
Base and Delta Platform Certificates

iadgovuser26 edited this page Jan 9, 2023 · 5 revisions

The Platform Certificate provides the foundation for binding the identity of the platform to the TPM and the Trusted Building Block of the platform. The TCG Platform Certificate Profile introduced the concept of the Base and Delta Certificates:

  • A Base Platform Certificate is the original Platform Certificate issued by the Platform Manufacturer.
  • A Delta Platform Certificate attests to specific changes made to the platform that are not reflected in the original Platform Certificate. A system integrator or value added reseller (VAR) that modifies a platform records those modifications by issuing a Delta Platform Certificate.

A Delta Platform Certificate references the Base Platform Certificate it modifies. The collection of Base and Delta Platform Certificates associated with a given device is referred to as a "chain" of Platform and Delta Platform Certificates (aka the "Platform cert chain").
ACA Rules for processing Platform Certificate Chains:

  1. The trust chains (Root and intermediate CA certificates) for all Base and Delta Platform Certificates must be uploaded to the ACA trust stores before tpm_aca_provision is run on the client device.
  2. The HIRS provisioner will attempt to load a single Platform Certificate from the TPM's NVRAM. All other Platform Certificates must be uploaded into the ACA via the Platform Certificate page.
  3. There must be exactly one Base Platform Certificate per device. A device with no Base Platform Certificate will fail validation. The Platform Certificate Upload function will reject a second Base Platform Certificate that has the same holder field (the TPM EK Certificate serial number) as one already loaded.
  4. A Base Certificate must be loaded before its corresponding Delta Certificates. The Platform Certificate Upload function will reject a Delta Platform Certificate if there is no corresponding Base Certificate in its database.
  5. A Delta Platform Certificate that removes a component will fail validation unless that component exists in the Base Platform Certificate or was added in another Delta Platform Certificate.
  6. A Delta Platform Certificate that adds a component will fail validation if a component with the same manufacturer, make, model, and serial number already exists in the Base Platform Certificate or was added in another Delta Platform Certificate.
  7. The ACA will process the full list of components from the Platform Certificate Chain (excluding any component removed by a Delta Platform Certificate) and attempt to match each one against the information collected from the device. Any component in that list that cannot be verified against the device will result in a failure.
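The following is an added worked model of rules 3 through 7 above; it is not HIRS code and does not reflect how the ACA is implemented. Certificates are represented as plain dicts, component identity is the (manufacturer, model, serial) tuple from rule 6, the sample base, delta and device inventory are constructed for the example, and the "modified" status the TCG profile also defines is simply rejected because this page does not discuss it.

```python
"""Worked model of the ACA rules for reconciling a Platform Certificate chain.

Added illustration only, not HIRS code. Certificates are plain dicts here;
the real ACA parses ASN.1 Platform Certificates from the TPM NVRAM and the
Platform Certificate upload page. Component identity follows rule 6:
(manufacturer, model, serial number).
"""


class ChainError(Exception):
    """Raised when the chain violates one of the ACA processing rules."""


def component_key(c):
    # Rule 6 identity: same manufacturer, make/model and serial == same component.
    return (c["manufacturer"], c["model"], c["serial"])


def apply_chain(base, deltas):
    """Return the effective component list after applying deltas in order.

    Enforces rule 3 (a base must exist), rule 4 (deltas must reference the
    base), rule 5 (remove only what exists) and rule 6 (add only what is new).
    """
    if base is None:
        raise ChainError("no Base Platform Certificate for this device (rule 3)")

    effective = {}
    for c in base["components"]:
        k = component_key(c)
        if k in effective:
            raise ChainError(f"duplicate component in base certificate: {k}")
        effective[k] = dict(c)

    for d in deltas:
        if d["base_holder"] != base["holder"]:
            raise ChainError("delta does not reference this base certificate (rule 4)")
        for c in d["components"]:
            k, status = component_key(c), c["status"]
            if status == "ADDED":
                if k in effective:
                    raise ChainError(f"ADDED component already in chain: {k} (rule 6)")
                effective[k] = {x: c[x] for x in ("manufacturer", "model", "serial")}
            elif status == "REMOVED":
                if k not in effective:
                    raise ChainError(f"REMOVED component not in chain: {k} (rule 5)")
                del effective[k]
            else:
                # Assumption: the profile's 'modified' status and anything else
                # is rejected here; this page only discusses add and remove.
                raise ChainError(f"unsupported component status {status!r}")
    return list(effective.values())


def unverified_components(effective, device_inventory):
    """Rule 7: every component left in the chain must match the device.

    Returns the keys that could not be matched; an empty list is a pass.
    """
    present = {component_key(c) for c in device_inventory}
    return [component_key(c) for c in effective if component_key(c) not in present]


# Constructed sample data: an OEM base and one VAR delta that swaps a DIMM for a NIC.
BASE = {
    "holder": "EK-CERT-SERIAL-0001",  # holder field: TPM EK certificate serial
    "components": [
        {"manufacturer": "ExampleCPU", "model": "E-1000", "serial": "CPU-111"},
        {"manufacturer": "ExampleMem", "model": "DDR4-16G", "serial": "DIMM-222"},
    ],
}
DELTA_VAR = {
    "base_holder": "EK-CERT-SERIAL-0001",
    "components": [
        {"manufacturer": "ExampleMem", "model": "DDR4-16G", "serial": "DIMM-222", "status": "REMOVED"},
        {"manufacturer": "ExampleNet", "model": "NIC-10G", "serial": "NIC-333", "status": "ADDED"},
    ],
}
# What the provisioner reported from the device (constructed).
DEVICE_INVENTORY = [
    {"manufacturer": "ExampleCPU", "model": "E-1000", "serial": "CPU-111"},
    {"manufacturer": "ExampleNet", "model": "NIC-10G", "serial": "NIC-333"},
]


def validate_chain(base, deltas, device_inventory):
    """Full ACA-style check: reconcile the chain, then match it against the device."""
    return unverified_components(apply_chain(base, deltas), device_inventory)


if __name__ == "__main__":
    print("unmatched:", validate_chain(BASE, [DELTA_VAR], DEVICE_INVENTORY))  # []
    # Applying the same delta twice fails under rule 5 (the DIMM is already gone).
    try:
        apply_chain(BASE, [DELTA_VAR, DELTA_VAR])
    except ChainError as e:
        print("rejected:", e)
```

Note that the order of deltas matters: a delta that removes the NIC would pass only after the delta that added it has been applied, which is why rule 4 requires the base, and by extension the earlier deltas, to be loaded first.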

ACA Portal changes made to accommodate Base and Delta Certificates:

  1. The Platform Attribute column has been removed from the Validation Report page to accommodate multiple Platform Certificates in the Platform Certificate Chain. One icon is shown for each Platform Certificate processed.

     [Image: Validation Report with Delta Certs]

  2. When Platform Certificate validation occurs, each Platform Certificate that had a verification failure shows a failure icon. The tooltip shown when the icon is highlighted gives the specific error for that certificate.

     [Image: Validation Report with Delta Certificates that fail validation]

  3. Selecting the icon brings up the Platform Certificate page for that specific Base or Delta Platform Certificate. There are several changes to the Platform Certificate page:

     a. A new column has been added to show the Base/Delta Platform Certificate designation.

     [Image: New Delta Column]

     b. A new row has been added to show the number of Platform Certificates in the Platform Certificate Chain. Each certificate number is a hyperlink to the corresponding Platform Certificate.

     [Image: Platform Chain]

     c. The information displayed for each component reflects changes to the componentIdentifier field in the specification. Specifically, the top border now holds the Component Class information (CPU in this example).

     [Image: ComponentIdentifier - CPU]

     For Delta Platform Certificates the Status field is also displayed:

     [Image: Component Identifier Status]