GM/T 0011-2023 可信计算 可信密码支撑平台功能与接口规范

ICS35.030

CCSL80

中华人民共和国密码行业标准

GM/T0011—2023

代替GM/T0011—2012

可信计算

可信密码支撑平台功能与接口规范

Trustedcomputing—Trustedcomputingfunctionalityandinterface

specificationofcryptographicsupportplatform

2023⁃12⁃04发布2024⁃06⁃01实施

国家密码管理局发布

GM/T0011—2023

目次

前言··························································································································Ⅲ

引言··························································································································Ⅴ

1范围·······················································································································1

2规范性引用文件········································································································1

3术语和定义··············································································································1

4缩略语····················································································································3

5可信计算密码支撑平台概述·························································································4

5.1可信计算···········································································································4

5.2可信构件···········································································································4

5.3可信计算基········································································································4

5.4可信边界···········································································································4

5.5可信传递···········································································································5

5.6可信授权···········································································································5

6可信计算密码支撑平台功能·························································································5

6.1平台体系结构·····································································································5

6.2平台接口功能·····································································································7

7可信密码模块接口···································································································11

7.1通用要求··········································································································11

7.2启动命令··········································································································11

7.3检测命令··········································································································12

7.4会话命令··········································································································14

7.5对象命令··········································································································16

7.6复制命令··········································································································23

7.7非对称算法命令·································································································25

7.8对称算法命令····································································································29

7.9随机数发生器命令······························································································30

7.10杂凑/HMAC命令·····························································································31

7.11证明命令········································································································36

7.12临时EC密钥命令·····························································································39

7.13签名及签名验证命令·························································································41

7.14度量命令········································································································42

7.15增强授权命令··································································································44

7.16分层命令········································································································53

7.17字典攻击命令··································································································58

7.18管理功能命令··································································································59

7.19上下文管理命令·······························································································60

7.20属性命令········································································································62

7.21NV操作命令···································································································64

Ⅰ

GM/T0011—2023

8可信密码模块证实方法·····························································································73

8.1概述················································································································73

8.2符合性实现原理说明···························································································73

附录A（规范性）数据结构···························································································76

附录B（资料性）可信密码模块证实实例········································································134

附录C（资料性）与参考标准章条编号对照情况·······························································152

附录D（资料性）典型应用中接口依赖关系示例······························································154

参考文献··················································································································159

