Comprehensive TPM-based device fingerprinting with cryptographically enforced governance
Project description
๐ TrustCore-TPM
Hardware-Rooted Device Identity | Cryptographically Enforced Trust
TrustCore-TPM is a comprehensive Python library that revolutionizes device fingerprinting by leveraging TPM (Trusted Platform Module) hardware to create non-exportable, non-replayable device identities with automatic policy enforcement.
Features โข Installation โข Quick Start โข Architecture โข Documentation
๐ Key Innovations
This library introduces four patent-worthy innovations that fundamentally change how device fingerprinting works:
๐ Innovation 1: Cryptographically Enforced Fingerprint Governance
Paradigm Shift: From "identifier generation" to "hardware-attested identity lifecycle control"
stateDiagram-v2
[*] --> Generated: Device Enrollment
Generated --> Valid: TPM Sealing
Valid --> Valid: Successful Verification
Valid --> Expired: Boot State Change
Valid --> Expired: Firmware Update
Valid --> Expired: Policy Violation
Valid --> Expired: Time Limit Reached
Expired --> [*]: Requires Re-enrollment
note right of Valid
Fingerprint is alive and
bound to TPM hardware state
end note
note right of Expired
Automatic expiry enforced
by cryptographic operations
end note
Key Properties:
- โ Non-exportable: Sealed to TPM PCR state, cannot be extracted
- โ Non-replayable: Requires live TPM signing for each verification
- โ
Automatically expires on:
- Boot state change (PCR 0-3)
- Firmware update (PCR 0-2)
- Secure boot violation (PCR 7)
- Time-based expiry
- Custom policy conditions
- โ Hardware-enforced: Unseal operation fails if state changes
Traditional vs. Our Approach:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Traditional Fingerprinting โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 1. Collect device attributes โ
โ 2. Hash them โ "fingerprint_abc123" โ
โ 3. Store in database โ
โ 4. Compare on verification โ
โ โ Fingerprint is just a value โ
โ โ Can be copied/replayed โ
โ โ No hardware binding โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Our TPM-Based Approach โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 1. Collect device attributes + TPM quote โ
โ 2. Generate fingerprint ID (HMAC with TPM signature) โ
โ 3. Seal to TPM state (AES-GCM with PCR-derived key) โ
โ 4. Verification requires TPM to unseal (cryptographic proof) โ
โ โ
Fingerprint is a cryptographic capability โ
โ โ
Cannot be copied (requires TPM hardware) โ
โ โ
Automatically expires on state change โ
โ โ
Hardware-enforced governance โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ก๏ธ Innovation 2: TPM-Bound Anti-Cloning Fingerprint
Core Insight: The fingerprint is not a static valueโit is a provable capability
graph LR
A[Attacker] -->|1. Steals fingerprint data| B[Fingerprint File]
B -->|2. Copies to new device| C[Cloned Device]
C -->|3. Attempts unseal| D{TPM Check}
D -->|Different PCR values| E[โ Unseal Fails]
D -->|Same TPM required| E
F[Legitimate Device] -->|Verification| G{TPM Unseal}
G -->|Correct PCRs| H[โ
Success]
G -->|TPM generates proof| H
style E fill:#e74c3c,stroke:#c0392b,color:#fff
style H fill:#2ecc71,stroke:#27ae60,color:#fff
Why Cloning Fails:
Cloning Attempt Scenario:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. Attacker extracts fingerprint file โ
โ โ Contains: sealed_data, PCR values, metadata โ
โ โ
โ 2. Copies to new device โ
โ โ New device has DIFFERENT TPM chip โ
โ โ Different PCR values (unique boot measurements) โ
โ โ
โ 3. Attempts verification โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Sealed Data Structure: โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ nonce(96-bit) || ciphertext || โ โ โ
โ โ โ authentication_tag โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ โ
โ โ Unsealing Process: โ โ
โ โ 1. Read current PCRs from TPM โ โ
โ โ 2. Derive key = KDF(PCR_0..PCR_7) โ โ
โ โ 3. Try AES-GCM decrypt โ โ
โ โ โ โ
โ โ Result: DECRYPTION FAILS โ โ โ
โ โ (PCRs don't match original) โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ 4. Even with ALL software/data copied: โ
โ โ Cannot generate valid TPM quote โ
โ โ Cannot pass challenge-response โ
โ โ Cannot reproduce PCR measurements โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Challenge-Response Protocol (Anti-Replay):
Device Verification:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Verifier Device โ
โ โ โ โ
โ โโโโโ Challenge (32-byte nonce) โโโ>โ โ
โ โ โ โ
โ โ โโโโโโดโโโโโ โ
โ โ โ TPM โ โ
โ โ โ - Read PCRs โ
โ โ โ - Sign with HMAC โ
โ โ โโโโโโฌโโโโโ โ
โ โ โ โ
โ โ<โ Response: {signature, PCRs} โโโโค โ
โ โ โ โ
โ โโ Verify: โ
โ โ 1. Timestamp fresh? (< 5 min) โ
โ โ 2. Nonce matches? โ
โ โ 3. Signature = HMAC(nonce||PCRs||timestamp) โ
โ โ 4. PCRs match expected baseline? โ
โ โ โ
โ โโโ> โ Valid OR โ Invalid โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ๏ธ Innovation 3: Fingerprint + Policy + Consequence
Revolutionary Concept: Fingerprint change is not informationalโit is enforced
graph TD
A[Device Verification] --> B{Fingerprint Valid?}
B -->|Yes| C[โ
Access Granted]
B -->|No| D[Policy Violation Detected]
D --> E[Automatic Consequences]
E --> F[Revoke Credentials]
E --> G[Lock Vaults]
E --> H[Invalidate Tokens]
E --> I[Seal Audit Event]
E --> J[Force Re-enrollment]
F --> K[โ Access Denied]
G --> K
H --> K
I --> K
J --> K
style C fill:#2ecc71,stroke:#27ae60,color:#fff
style K fill:#e74c3c,stroke:#c0392b,color:#fff
style E fill:#f39c12,stroke:#e67e22,color:#fff
Enforcement Flow:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ TRADITIONAL APPROACH โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Fingerprint Changed โ
โ โ โ
โ v โ
โ [Log Event] โ
โ โ โ
โ v โ
โ [Send Alert] โ
โ โ โ
โ v โ
โ [Wait for Admin] โ Manual intervention required โ
โ โ โ
โ v โ
โ [Admin Reviews] โ
โ โ โ
โ v โ
โ [Admin Takes Action] โ Hours or days later โ
โ โ
โ โ Detection without enforcement โ
โ โ Time gap allows attacker access โ
โ โ Requires manual intervention โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ OUR TPM-BASED APPROACH โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Fingerprint Change Detected (PCR Mismatch) โ
โ โ โ
โ v โ
โ [Unseal Fails] โ Cryptographic enforcement โ
โ โ โ
โ โโโโโโโโโโโโโ> [Revoke Credentials] โ Immediate โ
โ โ โ โ
โ โโโโโโโโโโโโโ> [Lock All Vaults] โ
โ โ โ โ
โ โโโโโโโโโโโโโ> [Invalidate Tokens] โ
โ โ โ โ
โ โโโโโโโโโโโโโ> [Seal Audit Event to TPM] โ
โ โ โ โ
โ v v โ
โ [Access Denied] โ [All Protected Resources Locked] โ
โ โ โ โ
โ v v โ
โ [Require Re-enrollment] โ Cryptographic proof needed โ
โ โ
โ โ
Automatic enforcement (milliseconds, not hours) โ
โ โ
No time gap for attackers โ
โ โ
No manual intervention needed โ
โ โ
Cryptographically guaranteed โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Policy Actions Matrix:
| Violation Type | Automatic Actions |
|---|---|
| Boot State Changed | โข Invalidate fingerprint โข Revoke API credentials โข Lock data vaults โข Seal audit event โข Require re-enrollment |
| Firmware Updated | โข Expire fingerprint โข Log firmware version change โข Allow re-enrollment with new baseline |
| Secure Boot Disabled | โข Immediate lockdown โข Revoke all credentials โข Lock all vaults โข Alert + audit log |
| PCR Mismatch (>3 attempts) | โข Permanent lockdown โข Revoke credentials โข Seal denial event โข Admin intervention required |
| Time Expiry | โข Soft lock โข Allow re-validation โข Log expiry event |
๐ Innovation 4: TPM + Offline Enforcement
Breakthrough: Complete trust chain maintained locally via TPMโno server required
graph TB
subgraph "Traditional Architecture"
T1[Device] -->|Fingerprint| T2[Network]
T2 -->|Verify| T3[Cloud Server]
T3 -->|Database Lookup| T4[Central DB]
