Operating SystemsSecure Boot

Secure Boot: Establishing Trust from Power-On

LevelAdvanced

Duration75 mins

TopicSecure Boot

4 / 5

TPM (Trusted Platform Module)

The Silent Witness to Every Boot

Hidden on your motherboard—or increasingly, embedded within your CPU—sits a specialized security chip that observes every step of your system's boot process. This is the Trusted Platform Module (TPM), a cryptographic coprocessor that serves as an unforgeable witness to what actually booted on your system.

Unlike Secure Boot, which prevents unauthorized code from running, the TPM records exactly what ran. It maintains a tamper-evident log that can later be used to prove the system's state—to itself, to disk encryption systems, to corporate security infrastructure, or to cloud attestation services. If Secure Boot is the guard at the gate, the TPM is the security camera that records everyone who passed through.

What You Will Learn

By the end of this page, you will understand TPM architecture comprehensively—Platform Configuration Registers (PCRs), measurement operations, sealing/unsealing secrets, quote and attestation mechanisms. You'll understand how TPM enables disk encryption that only unlocks on unmodified systems, and how remote attestation proves system integrity to external verifiers.

TPM Architecture Overview

The Trusted Platform Module is specified by the Trusted Computing Group (TCG), an industry consortium. The current specification is TPM 2.0, which replaced TPM 1.2 and offers significantly enhanced cryptographic capabilities and flexibility.

Converting Mermaid diagram...

TPM Implementation Types

TPMs come in several physical forms:

Discrete TPM (dTPM)

Separate chip on the motherboard
Connected via LPC, SPI, or I2C bus
Highest isolation—separate silicon
Required by some high-security standards
Examples: Infineon SLB9670, Nuvoton NPCT750

Firmware TPM (fTPM)

Implemented in platform firmware
Runs on the platform security processor (Intel PTT, AMD fTPM)
Uses isolated execution environment
Lower cost, increasingly common
Dependent on security processor integrity

Hypervisor TPM (vTPM)

Virtual TPM for virtual machines
Backed by hypervisor-managed state
State stored in VM configuration
Enables TPM features for VMs

Software TPM (sTPM)

Pure software implementation
For development and testing only
NOT secure—no hardware protection
Examples: IBM's TPM2-software, Microsoft simulator

TPM 1.2 vs TPM 2.0 Comparison
Feature	TPM 1.2	TPM 2.0
Hash Algorithms	SHA-1 only	SHA-1, SHA-256, SHA-384, SHA-512
Asymmetric Crypto	RSA 2048 only	RSA (1024-4096), ECC (P256, BN256+)
Symmetric Crypto	None	AES-128, AES-256
PCR Banks	24 PCRs (SHA-1)	Multiple banks (SHA-1, SHA-256, etc.)
Authorization	Simple HMAC	Enhanced authorization (EA) policies
Key Hierarchy	Single SRK	Multiple hierarchies (Endorsement, Storage, Platform, Null)
Specification Status	Deprecated	Current standard (2019+)

TPM 1.2 Deprecation

TPM 1.2's reliance on SHA-1, which has known collision vulnerabilities, makes it unsuitable for modern security requirements. Windows 11 requires TPM 2.0. New deployments should exclusively use TPM 2.0 devices.

Platform Configuration Registers (PCRs)

Platform Configuration Registers are the heart of TPM measurement functionality. Each PCR is a fixed-size register that accumulates cryptographic measurements—a running record of everything measured into it since the last reset.

The Extend Operation

PCRs cannot be directly written. Instead, they are extended using a cryptographic operation:

PCR_new = Hash(PCR_old || data_to_measure)

This operation is fundamental:

One-Way: Given a PCR value, you cannot determine what was measured (hash pre-image resistance)
Order-Sensitive: Measuring A then B produces different result than B then A
Tamper-Evident: Any modification to measured components changes the final PCR value
Irreversible: You cannot 'undo' a measurement or set PCR to arbitrary value

The only way to reset most PCRs to their initial value is to reboot the system.

pcr_extend.pseudo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# PCR Extend Operation Illustrated
 
# Initial state after boot (TPM 2.0)
PCR[0] = 0x0000...0000  # 32 bytes of zeros for SHA-256
 
# First measurement: BIOS code hash
bios_hash = SHA256(bios_code)
PCR[0] = SHA256(PCR[0] || bios_hash)
# PCR[0] is now: SHA256(0x0000...0000 || bios_hash)
 
# Second measurement: BIOS configuration
config_hash = SHA256(bios_config_data)  
PCR[0] = SHA256(PCR[0] || config_hash)
# PCR[0] is now: SHA256(SHA256(0x0000...0000 || bios_hash) || config_hash)
 
# Each subsequent measurement extends the chain
# Final PCR value uniquely represents the complete measurement sequence
 
# Verification: Given expected measurements
expected_pcr = initial_value
for measurement in [bios_hash, config_hash, ...]:
    expected_pcr = SHA256(expected_pcr || measurement)
 
if actual_pcr == expected_pcr:
    print("Boot sequence matches expected configuration")
else:
    print("Boot sequence differs from expected!")

Standard PCR Allocation

The TCG specification defines standard PCR assignments for platform firmware and operating systems:

TCG Standard PCR Allocation
PCR	Measured By	Content Description
PCR 0	BIOS/UEFI	Core Root of Trust for Measurement (CRTM), POST BIOS, and host platform extensions
PCR 1	BIOS/UEFI	Host platform configuration (BIOS/UEFI settings)
PCR 2	BIOS/UEFI	Option ROM code
PCR 3	BIOS/UEFI	Option ROM configuration and data
PCR 4	BIOS/UEFI	MBR code / Initial Program Loader (IPL) code
PCR 5	BIOS/UEFI	MBR data / IPL configuration and data (including boot device)
PCR 6	BIOS/UEFI	State transitions and wake events
PCR 7	BIOS/UEFI	Secure Boot policy (db, dbx, etc.), manufacturer-specific
PCR 8-15	OS	Defined by operating system (Linux IMA, Windows Boot)
PCR 16	Any	Debug PCR, available for testing
PCR 23	App	Application-specific, commonly used for application state

OS-Specific PCR Usage

Linux PCR Conventions:

PCR 8: GRUB command line and configuration
PCR 9: Boot loader code (GRUB, shim)
PCR 10: Kernel (using IMA)
PCR 11-14: Reserved for IMA

