Abstract To achieve more powerful task processing capabilities, the smart embedded systems (SES) are interconnected via wireless network to form a collaboration system. However, due to the limitations on system hardware, the SES device are usually built with the consideration of software functions instead of enough security mechanisms, that exposes the SESs under the security threats from malware or malicious users, such as software or data tampering. To address this issue, a Trusted Platform Module (TPM) is brought in the SES device to guarantee the integrity of the system, with which any unauthorized modifications towards the SES system can be detected by measurement operations of TPM. However, from the perspective of the external visitors, a SES collaboration network performs as a complete system. Thus, to unify the root-of-trust of the network, all the TPMs need to be integrated into a logical one, which can provide more efficient way to attest the external visitors. This brings two distinct advantages: (1) any nodes of the network can be the access node for the visitor, and (2) once a visitor has been successfully attested, it can access the network via any nodes without extra attestation. To achieve TPM integration, we have proposed five protocols to orchestrate the distributed TPMs, including Synchronization Protocol (SYNP), Node Accessing Protocol (NAP), Crossing-Node Access Protocol (CNAP), Updating Protocol (UPDP) and Node-Removing Protocol (NRP). We have built a prototype system composed of Raspberry Pis and Infineon TPM2.0 chips, in which these protocols are implemented and deployed. Then, we evaluate the protocols’ performance on time consumption, and the results show the feasibility and availability of these protocols. Finally, our analysis on experimental results gives the guidance for appropriate use of these protocols.

中文翻译：

---

面向基于智能嵌入式系统的协作网络的安全 TPM 集成方案

摘要 为了实现更强大的任务处理能力，智能嵌入式系统（SES）通过无线网络相互连接，形成协作系统。然而，由于系统硬件的限制，SES设备的构建通常是出于对软件功能的考虑，而不是足够的安全机制，这将SES暴露在来自恶意软件或恶意用户的安全威胁下，例如软件或数据篡改。为了解决这个问题，在 SES 设备中引入了可信平台模块 (TPM) 以保证系统的完整性，通过 TPM 的测量操作可以检测到对 SES 系统的任何未经授权的修改。但是，从外部访问者的角度来看，SES 协作网络是一个完整的系统。因此，为了统一网络的信任根，所有 TPM 都需要集成到一个逻辑中，这样可以提供更有效的方式来证明外部访问者。这带来了两个明显的优势：（1）网络的任何节点都可以成为访问者的访问节点；（2）一旦访问者被成功认证，它就可以通过任何节点访问网络，无需额外的认证。为了实现 TPM 集成，我们提出了五种协议来编排分布式 TPM，包括同步协议（SYNP）、节点访问协议（NAP）、跨节点访问协议（CNAP）、更新协议（UPDP）和节点删除协议（ NRP）。我们构建了一个由树莓派和英飞凌 TPM2.0 芯片组成的原型系统，其中实现并部署了这些协议。然后，我们评估协议在时间消耗上的表现，结果表明这些协议的可行性和可用性。最后，我们对实验结果的分析为适当使用这些协议提供了指导。