3.1.5.1.1.3 Processing Details

If the AttestationOperatingMode on the server is TPM and the received URI terminates with "/domainattest" or "/hostkeyattest", the server MUST return OperationModeErrorReply to the client.

If the AttestationOperatingMode on the server is TPM, the received URI terminates with "/attest", but the request received is not valid for TPM mode, the server MUST return PayloadErrorReply to the client.

If the request received is TpmRequestInitial, the server MUST perform the following:

§ Check if a matching entry is found between registered EKPub modules and the EKPub of the client that initiated the request.

§ If a matching entry is not found, set isauthorized to FALSE and return an UnauthorizedErrorReply message to the client.

§ If a matching entry is found, set isauthorized to TRUE and construct a TpmReplyContinue message, in an implementation-specific manner, for the client's RtpmPublicEndorsementKey.

If the request received is TpmRequestContinue or AttestationRequest from the client, the server MUST process the following:

§ Check if a matching entry is found between registered EKPub modules and the EKPub of the client. Update isauthorized to TRUE if a matching entry is found.

§ If isauthorized is FALSE for the RtpmPublicEndorsementKey received from the client, return UnauthorizedErrorReply to the client.

§ If isauthorized is TRUE and the RtpmNewContext received from the client is empty, return a TpmReplyContinue message to the client with the empty context.

Otherwise,

§ Perform the policy evaluation, in an implementation-specific manner, against the list of policies the server is configured with, using the WBCL retrieved from the underlying RTPM protocol and the RtpmPublicEndorsementKey.

§ If the policy evaluation is successful, the server MUST do the following:

§ If AttestationResultType in AttestationRequest or TpmRequest is VSMIdentityEncryptionKeyCertificate (as specified in section 2.2.1.3), return HealthCertificateReply in the form of a certified Virtual Secure Mode Identity Key for Encryption with AttestationHealthCertificate to the client.

§ If AttestationResultType in AttestationRequest or TpmRequest is VSMIdentitySigningKeyCertificate (as specified in section 2.2.1.3), return HealthCertificateReply in the form of a certified Virtual Secure Mode Identity Key for Signing with AttestationHealthCertificate to the client.

§ If AttestationResultType in AttestationRequest or TpmRequest is VSMCAIntermediateCertificate (as specified in section 2.2.1.3), return a HealthCertificateReply in the form of an intermediate certificate authority with AttestationHealthCertificate to the client.

Otherwise,

return PolicyEvaluationErrorReply with EvaluationLog to the client.
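The TPM-mode decision sequence above, as an added worked example that is not part of the specification or of any product implementation: a small dispatcher that takes the request attributes the section names and returns the reply type the server is required to send. The EKPub registry, the WBCL measurement checked by the policy, and the handling of AttestationResultType values outside the three listed are all assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed registry of trusted EKPub values (hypothetical identifiers, not real keys).
REGISTERED_EKPUBS = {"ekpub-host-A", "ekpub-host-B"}

# Certificate form returned in HealthCertificateReply, keyed by AttestationResultType.
RESULT_TYPES = {
    "VSMIdentityEncryptionKeyCertificate": "VSM identity key for encryption",
    "VSMIdentitySigningKeyCertificate": "VSM identity key for signing",
    "VSMCAIntermediateCertificate": "intermediate certificate authority",
}

@dataclass
class Request:
    uri: str                            # request URI, e.g. "/attest" or "/domainattest"
    kind: str                           # TpmRequestInitial | TpmRequestContinue | AttestationRequest
    ekpub: str                          # client's RtpmPublicEndorsementKey
    new_context: bytes = b""            # RtpmNewContext; empty on the first round trip
    result_type: Optional[str] = None   # AttestationResultType
    valid_for_tpm: bool = True          # whether the payload parses as a TPM-mode request

def evaluate_policy(wbcl: dict) -> Tuple[bool, List[str]]:
    """Assumed implementation-specific policy: require a constructed 'secure_boot'
    measurement in the WBCL to be True. The returned log plays the role of EvaluationLog."""
    log = [f"secure_boot={wbcl.get('secure_boot')}"]
    return wbcl.get("secure_boot") is True, log

def handle_tpm_mode(req: Request, wbcl: dict) -> Tuple[str, str]:
    """Return (reply type, detail) for a request received while the server is in TPM mode."""
    if req.uri.endswith(("/domainattest", "/hostkeyattest")):
        return "OperationModeErrorReply", "endpoint not valid in TPM mode"
    if req.uri.endswith("/attest") and not req.valid_for_tpm:
        return "PayloadErrorReply", "request not valid for TPM mode"
    # isauthorized is set on the initial request and refreshed on every continue/attest request.
    is_authorized = req.ekpub in REGISTERED_EKPUBS
    if not is_authorized:
        return "UnauthorizedErrorReply", "EKPub not registered"
    if req.kind == "TpmRequestInitial" or not req.new_context:
        # Initial request, or a continue/attest request carrying an empty RtpmNewContext:
        # the RTPM exchange is not finished, so answer with TpmReplyContinue.
        return "TpmReplyContinue", "continue RTPM exchange"
    ok, log = evaluate_policy(wbcl)
    if not ok:
        return "PolicyEvaluationErrorReply", "; ".join(log)
    if req.result_type not in RESULT_TYPES:
        # Not covered by this section; rejecting is an assumption of this example.
        raise ValueError(f"unsupported AttestationResultType: {req.result_type}")
    return "HealthCertificateReply", RESULT_TYPES[req.result_type]
```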