Windows PCR Conventions:

PCR 11: BitLocker sealing
PCR 12-14: Windows-specific boot data

Multiple PCR Banks (TPM 2.0)

TPM 2.0 maintains separate PCR banks for different hash algorithms. Each bank has a complete set of 24 PCRs:

┌──────────────────────────────────────────────────────────────┐
│                     TPM 2.0 PCR Banks                        │
├──────────────────────────────────────────────────────────────┤
│ SHA-1 Bank:   PCR[0..23] (160 bits each) - Legacy compat    │
│ SHA-256 Bank: PCR[0..23] (256 bits each) - Primary use      │
│ SHA-384 Bank: PCR[0..23] (384 bits each) - Optional         │
│ SHA-512 Bank: PCR[0..23] (512 bits each) - Optional         │
└──────────────────────────────────────────────────────────────┘

When firmware extends a measurement, it typically extends the same data into all active PCR banks simultaneously.

PCR Design Philosophy

PCRs are designed around a key insight: cryptographic hashes are one-way and composable. By chaining measurements through repeated hashing, the final PCR value becomes a unique 'fingerprint' of the entire measurement sequence—without storing the full log. This fingerprint can be verified against expected values or used to seal secrets.

TPM Key Hierarchy

The TPM manages cryptographic keys in a hierarchical structure. This hierarchy provides organization, access control, and key derivation capabilities.

Converting Mermaid diagram...

The Four Hierarchies (TPM 2.0)

1. Endorsement Hierarchy

Contains the TPM's identity keys
Endorsement Key (EK) is unique per TPM, certified by manufacturer
Used for attestation and proving TPM genuineness
Authorization: Endorsement password (often empty by default)

2. Storage Hierarchy

Primary hierarchy for user/application keys
Storage Root Key (SRK) is the parent of all user keys
Sealing keys, signing keys, encryption keys derived here
Authorization: Owner password

3. Platform Hierarchy

Controlled by firmware/platform manufacturer
Used for platform-specific functions
Often reset on ownership change
Authorization: Platform password (firmware-controlled)

4. Null Hierarchy

Ephemeral keys for current session only
Lost on TPM reset
No authorization required
Useful for transient cryptographic operations

Endorsement Key (EK) Deep Dive

The EK is the TPM's identity:

Creation:

Derived deterministically from the Endorsement Primary Seed
Same seed always produces same EK
EK cannot be exported—private portion never leaves TPM

Certification:

TPM manufacturer creates an EK certificate during production
Certificate attests that this EK belongs to a genuine TPM
Certificate can be verified against manufacturer's CA
Enables trust in TPM-generated attestations

Privacy Considerations: The EK uniquely identifies the TPM (and thus the machine). Using the EK directly for attestation has privacy implications—the same key identifies the device across all interactions.

Attestation Keys (AK) / AIK: To address privacy, the TPM can create Attestation Keys under the Endorsement hierarchy:

AK signed by EK, proving it's from this TPM
Different AKs for different services
Services see different keys, can't correlate
Privacy-CA protocols enable zero-knowledge attestation

tpm_key_operations.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# TPM 2.0 Key Operations with tpm2-tools
 
# View TPM properties
tpm2_getcap properties-fixed
tpm2_getcap properties-variable
 
# Create primary key in Storage hierarchy (SRK equivalent)
tpm2_createprimary -C o -g sha256 -G rsa2048 -c primary.ctx
# -C o: Owner/Storage hierarchy
# -g sha256: Hash algorithm for key derivation
# -G rsa2048: Key algorithm and size
 
# Create a child key under the primary
tpm2_create -C primary.ctx -g sha256 -G rsa2048     -u child.pub -r child.priv
# -u: Public portion output
# -r: Encrypted private portion output
 
# Load the child key into TPM
tpm2_load -C primary.ctx -u child.pub -r child.priv -c child.ctx
 
# Make the key persistent (survives TPM reset)
tpm2_evictcontrol -C o -c child.ctx 0x81000001
# Key is now at persistent handle 0x81000001
 
# Read the public portion of Endorsement Key
tpm2_createek -G rsa2048 -u ek.pub -c ek.ctx
tpm2_readpublic -c ek.ctx
 
# Create an Attestation Key under EK
tpm2_createak -C ek.ctx -g sha256 -G rsa2048     -u ak.pub -r ak.priv -c ak.ctx -n ak.name

Deterministic Key Derivation

TPM primary keys are derived deterministically from the hierarchy seed using the key creation parameters. The same parameters always produce the same key. This means you can 'recreate' a primary key without having stored it—just run the same creation command. This is crucial for recovery scenarios.

Sealing and Binding Secrets

One of the TPM's most powerful capabilities is sealing—the ability to encrypt data such that it can only be decrypted when the system is in a specific state, as measured by PCR values.

Binding vs. Sealing

Binding encrypts data to a TPM key:

Data can only be decrypted by this specific TPM
No PCR constraints—decryption always works if you have authorization
Use case: Protecting data to a specific device

Sealing encrypts data to a TPM key AND PCR values:

Data can only be decrypted when PCR values match
If any measured component changes, unsealing fails
Use case: Disk encryption that only works on unmodified systems

Converting Mermaid diagram...

BitLocker TPM Integration

Microsoft BitLocker uses TPM sealing extensively:

Seal to PCRs 0, 2, 4, 7, 11 (typical configuration):

PCR 0: Core BIOS code
PCR 2: Option ROM code
PCR 4: Boot loader code (MBR/bootmgr)
PCR 7: Secure Boot policy
PCR 11: BitLocker-specific

Protection Provided:

If BIOS is modified: PCR 0 changes → Cannot decrypt
If bootloader is replaced: PCR 4 changes → Cannot decrypt
If Secure Boot policy changes: PCR 7 changes → Cannot decrypt

BitLocker Key Protectors: BitLocker can have multiple 'protectors' for the encryption key:

TPM only: Automatic unlock if PCRs match
TPM + PIN: PCRs must match AND user enters PIN
TPM + USB key: PCRs must match AND USB key present
Recovery key: Bypass for emergency recovery

Automatic PCR Re-Sealing: When you install a firmware update, PCR values will change. BitLocker handles this by:

Reading the key using current (old) PCR values
Re-sealing to new PCR values after update
This requires administrative access

tpm_seal_unseal.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# Sealing data to PCR values with TPM 2.0
 