T4 -->|Decision| T3
T3 -->|Response| T2
T2 -->|Result| T1
end
subgraph "Our Offline Architecture"
O1[Device] -->|Read PCRs| O2[Local TPM]
O2 -->|Attestation| O3[Sealed Data]
O3 -->|Unseal| O2
O2 -->|Crypto Verify| O1
O1 -->|Decision| O1
end
style T3 fill:#e74c3c,stroke:#c0392b,color:#fff
style T4 fill:#e74c3c,stroke:#c0392b,color:#fff
style O2 fill:#2ecc71,stroke:#27ae60,color:#fff
Complete Offline Trust Chain:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ OFFLINE VERIFICATION BUNDLE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Hardware Root of Trust โ
โ โโโโโโโโโโโโโโโโโโโโ โ
โ โ TPM 2.0 Chip โ โ Endorsement Key (burned in hardware) โ
โ โ (Local Device) โ โ Storage Root Key (generated on-chip) โ
โ โโโโโโโโโโฌโโโโโโโโโโ โ
โ โ โ
โ v โ
โ โโโโโโโโโโโโโโโโโโโโ โ
โ โ Platform PCRs โ โ Boot measurements โ
โ โ (0,1,2,3,7) โ โ Firmware hashes โ
โ โโโโโโโโโโฌโโโโโโโโโโ โ Secure boot state โ
โ โ โ
โ v โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Sealed Fingerprint โ โ
โ โ โข Device attributes โ โ
โ โ โข TPM quote (signed) โ โ
โ โ โข PCR baseline โ โ
โ โ โข Encrypted with PCR-derived key โ
โ โโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ v โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Policy Definition โ โ
โ โ โข PCR baseline โ โ
โ โ โข Expiry conditions โ โ
โ โ โข Consequence rules โ โ
โ โโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ v โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Sealed Consequences โ โ
โ โ โข Credentials (encrypted) โ โ
โ โ โข Vault keys (TPM-sealed) โ โ
โ โ โข Access tokens (sealed) โ โ
โ โโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ v โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Audit Chain โ โ
โ โ โข HMAC-chained events โ โ
โ โ โข TPM-sealed logs โ โ
โ โ โข Tamper-evident history โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ โ
No network required โ
โ โ
No cloud dependency โ
โ โ
No central database โ
โ โ
Complete local trust chain โ
โ โ
Cryptographically verifiable โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Comparison:
| Feature | Cloud-Based | Our Offline Approach |
|---|---|---|
| Network Required | โ Yes | โ No |
| Server Dependency | โ Yes | โ No |
| Central Database | โ Yes | โ No |
| Latency | 100-500ms | <1ms |
| Offline Operation | โ No | โ Yes |
| Privacy | โ ๏ธ Data sent to server | โ Local only |
| Trust Anchor | โ๏ธ Cloud PKI | ๐ Local TPM |
| Single Point of Failure | โ ๏ธ Server outage | โ Distributed |
| Cost | ๐ฐ Server infrastructure | โ Zero ongoing cost |
๐ฆ Installation
# Clone repository
git clone <repository-url>
cd Device-fingerprinting-TPM
# Install dependencies
pip install -r requirements.txt
# Install the library
pip install -e .
๐ง Requirements & Dependencies
System Requirements
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Minimum Requirements โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Python: 3.8 or higher โ
โ TPM Version: 2.0 (hardware or software simulator) โ
โ RAM: 512 MB minimum โ
โ Storage: 50 MB for library + sealed data โ
โ OS: Windows 10+, Linux (kernel 4.0+), macOS โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Recommended Setup โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Python: 3.11+ โ
โ TPM: Hardware TPM 2.0 with firmware 1.38+ โ
โ RAM: 2 GB โ
โ Storage: 500 MB (with audit logs) โ
โ UEFI: Secure Boot enabled โ
โ TPM Tools: tpm2-tools 5.0+ (Linux) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Python Dependencies
# Core dependencies (required)
cryptography>=41.0.0 # AES-GCM encryption, HMAC signatures
pywin32>=300 # Windows TPM integration (Windows only)
# Optional enhancements
device-fingerprinting-pro>=1.0.0 # Enhanced device attributes
pqcdualusb>=1.0.0 # Post-quantum cryptography
tpm2-tools>=5.0 # Enhanced Linux TPM support
TPM Platform Support
| Platform | TPM Support | Status | Notes |
|---|---|---|---|
| Windows 10/11 | โ Native | Full | Via WMI & TPM Base Services |
| Linux | โ Native | Full | Via /dev/tpm0 + tpm2-tools |
| Azure VM | โ vTPM | Full | Virtual TPM 2.0 |
| AWS EC2 | โ vTPM | Full | Nitro-based instances |
| Docker | โ ๏ธ Emulated | Limited | Software TPM simulator |
| macOS | โ ๏ธ T2/M1 Chip | Partial | Secure Enclave (limited API) |
๐ TPM PCR Definitions
PCR Bank Overview
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ TPM 2.0 PCR Banks โ
โ (Platform Configuration Registers) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ PCRs are extend-only registers that record platform state โ
โ measurements. Each PCR starts at 0 and is extended using: โ
โ โ
โ PCR[new] = SHA256(PCR[old] || measurement) โ
โ โ
โ This creates a tamper-evident chain of measurements. โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
PCR Usage by This Library
| PCR | Purpose | Measured By | Why We Use It |
|---|---|---|---|
| 0 | BIOS/UEFI firmware code | Platform firmware | Detects firmware tampering, rootkits in BIOS |
| 1 | Platform configuration | UEFI | Detects hardware changes, settings modifications |
| 2 | Option ROM code | UEFI | Detects peripheral firmware (network, storage) |
| 3 | Option ROM config | UEFI | Detects peripheral configuration changes |
| 7 | Secure Boot state | UEFI | Detects Secure Boot violations, unsigned kernels |
| 8 | Bootloader (GRUB/Windows) | OS loader | Detects bootloader modifications |
| 9 | Kernel code | OS loader | Detects kernel tampering |
Default Configuration: PCRs 0, 1, 2, 3, 7
Rationale:
- PCR 0-3: Core platform firmware (changes indicate hardware/firmware modifications)
- PCR 7: Secure Boot state (critical for OS integrity)
- PCRs 8-9: Optional (OS-specific, may change with updates)
PCR Extend Operation
Initial State (Power-On):
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ PCR 0: 0000000000000000000000000000000000000000000000000โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Firmware Loads:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Measurement: BIOS code โ hash = abc123... โ
โ PCR 0 = SHA256(0000...000 || abc123...) โ
โ PCR 0: d3f4a6b8c9e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Option ROM Loads:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Measurement: NIC firmware โ hash = def456... โ
โ PCR 2 = SHA256(PCR[2] || def456...) โ
โ PCR 2: 8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Result: Each PCR is a cumulative hash chain of all measurements.
Any change in boot sequence produces completely different PCR values.
State Change Detection
graph TD
A[Boot Process Starts] --> B[UEFI Firmware]
B --> C{Measure Firmware}
C -->|Hash| D[Extend PCR 0]
D --> E{Load Option ROMs}
E -->|Measure| F[Extend PCR 2]
F --> G{Check Secure Boot}
G -->|Status| H[Extend PCR 7]
H --> I[Final PCR Values]
I --> J{Library Unseals}
J -->|PCRs Match| K[โ
Success]
J -->|PCRs Different| L[โ Unseal Fails]
style K fill:#2ecc71,stroke:#27ae60,color:#fff
style L fill:#e74c3c,stroke:#c0392b,color:#fff
Example: State Change Scenarios
| Scenario | Changed PCRs | Detection | Consequence |
|---|---|---|---|
| Normal Boot | None | โ PCRs match | Access granted |
| BIOS Update | 0, 1 | โ Mismatch | Fingerprint expires, re-enrollment |
| Secure Boot Disabled | 7 | โ Violation | Immediate lockdown |
| Hardware Added | 1, 2 | โ Config change | Re-validation required |
| Rootkit in Firmware | 0 | โ Tampering | Credentials revoked |
| Bootloader Modified | 8 | โ ๏ธ Optional | Log + alert (if monitored) |
๐ Quick Start
Installation
# Install from PyPI (recommended)
pip install trustcore-tpm
# Or install from source
git clone https://github.com/yourusername/trustcore-tpm.git
cd trustcore-tpm
# Install dependencies
pip install -r requirements.txt
# Install the library
pip install -e .
