Loading learning content...
We've explored two complementary approaches to boot security: Secure Boot prevents unauthorized code from executing, while TPM measurement records what actually executed. Measured Boot combines these approaches to create a system that is both protected at boot time AND whose boot state can be cryptographically verified afterward.
Measured Boot transforms security from a binary question ("Did something bad run?") into a verifiable statement ("Here's exactly what ran, signed by tamper-resistant hardware"). This enables sophisticated security architectures where secrets are only released to verified systems, access is granted only to machines that booted approved configurations, and remote verifiers can assess system integrity without trusting the system's software.
By the end of this page, you will understand how measured boot integrates Secure Boot and TPM technologies, the complete attestation workflow, practical implementation on Windows and Linux, and advanced topics including confidential computing and measured launch. You'll be equipped to design, deploy, and verify measured boot architectures in enterprise and cloud environments.
Understanding the distinction between Secure Boot and Measured Boot is fundamental. They solve different problems and are most powerful when combined.
| Aspect | Secure Boot | Measured Boot |
|---|---|---|
| Primary Goal | Prevent unauthorized code execution | Record exactly what executed |
| Mechanism | Signature verification | Cryptographic hashing into PCRs |
| Failure Mode | Boot halts (enforcement) | Attestation reveals mismatch (detection) |
| Flexibility | Requires pre-signed binaries | Can measure any code |
| Key Component | UEFI Secure Boot (db/dbx) | TPM Platform Configuration Registers |
| Verification Time | At load time (before execution) | Any time after boot (attestation) |
| Remote Verification | Not inherent (local enforcement) | Core capability (remote attestation) |
| Use Case | Block known-bad, allow known-good | Prove what booted, seal to state |
Why Both Together?
Secure Boot alone has limitations:
Measured Boot alone has limitations:
Combined ("Trusted Boot"): The system both enforces known-good signatures AND records what was loaded for verification. This provides:
Secure Boot provides the first line of defense; measured boot provides the verification layer. Even if an attacker somehow bypasses Secure Boot (through a 0-day, compromised key, or misconfiguration), the measured boot record will differ from expected values—enabling detection through attestation or causing sealed secrets to fail to unlock.
A complete measured boot implementation follows a carefully orchestrated workflow from power-on through operating system initialization. Each component measures the next before loading it, building a cryptographic record in the TPM.
Phase Details
Phase 1: Core Root of Trust for Measurement (CRTM)
The CRTM is the first piece of code that executes and performs measurements. On modern Intel systems, this is the ACM code verified by Boot Guard. On AMD, it's the PSP boot code.
Phase 2: Firmware Measurement
UEFI firmware measures platform configuration and boot components:
PCR 0: Additional firmware code
PCR 1: Platform configuration (BIOS settings)
PCR 2: Option ROM code
PCR 3: Option ROM configuration
PCR 4: Boot loader code
PCR 5: Boot loader configuration (GPT partition table)
PCR 6: Wake events
PCR 7: Secure Boot policy (PK, KEK, db, dbx hashes)
Phase 3: Bootloader Measurement
The bootloader (GRUB, shim, Windows Boot Manager) continues measurement:
PCR 8: GRUB configuration, command line
PCR 9: Kernel image, initramfs
Phase 4: OS Measurement (IMA)
The Linux kernel's IMA subsystem extends measurement into runtime:
PCR 10 (typically): Executables, libraries, configuration files
as they're accessed
Note the difference: Secure Boot VERIFIES before allowing execution (binary pass/fail). Measured Boot MEASURES everything that is about to execute (creates a record). Both happen—Secure Boot may reject code that would have been measured, but anything that passes Secure Boot is also measured.
Windows has comprehensive measured boot support, deeply integrated with BitLocker and enterprise management features.
Windows Boot Measurement Chain
┌─────────────────────────────────────────────────────────────────┐
│ Windows Measured Boot Components │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────────┐ ┌────────────┐ ┌────────────┐ │
│ │ Boot Guard │──▶│ UEFI FW │──▶│ bootmgfw │ │
│ │ (CRTM) │ │ │ │ .efi │ │
│ └────────────┘ └────────────┘ └────────────┘ │
│ │PCR0 │PCR1,7 │PCR4 │
│ ▼ ▼ ▼ │
│ ┌────────────┐ ┌────────────┐ ┌────────────┐ │
│ │ winload │──▶│ ntoskrnl │──▶│ Early Boot │ │
│ │ .efi │ │ .exe │ │ Drivers │ │
│ └────────────┘ └────────────┘ └────────────┘ │
│ │PCR11 │PCR11 │PCR11 │
│ ▼ ▼ ▼ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ BitLocker Unlock │ │
│ │ 1. Read PCR 0, 2, 4, 7, 11 values │ │
│ │ 2. Unseal Volume Master Key (VMK) from TPM │ │
│ │ 3. If PCRs match sealed values: Decrypt volume │ │
│ └───────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
Windows Boot Logging
Windows logs all boot measurements in the TCG event log. Key events include:
The event log is stored in memory and accessible through WMI after boot.
