The session audit digest is read using the TPM2_GetSessionAuditDigest command. In the typical use case, a signing key is supplied and the response is signed.
The digital signature isn't merely over the audit digest. As with other attestation functions, the TPM wraps the digest in a structure that includes other information. The TPM specification Part 2 describes this wrapping: a TPMS_ATTEST wraps a TPMU_ATTEST union, which in this case is a TPMS_SESSION_AUDIT_INFO structure.
The TPMS_ATTEST fields were covered in Chapter 12, including TPM_GENERATED, the qualified name of the signing key, the “extra data,” the clock, and firmware information. Their security properties are the same here.
TPMS_SESSION_AUDIT_INFO includes, as expected, the session audit digest. It also includes a flag indicating the “exclusive” status of the session. See the following section.
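The following Python is an added example, not code from the book or from any TPM stack: it marshals and unmarshals a TPMS_ATTEST whose attested union member is a TPMS_SESSION_AUDIT_INFO, and runs the field checks a verifier performs after validating the signature (magic, structure type, signer name, its own nonce in extraData, the session digest and the exclusive flag). The field layout and the constants TPM_GENERATED_VALUE and TPM_ST_ATTEST_SESSION_AUDIT follow Part 2 of the specification; the sample signer name, nonce and digest are constructed values, and the signature check itself is outside this snippet.

```python
import struct
from dataclasses import dataclass

# Values from TPM 2.0 Library Specification, Part 2 (Structures).
TPM_GENERATED_VALUE = 0xFF544347       # TPM_GENERATED: marks a structure as TPM-produced
TPM_ST_ATTEST_SESSION_AUDIT = 0x8016   # TPMI_ST_ATTEST selector for TPMS_SESSION_AUDIT_INFO

# Constructed sample values (not from a real TPM).
SAMPLE_SIGNER_NAME = bytes.fromhex("000b") + b"\x11" * 32   # TPM2B_NAME body: alg SHA-256 + digest
SAMPLE_NONCE = b"verifier-nonce-01"                          # qualifyingData the verifier supplied
SAMPLE_DIGEST = bytes(range(32))                             # a 32-byte session audit digest


@dataclass
class ClockInfo:                 # TPMS_CLOCK_INFO
    clock: int                   # UINT64
    reset_count: int             # UINT32
    restart_count: int           # UINT32
    safe: bool                   # TPMI_YES_NO


@dataclass
class SessionAuditAttest:        # TPMS_ATTEST with attested = TPMS_SESSION_AUDIT_INFO
    qualified_signer: bytes      # TPM2B_NAME of the signing key
    extra_data: bytes            # TPM2B_DATA: the caller's qualifyingData (nonce)
    clock_info: ClockInfo
    firmware_version: int        # UINT64
    exclusive_session: bool      # TPMS_SESSION_AUDIT_INFO.exclusiveSession
    session_digest: bytes        # TPMS_SESSION_AUDIT_INFO.sessionDigest (TPM2B_DIGEST)


def _tpm2b(data: bytes) -> bytes:
    """TPM2B_*: big-endian UINT16 size followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_tpm2b(buf: bytes, off: int):
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("TPM2B size exceeds buffer")
    return buf[off:off + size], off + size


def marshal(a: SessionAuditAttest) -> bytes:
    """Serialize in the canonical big-endian TPM wire format."""
    ci = a.clock_info
    out = struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_SESSION_AUDIT)
    out += _tpm2b(a.qualified_signer) + _tpm2b(a.extra_data)
    out += struct.pack(">QIIB", ci.clock, ci.reset_count, ci.restart_count, int(ci.safe))
    out += struct.pack(">Q", a.firmware_version)
    out += struct.pack(">B", int(a.exclusive_session)) + _tpm2b(a.session_digest)
    return out


def unmarshal(buf: bytes) -> SessionAuditAttest:
    """Parse a TPMS_ATTEST and reject anything that is not a session audit attestation."""
    magic, st = struct.unpack_from(">IH", buf, 0)
    if magic != TPM_GENERATED_VALUE:
        raise ValueError("bad TPM_GENERATED magic")
    if st != TPM_ST_ATTEST_SESSION_AUDIT:
        raise ValueError("not a session audit attestation: 0x%04x" % st)
    off = 6
    signer, off = _read_tpm2b(buf, off)
    extra, off = _read_tpm2b(buf, off)
    clock, resets, restarts, safe = struct.unpack_from(">QIIB", buf, off)
    off += 17
    (fw,) = struct.unpack_from(">Q", buf, off)
    off += 8
    (excl,) = struct.unpack_from(">B", buf, off)
    off += 1
    digest, off = _read_tpm2b(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return SessionAuditAttest(signer, extra, ClockInfo(clock, resets, restarts, bool(safe)),
                              fw, bool(excl), digest)


def check_attest(buf, expected_signer_name, expected_nonce, expected_digest):
    """Field checks done after the signature is verified; returns a list of problems (empty = OK)."""
    try:
        a = unmarshal(buf)
    except ValueError as e:
        return ["malformed: %s" % e]
    problems = []
    if a.qualified_signer != expected_signer_name:
        problems.append("qualifiedSigner mismatch")
    if a.extra_data != expected_nonce:
        problems.append("extraData is not our nonce (replay?)")
    if a.session_digest != expected_digest:
        problems.append("sessionDigest differs from replayed log")
    if not a.exclusive_session:
        problems.append("session was not exclusive: intervening commands occurred")
    return problems
```

The verifier supplies `expected_digest` by replaying its own copy of the audited command and response parameters; a mismatch there means the host's log and the TPM's digest disagree, and a wrong `extraData` means the attestation was not produced for this verifier's challenge.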
Exclusive audit permits an auditor to validate that a sequence of commands in an audit log was contiguous—that no other commands were interleaved with the exclusive sequence. A caller can designate only one session as an exclusive session. The caller sets
the audit session auditExclusive attribute as part of a command. Assuming there was no exclusive session already in progress, this session becomes the exclusive session, and the attribute is echoed in the response.
Once a session becomes the exclusive session, it can be used for several commands.
However, any intervening command not using this exclusive audit session causes it to no longer be the exclusive session. That is, an exclusive session in progress doesn't block another command but does record that another command intervened.
When the audit digest is returned, the structure includes a flag, exclusiveSession, which is true if there were no intervening commands.
A user wants to run a sequence of commands at a specific trust state. PCR values indicate the trust state of the platform. The user therefore wants to ensure that PCR values don't change during a sequence of commands. The user runs the sequence in an exclusive session. If there was a PCR extend between two commands, it changes the current exclusive session. When the caller next tries to use the original exclusive session, the TPM returns an error, indicating an intervening command.
The TPM commands are as follows:
• TPM2_StartAuthSession: starts a session to be used for the exclusive audit.
• The TPM command sequence that should be run without an intervening PCR extend. Set the audit and auditExclusive session attributes.
• If there was an intervening command, the request for an exclusive audit session returns TPM_RC_EXCLUSIVE.
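The scenario above, and the digest-extend and host-side log replay described later in this chapter, as an added example in Python; it is a toy model written for this text, not a TPM simulator or any TPM stack's code. It tracks one exclusive session the way the text describes (the first command with auditExclusive set makes the session exclusive; any command that does not use that session clears the status; a later auditExclusive request on that session fails with TPM_RC_EXCLUSIVE), extends the session audit digest with a simplified cpHash and rpHash, and lets the host replay its saved parameters against the returned digest. Assumptions: the command names, handle range and PCR model are constructed; the cpHash omits handle names; and reading the digest is treated as a query that does not itself count as an intervening command.

```python
import hashlib

# Response code from TPM 2.0 Library Specification Part 2 (RC_VER1 + 0x021).
TPM_RC_SUCCESS = 0x000
TPM_RC_EXCLUSIVE = 0x121
HASH = "sha256"


def _h(*parts: bytes) -> bytes:
    return hashlib.new(HASH, b"".join(parts)).digest()


def cp_hash(command: str, params: bytes) -> bytes:
    """Simplified cpHash over command name and parameters (the real one also covers handle names)."""
    return _h(command.encode(), params)


def rp_hash(rc: int, command: str, response: bytes) -> bytes:
    return _h(rc.to_bytes(4, "big"), command.encode(), response)


def extend_audit(digest: bytes, command, params, rc, response) -> bytes:
    """auditDigest_new = H(auditDigest_old || cpHash || rpHash), like a PCR extend."""
    return _h(digest, cp_hash(command, params), rp_hash(rc, command, response))


class AuditSession:
    def __init__(self, handle):
        self.handle = handle
        self.digest = bytes(32)          # audit digest starts as all zeros
        self.lost_exclusive = False      # set once a command not using this session intervened


class TpmSim:
    """Toy model of session audit and exclusive-session tracking (not a real TPM)."""

    def __init__(self):
        self.sessions = {}
        self.next_handle = 0x02000000   # constructed session handle range
        self.exclusive_session = None   # handle of the current exclusive session, if any
        self.pcrs = {i: bytes(32) for i in range(24)}

    def start_auth_session(self) -> int:            # stands in for TPM2_StartAuthSession
        h = self.next_handle
        self.next_handle += 1
        self.sessions[h] = AuditSession(h)
        return h

    def _dispatch(self, command, params):
        if command == "PCR_Read":
            return self.pcrs[params[0]]
        if command == "PCR_Extend":
            idx, value = params[0], params[1:]
            self.pcrs[idx] = _h(self.pcrs[idx], value)
            return b""
        raise ValueError("unknown command")

    def execute(self, command, params=b"", audit_session=None, audit_exclusive=False):
        """Run one command; returns (responseCode, responseParams)."""
        sess = self.sessions[audit_session] if audit_session is not None else None
        if audit_exclusive:
            if sess is None:
                raise ValueError("auditExclusive requires an audit session")
            if self.exclusive_session is None and not sess.lost_exclusive:
                self.exclusive_session = sess.handle   # this session becomes the exclusive session
            elif self.exclusive_session != sess.handle:
                return TPM_RC_EXCLUSIVE, b""           # another session is exclusive, or ours lost it
        response = self._dispatch(command, params)
        if sess is not None:
            sess.digest = extend_audit(sess.digest, command, params, TPM_RC_SUCCESS, response)
        # A command that does not use the exclusive session ends its exclusive status.
        if self.exclusive_session is not None and (sess is None or sess.handle != self.exclusive_session):
            self.sessions[self.exclusive_session].lost_exclusive = True
            self.exclusive_session = None
        return TPM_RC_SUCCESS, response

    def get_session_audit_digest(self, handle):
        """The two attested fields of TPM2_GetSessionAuditDigest (the real command also signs them).
        Assumption: this read does not itself count as an intervening command."""
        return self.exclusive_session == handle, self.sessions[handle].digest


def verify_audit_log(log, reported_digest) -> bool:
    """Host side: replay saved (command, params, rc, response) entries and compare with the TPM digest."""
    d = bytes(32)
    for command, params, rc, response in log:
        d = extend_audit(d, command, params, rc, response)
    return d == reported_digest


def demo():
    """Audited PCR reads in an exclusive session, then an un-audited PCR extend intervenes."""
    tpm = TpmSim()
    s = tpm.start_auth_session()
    log = []
    for idx in (0, 7):
        rc, resp = tpm.execute("PCR_Read", bytes([idx]), audit_session=s, audit_exclusive=True)
        log.append(("PCR_Read", bytes([idx]), rc, resp))
    exclusive_before, digest = tpm.get_session_audit_digest(s)
    log_ok = verify_audit_log(log, digest)
    tpm.execute("PCR_Extend", bytes([7]) + b"\xaa" * 32)   # intervening command, no audit session
    exclusive_after, _ = tpm.get_session_audit_digest(s)
    rc, _ = tpm.execute("PCR_Read", bytes([0]), audit_session=s, audit_exclusive=True)
    return exclusive_before, log_ok, exclusive_after, rc


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the exclusive flag before the extend (true), whether the host's replayed log matches the digest (true), the flag after the extend (false), and the response code of the next exclusive request (TPM_RC_EXCLUSIVE); the digest remains a valid record of the audited commands even after exclusivity is lost, which is why the flag and the digest are reported separately.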
Audit in the TPM is the process of logging command and response parameters. The TPM logs these parameters with an extend operation, similar to that used for PCRs, while the host saves the actual parameters. Later, the TPM can return a signed digest of the audit log. The recipient can validate the signature and thus verify the integrity of the log.
The TPM offers two audit options. Command audit records all instances of a selected group of commands, regardless of the session. Session audit records all commands in a session, regardless of the command. An exclusive session permits the recipient to detect whether an audit session was interrupted by an intervening, non-audited command. It can also provide a guarantee that there was no intervening command.