# Verify installation
python -c "from tpm_fingerprint_lib import OfflineVerifier; print('โ Installation successful')"
Basic Usage Flow
graph LR
A[Install Library] --> B[Enroll Device]
B --> C[Verify Device]
C --> D{Valid?}
D -->|Yes| E[โ
Access Granted]
D -->|No| F[โ Consequences Applied]
F --> G[Re-enrollment Required]
style E fill:#2ecc71,stroke:#27ae60,color:#fff
style F fill:#e74c3c,stroke:#c0392b,color:#fff
Example 1: Simple Enrollment & Verification
from tpm_fingerprint_lib import OfflineVerifier
# Initialize the verifier
verifier = OfflineVerifier()
# Enroll a device (creates TPM-bound fingerprint)
device_name = "workstation-001"
fingerprint = verifier.enroll_device(device_name)
print(f"โ Device enrolled successfully!")
print(f" Device ID: {fingerprint.device_id}")
print(f" TPM Bound: {fingerprint.tpm_bound}")
print(f" PCRs Used: {list(fingerprint.pcr_values.keys())}")
# Verify the device
result = verifier.verify_device(device_name)
if result.is_valid:
print(f"โ Verification successful!")
print(f" Status: {result.status}")
print(f" PCRs Match: {result.pcr_match}")
else:
print(f"โ Verification failed: {result.violation_type}")
Output:
โ Device enrolled successfully!
Device ID: fp_a1b2c3d4e5f6...
TPM Bound: True
PCRs Used: [0, 1, 2, 3, 7]
โ Verification successful!
Status: VALID
PCRs Match: True
Example 2: With Policy & Consequences
from tpm_fingerprint_lib import OfflineVerifier, Config
from tpm_fingerprint_lib.policy_engine import PolicyAction
from tpm_fingerprint_lib.exceptions import PolicyViolationError
# Configure with strict policies
config = Config()
config.STRICT_MODE = True
config.MAX_PCR_MISMATCH_ATTEMPTS = 3
verifier = OfflineVerifier(config=config)
# Enroll device with custom policy
device_name = "secure-server-001"
fingerprint = verifier.enroll_device(
device_name,
metadata={
"location": "datacenter-1",
"owner": "admin@company.com",
"criticality": "high"
}
)
# Register protected resources
verifier.consequence_handler.register_credential(
credential_id="db_master_key",
credential_type="database",
data={
"host": "db.internal.com",
"username": "admin",
"password": "super_secret_password"
},
fingerprint_id=fingerprint.device_id
)
verifier.consequence_handler.register_vault(
vault_id="secrets_vault",
name="Production Secrets",
fingerprint_id=fingerprint.device_id
)
print(f"โ Device enrolled with protected resources")
# Simulate verification after boot (PCRs unchanged)
try:
result = verifier.verify_device(device_name)
print(f"โ Verification passed - accessing credentials...")
# Access protected resources
credential = verifier.consequence_handler.get_credential("db_master_key")
print(f" Database: {credential['data']['host']}")
if verifier.consequence_handler.is_vault_accessible("secrets_vault"):
print(f" Vault: Accessible")
except PolicyViolationError as e:
print(f"โ Policy violated: {e}")
print(f" Consequences automatically enforced:")
print(f" - Credentials revoked")
print(f" - Vaults locked")
print(f" - Tokens invalidated")
Example 3: Challenge-Response (Anti-Replay)
from tpm_fingerprint_lib import OfflineVerifier
verifier = OfflineVerifier()
# Enroll device
device_name = "laptop-001"
fingerprint = verifier.enroll_device(device_name)
# Generate challenge for verification
challenge = verifier.fingerprint_engine.tpm.generate_challenge()
print(f"Challenge generated: {challenge[:16].hex()}...")
# Device responds to challenge
response = verifier.fingerprint_engine.tpm.sign_challenge(
challenge,
fingerprint.pcr_values
)
print(f"Response signature: {response['signature'][:32]}...")
# Verify response
is_valid = verifier.fingerprint_engine.tpm.verify_challenge_response(
challenge,
response
)
if is_valid:
print(f"โ Challenge-response verified - device is authentic")
else:
print(f"โ Challenge-response failed - potential replay attack")
Example 4: Offline Verification Bundle
from tpm_fingerprint_lib import OfflineVerifier
import json
verifier = OfflineVerifier()
# Enroll device
device_name = "edge-device-001"
fingerprint = verifier.enroll_device(device_name)
# Export offline verification bundle
# (Can be used without network connectivity)
bundle = verifier.export_offline_verification_bundle(device_name)
print(f"โ Offline bundle created:")
print(f" Fingerprint ID: {bundle['fingerprint_id']}")
print(f" PCR Baseline: {len(bundle['pcr_baseline'])} PCRs")
print(f" Policy Included: {bundle['policy_id']}")
print(f" Bundle Size: {len(json.dumps(bundle))} bytes")
print(f" Signature: {bundle['signature'][:32]}...")
# Save bundle for offline use
with open('offline_bundle.json', 'w') as f:
json.dump(bundle, f, indent=2)
print(f"\nโ Bundle saved - can verify offline without network")
# Later, verify using the bundle (no network required)
verification_proof = verifier.get_verification_proof(device_name)
print(f"\nโ Verification proof generated:")
print(f" Valid: {verification_proof['valid']}")
print(f" Proof Signature: {verification_proof['signature'][:32]}...")
๐ฏ Core Components
Component Overview
graph TB
subgraph "User Application"
APP[Your Code]
end
subgraph "High-Level API"
OV[OfflineVerifier<br/>Complete Solution]
end
subgraph "Core Engines"
FE[FingerprintEngine<br/>Identity Management]
PE[PolicyEngine<br/>Rule Enforcement]
CH[ConsequenceHandler<br/>Action Execution]
AL[AuditLogger<br/>Tamper-Proof Logs]
end
subgraph "Low-Level Operations"
TPM[TPMOperations<br/>Hardware Interface]
end
APP --> OV
OV --> FE
OV --> PE
OV --> CH
OV --> AL
FE --> TPM
PE --> TPM
CH --> TPM
AL --> TPM
1๏ธโฃ FingerprintEngine
Purpose: Generates and manages TPM-bound device fingerprints
from tpm_fingerprint_lib import FingerprintEngine, Config
# Initialize
config = Config()
engine = FingerprintEngine(config=config)
# Generate fingerprint
fingerprint = engine.generate_fingerprint(
metadata={
"device_name": "workstation-001",
"location": "office-5th-floor",
"owner": "john.doe@company.com"
},
pcr_indices=[0, 1, 2, 3, 7], # PCRs to bind to
validity_seconds=86400 # 24 hours
)
print(f"Fingerprint ID: {fingerprint.device_id}")
print(f"TPM Bound: {fingerprint.tpm_bound}")
print(f"Expires: {fingerprint.expires_at}")
# Verify fingerprint
verification = engine.verify_fingerprint(fingerprint)
print(f"Valid: {verification['is_valid']}")
# Load existing fingerprint
loaded = engine.load_fingerprint(fingerprint.device_id)
Key Features:
- โ Non-exportable (sealed to TPM PCRs)
- โ Non-replayable (requires live TPM attestation)
- โ Automatic expiry on boot state changes
- โ Challenge-response verification
- โ Integrates with device-fingerprinting-pro
Data Structure:
DeviceFingerprint:
device_id: str # Unique ID (HMAC of components)
pcr_values: Dict[int, str] # PCR baseline snapshot
components: Dict[str, Any] # Device attributes + TPM quote
metadata: Dict[str, Any] # User-defined metadata
tpm_bound: bool # True if sealed to TPM
created_at: datetime # Creation timestamp
expires_at: datetime # Expiry timestamp (optional)
2๏ธโฃ PolicyEngine
Purpose: Enforces cryptographic governance policies
from tpm_fingerprint_lib import PolicyEngine
from tpm_fingerprint_lib.policy_engine import PolicyAction, PolicyViolationType
# Initialize
policy_engine = PolicyEngine()
# Create policy
policy = policy_engine.create_policy(
name="Production Policy",
pcr_baseline={0: "abc...", 1: "def...", 7: "ghi..."},
auto_expire_on_boot_change=True,
require_secure_boot=True,
max_mismatch_attempts=3,
actions={
PolicyViolationType.BOOT_STATE_CHANGED: [
PolicyAction.REVOKE_CREDENTIALS,
PolicyAction.LOCK_VAULT
],
PolicyViolationType.SECURE_BOOT_DISABLED: [
PolicyAction.IMMEDIATE_LOCKDOWN
]
}
)
print(f"Policy ID: {policy.policy_id}")
# Validate fingerprint against policy
result = policy_engine.validate_fingerprint(fingerprint, policy)
if result['is_valid']:
print("โ Policy compliance verified")
else:
print(f"โ Violation: {result['violations']}")
