Driver Architecture

FlexTPM implements a TPM 2.0 device through the Windows driver stack. The driver registers through Plug and Play, surfaces through TBS, and handles the TPM 2.0 command interface used by Windows, applications, and system services.

The driver handles command dispatch, response construction, session management, and state persistence. Cryptographic operations such as RSA key generation, HMAC computation, and SHA-256 hashing use the Windows BCrypt API.

Signing and Trust Chain

FlexTPM is production-signed through Microsoft's driver signing infrastructure. The signing certificate chains to a Microsoft root CA, so Windows recognizes the driver through the standard publisher verification path.

The driver binary is timestamped via RFC 3161, so the signature remains valid beyond the signing certificate's lifetime. The installer is signed separately with the same publisher identity.
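
The signing properties described above can be checked on an installed system. The following PowerShell is an added example, not part of FlexTPM or its documentation; the function names are hypothetical, and the driver and installer paths are supplied by the caller because the page does not name those files.

```powershell
# Added example. Paths are caller-supplied placeholders; the page does not
# name the driver or installer files.
function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    # Status is Valid only if the file hash matches and the signer chains to
    # a trusted root; a valid countersigned timestamp keeps it Valid after
    # the signing certificate itself has expired.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    $chainTop = $null
    if ($sig.SignerCertificate) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline
        # Build() may return $false for an expired signer; the chain elements
        # are still populated, and only the top certificate's name is read.
        [void]$chain.Build($sig.SignerCertificate)
        if ($chain.ChainElements.Count -gt 0) {
            $chainTop = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }
    }

    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status
        Publisher    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        # Last element of the built chain (the root when the chain is complete).
        ChainTop     = $chainTop
        # True for any countersigned timestamp; this property alone does not
        # distinguish RFC 3161 from the legacy Authenticode timestamp format.
        HasTimestamp = [bool]$sig.TimeStamperCertificate
    }
}

function Compare-PublisherIdentity {
    param([Parameter(Mandatory)][string]$DriverPath,
          [Parameter(Mandatory)][string]$InstallerPath)

    $driver    = Get-SignatureReport -Path $DriverPath
    $installer = Get-SignatureReport -Path $InstallerPath
    [pscustomobject]@{
        Driver        = $driver
        Installer     = $installer
        BothValid     = ($driver.Status -eq 'Valid') -and ($installer.Status -eq 'Valid')
        SamePublisher = [bool]$driver.Publisher -and ($driver.Publisher -eq $installer.Publisher)
    }
}
```

Call `Compare-PublisherIdentity -DriverPath <driver .sys path> -InstallerPath <installer path>` and review `ChainTop`, `HasTimestamp`, and `SamePublisher` against the claims in this section.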

TPM 2.0 Command Coverage

FlexTPM implements the TPM 2.0 command set as defined in the TCG TPM Library Specification. The implementation covers 276 command checks across 9 validation categories, including:

  • Key hierarchy operations such as CreatePrimary, Create, Load, and EvictControl.
  • Cryptographic operations such as Sign, VerifySignature, RSA Encrypt/Decrypt, and HMAC.
  • Attestation operations such as Quote, Certify, CertifyCreation, and GetSessionAuditDigest.
  • Session management, PCR operations, NV storage, and platform lifecycle operations.

Attestation Surface

The driver provisions a complete attestation environment on first boot. This includes owner hierarchy establishment, endorsement key generation, a TCG-standard certificate location, and a Windows-compatible event log.

Windows provisioning completes successfully, and the resulting attestation state reports as ready in Windows security surfaces.

State Persistence

TPM state is encrypted and persisted to disk. The encryption key is derived from machine-specific hardware identifiers, binding TPM state to the system and preventing migration between machines.

Validation

FlexTPM is validated across TPM 2.0 command paths including hierarchy management, cryptographic operations, attestation, PCR operations, NV storage, sessions, and object lifecycle behavior.

Platform Compatibility

FlexTPM is compatible with x86-64 Windows systems that do not have a functioning hardware TPM 2.0, including Intel Macs, older PCs, custom builds, and virtual machines without TPM passthrough.