# First, create a sealing key
tpm2_createprimary -C o -g sha256 -G rsa2048 -c primary.ctx
 
# View current PCR values
tpm2_pcrread sha256:0,1,7
 
# Create a policy that requires specific PCR values
tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:0,1,7
tpm2_flushcontext session.ctx
 
# Create policy file from current PCR state
tpm2_createpolicy --policy-pcr -l sha256:0,1,7 -f pcr.policy
 
# Create a sealing object with PCR policy
echo "My secret disk encryption key" > secret.txt
tpm2_create -C primary.ctx -g sha256     -u sealed.pub -r sealed.priv     -L pcr.policy -i secret.txt
    
# Load the sealed object
tpm2_load -C primary.ctx -u sealed.pub -r sealed.priv -c sealed.ctx
 
# Unseal the data (only works if PCRs match)
tpm2_startauthsession --policy-session -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:0,1,7
tpm2_unseal -c sealed.ctx -p session:session.ctx -o unsealed.txt
# If PCRs haven't changed: unsealed.txt contains the secret
# If PCRs changed: Error - policy check failed
 
# More complex policy: PCRs AND password
tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:0,1,7
tpm2_policypassword -S session.ctx
tpm2_flushcontext session.ctx

PCR Fragility Trade-off

Sealing to many PCRs increases security but also fragility. A firmware update, BIOS setting change, or boot order modification can change PCRs and lock you out. Enterprise deployments must carefully select PCRs and maintain recovery mechanisms. Sealing only to PCR 7 (Secure Boot policy) is more stable but less comprehensive.

Measured Boot and Event Log

While PCR values tell you whether the system state matches an expected configuration, they don't tell you what actually booted. That's where the Event Log comes in—a detailed record of every measurement extended into the PCRs.

Measured Boot Flow

CRTM (Core Root of Trust for Measurement) extends its own hash into PCR 0
For each subsequent component loaded:
- Compute hash of the component
- Create a TCG Event Log entry describing what's being measured
- Extend the hash into the appropriate PCR
Record continues through firmware, bootloader, and optionally into the OS
Event Log is stored in memory, accessible to OS and attestation services

Event Log Structure (TCG Format)

Each event log entry contains:

┌──────────────────────────────────────────────────────────────┐
│ TCG_PCR_EVENT2 Structure                                     │
├──────────────────────────────────────────────────────────────┤
│ PCRIndex      │ Which PCR was extended (0-23)                │
├───────────────┼──────────────────────────────────────────────┤
│ EventType     │ What kind of measurement (EV_EFI_*, etc.)    │
├───────────────┼──────────────────────────────────────────────┤
│ Digests[]     │ Array of hashes, one per PCR bank           │
├───────────────┼──────────────────────────────────────────────┤
│ EventSize     │ Size of event data                           │
├───────────────┼──────────────────────────────────────────────┤
│ Event[]       │ Variable-length event data (what was hashed)│
└───────────────┴──────────────────────────────────────────────┘

Common Event Types:

EV_EFI_VARIABLE_DRIVER_CONFIG: UEFI variable measurement
EV_EFI_BOOT_SERVICES_APPLICATION: Bootloader/application measurement
EV_EFI_ACTION: String describing an action
EV_IPL: Initial Program Loader events
EV_SEPARATOR: Marks firmware-to-OS transition

event_log_inspect.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# Inspecting the TCG Event Log
 
# Read TPM event log (Linux)
tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
 
# Sample output (abbreviated):
# - EventNum: 0
#   PCRIndex: 0
#   EventType: EV_S_CRTM_VERSION
#   Digest: "d708e..."
#   Event: "1.0"
#
# - EventNum: 1
#   PCRIndex: 0  
#   EventType: EV_EFI_PLATFORM_FIRMWARE_BLOB
#   Digest: "a7c32..."
#   Event: "FvMainCompact: Base=0xFFD00000 Length=0x002A0000"
#
# - EventNum: 47
#   PCRIndex: 7
#   EventType: EV_EFI_VARIABLE_DRIVER_CONFIG
#   Digest: "c4e91..."
#   Event:
#     VariableName: SecureBoot
#     VariableGUID: 8be4df61-93ca-11d2-aa0d-00e098032b8c
#     VariableData: 01 (Secure Boot enabled)
 
# Verify event log matches PCR values
# Replay all measurements and compare to actual PCRs
tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements     --verify-pcrs
 
# View specific PCR events
cat /sys/kernel/security/ima/ascii_runtime_measurements 2>/dev/null
 
# Windows: tpmtool command
# tpmtool getdeviceinformation
# tpmtool gatherlogs

Linux Integrity Measurement Architecture (IMA)

IMA extends measured boot into the operating system, measuring files as they're accessed:

IMA Measurement Flow:

File is opened for reading/execution
IMA hooks the kernel file access
File contents are hashed
Hash is extended into PCR 10 (or configured PCR)
Entry is added to IMA measurement list

IMA Policy Examples:

# Measure all executables
measure fowner=0 func=BPRM_CHECK

# Measure all files opened by root
measure uid=0 func=FILE_CHECK

# Measure kernel modules
measure func=MODULE_CHECK

# Measure firmware loaded by kernel
measure func=FIRMWARE_CHECK

IMA Use Cases:

Remote attestation of running software
Detecting unauthorized binaries
Audit trail for compliance
Container image verification

Event Log Enables Diagnosis

The event log is essential for understanding WHY PCR values changed. Without it, you can only see that PCRs don't match expected values. With the log, you can identify exactly which component changed—was it a firmware update? A different bootloader? A modified initramfs? This dramatically simplifies debugging and recovery.

Remote Attestation

Remote attestation allows an external party (verifier) to determine the state of a system (attester) without trusting that system's software. The verifier receives a cryptographically signed statement of the system's boot state, verifiable back to the TPM manufacturer.

Converting Mermaid diagram...