# Automatic consequences triggered!
# Register custom violation handler
def custom_handler(violation, policy, fingerprint):
print(f"Custom action for {violation.value}")
# Send email, log to SIEM, etc.
policy_engine.register_violation_handler(
PolicyViolationType.PCR_MISMATCH,
custom_handler
)
Policy Actions:
REVOKE_CREDENTIALS: Invalidate all credentials tied to fingerprintLOCK_VAULT: Lock all vaults tied to fingerprintINVALIDATE_TOKENS: Revoke all access tokensIMMEDIATE_LOCKDOWN: Full lockdown (all above)REQUIRE_REENROLLMENT: Force device re-enrollmentLOG_ONLY: Record but don't enforce
Violation Types:
BOOT_STATE_CHANGED: PCRs 0-7 changedFIRMWARE_UPDATED: PCRs 0-2 changedSECURE_BOOT_DISABLED: PCR 7 indicates disabledPCR_MISMATCH: Any PCR doesn't match baselineFINGERPRINT_EXPIRED: Time-based expiry reachedMAX_ATTEMPTS_EXCEEDED: Too many mismatch attempts
3๏ธโฃ ConsequenceHandler
Purpose: Manages and enforces consequences on policy violations
from tpm_fingerprint_lib import ConsequenceHandler
# Initialize
handler = ConsequenceHandler()
# Register credential (TPM-sealed)
credential = handler.register_credential(
credential_id="db_master_key",
credential_type="database",
data={
"host": "postgres.internal.com",
"port": 5432,
"username": "admin",
"password": "secure_password_123"
},
fingerprint_id=fingerprint.device_id,
metadata={"environment": "production"}
)
# Register vault
vault = handler.register_vault(
vault_id="secrets_vault",
name="Production Secrets",
description="API keys, certificates, tokens",
fingerprint_id=fingerprint.device_id
)
# Register token
token = handler.register_token(
token_id="api_access_token",
token_value="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
fingerprint_id=fingerprint.device_id,
expiry_seconds=3600
)
# Check status
if handler.is_credential_valid("db_master_key"):
cred = handler.get_credential("db_master_key")
print(f"Database: {cred['data']['host']}")
else:
print("Credential revoked")
if handler.is_vault_accessible("secrets_vault"):
print("Vault accessible")
else:
print("Vault locked")
# Enforce consequences (automatic on policy violation)
violations = [PolicyViolationType.BOOT_STATE_CHANGED]
handler.enforce_consequences(fingerprint.device_id, violations)
# โ All credentials revoked
# โ All vaults locked
# โ All tokens invalidated
Protected Resource Types:
Credential:
credential_id: str # Unique ID
credential_type: str # "database", "api_key", "certificate", etc.
data: Dict # Sealed credential data
fingerprint_id: str # Bound to this fingerprint
status: str # "active", "revoked"
created_at: datetime
revoked_at: datetime # If revoked
Vault:
vault_id: str # Unique ID
name: str # Human-readable name
description: str # Purpose
fingerprint_id: str # Bound to this fingerprint
is_locked: bool # Lock state
locked_at: datetime # If locked
Token:
token_id: str # Unique ID
token_value: str # Sealed token
fingerprint_id: str # Bound to this fingerprint
is_valid: bool # Validity state
expires_at: datetime # Expiry time
4๏ธโฃ OfflineVerifier
Purpose: Complete offline device identity verification
from tpm_fingerprint_lib import OfflineVerifier, Config
# Initialize with config
config = Config()
config.OFFLINE_MODE = True
config.STRICT_MODE = True
verifier = OfflineVerifier(config=config)
# Enroll device (returns DeviceFingerprint)
fingerprint = verifier.enroll_device(
device_id="server-001",
metadata={"role": "webserver", "datacenter": "us-east-1"}
)
# Verify device (offline, no network required)
result = verifier.verify_device("server-001")
print(f"Valid: {result.is_valid}")
print(f"Status: {result.status}")
print(f"PCR Match: {result.pcr_match}")
# Export offline bundle (portable verification)
bundle = verifier.export_offline_verification_bundle("server-001")
# Bundle contains: fingerprint, policy, PCR baseline, signature
# Can be transferred and verified without network
# Get verification proof (cryptographic proof of verification)
proof = verifier.get_verification_proof("server-001")
print(f"Proof signature: {proof['signature']}")
# Get device status
status = verifier.get_device_status("server-001")
print(f"Fingerprint valid: {status['fingerprint_status']['is_valid']}")
print(f"Credentials: {len(status['consequence_status']['credentials'])}")
print(f"Vaults: {len(status['consequence_status']['vaults'])}")
OfflineVerifier Orchestrates:
OfflineVerifier
โโโบ FingerprintEngine โ Generate & verify fingerprints
โโโบ PolicyEngine โ Validate against policies
โโโบ ConsequenceHandler โ Manage protected resources
โโโบ AuditLogger โ Record all events
5๏ธโฃ AuditLogger
Purpose: Tamper-evident, TPM-sealed audit logging
from tpm_fingerprint_lib.audit_logger import AuditLogger
# Initialize
logger = AuditLogger()
# Log events (automatically sealed to TPM)
logger.log_fingerprint_generated(
fingerprint_id="fp_abc123",
device_id="workstation-001",
details={"pcrs": [0,1,2,3,7]}
)
logger.log_verification_success(
fingerprint_id="fp_abc123",
details={"pcr_match": True}
)
logger.log_policy_violation(
fingerprint_id="fp_abc123",
violation_type="BOOT_STATE_CHANGED",
details={"pcr_0_changed": True}
)
# Get events
events = logger.get_events(
event_type="POLICY_VIOLATION",
start_time=datetime.now() - timedelta(days=7)
)
for event in events:
print(f"{event['timestamp']}: {event['event_type']}")
print(f" Details: {event['details']}")
# Verify audit chain integrity
verification = logger.verify_log_chain()
print(f"Chain valid: {verification['verified']}")
print(f"Total events: {verification['total_events']}")
# Get statistics
stats = logger.get_statistics()
print(f"Total events: {stats['total_events']}")
print(f"Events by type: {stats['by_type']}")
print(f"Last 24h: {stats['last_24h']}")
Audit Event Types:
FINGERPRINT_GENERATED: New fingerprint createdFINGERPRINT_VERIFIED: Successful verificationVERIFICATION_FAILED: Failed verificationPOLICY_VIOLATION: Policy rule violatedCREDENTIAL_REVOKED: Credential invalidatedVAULT_LOCKED: Vault access deniedTOKEN_INVALIDATED: Token revokedREENROLLMENT_REQUIRED: Device must re-enroll
Tamper-Evident Chain:
Event[0]: hash = HMAC(initial_key, event_0_data)
Event[1]: hash = HMAC(Event[0].hash, event_1_data)
Event[2]: hash = HMAC(Event[1].hash, event_2_data)
...
