TCG Platform Certificate Profile

Specification

A Platform Certificate asserts that a specific platform contains one or more unique Roots of Trust (TPM, DICE, etc.), Trusted Building Block(s), and a specific set of components. Platform Configuration attributes within the Platform Certificate can contain a list of individual components that constitute the platform. The component list attribute supports recent calls for a Hardware Bill of Material (HBOM) artifact. Each component has an extendable set of information that can include currently defined attributes such as manufacturer, model, serial number, and network adapter MAC addresses.

Delta Platform Certificates are used to reflect platform changes made by system integrators, resellers, and other entities after the platform has left the manufacturer’s facility. Any entity can issue a Platform Certificate: the initial Platform Certificate is typically issued by the platform manufacturer (for example, an OEM).

Platform Certificates may be in the form of a Key Certificate compliant with RFC 5280 or may be in the form of an Attribute Certificate compliant with RFC 5755. An Attribute Certificate is warranted when the attributes listed in the certificate have a different lifecycle than the key they would be bound to in a Key Certificate.

Platform Certificates, including Delta Platform Certificates, are Endorsements that a Verifier uses when evaluating the Evidence provided by an Attester. A Verifier determines whether the issuer of a Platform Certificate or Delta Platform Certificate is trusted, and by extension whether the assertions contained therein can be trusted, based on the Appraisal Policy it uses that can be provided by the Relying Party.

Component Class Registries allow the issuer to convey how device information was collected. This helps verifiers match detailed component information independent of the Operation system and hardware related libraries.  Currently defined Component Class Registries include:
1.    TCG Component Class Registry
2.    SMBIOS-based Component Class Registry
3.    Storage Component Class Registry
4.    PCIe-based Component Class Registry

Requirements for Platform Certificates have been documented in the  TCG Platform Requirements for Certificates and RIMs specification.