FlexTPM Technical Overview

Driver Architecture

FlexTPM implements a TPM 2.0 device through the Windows driver stack. The driver registers via Plug and Play, surfaces through TBS (TPM Base Services), and handles the full TPM 2.0 command interface. Windows, applications, and system services interact with FlexTPM through the same interfaces they use for hardware TPM devices.

The driver handles command dispatch, response construction, session management, and state persistence. All cryptographic operations (RSA key generation, HMAC computation, SHA-256 hashing) are performed using the Windows BCrypt API, the same cryptographic subsystem the OS kernel uses internally.

Signing and Trust Chain

FlexTPM is production-signed through Microsoft's driver signing infrastructure. The signing certificate chains to a Microsoft root CA, which means Windows recognizes the driver as publisher-verified. The signature can be independently verified through the standard Windows Authenticode verification path (signtool verify /pa).

The driver binary is timestamped via RFC 3161 to ensure signature validity beyond the certificate lifetime. The installer is separately signed with the same publisher identity.

TPM 2.0 Command Coverage

FlexTPM implements the TPM 2.0 command set as defined in the TCG TPM Library Specification. The implementation covers 276 individual commands across 9 validation categories, including:

• Key hierarchy operations (CreatePrimary, Create, Load, EvictControl)
• Cryptographic operations (Sign, VerifySignature, RSA Encrypt/Decrypt, HMAC)
• Attestation operations (Quote, Certify, CertifyCreation, GetSessionAuditDigest)
• Session management (StartAuthSession, PolicyPCR, PolicySecret, PolicyCommandCode)
• PCR operations (PCR_Read, PCR_Extend with SHA-1 and SHA-256 banks)
• NV storage (NV_DefineSpace, NV_Write, NV_Read, NV_Increment)
• Platform operations (Startup, Shutdown, Clear, HierarchyChangeAuth, ReadClock)

Attestation Surface

The driver provisions a complete attestation environment on first boot. This includes owner hierarchy establishment, endorsement key generation with an X.509 certificate at the TCG-standard NV index, and a TCG event log (WBCL) with proper Spec ID header, platform measurements, separator events, and boot boundary markers.

Windows provisioning (TpmCoreProvisioning) completes successfully with zero IsReadyInformation flags. The resulting attestation state satisfies tpmtool getdeviceinformation reporting Ready For Attestation: True, and Windows Security displaying Attestation: Ready in the Device Security panel.

State Persistence

TPM state (hierarchy auth values, persistent objects, NV indices, clock counters, PCR snapshots) is encrypted and persisted to disk. The encryption key is derived from machine-specific hardware identifiers, binding TPM state to the physical system. This prevents offline extraction of TPM state from disk images or migration between machines.

Compliance Validation

FlexTPM passes all 9 TPM 2.0 compliance validation categories. The full compliance results, including per-command pass/fail status and assertion verification counts, are published in the compliance report.

Platform Compatibility

FlexTPM is compatible with any x86-64 Windows system that does not have a functioning hardware TPM 2.0. This includes Boot Camp Macs (Intel), older PCs without TPM 2.0 support, custom builds with disabled or absent firmware TPM, and virtual machines without TPM passthrough. The driver installs through standard PnP infrastructure and requires a single reboot to initialize.