Any modification breaks the chain โ detected on verification
6๏ธโฃ TPMOperations
Purpose: Low-level TPM hardware interface
from tpm_fingerprint_lib.tpm_ops import TPMOperations
# Initialize
tpm = TPMOperations()
# Read PCR values
pcr_values = tpm.read_pcrs([0, 1, 2, 3, 7])
print(f"PCR 0: {pcr_values[0]}")
print(f"PCR 7: {pcr_values[7]}")
# Seal data to TPM
sealed_blob = tpm.seal_data(
data=b"sensitive_data",
pcr_indices=[0, 1, 2, 3, 7],
pcr_values=pcr_values
)
# Unseal data (requires matching PCRs)
try:
unsealed = tpm.unseal_data(sealed_blob)
print(f"Unsealed: {unsealed}")
except Exception as e:
print(f"Unseal failed (PCR mismatch): {e}")
# Generate challenge
challenge = tpm.generate_challenge()
# Sign challenge (for challenge-response)
response = tpm.sign_challenge(challenge, pcr_values)
print(f"Signature: {response['signature']}")
# Verify challenge response
is_valid = tpm.verify_challenge_response(challenge, response)
print(f"Valid: {is_valid}")
# Get TPM quote (attestation)
quote = tpm.get_tpm_quote([0, 1, 2, 3, 7], challenge)
print(f"Quote: {quote['quote']}")
print(f"Signature: {quote['signature']}")
Cryptographic Operations:
read_pcrs(): Read PCR values from TPMseal_data(): Encrypt with AES-GCM using PCR-derived keyunseal_data(): Decrypt (fails if PCRs changed)generate_challenge(): Create 32-byte random noncesign_challenge(): HMAC-SHA256 signature with PCR keyverify_challenge_response(): Verify HMAC signatureget_tpm_quote(): Get TPM attestation quote
๐ Documentation
Complete Documentation Suite
| Document | Description | Link |
|---|---|---|
| README.md | This file - overview and quick start | README.md |
| QUICKSTART.md | 5-minute getting started guide | QUICKSTART.md |
| USAGE_GUIDE.md | Comprehensive usage guide with examples | USAGE_GUIDE.md |
| ARCHITECTURE.md | System architecture and design | ARCHITECTURE.md |
| PATENTS.md | Patent-relevant innovations | PATENTS.md |
| PRODUCTION_VERIFICATION.md | Production readiness report | PRODUCTION_VERIFICATION.md |
| PROJECT_SUMMARY.md | Project overview and summary | PROJECT_SUMMARY.md |
| FILE_INDEX.md | Complete file index | FILE_INDEX.md |
Examples
Comprehensive examples in the examples/ directory:
# Basic enrollment and verification
python examples/basic_usage.py
# Policy enforcement with consequences
python examples/advanced_policy_enforcement.py
# Complete offline operation demo
python examples/offline_verification.py
Example Scenarios Covered:
- Device enrollment with TPM binding
- Fingerprint verification with challenge-response
- Policy violation detection and automatic consequences
- Credential and vault management
- Offline verification bundle creation
- Audit log verification
- Custom violation handlers
- State change detection
๐งช Testing & Validation
Run Production Verification Tests
# Full verification test suite
python test_library.py
Tests Include:
โ AES-GCM Encryption/Decryption (256-bit)
โ HMAC-SHA256 Signatures
โ PCR-Derived Key Generation
โ Challenge-Response Authentication
โ Library Initialization
โ TPM Detection & Fallback
Run Unit Tests
# Run full test suite
pytest tests/
# Run specific test class
pytest tests/test_library.py::TestTPMOperations
# Run with coverage
pytest --cov=tpm_fingerprint_lib tests/
# Verbose output
pytest -v tests/
Test Coverage:
- โ TPM operations (read PCRs, seal/unseal, challenge-response)
- โ Fingerprint generation and verification
- โ Policy enforcement and violations
- โ Consequence management
- โ Audit logging and chain verification
- โ Offline verification bundles
- โ Error handling and exceptions
๐ Security Features
Security Guarantees
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Security Properties โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ โ
Non-Exportable Fingerprints โ
โ โ Sealed to TPM PCR state โ
โ โ Cannot be unsealed if boot state changes โ
โ โ Requires live TPM hardware โ
โ โ
โ โ
Anti-Replay Protection โ
โ โ Fresh challenge-response for each verification โ
โ โ Nonce-based with timestamp validation โ
โ โ 5-minute nonce lifetime โ
โ โ Prevents fingerprint replay attacks โ
โ โ
โ โ
Tamper-Evident Audit Logs โ
โ โ HMAC-chained events โ
โ โ TPM-sealed log rotation โ
โ โ Cannot modify without detection โ
โ โ Cryptographic proof of integrity โ
โ โ
โ โ
Automatic Consequence Enforcement โ
โ โ Not just detection - automatic enforcement โ
โ โ Credentials revoked immediately โ
โ โ Vaults locked automatically โ
โ โ No manual intervention required โ
โ โ Millisecond response time โ
โ โ
โ โ
Cryptographic Binding โ
โ โ AES-256-GCM authenticated encryption โ
โ โ HMAC-SHA256 signatures โ
โ โ PCR-derived keys (KDF-SHA256) โ
โ โ NIST-approved algorithms โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Cryptographic Algorithms
| Operation | Algorithm | Key Size | Notes |
|---|---|---|---|
| Encryption | AES-GCM | 256-bit | Authenticated encryption with 96-bit nonce |
| Signatures | HMAC-SHA256 | 256-bit | PCR-derived keys |
| Key Derivation | KDF-SHA256 | 256-bit | From PCR values |
| Hashing | SHA-256 | 256-bit | PCR measurements |
| Nonces | CSPRNG | 256-bit (32 bytes) | Challenge generation |
| TPM Quote | HMAC-SHA256 | 256-bit | Attestation signatures |
All algorithms are:
- โ NIST-approved
- โ Quantum-resistant (symmetric crypto)
- โ Industry-standard
- โ Peer-reviewed
Threat Model
Protected Against:
- โ Fingerprint cloning: TPM binding prevents replication
- โ Replay attacks: Challenge-response with nonce expiry
- โ Data exfiltration: Sealed data cannot be decrypted elsewhere
- โ Firmware tampering: PCR changes detected, fingerprint expires
- โ Secure Boot bypass: PCR 7 monitoring
- โ Credential theft: Sealed to fingerprint, auto-revoked on violation
- โ Audit log tampering: HMAC chain detects modifications
- โ Time-based attacks: Timestamp validation (5-minute window)
Attack Scenarios Mitigated:
Scenario 1: Attacker Steals Fingerprint Data
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. Attacker extracts fingerprint file โ
โ 2. Copies to malicious device โ
โ 3. Attempts verification โ
โ 4. TPM unseal fails (different PCRs) โ
โ 5. Challenge-response fails (no TPM quote) โ
โ Result: โ
Attack Failed โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Scenario 2: Firmware Rootkit Installation
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. Attacker modifies BIOS/UEFI firmware โ
โ 2. System reboots โ
โ 3. PCR 0 value changes (firmware hash diff) โ
โ 4. Fingerprint unseal fails โ
โ 5. Credentials auto-revoked โ
โ 6. Vaults auto-locked โ
โ Result: โ
Attack Detected & Mitigated โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Scenario 3: Secure Boot Bypass Attempt