Quote: Signed PCR Statement

A TPM quote is a signed statement of PCR values:

Quote = Sign_AK(TPMS_QUOTE_INFO)

TPMS_QUOTE_INFO = {
    magic: TPM_GENERATED,       # Proves TPM generated this
    type: TPM_ST_ATTEST_QUOTE,  # Quote type identifier  
    qualifiedSigner: AK name,   # Identifies signing key
    extraData: nonce,           # Verifier's challenge
    clockInfo: {                # TPM clock state
        clock, resetCount, restartCount
    },
    firmwareVersion: ...,       # TPM firmware version
    attested: {                 # The actual attestation
        pcrSelect: [0,1,7],     # Which PCRs are attested
        pcrDigest: SHA256(      # Hash of selected PCR values
            PCR[0] || PCR[1] || PCR[7]
        )
    }
}

The nonce (challenge) prevents replay attacks—an attacker can't reuse an old quote from when the system was in a good state.

remote_attestation.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Remote Attestation with tpm2-tools
 
## On the Attester (Client)
 
# Create an Attestation Key (if not existing)
tpm2_createek -c ek.ctx -G rsa2048 -u ek.pub
tpm2_createak -C ek.ctx -c ak.ctx -G rsa2048 -g sha256     -u ak.pub -r ak.priv -n ak.name
 
# Make AK persistent
tpm2_evictcontrol -C o -c ak.ctx 0x81010002
 
# Export AK public for verifier
tpm2_readpublic -c 0x81010002 -o ak.pub
 
## Attestation Request (received from verifier)
# Verifier sends: nonce = "challenge123..."
echo "challenge123..." | xxd -r -p > nonce.bin
 
# Create the quote
tpm2_quote -c 0x81010002 -l sha256:0,1,7     -q nonce.bin -m quote.msg -s quote.sig -o quote.pcrs
 
# Collect event log
cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog.bin
 
# Send to verifier: quote.msg, quote.sig, quote.pcrs, 
#                   eventlog.bin, ak.pub, AK certificate
 
## On the Verifier (Server)
 
# 1. Verify AK certificate chains to known TPM vendor CA
openssl verify -CAfile tpm_vendor_ca.crt ak_cert.crt
 
# 2. Verify quote signature using AK public key
tpm2_checkquote -u ak.pub -m quote.msg -s quote.sig     -f nonce.bin -l sha256:0,1,7 -q quote.pcrs
 
# 3. Replay event log and verify it produces received PCRs
tpm2_eventlog eventlog.bin --verify-pcrs
 
# 4. Evaluate events against organizational policy
# (Custom logic to check what binaries booted)
 
echo "Attestation verified - system is trusted"

Real-World Attestation Systems

Microsoft Azure Attestation

Cloud service for attesting VMs and containers
Verifies guest boot state before releasing secrets
Supports SEV-SNP (AMD), TDX (Intel) and TPM attestation
Issues attestation tokens (JWTs) for verified systems

Keylime

Open-source remote attestation framework
Continuous monitoring of system state
Agent runs on attested systems, verifier on central server
Automatic remediation actions on attestation failure

SPIFFE/SPIRE with TPM Attestation

Workload identity framework
TPM attestation as node attestation method
Issues short-lived X.509 certificates to verified nodes

Intel Trust Authority

Intel's attestation service
Supports SGX enclaves, TDX VMs, and standard TPM
Provides attestation policies and tokens

Enterprise Use Cases:

Zero Trust Network Access: Only attested devices get network access
Confidential Computing: Secrets released only to verified TEEs
Compliance Verification: Prove systems boot approved configurations
Supply Chain Security: Verify device hasn't been tampered with

Trust in Attestation

Remote attestation requires trust in: (1) The TPM manufacturer's endorsement of the EK, (2) The TCG specification's security properties, (3) The firmware's correct implementation of measurements. It does NOT require trusting the attested system's software—that's the whole point. The verifier can determine the system's state independently.

TPM Security Considerations

While TPMs provide powerful security capabilities, they are not invulnerable. Understanding TPM limitations and attack vectors is essential for proper security architecture.

Known Attack Vectors

•Bus Sniffing (dTPM): Discrete TPMs communicate over LPC/SPI. Physical attackers can intercept traffic.
•Reset Attacks: Some TPMs can be reset without full system reset, potentially clearing PCR values.
•CRTM Vulnerabilities: If the CRTM (first measuring code) is compromised, all measurements are suspect.
•fTPM Side Channels: Firmware TPMs share silicon with main CPU; side-channel attacks possible.
•Event Log Manipulation: Event log stored in memory could be modified by malware.
•Physical Extraction: With lab equipment, some TPM key material extraction is possible.

Mitigations

•Parameter Encryption: TPM 2.0 supports encrypted sessions for bus protection.
•TPM 2.0 DA Protection: Dictionary Attack protection rate-limits brute force attempts.
•Trusted Platform with HW attestation: Boot Guard/PSP verify CRTM integrity.
•Physical Tamper Protection: Some TPMs have tamper-evident packaging, zeroization.
•Event Log Signing: Some implementations sign event log entries.
•Defense in Depth: TPM should be one layer, not sole protection.

TPM-FAIL Vulnerability (CVE-2019-11090, CVE-2019-16863)

In 2019, researchers demonstrated timing side-channel attacks against TPM ECDSA signature operations:

Affected TPMs from Intel (fTPM), STMicroelectronics, and others
Attackers could recover private keys by measuring signature timing
Mitigated by firmware updates implementing constant-time algorithms

Lesson: Even dedicated security hardware can have implementation vulnerabilities. Keep TPM firmware updated.

BitLocker-Specific Considerations

BitLocker's transparent TPM unlock (no PIN) is vulnerable to certain attacks:

Attack: Direct Memory Access

Attacker with physical access can use DMA (Thunderbolt, FireWire) to read memory
BitLocker key in memory could be extracted
Mitigation: Kernel DMA Protection, VBS, TPM+PIN mode

Attack: Cold Boot

RAM contents persist briefly after power-off
Freeze RAM, move to attacker's system, read key
Mitigation: TPM+PIN makes unlock not automatic

Attack: Evil Maid (Steal and Observe)

Attacker modifies boot so it appears normal but logs credentials
User boots and enters credentials
Attacker retrieves credentials
Mitigation: Pre-boot authentication different from OS login

TPM Protection Levels
Configuration	Protected Against	NOT Protected Against
TPM Only	Offline HDD removal, boot modification	DMA attacks, cold boot, sophisticated physical
TPM + PIN	Above + DMA, cold boot	Keyloggers, shoulder surfing, sophisticated evil maid
TPM + PIN + USB	Above + PIN interception	Physical implants on USB, sophisticated attacks
TPM + Attestation	Above + verify system state remotely	TPM implementation bugs, trusted client compromise

Threat Model Matters

TPM provides strong protection against remote attacks and casual physical access. Against well-funded adversaries with extended physical access and laboratory resources, additional protections are needed. Match your protection level to your threat model—TPM alone may or may not be sufficient.

