2.2.2.5 KeyAttestationStatement

The KeyAttestationStatement structure is defined as follows:<7>

 typedef struct  {
   UINT32 Magic;
   UINT32 Version;
   UINT32 Platform;
   UINT32 HeaderSize;
   UINT32 cbIdBinding;
   UINT32 cbKeyAttestation;
   UINT32 cbAIKOpaque;
   BYTE idBinding[cbIdBinding];
   BYTE keyAttestation[cbKeyAttestation];
   BYTE aikOpaque[cbAIKOpaque];
 } KeyAttestationStatement;

Magic: The value MUST be 0x5453414B.

Version: The value MUST be 1.

Platform: The value MUST be either 1 or 2, indicating the TPM platform.

HeaderSize: An integer value denoting the size of the header.

cbIdBinding: An integer value denoting the size of the idBinding field.

cbKeyAttestation: An integer value denoting the size of the keyAttestation field.

cbAIKOpaque: An integer value denoting the size of the aikOpaque field.

idBinding: When the Platform member equals 1, a byte array containing the signature of a TPM_IDENTITY_CONTENTS structure, as defined in [TCG-Struct] section 12.5. When Platform equals 2, a byte array containing a concatenation of the following structures:<8>

  • A TPM2B_PUBLIC structure defined in [TCG-Struct-V2] section 12.2.5.

  • A TPM2B_CREATION_DATA structure defined in [TCG-Struct-V2] section 15.2.

  • A TPM2B_ATTEST structure defined in [TCG-Struct-V2] section 10.12.9.

  • A TPMT_SIGNATURE structure defined in [TCG-Struct-V2] section 11.3.4.

For information on how this signature is constructed, see the following references:

keyAttestation: A structure that is defined as follows:

 typedef struct {
   UINT32 Magic;
   UINT32 Platform;
   UINT32 HeaderSize;
   UINT32 cbKeyAttest;
   UINT32 cbSignature;
   UINT32 cbKeyBlob;
   BYTE keyAttest[cbKeyAttest];
   BYTE signature[cbSignature];
   BYTE keyBlob[cbKeyBlob];
 } keyAttestation;

Magic: The value MUST be 0x5344414B.

Platform: The value MUST be either 1 or 2, indicating the TPM platform.

HeaderSize: An integer value denoting the size of the header.

cbKeyAttest: An integer value denoting the size of the keyAttest array.

cbSignature: An integer value denoting the size of the signature array.

cbKeyBlob: An integer value denoting the size of the keyBlob array.

keyAttest: MUST be a TPM_CERTIFY_INFO structure if the Platform field equals 1, or a TPM_CERTIFY_INFO2 structure if Platform equals 2, as defined in [TCG-Struct] sections 11.1 and 11.2.

signature: Contains the signature of the keyAttest array using the AIK private key.

keyBlob: Contains a CSP-specific opaque format of the attested key.

aikOpaque: Contains a CSP-specific opaque format of the AIK private key.
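The following parser for the KeyAttestationStatement and its nested keyAttestation structure is an added example, not Microsoft's or any TPM vendor's code. It assumes little-endian UINT32 header fields and that the variable-length arrays begin at offset HeaderSize (neither is stated in the text above), and it validates the Magic, Version and Platform constraints and bounds-checks every cb* length against the buffer before slicing, so a hostile length field cannot cause an over-read or a Platform mismatch go unnoticed.

```python
"""Parse KeyAttestationStatement / keyAttestation blobs (added example).
Assumptions: little-endian UINT32 fields; byte arrays start at HeaderSize."""
import struct

OUTER_MAGIC = 0x5453414B          # KeyAttestationStatement.Magic
INNER_MAGIC = 0x5344414B          # keyAttestation.Magic
OUTER_HDR = struct.Struct("<7I")  # Magic .. cbAIKOpaque (28 bytes)
INNER_HDR = struct.Struct("<6I")  # Magic .. cbKeyBlob   (24 bytes)


def _split(buf, header_size, lengths, fixed_size):
    """Slice consecutive byte arrays starting at header_size; reject any
    declared length that would read past the end of buf."""
    if header_size < fixed_size or header_size > len(buf):
        raise ValueError("bad HeaderSize")
    off, parts = header_size, []
    for n in lengths:
        if n > len(buf) - off:  # compare remaining bytes, never off + n
            raise ValueError("length field exceeds buffer")
        parts.append(buf[off:off + n])
        off += n
    return parts


def parse_key_attestation(buf):
    if len(buf) < INNER_HDR.size:
        raise ValueError("truncated keyAttestation header")
    magic, platform, hdr, cb_attest, cb_sig, cb_blob = INNER_HDR.unpack_from(buf)
    if magic != INNER_MAGIC or platform not in (1, 2):
        raise ValueError("bad keyAttestation header")
    key_attest, sig, blob = _split(buf, hdr, (cb_attest, cb_sig, cb_blob), INNER_HDR.size)
    return {"platform": platform, "keyAttest": key_attest, "signature": sig, "keyBlob": blob}


def parse_statement(buf):
    if len(buf) < OUTER_HDR.size:
        raise ValueError("truncated KeyAttestationStatement header")
    magic, version, platform, hdr, cb_id, cb_ka, cb_aik = OUTER_HDR.unpack_from(buf)
    if magic != OUTER_MAGIC or version != 1 or platform not in (1, 2):
        raise ValueError("bad KeyAttestationStatement header")
    id_binding, ka, aik = _split(buf, hdr, (cb_id, cb_ka, cb_aik), OUTER_HDR.size)
    inner = parse_key_attestation(ka)
    if inner["platform"] != platform:  # both structures carry Platform; they must agree
        raise ValueError("Platform mismatch between outer and inner structures")
    return {"platform": platform, "idBinding": id_binding, "keyAttestation": inner, "aikOpaque": aik}


def build_sample():
    """Constructed sample blob with placeholder payloads (not real TPM data)."""
    inner = INNER_HDR.pack(INNER_MAGIC, 2, INNER_HDR.size, 4, 3, 2) + b"CERT" + b"SIG" + b"KB"
    return OUTER_HDR.pack(OUTER_MAGIC, 1, 2, OUTER_HDR.size, 5, len(inner), 3) + b"IDBND" + inner + b"AIK"
```

The returned byte arrays are exactly what a verifier would then hand to the TPM-structure parsers and signature checks referenced above; this example stops at the framing layer.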