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. Attacker disables Secure Boot โ
โ 2. Attempts to boot unsigned kernel โ
โ 3. PCR 7 value changes โ
โ 4. Policy violation: SECURE_BOOT_DISABLED โ
โ 5. IMMEDIATE_LOCKDOWN triggered โ
โ 6. All resources locked โ
โ Result: โ
Attack Blocked โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Scenario 4: Replay Attack with Captured Traffic
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. Attacker captures verification response โ
โ 2. Attempts to replay response later โ
โ 3. Nonce check fails (expired/different) โ
โ 4. Timestamp check fails (> 5 minutes old) โ
โ 5. Verification rejected โ
โ Result: โ
Replay Detected & Blocked โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ๏ธ Configuration
Configuration Options
from tpm_fingerprint_lib.config import Config
# Create config instance
config = Config()
# Customize settings
config.DEFAULT_PCRS = [0, 1, 2, 3, 7] # PCRs to use
config.FINGERPRINT_VALIDITY_SECONDS = 86400 # 24 hours
config.CHALLENGE_NONCE_SIZE = 32 # 32 bytes
config.MAX_PCR_MISMATCH_ATTEMPTS = 3 # Max failures
config.OFFLINE_MODE = True # No server needed
config.STRICT_MODE = True # Enforce all policies
config.CONSEQUENCES_ENABLED = True # Auto-enforcement
config.ENABLE_AUDIT_LOGGING = True # TPM-sealed logs
config.NONCE_LIFETIME_SECONDS = 300 # 5 minutes
# Use with OfflineVerifier
verifier = OfflineVerifier(config=config)
Environment Variables
# TPM Configuration
export TPM_PCRS="0,1,2,3,7"
export TPM_DEVICE_PATH="/dev/tpm0"
# Fingerprint Settings
export FINGERPRINT_VALIDITY_SECONDS=86400
export MAX_PCR_MISMATCH_ATTEMPTS=3
# Security Settings
export OFFLINE_MODE=true
export STRICT_MODE=true
export CONSEQUENCES_ENABLED=true
# Paths
export TPM_STORAGE_PATH="$HOME/.tpm_fingerprint"
export AUDIT_LOG_PATH="$HOME/.tpm_fingerprint/audit.log"
# Logging
export LOG_LEVEL=INFO
export ENABLE_AUDIT_LOGGING=true
Load from Environment
from tpm_fingerprint_lib.config import Config
# Automatically load from environment variables
config = Config.from_env()
# Override specific settings
config.STRICT_MODE = False
config.MAX_PCR_MISMATCH_ATTEMPTS = 5
Configuration Presets
# Development preset (lenient)
config_dev = Config()
config_dev.STRICT_MODE = False
config_dev.MAX_PCR_MISMATCH_ATTEMPTS = 10
config_dev.FINGERPRINT_VALIDITY_SECONDS = None # No expiry
config_dev.CONSEQUENCES_ENABLED = False
# Production preset (strict)
config_prod = Config()
config_prod.STRICT_MODE = True
config_prod.MAX_PCR_MISMATCH_ATTEMPTS = 3
config_prod.FINGERPRINT_VALIDITY_SECONDS = 86400
config_prod.CONSEQUENCES_ENABLED = True
config_prod.AUTO_REVOKE_CREDENTIALS = True
config_prod.AUTO_LOCKDOWN_VAULT = True
config_prod.FORCE_REENROLLMENT = True
# High-security preset (paranoid)
config_hisec = Config()
config_hisec.STRICT_MODE = True
config_hisec.MAX_PCR_MISMATCH_ATTEMPTS = 1
config_hisec.FINGERPRINT_VALIDITY_SECONDS = 3600 # 1 hour
config_hisec.REQUIRE_SECURE_BOOT = True
config_hisec.SEAL_AUDIT_LOGS = True
config_hisec.DEFAULT_PCRS = [0, 1, 2, 3, 4, 5, 7, 8, 9] # More PCRs
๐ Integration
With device-fingerprinting-pro
# Install device-fingerprinting-pro
pip install devicefingerprintingpro
# Library automatically detects and uses it
from tpm_fingerprint_lib import FingerprintEngine
engine = FingerprintEngine()
fingerprint = engine.generate_fingerprint()
# Enhanced device attributes collected automatically:
# - Advanced CPU features
# - GPU information
# - Peripheral devices
# - Network interfaces
# - Storage devices with serial numbers
With pqcdualusb
# Install post-quantum crypto library
pip install pqcdualusb
# Enable post-quantum signatures in config
config = Config()
config.ENABLE_POST_QUANTUM = True # Future feature
# TPM signatures enhanced with PQ algorithms
REST API Integration
from flask import Flask, jsonify, request
from tpm_fingerprint_lib import OfflineVerifier
app = Flask(__name__)
verifier = OfflineVerifier()
@app.route('/api/enroll', methods=['POST'])
def enroll():
data = request.json
device_id = data.get('device_id')
metadata = data.get('metadata', {})
fingerprint = verifier.enroll_device(device_id, metadata)
return jsonify({
'status': 'success',
'device_id': fingerprint.device_id,
'tpm_bound': fingerprint.tpm_bound
})
@app.route('/api/verify/<device_id>', methods=['GET'])
def verify(device_id):
result = verifier.verify_device(device_id)
return jsonify({
'status': 'success' if result.is_valid else 'failed',
'is_valid': result.is_valid,
'pcr_match': result.pcr_match,
'violation_type': result.violation_type
})
@app.route('/api/status/<device_id>', methods=['GET'])
def status(device_id):
status = verifier.get_device_status(device_id)
return jsonify(status)
if __name__ == '__main__':
app.run(host='0.0.0.0', port=5000)
Docker Integration
FROM python:3.11-slim
# Install TPM tools
RUN apt-get update && apt-get install -y \
tpm2-tools \
&& rm -rf /var/lib/apt/lists/*
# Install library
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
RUN pip install -e .
# Mount TPM device
# docker run --device=/dev/tpm0:/dev/tpm0 ...
CMD ["python", "examples/basic_usage.py"]
Kubernetes Integration
apiVersion: v1
kind: Pod
metadata:
name: tpm-fingerprint-app
spec:
containers:
- name: app
image: tpm-fingerprint-lib:latest
volumeMounts:
- name: tpm-device
mountPath: /dev/tpm0
securityContext:
privileged: true
volumes:
- name: tpm-device
hostPath:
path: /dev/tpm0
type: CharDevice
๐จ Exception Handling
Exception Hierarchy
TPMFingerprintError (base)
โโโ TPMNotAvailableError # No TPM detected
โโโ PCRMismatchError # PCR values don't match
โโโ FingerprintExpiredError # Time-based expiry
โโโ PolicyViolationError # Policy rule violated
โ โโโ BootStateChangedError # Boot state changed
โ โโโ SecureBootDisabledError # Secure Boot off
โ โโโ FirmwareUpdatedError # Firmware changed
โโโ AttestationFailedError # TPM quote verification failed
โโโ SealingError # TPM sealing failed
โโโ UnsealingError # TPM unsealing failed
โโโ ChallengeResponseError # Challenge-response failed
Exception Handling Examples
from tpm_fingerprint_lib import OfflineVerifier
from tpm_fingerprint_lib.exceptions import (
TPMNotAvailableError,
PCRMismatchError,
PolicyViolationError,
BootStateChangedError,
SecureBootDisabledError,
FingerprintExpiredError
)
verifier = OfflineVerifier()
try:
result = verifier.verify_device("device-001")
print(f"โ Verification successful")
except BootStateChangedError as e:
print(f"โ Boot state changed - re-enrollment required")
# Firmware/BIOS was updated
new_fp = verifier.enroll_device("device-001")
except SecureBootDisabledError as e:
print(f"๐จ SECURITY ALERT: Secure Boot disabled!")