Summary: TPM as Trust Anchor

The Trusted Platform Module provides a hardware foundation for platform security that goes beyond simple boot verification. Let's consolidate the key concepts:

Key Takeaways

•TPM is a cryptographic coprocessor — It provides protected key storage, PCR measurement, and cryptographic operations in tamper-resistant hardware.
•PCRs record boot state via extend operations — Each measurement irreversibly updates the PCR, creating a unique fingerprint of the boot sequence.
•Key hierarchy enables organized trust — Endorsement, Storage, Platform, and Null hierarchies serve different purposes with different authorization.
•Sealing binds secrets to system state — Data sealed to PCR values can only be unsealed when the system boots in the same configuration.
•Event logs enable diagnosis — The TCG event log records what was measured, allowing verification and debugging of PCR values.
•Remote attestation proves state to external parties — Quotes signed by attestation keys allow verifiers to determine system state without trusting system software.
•TPM has limitations — Physical attacks, implementation vulnerabilities, and trust assumptions must be understood and mitigated appropriately.

What's Next:

With a comprehensive understanding of both Secure Boot (prevention) and TPM (measurement), we'll explore Measured Boot in depth—how these technologies combine to provide both enforcement and verifiability. We'll examine practical measured boot implementations, remote attestation architectures, and how confident computing builds on these foundations.

Page Complete

You now understand the Trusted Platform Module comprehensively—its architecture, PCR mechanics, key hierarchies, sealing operations, event logging, and remote attestation capabilities. This knowledge is essential for implementing disk encryption, remote attestation systems, and understanding the hardware foundation of modern platform security.

4 / 5

Loading learning content...

Operating SystemsSecure Boot

Secure Boot: Establishing Trust from Power-On

LevelAdvanced

Duration75 mins

TopicSecure Boot

4 / 5

TPM (Trusted Platform Module)

The Silent Witness to Every Boot

What You Will Learn

TPM Architecture Overview

Converting Mermaid diagram...

TPM Implementation Types

TPMs come in several physical forms:

Discrete TPM (dTPM)

Separate chip on the motherboard
Connected via LPC, SPI, or I2C bus
Highest isolation—separate silicon
Required by some high-security standards
Examples: Infineon SLB9670, Nuvoton NPCT750

Firmware TPM (fTPM)

Implemented in platform firmware
Runs on the platform security processor (Intel PTT, AMD fTPM)
Uses isolated execution environment
Lower cost, increasingly common
Dependent on security processor integrity

Hypervisor TPM (vTPM)

Virtual TPM for virtual machines
Backed by hypervisor-managed state
State stored in VM configuration
Enables TPM features for VMs

Software TPM (sTPM)

Pure software implementation
For development and testing only
NOT secure—no hardware protection
Examples: IBM's TPM2-software, Microsoft simulator

TPM 1.2 vs TPM 2.0 Comparison
Feature	TPM 1.2	TPM 2.0
Hash Algorithms	SHA-1 only	SHA-1, SHA-256, SHA-384, SHA-512
Asymmetric Crypto	RSA 2048 only	RSA (1024-4096), ECC (P256, BN256+)
Symmetric Crypto	None	AES-128, AES-256
PCR Banks	24 PCRs (SHA-1)	Multiple banks (SHA-1, SHA-256, etc.)
Authorization	Simple HMAC	Enhanced authorization (EA) policies
Key Hierarchy	Single SRK	Multiple hierarchies (Endorsement, Storage, Platform, Null)
Specification Status	Deprecated	Current standard (2019+)

TPM 1.2 Deprecation

Platform Configuration Registers (PCRs)

The Extend Operation

PCRs cannot be directly written. Instead, they are extended using a cryptographic operation:

PCR_new = Hash(PCR_old || data_to_measure)

This operation is fundamental:

One-Way: Given a PCR value, you cannot determine what was measured (hash pre-image resistance)
Order-Sensitive: Measuring A then B produces different result than B then A
Tamper-Evident: Any modification to measured components changes the final PCR value
Irreversible: You cannot 'undo' a measurement or set PCR to arbitrary value

The only way to reset most PCRs to their initial value is to reboot the system.

pcr_extend.pseudo
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# PCR Extend Operation Illustrated
 
# Initial state after boot (TPM 2.0)
PCR[0] = 0x0000...0000  # 32 bytes of zeros for SHA-256
 
# First measurement: BIOS code hash
bios_hash = SHA256(bios_code)
PCR[0] = SHA256(PCR[0] || bios_hash)
# PCR[0] is now: SHA256(0x0000...0000 || bios_hash)
 
# Second measurement: BIOS configuration
config_hash = SHA256(bios_config_data)  
PCR[0] = SHA256(PCR[0] || config_hash)
# PCR[0] is now: SHA256(SHA256(0x0000...0000 || bios_hash) || config_hash)
 
# Each subsequent measurement extends the chain
# Final PCR value uniquely represents the complete measurement sequence
 
# Verification: Given expected measurements
expected_pcr = initial_value
for measurement in [bios_hash, config_hash, ...]:
    expected_pcr = SHA256(expected_pcr || measurement)
 
if actual_pcr == expected_pcr:
    print("Boot sequence matches expected configuration")
else:
    print("Boot sequence differs from expected!")

