
A Practical Guide to TPM 2.0

Other Privacy Considerations

The TPM owner can clear the storage hierarchy, changing the storage primary seed and effectively erasing all storage hierarchy keys.

The platform owner controls the endorsement hierarchy. Changing the endorsement primary seed requires platform authorization, and the platform owner typically doesn't permit it, because doing so would invalidate the existing TPM (endorsement key) certificates, with no way to recover them.

The user can create other primary keys in the endorsement hierarchy by including a random number in the key template. Such a key can be erased by flushing it from the TPM, deleting any external copies, and forgetting the random number, because the same primary key can only be regenerated from the same template. However, these keys have no manufacturer certificate.

When keys are used to sign (attest to) certain data, the attestation structure (TPMS_ATTEST) contains fields that are potentially privacy sensitive: resetCount (the number of times the TPM has been reset), restartCount (the number of times the TPM has been restarted or resumed), and the firmware version. Although these values don't uniquely identify a TPM, they can aid in correlating attestations from the same TPM.

To avoid this, the TPM obfuscates these values when the signing key isn't in the endorsement or platform hierarchy. The obfuscation is consistent for a given key, so the receiver can detect that a value changed without learning the actual value.

An attestation server polls a platform at set intervals, verifying either that the PCRs haven't changed or that the new PCR values are trusted. In TPM 1.2, the platform may have transitioned to an untrusted state and then rebooted back to a trusted state. The server can't detect the reboot.

In TPM 2.0, the attestation data includes boot-count information. Although attestations signed by keys in the storage hierarchy have this information obfuscated, the server can still tell that a value changed and thus that a reboot occurred.

Here are the steps:

1. Execute the TPM2_Quote command periodically.

2. Each quote returns a TPM2B_ATTEST structure.

3. The quote's attested data includes the resetCount value (TPM2B_ATTEST -> TPMS_ATTEST -> clockInfo (TPMS_CLOCK_INFO) -> resetCount).

4. resetCount is obfuscated with a symmetric key derived from the quote key's Name.

5. For the same key, the obfuscated resetCount has the same value as long as resetCount doesn't change.

6. For a different key, the obfuscated resetCount has a different value, preventing correlation across keys.
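The following is an added example, not code from the book: a toy model of the resetCount obfuscation described above and of the polling server in the use case. The TPM's real derivation (which internal secret, which KDF, and how the obfuscation value is combined with the counter) is not reproduced; the toy assumes HMAC-SHA256 over a hypothetical hierarchy proof and the key Name, combined with the counter by addition mod 2^32. The key Names are constructed byte strings, not real TPM Names.

```python
"""Added example, not from the book: a toy model of resetCount obfuscation.

A TPM hides the real resetCount from keys outside the endorsement and
platform hierarchies by combining it with an obfuscation value derived from
a TPM-internal secret and the signing key's Name. A verifier polling quotes
under the same key can therefore tell THAT resetCount changed (a reboot
happened) without learning the real count, and quotes under two different
keys cannot be correlated through this field.

Assumptions in this toy (not the TPM specification's exact construction):
  * obfuscation = HMAC-SHA256(hierarchy_proof, b"OBFUSCATE" + key_name)[:4]
  * obfuscated resetCount = (resetCount + obfuscation) mod 2**32
  * key Names are constructed byte strings, not real TPM Names
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

MOD32 = 1 << 32


class ToyTPM:
    """Minimal stand-in for the TPM's reset counter and quote output."""

    def __init__(self, hierarchy_proof: Optional[bytes] = None) -> None:
        # Secret known only to the TPM (assumed per-TPM random value).
        self._proof = hierarchy_proof if hierarchy_proof is not None else os.urandom(32)
        self.reset_count = 0

    def reboot(self) -> None:
        """Model a TPM Reset: resetCount increments."""
        self.reset_count = (self.reset_count + 1) % MOD32

    def _obfuscation(self, key_name: bytes) -> int:
        # Assumed derivation: per-key value from a TPM-internal secret and the Name.
        mac = hmac.new(self._proof, b"OBFUSCATE" + key_name, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def quote_reset_count(self, key_name: bytes, privileged: bool) -> int:
        """Return clockInfo.resetCount as a quote signed with key_name would carry it.

        privileged=True models a key in the endorsement or platform hierarchy
        (real value exposed); False models a storage-hierarchy key (value
        obfuscated, consistently for the same Name).
        """
        if privileged:
            return self.reset_count
        return (self.reset_count + self._obfuscation(key_name)) % MOD32


class AttestationServer:
    """Polls quotes and flags reboots from changes in the (obfuscated) resetCount."""

    def __init__(self) -> None:
        self._last: Dict[bytes, int] = {}  # key Name -> last resetCount field seen

    def observe(self, key_name: bytes, reset_count_field: int) -> bool:
        """Return True if the field differs from the previous quote under this key."""
        prev = self._last.get(key_name)
        self._last[key_name] = reset_count_field
        return prev is not None and prev != reset_count_field


# Constructed key Names for the demo (real Names are nameAlg || H(public area)).
STORAGE_KEY_A = b"storage-key-A"
STORAGE_KEY_B = b"storage-key-B"
ENDORSEMENT_KEY = b"endorsement-key"


def run_scenario(proof: bytes = b"\x01" * 32) -> dict:
    """Poll a ToyTPM across a reboot and report what the server could learn."""
    tpm = ToyTPM(proof)  # fixed proof so the run is deterministic
    server = AttestationServer()

    q1 = tpm.quote_reset_count(STORAGE_KEY_A, privileged=False)
    first = server.observe(STORAGE_KEY_A, q1)          # nothing to compare against yet
    q2 = tpm.quote_reset_count(STORAGE_KEY_A, privileged=False)
    no_reboot = server.observe(STORAGE_KEY_A, q2)      # same key, same count: no change
    tpm.reboot()
    q3 = tpm.quote_reset_count(STORAGE_KEY_A, privileged=False)
    after_reboot = server.observe(STORAGE_KEY_A, q3)   # same key, count changed: reboot

    return {
        "first_poll_flagged": first,
        "no_reboot_flagged": no_reboot,
        "reboot_flagged": after_reboot,
        # The storage-hierarchy quote does not carry the real counter.
        "hides_real_value": q3 != tpm.reset_count,
        # Same real count, different keys: the obfuscated fields differ.
        "keys_uncorrelated": tpm.quote_reset_count(STORAGE_KEY_A, False)
        != tpm.quote_reset_count(STORAGE_KEY_B, False),
        # An endorsement/platform-hierarchy key exposes the real counter.
        "privileged_sees_real": tpm.quote_reset_count(ENDORSEMENT_KEY, True) == tpm.reset_count,
        "real_reset_count": tpm.reset_count,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Because this toy combines the counter with the obfuscation value by addition, two quotes under the same key still reveal how many reboots occurred between them even though the absolute count stays hidden; that is sufficient for the polling server's purpose, which only needs to know that a reboot happened. Whether the real TPM derivation has the same property is not something this example establishes.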

Separate from the three persistent hierarchies is the one volatile hierarchy, called the NULL hierarchy.