# Immediate lockdown triggered automatically
# Manual investigation required
except PCRMismatchError as e:
print(f"โ PCR mismatch: {e}")
# Hardware or firmware changed
print(f" Changed PCRs: {e.changed_pcrs}")
except FingerprintExpiredError as e:
print(f"โฐ Fingerprint expired - time limit reached")
# Re-validate or re-enroll
except PolicyViolationError as e:
print(f"โ Policy violation: {e.violation_type}")
print(f" Consequences enforced: {e.actions_taken}")
# Check what was locked/revoked
except TPMNotAvailableError as e:
print(f"โ TPM not available: {e}")
# Fallback to software simulation or deny access
except Exception as e:
print(f"โ Unexpected error: {e}")
# Log and investigate
๐ Monitoring & Observability
Status Dashboard
from tpm_fingerprint_lib import OfflineVerifier
verifier = OfflineVerifier()
# Get comprehensive device status
status = verifier.get_device_status("device-001")
print("=== Device Status ===")
print(f"Device ID: {status['device_id']}")
print(f"Fingerprint Valid: {status['fingerprint_status']['is_valid']}")
print(f"TPM Bound: {status['fingerprint_status']['tpm_bound']}")
print(f"Created: {status['fingerprint_status']['created_at']}")
print(f"Expires: {status['fingerprint_status']['expires_at']}")
print("\n=== Policy Status ===")
print(f"Policy Active: {status['policy_status']['is_active']}")
print(f"PCR Match: {status['policy_status']['pcr_match']}")
print(f"Mismatch Attempts: {status['policy_status']['mismatch_attempts']}")
print("\n=== Protected Resources ===")
print(f"Credentials: {len(status['consequence_status']['credentials'])}")
for cred in status['consequence_status']['credentials']:
print(f" - {cred['id']}: {cred['status']}")
print(f"Vaults: {len(status['consequence_status']['vaults'])}")
for vault in status['consequence_status']['vaults']:
print(f" - {vault['name']}: {'๐ Locked' if vault['is_locked'] else '๐ Open'}")
print("\n=== Recent Activity ===")
print(f"Last Verification: {status['last_verification']}")
print(f"Verification Count: {status['verification_count']}")
print(f"Recent Attestations: {len(status['recent_attestations'])}")
Audit Log Analysis
from tpm_fingerprint_lib.audit_logger import AuditLogger
from datetime import datetime, timedelta
logger = AuditLogger()
# Get statistics
stats = logger.get_statistics()
print(f"Total events: {stats['total_events']}")
print(f"Events by type: {stats['by_type']}")
print(f"Last 24 hours: {stats['last_24h']}")
print(f"Last 7 days: {stats['last_7d']}")
# Get policy violations
violations = logger.get_events(
event_type="POLICY_VIOLATION",
start_time=datetime.now() - timedelta(days=7)
)
print(f"\nPolicy Violations (Last 7 days): {len(violations)}")
for event in violations:
print(f" {event['timestamp']}: {event['details']['violation_type']}")
# Verify audit chain integrity
verification = logger.verify_log_chain()
if verification['verified']:
print(f"โ Audit chain verified ({verification['total_events']} events)")
else:
print(f"โ AUDIT CHAIN COMPROMISED!")
print(f" Broken at event: {verification['first_broken_index']}")
Metrics Export (Prometheus-style)
from tpm_fingerprint_lib import OfflineVerifier
def export_metrics():
"""Export metrics in Prometheus format"""
verifier = OfflineVerifier()
# Collect metrics
all_devices = verifier.list_devices()
valid_count = sum(1 for d in all_devices if d['is_valid'])
invalid_count = len(all_devices) - valid_count
print("# HELP tpm_fingerprint_devices_total Total enrolled devices")
print("# TYPE tpm_fingerprint_devices_total gauge")
print(f"tpm_fingerprint_devices_total {len(all_devices)}")
print("# HELP tpm_fingerprint_devices_valid Valid fingerprints")
print("# TYPE tpm_fingerprint_devices_valid gauge")
print(f"tpm_fingerprint_devices_valid {valid_count}")
print("# HELP tpm_fingerprint_devices_invalid Invalid fingerprints")
print("# TYPE tpm_fingerprint_devices_invalid gauge")
print(f"tpm_fingerprint_devices_invalid {invalid_count}")
๐ Support & Contributing
Getting Help
- ๐ Documentation: See USAGE_GUIDE.md for detailed examples
- ๐ Bug Reports: Open an issue on GitHub with reproduction steps
- ๐ก Feature Requests: Open an issue describing the use case
- โ Questions: Check existing issues or start a discussion
Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
Areas for Contribution:
- Additional TPM backend support (macOS Secure Enclave, etc.)
- Enhanced device attribute collection
- Post-quantum cryptography integration
- Additional policy templates
- Performance optimizations
- Documentation improvements
- Test coverage expansion
Development Setup
# Clone repository
git clone https://github.com/yourusername/trustcore-tpm.git
cd trustcore-tpm
# Create virtual environment
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Install in development mode
pip install -e .
pip install -r requirements-dev.txt
# Run tests
pytest tests/
# Run linting
flake8 tpm_fingerprint_lib/
mypy tpm_fingerprint_lib/
# Run security checks
bandit -r tpm_fingerprint_lib/
๐ License
This project is licensed under the MIT License - see the LICENSE file for details.
โ๏ธ Patent Notice
This library implements four patent-worthy innovations:
- Cryptographically Enforced Fingerprint Governance - Hardware-attested identity lifecycle control
- TPM-Bound Anti-Cloning Fingerprint - Provable capability requiring live TPM signing
- Fingerprint + Policy + Consequence - Automatic enforcement (not informational)
- TPM + Offline Enforcement - Complete local trust chain without server dependency
See PATENTS.md for detailed patent documentation.
Important: Review patent implications before commercial use.
๐ Citation
If you use this library in academic research, please cite:
@software{trustcore_tpm,
title = {TrustCore-TPM: Hardware-Rooted Device Identity},
author = {Your Name},
year = {2025},
url = {https://github.com/yourusername/trustcore-tpm},
note = {Cryptographically enforced device identity with TPM hardware binding}
}
๐ Acknowledgments
- Trusted Computing Group (TCG) for TPM 2.0 specifications
- cryptography library maintainers for robust crypto primitives
- device-fingerprinting-pro for enhanced device attribute collection
- The open-source community for feedback and contributions
๐ Security Disclosure
Found a security vulnerability? Please do not open a public issue.
Email security concerns to: security@yourdomain.com
We will respond within 48 hours and work with you on coordinated disclosure.
๐ Project Status
- โ Production Ready: All cryptographic operations use industry-standard implementations
- โ Actively Maintained: Regular updates and security patches
- โ Well Documented: Comprehensive guides and examples
- โ Tested: Extensive test coverage and verification
- โ Cross-Platform: Windows, Linux support with fallback mode
See PRODUCTION_VERIFICATION.md for detailed readiness report.
Built with security, innovation, and hardware trust at its core.
โญ Star us on GitHub | ๐ฆ Follow for updates | ๐ฌ Join the discussion
GitHub โข Documentation โข Examples
๐๏ธ System Architecture
High-Level Component Architecture
graph TB
subgraph "Application Layer"
APP[Your Application]
end
subgraph "Library API Layer"
OV[OfflineVerifier<br/>Orchestration Layer]
end
subgraph "Core Engine Layer"
FE[FingerprintEngine<br/>Identity Generation]
PE[PolicyEngine<br/>Governance & Rules]
CH[ConsequenceHandler<br/>Enforcement]
AL[AuditLogger<br/>Tamper-Evident Logs]
end
subgraph "TPM Abstraction Layer"
TPM[TPM Operations<br/>Crypto & Attestation]
end
subgraph "Hardware Layer"
HW[TPM 2.0 Chip<br/>Hardware Trust Anchor]
end
subgraph "Storage Layer"
FS[File System<br/>Sealed Data Storage]
end
APP --> OV
OV --> FE
OV --> PE
OV --> CH
OV --> AL
FE --> TPM
PE --> TPM
CH --> TPM
AL --> TPM
TPM --> HW
FE --> FS
PE --> FS
CH --> FS
AL --> FS
style HW fill:#e74c3c,stroke:#c0392b,stroke-width:3px,color:#fff
style TPM fill:#3498db,stroke:#2980b9,stroke-width:2px,color:#fff
style OV fill:#2ecc71,stroke:#27ae60,stroke-width:2px,color:#fff
Data Flow Architecture
sequenceDiagram
participant App as Application
participant OV as OfflineVerifier
participant FE as FingerprintEngine
participant TPM as TPM Operations
participant HW as TPM 2.0 Hardware
participant PE as PolicyEngine
participant CH as ConsequenceHandler
Note over App,CH: Device Enrollment Flow
App->>OV: enroll_device("device-001")
OV->>FE: generate_fingerprint()
FE->>TPM: read_pcrs([0,1,2,3,7])
TPM->>HW: Read PCR values
HW-->>TPM: PCR values
TPM-->>FE: PCR data
FE->>TPM: get_tpm_quote()
TPM->>HW: Generate attestation quote
HW-->>TPM: Signed quote
TPM-->>FE: TPM quote + signature
FE->>TPM: seal_data(fingerprint)
TPM->>HW: Seal to PCR state
HW-->>TPM: Sealed blob
TPM-->>FE: Sealed fingerprint
FE-->>OV: DeviceFingerprint
OV->>PE: create_policy()
PE-->>OV: Policy
OV-->>App: Enrollment complete
Note over App,CH: Verification Flow with Violation
App->>OV: verify_device("device-001")
OV->>FE: load_fingerprint()
FE->>TPM: unseal_data()
TPM->>HW: Unseal with current PCRs
Note over HW: PCR mismatch detected!