Standard PCR Allocation

The TCG specification defines standard PCR assignments for platform firmware and operating systems:

TCG Standard PCR Allocation
PCR	Measured By	Content Description
PCR 0	BIOS/UEFI	Core Root of Trust for Measurement (CRTM), POST BIOS, and host platform extensions
PCR 1	BIOS/UEFI	Host platform configuration (BIOS/UEFI settings)
PCR 2	BIOS/UEFI	Option ROM code
PCR 3	BIOS/UEFI	Option ROM configuration and data
PCR 4	BIOS/UEFI	MBR code / Initial Program Loader (IPL) code
PCR 5	BIOS/UEFI	MBR data / IPL configuration and data (including boot device)
PCR 6	BIOS/UEFI	State transitions and wake events
PCR 7	BIOS/UEFI	Secure Boot policy (db, dbx, etc.), manufacturer-specific
PCR 8-15	OS	Defined by operating system (Linux IMA, Windows Boot)
PCR 16	Any	Debug PCR, available for testing
PCR 23	App	Application-specific, commonly used for application state

OS-Specific PCR Usage

Linux PCR Conventions:

PCR 8: GRUB command line and configuration
PCR 9: Boot loader code (GRUB, shim)
PCR 10: Kernel (using IMA)
PCR 11-14: Reserved for IMA

Windows PCR Conventions:

PCR 11: BitLocker sealing
PCR 12-14: Windows-specific boot data

Multiple PCR Banks (TPM 2.0)

TPM 2.0 maintains separate PCR banks for different hash algorithms. Each bank has a complete set of 24 PCRs:

┌──────────────────────────────────────────────────────────────┐
│                     TPM 2.0 PCR Banks                        │
├──────────────────────────────────────────────────────────────┤
│ SHA-1 Bank:   PCR[0..23] (160 bits each) - Legacy compat    │
│ SHA-256 Bank: PCR[0..23] (256 bits each) - Primary use      │
│ SHA-384 Bank: PCR[0..23] (384 bits each) - Optional         │
│ SHA-512 Bank: PCR[0..23] (512 bits each) - Optional         │
└──────────────────────────────────────────────────────────────┘

When firmware extends a measurement, it typically extends the same data into all active PCR banks simultaneously.

PCR Design Philosophy

TPM Key Hierarchy

The TPM manages cryptographic keys in a hierarchical structure. This hierarchy provides organization, access control, and key derivation capabilities.

Converting Mermaid diagram...

The Four Hierarchies (TPM 2.0)

1. Endorsement Hierarchy

Contains the TPM's identity keys
Endorsement Key (EK) is unique per TPM, certified by manufacturer
Used for attestation and proving TPM genuineness
Authorization: Endorsement password (often empty by default)

2. Storage Hierarchy

Primary hierarchy for user/application keys
Storage Root Key (SRK) is the parent of all user keys
Sealing keys, signing keys, encryption keys derived here
Authorization: Owner password

3. Platform Hierarchy

Controlled by firmware/platform manufacturer
Used for platform-specific functions
Often reset on ownership change
Authorization: Platform password (firmware-controlled)

4. Null Hierarchy

Ephemeral keys for current session only
Lost on TPM reset
No authorization required
Useful for transient cryptographic operations

Endorsement Key (EK) Deep Dive

The EK is the TPM's identity:

Creation:

Derived deterministically from the Endorsement Primary Seed
Same seed always produces same EK
EK cannot be exported—private portion never leaves TPM

Certification:

TPM manufacturer creates an EK certificate during production
Certificate attests that this EK belongs to a genuine TPM
Certificate can be verified against manufacturer's CA
Enables trust in TPM-generated attestations

Attestation Keys (AK) / AIK: To address privacy, the TPM can create Attestation Keys under the Endorsement hierarchy:

AK signed by EK, proving it's from this TPM
Different AKs for different services
Services see different keys, can't correlate
Privacy-CA protocols enable zero-knowledge attestation

tpm_key_operations.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# TPM 2.0 Key Operations with tpm2-tools
 
# View TPM properties
tpm2_getcap properties-fixed
tpm2_getcap properties-variable
 
# Create primary key in Storage hierarchy (SRK equivalent)
tpm2_createprimary -C o -g sha256 -G rsa2048 -c primary.ctx
# -C o: Owner/Storage hierarchy
# -g sha256: Hash algorithm for key derivation
# -G rsa2048: Key algorithm and size
 
# Create a child key under the primary
tpm2_create -C primary.ctx -g sha256 -G rsa2048     -u child.pub -r child.priv
# -u: Public portion output
# -r: Encrypted private portion output
 
# Load the child key into TPM
tpm2_load -C primary.ctx -u child.pub -r child.priv -c child.ctx
 
# Make the key persistent (survives TPM reset)
tpm2_evictcontrol -C o -c child.ctx 0x81000001
# Key is now at persistent handle 0x81000001
 
# Read the public portion of Endorsement Key
tpm2_createek -G rsa2048 -u ek.pub -c ek.ctx
tpm2_readpublic -c ek.ctx
 
# Create an Attestation Key under EK
tpm2_createak -C ek.ctx -g sha256 -G rsa2048     -u ak.pub -r ak.priv -c ak.ctx -n ak.name

Deterministic Key Derivation

Sealing and Binding Secrets

One of the TPM's most powerful capabilities is sealing—the ability to encrypt data such that it can only be decrypted when the system is in a specific state, as measured by PCR values.

Binding vs. Sealing

Binding encrypts data to a TPM key:

Data can only be decrypted by this specific TPM
No PCR constraints—decryption always works if you have authorization
Use case: Protecting data to a specific device

Sealing encrypts data to a TPM key AND PCR values:

Data can only be decrypted when PCR values match
If any measured component changes, unsealing fails
Use case: Disk encryption that only works on unmodified systems

Converting Mermaid diagram...

BitLocker TPM Integration

Microsoft BitLocker uses TPM sealing extensively:

Seal to PCRs 0, 2, 4, 7, 11 (typical configuration):

PCR 0: Core BIOS code
PCR 2: Option ROM code
PCR 4: Boot loader code (MBR/bootmgr)
PCR 7: Secure Boot policy
PCR 11: BitLocker-specific

Protection Provided:

If BIOS is modified: PCR 0 changes → Cannot decrypt
If bootloader is replaced: PCR 4 changes → Cannot decrypt
If Secure Boot policy changes: PCR 7 changes → Cannot decrypt

BitLocker Key Protectors: BitLocker can have multiple 'protectors' for the encryption key:

TPM only: Automatic unlock if PCRs match
TPM + PIN: PCRs must match AND user enters PIN
TPM + USB key: PCRs must match AND USB key present
Recovery key: Bypass for emergency recovery

Automatic PCR Re-Sealing: When you install a firmware update, PCR values will change. BitLocker handles this by:

Reading the key using current (old) PCR values
Re-sealing to new PCR values after update
This requires administrative access

tpm_seal_unseal.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# Sealing data to PCR values with TPM 2.0
 
