The TPM Base Services feature is divided into four functional areas:
To ensure that different entities cannot access each other's resources, each command submitted to the TBS is associated with a specific entity. This is accomplished by creating one or more contexts for an entity, which are then associated with each subsequent command submitted by that entity. Each command includes a context object, which allows the TBS to execute TPM commands under the appropriate context.
An entity creates the context before it first accesses the TBS and maintains the context until it is finished performing TBS accesses. For example, in the case of a TSS, the TCG core services (TCS) feature of the TSS would create a TBS context when it starts up, and it would keep that context active until it shuts down.
The TBS restricts access to the TBS API to the Administrators, NT AUTHORITY\LocalService, and NT AUTHORITY\NetworkService accounts. By default, these accounts are the only ones that can connect to TBS and create contexts. Access restrictions can be modified by creating a registry key Access with a string (REG_SZ) registry value name SecurityDescriptor under it as follows:
HKEY_LOCAL_MACHINE Software Microsoft TPM Access SecurityDescriptor = SecurityDescriptor
By default, the maximum number of contexts supported by the TBS is 25. This number can be altered by creating or modifying a DWORD registry value named MaxContexts under HKEY_LOCAL_MACHINE\Software\Microsoft\Tpm. Real-time TBS context usage can be observed by using the performance monitor tool to track the number of TBS contexts.