IEC 11889-2-16: Trusted Platform Module Library – Part 2: Structures – Technical Overview

Core Data Structures and Compliance Essentials for TPM 2.0 Implementations

Scope and Context

The standard IEC 11889-2-16 (formally adopted in Canada as CAN/CSA-ISO/IEC 11889-2-16) constitutes Part 2 of the multipart Trusted Platform Module (TPM) library specification. This document is technically equivalent to ISO/IEC 11889-2:2016 and defines all data structures, constants, unions, and enumerations used throughout the TPM 2.0 ecosystem. It provides the foundational type system that enables interoperability between TPM firmware, kernel drivers, and application software across different vendors and platforms.

The standard is essential for anyone developing TPM 2.0-compliant software stacks, embedded firmware, or security applications that interact with a discrete TPM, firmware TPM (fTPM), or virtual TPM. By specifying structures such as handles, key blobs, authorization packets, and command buffers, IEC 11889-2-16 ensures a common language for all TPM communications.

Technical Requirements

Core Data Structures

The standard defines over 300 distinct types, including structures (TPMS_*), unions (TPMU_*), and sized buffers (TPM2B_*). Each structure is explicitly tagged with a TPM_ST_* identifier to allow runtime type checking. The structures are grouped into categories:

| Structure Category | Example Types | Function |
|---|---|---|
| Handle & Resource Types | TPM_HANDLE, TPM_RH_OWNER | Identify persistent objects, sessions, and hierarchy roots |
| Key & Data Blobs | TPM2B_PUBLIC, TPM2B_PRIVATE | Represent public/private key pairs, seeds, and sensitive data |
| Algorithm Identifiers | TPM_ALG_ID, TPM_ECC_CURVE | Designate cryptographic algorithms, hash functions, and elliptic curves |
| Authorization | TPMS_AUTH_COMMAND, TPMS_AUTH_RESPONSE | Carry session handles, nonces, and HMACs for proof of authorization |
| Capability Reporting | TPMS_CAPABILITY_DATA | Return TPM properties, algorithm sets, and command attributes |
| Command Header | TPM2_CMD_HEADER | Wrap each command with tag, size, and code |

Implementation Tip: When coding in C, use the TPM2B_* structures with explicit size fields to prevent buffer overflows. Always assume little-endian byte order for all multi-byte integers, and rely on the provided TPM2B_MAX_BUFFER constants for static allocation.

Marshaling and Serialization

All exchanges with a TPM are serialized into a byte stream. IEC 11889-2-16 specifies the exact marshaling order for every structure: fields appear in a fixed sequence, and variable-length buffers are preceded by their size in bytes (inclusive). The standard defines the concept of “packed” alignment—no padding bytes are permitted between fields—ensuring deterministic binary layouts. This is critical for the TPM to parse commands correctly without ambiguity.

Common Pitfall: Some structures contain optional fields conditional on a selector (e.g., TPMT_SYM_DEF_OBJECT). Implementers must include the union selector (tag) and then only the fields corresponding to that tag. Misordering or including extra fields will cause desynchronization errors.

Implementation Highlights

Naming Conventions and Modularity

IEC 11889-2-16 follows a systematic naming scheme:

  • TPM_ prefix for constant and alias definitions.
  • TPMS_ for structures, TPMU_ for unions, TPMI_ for interface (abstraction) types.
  • TPM2B_ for sized buffers where the size is stored in a leading UINT16.
  • TPMT_ for tagged types that embed a type selector.

These conventions help developers quickly identify the semantics of any identifier and reduce the learning curve across the TPM library.

Positive Practice: Encapsulate TPM structure manipulation in a dedicated library layer. This isolates platform-specific size checks and endian conversion, making it easier to pass conformance testing.

Endianness and Alignment

The standard mandates little-endian byte ordering for all integer types (including handles, command codes, and sizes). This is aligned with common x86 architectures but requires conversion on big-endian systems. Additionally, all structures are packed with no implicit padding. Implementation code should use compiler-specific packing instructions (e.g., __attribute__((packed)) in GCC) or explicit byte-by-byte assembly to guarantee alignment.

Compliance Notes

To claim compliance with IEC 11889-2-16 (or its Canadian adoption CAN/CSA-ISO/IEC 11889-2-16), an implementation must pass the following checks:

  • Structural correctness: Every TPM structure must exactly match the bit-level layout defined in the standard.
  • Serialization fidelity: The marshaling and unmarshaling routines must produce and consume the canonical byte stream without any deviation.
  • Tag validation: All tagged unions must be handled with strict switch logic; unrecognized tags must be rejected.
  • Boundary checks: Size fields in TPM2B structures must never exceed the declared maximum.
  • Endian handling: All multi-byte fields must be properly converted for the host platform while communicating with the TPM.

Security Critical: A malformed structure can lead to type confusion, buffer overflows, or authorization bypass. Always validate every incoming TPM response before using its contents. Use the test suites provided by the TCG to verify structural compliance.
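
A bounded unmarshaling routine for the tag-validation and boundary checks listed above, which also covers the selector pitfall described under Marshaling and Serialization. This is an added example, not code from the standard or the TCG. The cursor type, the function names and the two-field message layout are hypothetical; integers are read in the single helper rd_u16, which assumes the big-endian wire order of the TCG TPM 2.0 library, and a TPM2B size is assumed to count payload bytes only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TPM_ALG_AES  0x0006  /* selector values, TCG algorithm registry */
#define TPM_ALG_NULL 0x0010
typedef struct { const uint8_t *p; size_t left; } cursor_t;
typedef struct { uint16_t algorithm, key_bits, mode; } sym_def_object_t;

/* Only place byte order is decided. Assumption: MSB first on the wire. */
static int rd_u16(cursor_t *c, uint16_t *out) {
    if (c->left < 2) return -1;               /* truncated stream */
    *out = (uint16_t)((c->p[0] << 8) | c->p[1]);
    c->p += 2; c->left -= 2;
    return 0;
}

/* TPM2B_*: UINT16 size, then exactly that many bytes.
 * Assumption: size counts the payload only, not the size field itself. */
static int rd_tpm2b(cursor_t *c, uint8_t *dst, size_t max, uint16_t *n) {
    if (rd_u16(c, n)) return -1;
    if (*n > max || *n > c->left) return -1;  /* over max, or past end */
    memcpy(dst, c->p, *n);
    c->p += *n; c->left -= *n;
    return 0;
}

/* TPMT_SYM_DEF_OBJECT: the selector decides which fields follow it. */
static int rd_sym_def_object(cursor_t *c, sym_def_object_t *s) {
    memset(s, 0, sizeof *s);
    if (rd_u16(c, &s->algorithm)) return -1;
    switch (s->algorithm) {
    case TPM_ALG_AES:                         /* keyBits, then mode */
        return (rd_u16(c, &s->key_bits) || rd_u16(c, &s->mode)) ? -1 : 0;
    case TPM_ALG_NULL:                        /* no further fields */
        return 0;
    default:             /* not AES or NULL in this example: reject */
        return -1;
    }
}

/* Hypothetical message: TPMT_SYM_DEF_OBJECT followed by one TPM2B.
 * Bytes left over after the last field mean the stream desynchronized. */
int parse_message(const uint8_t *buf, size_t len, sym_def_object_t *s,
                  uint8_t *dst, size_t max, uint16_t *n) {
    cursor_t c = { buf, len };
    if (rd_sym_def_object(&c, s) || rd_tpm2b(&c, dst, max, n)) return -1;
    return c.left == 0 ? 0 : -1;
}
```

A stream that sends keyBits and mode after a TPM_ALG_NULL selector is rejected here because the stray bytes are read as an oversized TPM2B length, which is how the desynchronization shows up in practice.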

Products that successfully implement IEC 11889-2-16 are eligible for TPM 2.0 certification through the Trusted Computing Group (TCG) program. This certification ensures that the TPM stack interoperates with other compliant hardware and software.

FAQs

Q: What is the relationship between IEC 11889-2-16 and the TCG TPM 2.0 specification?
A: IEC 11889-2-16 (and CAN/CSA-ISO/IEC 11889-2-16) is an international adoption of the TCG’s TPM 2.0 Library Part 2. It is technically identical and carries the same requirements, making it the ISO/IEC and CSA version of the same open standard.

Q: Do I need to implement all structures defined in this part?
A: Yes, for full compliance. However, some structures are only used by certain TPM commands. A TPM implementation may omit commands, but the underlying types must still be correctly defined if any command that uses them is included. Stub structures must match the standard’s layout even if not fully implemented.

Q: How does this standard differ from the older ISO/IEC 11889-2:2009?
A: The 2016 revision (ISO/IEC 11889-2:2016, adopted as IEC 11889-2-16) aligns with TPM 2.0, which is a complete redesign from TPM 1.2 (2009). The data structures are entirely new, supporting modern algorithms (ECC, AES-128/256, SHA-256/384) and enhanced authorization policies.

Q: Is compliance with this standard mandatory for TPM certification?
A: Yes. All TPM 2.0 implementations must conform to the structure definitions and marshaling rules in IEC 11889-2-16 as a precondition for TCG certification. Non-compliant structure handling will result in certification failure.

Published in 2026