# First, create a sealing key
tpm2_createprimary -C o -g sha256 -G rsa2048 -c primary.ctx
 
# View current PCR values
tpm2_pcrread sha256:0,1,7
 
# Create a policy that requires specific PCR values
tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:0,1,7
tpm2_flushcontext session.ctx
 
# Create policy file from current PCR state
tpm2_createpolicy --policy-pcr -l sha256:0,1,7 -f pcr.policy
 
# Create a sealing object with PCR policy
echo "My secret disk encryption key" > secret.txt
tpm2_create -C primary.ctx -g sha256     -u sealed.pub -r sealed.priv     -L pcr.policy -i secret.txt
    
# Load the sealed object
tpm2_load -C primary.ctx -u sealed.pub -r sealed.priv -c sealed.ctx
 
# Unseal the data (only works if PCRs match)
tpm2_startauthsession --policy-session -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:0,1,7
tpm2_unseal -c sealed.ctx -p session:session.ctx -o unsealed.txt
# If PCRs haven't changed: unsealed.txt contains the secret
# If PCRs changed: Error - policy check failed
 
# More complex policy: PCRs AND password
tpm2_startauthsession -S session.ctx
tpm2_policypcr -S session.ctx -l sha256:0,1,7
tpm2_policypassword -S session.ctx
tpm2_flushcontext session.ctx

PCR Fragility Trade-off

Measured Boot and Event Log

Measured Boot Flow

CRTM (Core Root of Trust for Measurement) extends its own hash into PCR 0
For each subsequent component loaded:
- Compute hash of the component
- Create a TCG Event Log entry describing what's being measured
- Extend the hash into the appropriate PCR
Record continues through firmware, bootloader, and optionally into the OS
Event Log is stored in memory, accessible to OS and attestation services

Event Log Structure (TCG Format)

Each event log entry contains:

┌──────────────────────────────────────────────────────────────┐
│ TCG_PCR_EVENT2 Structure                                     │
├──────────────────────────────────────────────────────────────┤
│ PCRIndex      │ Which PCR was extended (0-23)                │
├───────────────┼──────────────────────────────────────────────┤
│ EventType     │ What kind of measurement (EV_EFI_*, etc.)    │
├───────────────┼──────────────────────────────────────────────┤
│ Digests[]     │ Array of hashes, one per PCR bank           │
├───────────────┼──────────────────────────────────────────────┤
│ EventSize     │ Size of event data                           │
├───────────────┼──────────────────────────────────────────────┤
│ Event[]       │ Variable-length event data (what was hashed)│
└───────────────┴──────────────────────────────────────────────┘

Common Event Types:

EV_EFI_VARIABLE_DRIVER_CONFIG: UEFI variable measurement
EV_EFI_BOOT_SERVICES_APPLICATION: Bootloader/application measurement
EV_EFI_ACTION: String describing an action
EV_IPL: Initial Program Loader events
EV_SEPARATOR: Marks firmware-to-OS transition

event_log_inspect.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# Inspecting the TCG Event Log
 
# Read TPM event log (Linux)
tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
 
# Sample output (abbreviated):
# - EventNum: 0
#   PCRIndex: 0
#   EventType: EV_S_CRTM_VERSION
#   Digest: "d708e..."
#   Event: "1.0"
#
# - EventNum: 1
#   PCRIndex: 0  
#   EventType: EV_EFI_PLATFORM_FIRMWARE_BLOB
#   Digest: "a7c32..."
#   Event: "FvMainCompact: Base=0xFFD00000 Length=0x002A0000"
#
# - EventNum: 47
#   PCRIndex: 7
#   EventType: EV_EFI_VARIABLE_DRIVER_CONFIG
#   Digest: "c4e91..."
#   Event:
#     VariableName: SecureBoot
#     VariableGUID: 8be4df61-93ca-11d2-aa0d-00e098032b8c
#     VariableData: 01 (Secure Boot enabled)
 
# Verify event log matches PCR values
# Replay all measurements and compare to actual PCRs
tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements     --verify-pcrs
 
# View specific PCR events
cat /sys/kernel/security/ima/ascii_runtime_measurements 2>/dev/null
 
# Windows: tpmtool command
# tpmtool getdeviceinformation
# tpmtool gatherlogs

Linux Integrity Measurement Architecture (IMA)

IMA extends measured boot into the operating system, measuring files as they're accessed:

IMA Measurement Flow:

File is opened for reading/execution
IMA hooks the kernel file access
File contents are hashed
Hash is extended into PCR 10 (or configured PCR)
Entry is added to IMA measurement list

IMA Policy Examples:

# Measure all executables
measure fowner=0 func=BPRM_CHECK

# Measure all files opened by root
measure uid=0 func=FILE_CHECK

# Measure kernel modules
measure func=MODULE_CHECK

# Measure firmware loaded by kernel
measure func=FIRMWARE_CHECK

IMA Use Cases:

Remote attestation of running software
Detecting unauthorized binaries
Audit trail for compliance
Container image verification

Event Log Enables Diagnosis

Remote Attestation

Converting Mermaid diagram...

Quote: Signed PCR Statement

A TPM quote is a signed statement of PCR values:

Quote = Sign_AK(TPMS_QUOTE_INFO)

TPMS_QUOTE_INFO = {
    magic: TPM_GENERATED,       # Proves TPM generated this
    type: TPM_ST_ATTEST_QUOTE,  # Quote type identifier  
    qualifiedSigner: AK name,   # Identifies signing key
    extraData: nonce,           # Verifier's challenge
    clockInfo: {                # TPM clock state
        clock, resetCount, restartCount
    },
    firmwareVersion: ...,       # TPM firmware version
    attested: {                 # The actual attestation
        pcrSelect: [0,1,7],     # Which PCRs are attested
        pcrDigest: SHA256(      # Hash of selected PCR values
            PCR[0] || PCR[1] || PCR[7]
        )
    }
}

The nonce (challenge) prevents replay attacks—an attacker can't reuse an old quote from when the system was in a good state.

remote_attestation.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Remote Attestation with tpm2-tools
 
## On the Attester (Client)
 
# Create an Attestation Key (if not existing)
tpm2_createek -c ek.ctx -G rsa2048 -u ek.pub
tpm2_createak -C ek.ctx -c ak.ctx -G rsa2048 -g sha256     -u ak.pub -r ak.priv -n ak.name
 