Ⅱ

GM/T0011—2023

前言

本文件按照GB/T1.1—2020《标准化工作导则第1部分：标准化文件的结构和起草规则》的规

定起草。

本文件代替GM/T0011—2012《可信计算可信密码支撑平台功能与接口规范》，与GM/T0011—

2012相比，除结构调整和编辑性改动外，主要技术内容变化如下：

a）删除了“术语和定义”中的部件（见2012年版的3.1.1）、对象（见2012年版的3.1.3）、密码模块

密钥（见2012年版的3.1.12）、密钥管理中心（见2012年版的3.1.13）、平台身份密钥（见2012

年版的3.1.15）、平台加密密钥（见2012年版的3.1.16）、双证书（见2012年版的3.1.17）、实体

（见2012年版的3.1.18）；

b）增加了“术语和定义”中的背书密钥（见3.9）、授权值（见3.14）、授权策略（见3.15）、上下文

（见3.16）、背书授权（见3.17）、平台固件（见3.18）、主密钥（见3.19）、主对象（见3.20）、主种

子（见3.21）、存储密钥（见3.23）；

c）删除了缩略语NV、PIK和PEK（见2012年版的3.2）；

d）增加了缩略语AK、CRTM、DRTM、ECDH、EPS、GPIO、HMAC、IPL、KDF、MBR、PP、PPS、

RNG、RTM、RTR、RTS、SPS、SRTM、TBB、TCB和UEFI（见第4章）；

e）更改了“缩略语”EK的名称（见第4章）；

f）更改了“平台体系架构”和“功能原理”的一些内容（见6.1和6.2，2012年版的4.1和4.3）；

g）删除了“密码算法要求”（见2012年版的4.2）；

h）删除了“可信计算密码支撑平台功能接口”（见2012年版的第5章）；

i）增加了“可信计算密码支撑平台概述”（见第5章）；

j）增加了“可信计算密码支撑平台功能”（见第6章）；

k）增加了“可信密码模块接口”（见第7章）；

l）增加了SM2非对称加解密的指令实现要求（见7.7）；

m）增加了“可信密码模块证实方法”（见第8章）；

n）删除了规范性附录A、附录B和附录C（见2012版附录A、附录B和附录C）；

o）增加了规范性附录A（见附录A），定义了命令码、返回码、常量和数据结构。

请注意本文件的某些内容可能涉及专利。本文件的发布机构不承担识别专利的责任。

本文件由密码行业标准化技术委员会提出并归口。

本文件起草单位：国民技术股份有限公司、中国科学院软件研究所、北京信息科技大学、联想（北

京）有限公司、中国电子技术标准化研究院、武汉大学、北京大学、北京奇虎科技有限公司、大唐高鸿信

安（浙江）信息科技有限公司、中电科技（北京）有限公司、神州网信技术有限公司、浪潮电子信息产业股

份有限公司、兴唐通信科技有限公司、阿里云计算有限公司、深圳数字电视国家工程实验室股份有限公

司、国家计算机网络与信息安全管理中心、公安部第三研究所、国民认证科技（北京）有限公司、北京蚂

蚁云金融信息服务有限公司、华为技术有限公司、郑州迪维勒普科技有限公司、北京卓识网安技术股份

有限公司、同方股份有限公司、长春吉大正元信息技术股份有限公司、联想（北京）信息技术有限公司、

新华三技术有限公司、中电科网络安全科技股份有限公司、无锡江南信息安全工程技术中心、中国人民

解放军国防科学技术大学。

本文件主要起草人：秦宇、刘鑫、付月朋、刘大遒、吴秋新、韦卫、李汝鑫、张严、王惠莅、孙彦、王娟、

严飞、沈晴霓、张晓磊、张屹、郑驰、张佳建、陈小春、孙亮、王强、杨尚欣、吴保锡、白欣璐、王悦、付颖芳、

Ⅲ

GM/T0011—2023

肖鹏、李新国、岳志军、王晖、陶源、柴海新、李俊、初晓博、张小虎、张梦良、许东阳、刘韧、刘锋、姚金龙、

吴会军、杜克宏、卢卫疆、冯伟、李为、张立强、余发江、赵波、李业旺、秦文杰、罗武。

本文件及所代替文件的历次版本发布情况为：

——2012年首次发布GM/T0011—2012；

——本次为第一次修订。

Ⅳ

GM/T0011—2023

引言

为满足可信计算产业不断发展的新需求，本文件以密码算法应用为核心，以可信计算技术应用需

求为基础，描述了可信计算密码支撑平台的功能，参考了我国密码算法在国际上可信计算标准中的采

纳情况及我国可信计算技术、国际上可信计算技术的应用成果，定义了可信计算密码支撑平台接口形

式。本文件符合不同应用场景下可信计算密码支撑平台设计需求，兼容各种硬件平台、宿主机软件系

统、应用系统，确保产业界产品的统一性和兼容性，用于指导我国可信计算相关产品开发和应用。

Ⅴ

GM/T0011—2023

可信计算

可信密码支撑平台功能与接口规范

1范围

本文件给出可信计算密码支撑平台的体系框架和功能原理，规定了可信密码模块的接口规范，描

述了对应的证实方法。

本文件适用于可信计算密码支撑平台相关产品的研制、生产、测评与应用开发。

2规范性引用文件

下列文件中的内容通过文中的规范性引用而构成本文件必不可少的条款。其中，注日期的引用文

件，仅该日期对应的版本适用于本文件；不注日期的引用文件，其最新版本（包括所有的修改单）适用于

本文件。

GB/T20518信息安全技术公钥基础设施数字证书格式

GB/T25069信息安全技术术语

GB/T32905信息安全技术SM3密码杂凑算法

GB/T32907信息安全技术SM4分组密码算法

GB/T32915信息安全技术二元序列随机性检测方法

GB/T32918.2信息安全技术SM2椭圆曲线公钥密码算法第2部分：数字签名算法

GB/T32918.3信息安全技术SM2椭圆曲线公钥密码算法第3部分：密钥交换协议

GB/T32918.4信息安全技术SM2椭圆曲线公钥密码算法第4部分：公钥加密算法

GB/T35276信息安全技术SM2密码算法使用规范

GM/T0012可信计算可信密码模块接口规范

GM/T0058可信计算TCM服务模块接口规范

GM/Z4001密码术语

3术语和定义

GB/T25069和GM/Z4001界定的以及下列术语和定义适用于本文件。

3.1

存储主密钥storagemasterkey

用于保护操作系统密钥和用户密钥的主密钥。

3.2

可信计算平台trustedcomputingplatform

构建在计算系统中，用于实现可信计算功能的支撑系统。

3.3

可信计算密码支撑平台cryptographicsupportplatformfortrustedcomputing

可信计算平台的重要组成部分，包括密码算法、密钥管理、证书管理、密码协议、密码服务内容，为

可信计算平台自身的完整性、身份真实性和数据保密性提供密码支持。

1