based Binding
For the incremental hashing approach the output of SHA-1 is too short. Therefore, we utilize the SHA-2 512 bit variant to realize the incremental hashing function. The modular multiplication is performed using an interleaving multiplication algorithm as presented in [10]. We chose not to use the faster Montgomery multiplication algorithm, as the overhead for encoding/decoding the operands/results is only bearable if a limited set of operands is used, such as in exponentiation. Therefore, the implementation of the shift and add multiplication from [2] is used.
The computation of the hash value utilizes the multiplication algorithm, whereas the slower division algorithm is used only for updating. The computational complexity of updating hash values is constant for the incremental hashing scheme, which counterbalances the operational deficit of binary division. However, the implementation of the algorithms presented in this paper can still be optimized for better performance.
The implementation of the incremental hashing approach cannot be transferred directly to an off-the-shelf TPM as done with the hash tree based approach (cf. Sec. 4.1), because hardware-based SHA-2, modular multiplication, and modular division implementations are missing there. Therefore, a comparison between an off-the-shelf TPM supporting the incremental hashing approach and the hardware-based implementation presented in this paper is not possible.
5 Evaluation
Binding using hash trees. The SHA-1 algorithm presented in this paper is a rather straightforward design which was not optimized for performance, as there are various SHA-1 FPGA implementations available in the literature (cf. [10]). The overall computational time of a hash-tree update is depicted in Table 2. To compare our implementation with the modification of a standard TPM, which executes the SHA-1 computations in serial mode, we also listed the expected results in Table 2.
[Figure: parallel datapath; PCR_old || sibling_i and PCR_new || sibling_i are fed to two SHA-1 modules in parallel, producing PCR′_old and PCR′_new]
Fig. 3. Datapath for Hash-Tree
Table 2. Computational time for Hash Tree updates
                   Clock Cycles                                  Time
Design    h    SHA-1     Command Transmission   Total    @33MHz     @128.7MHz
parallel  2    2*175     448+2*284              1366     41.4µs     10.6µs
parallel  10   10*175    448+10*284             5038     152.7µs    39.2µs
parallel  20   20*175    448+20*284             9628     291.8µs    75.8µs
serial    2    4*175     448+2*284              1716     52µs       13.3µs
serial    10   20*175    448+10*284             6788     205.7µs    52.7µs
serial    20   40*175    448+20*284             13128    397.8µs    102.0µs
The parallel execution of the hash functions reduces the computational overhead to the minimum. The table clearly shows that the bottleneck is the communication over the LPC-Bus, which takes the most significant amount of time. Choosing a faster SHA-1 implementation can only reduce the number of clock cycles by approximately 20%, as the communication over the LPC-bus uses about 80% of the clock cycles. Therefore, in addition to the parallel implementation of the hash tree scheme, the communication interface has to be improved.
Binding using incremental hashing. In the following we give an estimate for the implementation of an incremental hash based binding scheme. Table 3 summarizes the resource consumption of the utilized algorithms.
Table 3. Resource consumption of Incremental Hashing
Scheme                   LUTs    Registers   Frequency     Cycles
Shift and Add Mult.      14371   6175        323.415MHz    2053
Binary Div. Algorithm    4128    8430        32.275MHz     1563
SHA-512                  1423    2744        128.617MHz    81
Comparison of both variants. A comparison of the overhead for the proposed schemes is given in Table 4, where n represents the number of vTPMs and u represents the average number of extend operations for each vTPM. The table includes the order of complexity and the time consumed per operation. Although the update operation of the incremental hash-based binding takes less time if there are more than 16 vTPMs in use (i.e., the hash tree height equals 4), the time consumed by the verify operation is at least an order of magnitude slower than the hash tree-based approach.
The main issue of the incremental hashing approach is keeping track of the values stored in the hash. The ability to delete values from the hash by division is contrary to the trusted computing requirements, as one could easily reset the stored hash. To mitigate this property of incremental hashing, we included the history of the content, as is done in current TPMs. As a consequence, the incremental hashing approach still features constant complexity for the most frequently used update function, but the verification complexity becomes dependent on the number of updates.
Table 4. Overhead of different Schemes
                           Hash-Tree    Incremental Hashing
read/verify complexity     O(log(n))    O(n * u)
write/update complexity    O(log(n))    O(1)
read/verify time           1.4µs        55.4µs
write/update time          1.4µs        6.9µs
6 Conclusion
The major contribution of this paper was to provide hardware-based security to virtual TPMs by binding them to a single hardware TPM. For this, two novel approaches, hash tree based binding and incremental hash based binding, have been proposed. Both variants have been implemented and evaluated on a state-of-the-art Virtex5 FPGA platform. Our evaluation shows that the update process of the hash tree based binding is done with a complexity of O(log(n)). The same process for the incremental hashing based binding has complexity O(1). However, the verification process of the incremental hashing based binding is much more expensive than the hash tree based one. In general, our evaluation shows that the approach is applicable with reasonable overhead.