# Make AK persistent
tpm2_evictcontrol -C o -c ak.ctx 0x81010002
 
# Export AK public for verifier
tpm2_readpublic -c 0x81010002 -o ak.pub
 
## Attestation Request (received from verifier)
# Verifier sends: nonce = "challenge123..."
echo "challenge123..." | xxd -r -p > nonce.bin
 
# Create the quote
tpm2_quote -c 0x81010002 -l sha256:0,1,7     -q nonce.bin -m quote.msg -s quote.sig -o quote.pcrs
 
# Collect event log
cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog.bin
 
# Send to verifier: quote.msg, quote.sig, quote.pcrs, 
#                   eventlog.bin, ak.pub, AK certificate
 
## On the Verifier (Server)
 
# 1. Verify AK certificate chains to known TPM vendor CA
openssl verify -CAfile tpm_vendor_ca.crt ak_cert.crt
 
# 2. Verify quote signature using AK public key
tpm2_checkquote -u ak.pub -m quote.msg -s quote.sig     -f nonce.bin -l sha256:0,1,7 -q quote.pcrs
 
# 3. Replay event log and verify it produces received PCRs
tpm2_eventlog eventlog.bin --verify-pcrs
 
# 4. Evaluate events against organizational policy
# (Custom logic to check what binaries booted)
 
echo "Attestation verified - system is trusted"

Real-World Attestation Systems

Microsoft Azure Attestation

Cloud service for attesting VMs and containers
Verifies guest boot state before releasing secrets
Supports SEV-SNP (AMD), TDX (Intel) and TPM attestation
Issues attestation tokens (JWTs) for verified systems

Keylime

Open-source remote attestation framework
Continuous monitoring of system state
Agent runs on attested systems, verifier on central server
Automatic remediation actions on attestation failure

SPIFFE/SPIRE with TPM Attestation

Workload identity framework
TPM attestation as node attestation method
Issues short-lived X.509 certificates to verified nodes

Intel Trust Authority

Intel's attestation service
Supports SGX enclaves, TDX VMs, and standard TPM
Provides attestation policies and tokens

Enterprise Use Cases:

Zero Trust Network Access: Only attested devices get network access
Confidential Computing: Secrets released only to verified TEEs
Compliance Verification: Prove systems boot approved configurations
Supply Chain Security: Verify device hasn't been tampered with

Trust in Attestation

TPM Security Considerations

While TPMs provide powerful security capabilities, they are not invulnerable. Understanding TPM limitations and attack vectors is essential for proper security architecture.

Known Attack Vectors

•Bus Sniffing (dTPM): Discrete TPMs communicate over LPC/SPI. Physical attackers can intercept traffic.
•Reset Attacks: Some TPMs can be reset without full system reset, potentially clearing PCR values.
•CRTM Vulnerabilities: If the CRTM (first measuring code) is compromised, all measurements are suspect.
•fTPM Side Channels: Firmware TPMs share silicon with main CPU; side-channel attacks possible.
•Event Log Manipulation: Event log stored in memory could be modified by malware.
•Physical Extraction: With lab equipment, some TPM key material extraction is possible.

Mitigations

•Parameter Encryption: TPM 2.0 supports encrypted sessions for bus protection.
•TPM 2.0 DA Protection: Dictionary Attack protection rate-limits brute force attempts.
•Trusted Platform with HW attestation: Boot Guard/PSP verify CRTM integrity.
•Physical Tamper Protection: Some TPMs have tamper-evident packaging, zeroization.
•Event Log Signing: Some implementations sign event log entries.
•Defense in Depth: TPM should be one layer, not sole protection.

TPM-FAIL Vulnerability (CVE-2019-11090, CVE-2019-16863)

In 2019, researchers demonstrated timing side-channel attacks against TPM ECDSA signature operations:

Affected TPMs from Intel (fTPM), STMicroelectronics, and others
Attackers could recover private keys by measuring signature timing
Mitigated by firmware updates implementing constant-time algorithms

Lesson: Even dedicated security hardware can have implementation vulnerabilities. Keep TPM firmware updated.

BitLocker-Specific Considerations

BitLocker's transparent TPM unlock (no PIN) is vulnerable to certain attacks:

Attack: Direct Memory Access

Attacker with physical access can use DMA (Thunderbolt, FireWire) to read memory
BitLocker key in memory could be extracted
Mitigation: Kernel DMA Protection, VBS, TPM+PIN mode

Attack: Cold Boot

RAM contents persist briefly after power-off
Freeze RAM, move to attacker's system, read key
Mitigation: TPM+PIN makes unlock not automatic

Attack: Evil Maid (Steal and Observe)

Attacker modifies boot so it appears normal but logs credentials
User boots and enters credentials
Attacker retrieves credentials
Mitigation: Pre-boot authentication different from OS login

TPM Protection Levels
Configuration	Protected Against	NOT Protected Against
TPM Only	Offline HDD removal, boot modification	DMA attacks, cold boot, sophisticated physical
TPM + PIN	Above + DMA, cold boot	Keyloggers, shoulder surfing, sophisticated evil maid
TPM + PIN + USB	Above + PIN interception	Physical implants on USB, sophisticated attacks
TPM + Attestation	Above + verify system state remotely	TPM implementation bugs, trusted client compromise

Threat Model Matters

Summary: TPM as Trust Anchor

The Trusted Platform Module provides a hardware foundation for platform security that goes beyond simple boot verification. Let's consolidate the key concepts:

Key Takeaways

•TPM is a cryptographic coprocessor — It provides protected key storage, PCR measurement, and cryptographic operations in tamper-resistant hardware.
•PCRs record boot state via extend operations — Each measurement irreversibly updates the PCR, creating a unique fingerprint of the boot sequence.
•Key hierarchy enables organized trust — Endorsement, Storage, Platform, and Null hierarchies serve different purposes with different authorization.
•Sealing binds secrets to system state — Data sealed to PCR values can only be unsealed when the system boots in the same configuration.
•Event logs enable diagnosis — The TCG event log records what was measured, allowing verification and debugging of PCR values.
•Remote attestation proves state to external parties — Quotes signed by attestation keys allow verifiers to determine system state without trusting system software.
•TPM has limitations — Physical attacks, implementation vulnerabilities, and trust assumptions must be understood and mitigated appropriately.

What's Next:

Page Complete

4 / 5

Secure Boot: Establishing Trust from Power-On - Page 4 of 5 | OneNoughtOne