HW-->>TPM: Error: PCR mismatch
TPM-->>FE: UnsealError
FE-->>OV: FingerprintInvalid
OV->>PE: validate_fingerprint()
PE-->>OV: PolicyViolation: PCR_MISMATCH
OV->>CH: enforce_consequences()
CH->>CH: revoke_credentials()
CH->>CH: lock_vaults()
CH->>CH: invalidate_tokens()
CH-->>OV: Consequences enforced
OV-->>App: PolicyViolationError
Component Interaction Matrix
โโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโ
โ Component โ Fingerprint โ Policy โ Consequence โ Audit โ TPM Ops โ
โ โ Engine โ Engine โ Handler โ Logger โ โ
โโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโค
โ FingerprintEngineโ - โ Validates โ - โ Logs to โ Read PCRs โ
โ โ โ against โ โ โ Seal data โ
โ โ โ โ โ โ Get quote โ
โโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโค
โ PolicyEngine โ Loads FP โ - โ Triggers โ Logs to โ Read PCRs โ
โ โ Validates FPโ โ on violationโ โ โ
โโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโค
โConsequenceHandlerโ Binds to FP โ Triggered โ - โ Logs to โ Seal creds โ
โ โ โ by โ โ โ โ
โโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโค
โ AuditLogger โ Logs FP ops โ Logs policy โ Logs enforceโ - โ Seal logs โ
โ โ โ events โ events โ โ Chain verifyโ
โโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโค
โ TPM Operations โ Provides to โ Provides to โ Provides to โ Provides to โ - โ
โ โ all layers โ all layers โ all layers โ all layers โ โ
โโโโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโ
Trust Chain Architecture
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Hardware Root of Trust โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
v
โโโโโโโโโโโโโโโโโโ
โ TPM 2.0 Chip โ โโโ Endorsement Key (EK)
โ (Hardware) โ โโโ Storage Root Key (SRK)
โโโโโโโโโโฌโโโโโโโโ
โ
โโโโโโโโโโโโดโโโโโโโโโโโ
โ โ
v v
โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ
โ Platform PCRs โ โ TPM Attestation โ
โ (0,1,2,3,7) โ โ Identity Key โ
โโโโโโโโโโฌโโโโโโโโโ โโโโโโโโโโฌโโโโโโโโโ
โ โ
โโโโโโโโโโโโฌโโโโโโโโโโโ
โ
v
โโโโโโโโโโโโโโโโโโโโโโ
โ Sealed Fingerprintโ
โ (Bound to PCRs) โ
โโโโโโโโโโฌโโโโโโโโโโโโ
โ
โโโโโโโโโโโโโโโผโโโโโโโโโโโโโโ
โ โ โ
v v v
โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ
โ Policy โ โCredentialsโ โAudit Logs โ
โ Rules โ โ(Sealed) โ โ(Chained) โ
โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ
โ โ โ
โโโโโโโโโโโโโโโผโโโโโโโโโโโโโโ
โ
v
โโโโโโโโโโโโโโโโโโโโโโโโ
โ Application Trust โ
โ (Derived from TPM) โ
โโโโโโโโโโโโโโโโโโโโโโโโ
Cryptographic Operations Flow
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Fingerprint Generation โ
โโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโบ 1. Read PCR Values (0,1,2,3,7) from TPM
โ โโโบ SHA-256 hash values from hardware registers
โ
โโโบ 2. Collect Device Attributes
โ โโโบ CPU ID, MAC addresses, disk serial, etc.
โ
โโโบ 3. Generate TPM Quote (Attestation)
โ โโโบ TPM signs: HMAC-SHA256(PCRs || timestamp || nonce)
โ
โโโบ 4. Create Fingerprint ID
โ โโโบ HMAC-SHA256(components || tpm_quote_signature)
โ
โโโบ 5. Seal Fingerprint to TPM
โ โโโบ Key = KDF-SHA256(PCR_values)
โ โโโบ Encrypt with AES-256-GCM(key, fingerprint_data)
โ โโโบ Store: nonce(96-bit) || ciphertext || auth_tag
โ
โโโบ 6. Store Sealed Blob
โโโบ File system with PCR binding metadata
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Verification Flow โ
โโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโบ 1. Read Current PCR Values
โ โโโบ Query TPM hardware for current state
โ
โโโบ 2. Attempt Unseal
โ โโโบ Derive key from current PCRs
โ โโโบ Try AES-256-GCM decrypt
โ โโโบ If PCRs changed: decryption fails โ
โ โโโบ If PCRs match: fingerprint unsealed โ
โ
โโโบ 3. Challenge-Response (Anti-Replay)
โ โโโบ Generate nonce(32-byte)
โ โโโบ TPM signs: HMAC-SHA256(nonce || PCRs || timestamp)
โ โโโบ Verify signature with PCR-derived key
โ โโโบ Check timestamp freshness (< 5 minutes)
โ
โโโบ 4. Policy Validation
โ โโโบ Compare PCR baseline vs current
โ โโโบ Check boot state changes
โ โโโบ Validate expiry conditions
โ
โโโบ 5. Result
โโโบ VALID: Access granted
โโโบ INVALID: Trigger consequences
โโโบ Revoke credentials
โโโบ Lock vaults
โโโบ Invalidate tokens
โโโบ Seal audit log event to TPM
Storage Architecture
~/.tpm_fingerprint/
โ
โโโ fingerprints/ # TPM-sealed device fingerprints
โ โโโ device-001.json # Sealed blob + metadata
โ โ {
โ โ "sealed_data": "base64(nonce||ciphertext||tag)",
โ โ "pcr_indices": [0,1,2,3,7],
โ โ "pcr_values": {"0": "abc...", "1": "def...", ...},
โ โ "timestamp": "2025-12-21T10:30:00",
โ โ "algorithm": "AES-256-GCM"
โ โ }
โ โโโ device-002.json
โ
โโโ policies/ # Policy definitions
โ โโโ policy-001.json # Policy rules + PCR baselines
โ โ {
โ โ "policy_id": "pol_abc123",
โ โ "name": "Strict Policy",
โ โ "pcr_baseline": {"0": "abc...", "1": "def...", ...},
โ โ "auto_expire_on_boot_change": true,
โ โ "require_secure_boot": true,
โ โ "max_mismatch_attempts": 3,
โ โ "actions": ["REVOKE_CREDENTIALS", "LOCK_VAULT"]
โ โ }
โ โโโ policy-002.json
โ
โโโ sealed/ # TPM-sealed sensitive data
โ โโโ credentials.json # Sealed credentials
โ โ {
โ โ "cred_001": {
โ โ "sealed_data": "base64(...)",
โ โ "fingerprint_id": "fp_abc123",
โ โ "status": "active|revoked"
โ โ }
โ โ }
โ โโโ vaults.json # Sealed vault states
โ
โโโ audit.log # Tamper-evident audit chain
[
{
"event_id": "evt_001",
"timestamp": "2025-12-21T10:30:00",
"event_type": "FINGERPRINT_GENERATED",
"details": {...},
"log_hash": "HMAC-SHA256(prev_hash, event_data)",
"sealed_to_pcrs": [0,1,2,3,7]
},
...
]
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
tpm_fingerprint_lib-1.0.0.tar.gz
(114.9 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tpm_fingerprint_lib-1.0.0.tar.gz.
File metadata
- Download URL: tpm_fingerprint_lib-1.0.0.tar.gz
- Upload date:
- Size: 114.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9029adae5fed5e4054b2559ab02daea9083279fe4ccbb050d17458cfc516b904
|
|
| MD5 |
d12d084850267192d9e934ce21d98b1d
|
|
| BLAKE2b-256 |
38440d459085e1db59712b0d9555690506bed961b6e38a7a338e70cfc95c9f74
|
File details
Details for the file tpm_fingerprint_lib-1.0.0-py3-none-any.whl.
File metadata
- Download URL: tpm_fingerprint_lib-1.0.0-py3-none-any.whl
- Upload date:
- Size: 57.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8e13616b009e8d0e64a6310b36fc77c538bb55ca1b18f9c413f89bd45839913a
|
|
| MD5 |
8cf9cb216062caa52e4782905919b7a0
|
|
| BLAKE2b-256 |
8510b6712f35f5c165c2fc4f063e180432606ce99d509f29534d04c2502e66c8
|