References
1. M. Bellare and D. Micciancio. A new paradigm for collision-free hashing: incrementality at reduced cost. In Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques, EUROCRYPT'97, pages 163–192, Berlin, Heidelberg, 1997. Springer-Verlag.
2. J.-P. Deschamps, J. L. Imana, and G. D. Sutter. Hardware Implementation of Finite-Field Arithmetic. McGraw-Hill, Inc., New York, NY, USA, 2009.
3. T. Eisenbarth, T. Güneysu, C. Paar, A.-R. Sadeghi, D. Schellekens, and M. Wolf. Reconfigurable trusted computing in hardware. In Proceedings of the 2007 ACM workshop on Scalable trusted computing, STC '07, pages 15–20, New York, NY, USA, 2007. ACM.
4. T. Feller, S. Malipatlolla, D. Meister, and S. A. Huss. TinyTPM: A Lightweight Module aimed to IP Protection and Trusted Embedded Platforms. In IEEE International Symposium on Hardware Oriented Security and Trust (HOST 2011), June 2011.
5. B. Glas, A. Klimm, O. Sander, K. Müller-Glaser, and J. Becker. A system architecture for reconfigurable trusted platforms. In Proceedings of the conference on Design, automation and test in Europe, DATE '08, pages 541–544, New York, NY, USA, 2008. ACM.
6. B.-M. Goi, M. U. Siddiqi, and H.-T. Chuah. Incremental hash function based on pair chaining & modular arithmetic combining. In Proceedings of the Second International Conference on Cryptology in India: Progress in Cryptology, INDOCRYPT '01, pages 50–61. Springer-Verlag, 2001.
7. IBM Research, Inc. Virtual Trusted Platform Module. http://domino.research.ibm.com/comm/research_projects.nsf/pages/ssd_vtpm.index.html, 2008.
8. Intel Corporation. Intel Low Pin Count (LPC) Interface Specification. www.intel.com/design/chipsets/industry/lpc.htm, 2002.
9. R. C. Merkle. Secrecy, authentication, and public key systems. PhD thesis, Stanford, CA, USA, 1979. AAI8001972.
10. F. Rodríguez-Henríquez, N. A. Saqib, A. Díaz-Pérez, and C. K. Koc. Cryptographic Algorithms on Reconfigurable Hardware (Signals and Communication Technology). Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2006.
11. A.-R. Sadeghi, C. Stüble, and M. Winandy. Property-based TPM virtualization. In Proceedings of the 11th international conference on Information Security, ISC '08, pages 1–16, Berlin, Heidelberg, 2008. Springer-Verlag.
12. L. F. G. Sarmenta, M. van Dijk, C. W. O'Donnell, J. Rhodes, and S. Devadas. Virtual monotonic counters and count-limited objects using a TPM without a trusted OS. In Proceedings of the first ACM workshop on Scalable trusted computing, STC '06, pages 27–42. ACM, 2006.
13. V. Scarlata, C. Rozas, M. Wiseman, D. Grawrock, and C. Vishik. TPM Virtualization: Building a General Framework. In N. Pohlmann and H. Reimer, editors, Trusted Computing, pages 43–56. Vieweg, 2007.
14. A. U. Schmidt, A. Leicher, Y. Shah, and I. Cha. Tree-formed verification data for trusted platforms. CoRR, abs/1007.0642, 2010.
15. M. Sunil, F. Thomas, S. Abdulhadi, A. Tolga, and S. A. Huss. A novel architecture for a secure update of cryptographic engines on trusted platform module. In IEEE International Conference on Field Programmable Technology (FPT), Dec. 2011.
16. Trusted Computing Group, Inc. Summary Of Features Under Consideration For The Next Generation Of TPM, 2009.
17. Trusted Computing Group, Inc. TPM Main Specification Level 2 Version 1.2, March 2011. Revision 116.
18. M. van Dijk, J. Rhodes, L. F. G. Sarmenta, and S. Devadas. Offline untrusted storage with immediate detection of forking and replay attacks. In Proceedings of the 2007 ACM workshop on Scalable trusted computing, STC '07, pages 41–48. ACM, 2007.
19. D. Williams and E. G. Sirer. Optimal parameter selection for efficient memory integrity verification using Merkle hash trees. In Network Computing and Applications, 2004 (NCA 2004). Proceedings. Third IEEE International Symposium on, pages 383–388, Aug. - 1 Sept. 2004.