1234567891011121314151617181920212223242526272829303132333435
# Windows Measured Boot Verification # Check if Secure Boot is enabledConfirm-SecureBootUEFI# Expected: True # Get TPM informationGet-Tpm# Expected: TpmPresent: True, TpmReady: True, TpmOwned: True # Read PCR values (requires Admin)Get-TpmEndorsementKeyInfo # View BitLocker protection statusGet-BitLockerVolume -MountPoint "C:"# Look for: KeyProtector with type "Tpm" # Get BitLocker key protector details(Get-BitLockerVolume -MountPoint "C:").KeyProtector | Where-Object {$_.KeyProtectorType -eq 'Tpm'}# Shows PCRs that BitLocker is sealed to # View TCG event log$Log = Get-WmiObject -Namespace root\cimv2\Security\MicrosoftTpm ` - Class Win32_Tpm$Log.GetPhysicalPresenceRequest() # More detailed event log(requires Windows Admin Center or tpmtool)# tpmtool gatherlogs<output_path> # Check Device Health Attestation enrollmentGet- ItemProperty - Path "HKLM:\SOFTWARE\Microsoft\DeviceHealthAttestation" # Verify boot configuration against expectedbcdedit /enum | Select - String "integrity"Windows Defender System Guard
System Guard provides additional measured boot hardening:
Secure Launch (DRTM)
System Management Mode (SMM) Protection
Runtime Attestation
Windows 11 requires TPM 2.0 and Secure Boot capable systems. This isn't arbitrary—it's to enable measured boot, attestation, and modern security features like System Guard and VBS. The hardware requirements establish a baseline for enterprise security capabilities.
Linux measured boot leverages firmware measurements, shim/GRUB extensions, and the Integrity Measurement Architecture (IMA) for comprehensive boot-to-runtime measurement.
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455
# Linux Measured Boot Configuration and Verification # === Phase 1: Check TPM availability ===# Verify TPM device existsls - la / dev / tpm *# Expected: /dev/tpm0 and / dev / tpmrm0 # Check TPM versioncat / sys / class/ tpm / tpm0 / tpm_version_major# Expected: 2(for TPM 2.0) # === Phase 2: Verify firmware measurements ===# Read current PCR valuestpm2_pcrread sha256: 0, 1, 2, 3, 4, 5, 6, 7 # View TCG event log tpm2_eventlog / sys / kernel / security / tpm0 / binary_bios_measurements # Verify event log matches PCR values tpm2_eventlog / sys / kernel / security / tpm0 / binary_bios_measurements \ --verify - pcrs # === Phase 3: Check Secure Boot status === mokutil--sb - state# Expected: SecureBoot enabled # === Phase 4: IMA Configuration ===# Check if IMA is enabled dmesg | grep - i ima# Look for: "integrity: Platform Keyring initialized" # View IMA policy(if loaded) cat / sys / kernel / security / ima / policy # View IMA runtime measurements head - 20 / sys / kernel / security / ima / ascii_runtime_measurements# Format: PCR template - hash algorithm: file - hash filename # Example output:# 10 abc123...ima - ng sha256:def456...boot_aggregate# 10 fed321...ima - ng sha256: 123abc... /usr/sbin / init# 10 aabbcc...ima - ng sha256:ddeeff... /usr/lib / systemd / systemd # === Phase 5: TPM - backed LUKS encryption ===# Check LUKS for TPM binding(using systemd - cryptenroll)systemd - cryptenroll / dev / sda3--tpm2 - device=list# Shows TPM binding status # Enroll TPM for LUKS unlocksudo systemd - cryptenroll / dev / sda3 \ --tpm2 - device=auto \ --tpm2 - pcrs=0 + 7 # Seal to PCR 0 and 7 # Verify enrollmentcryptsetup luksDump / dev / sda3 | grep - A5 "Token"Unified Kernel Images (UKI) for Measured Boot
UKIs address a traditional weakness in Linux measured boot: the initramfs gap.
Traditional Problem:
UKI Solution: Bundle everything into a single signed PE binary:
┌───────────────────────────────────────────────┐
│ Unified Kernel Image(.efi) │
├───────────────────────────────────────────────┤
│ .osrel │ OS release information │
│ .cmdline │ Kernel command line(LOCKED) │
│ .linux │ Kernel image │
│ .initrd │ Initramfs(compressed) │
│ .splash │ Boot splash image(optional) │
│ .uname │ Kernel version string │
│ .sbat │ UEFI revocation metadata │
│ .pcrsig │ Expected PCR values + signature │
└───────────────────────────────────────────────┘
Benefits:
.pcrsig section contains predicted PCR values for unsealingCreating a UKI:
# Using ukify(systemd - ukify)
ukify build \n--linux = /boot/vmlinuz - 6.1.0 \n--initrd = /boot/initramfs - 6.1.0.img \n--cmdline ="root=/dev/mapper/root ro quiet" \n --os-release=@/etc/os-release \n --output=/boot/efi/EFI/Linux/linux-6.1.0.efi \n --secureboot-private-key=/path/to/key \n --secureboot-certificate=/path/to/cert
IMA Deep Dive
The Integrity Measurement Architecture extends measured boot into the running system:
IMA Modes:
| Mode | Description | Use Case |
|---|---|---|
measure | Record hash to PCR | Attestation |
appraise | Verify against stored signature | Enforcement |
audit | Log measurements to audit log | Compliance |
IMA Policy Example:
# /etc/ima/ima-policy
# Measure all executables run by root
measure uid=0 func=BPRM_CHECK
# Measure all kernel modules
measure func=MODULE_CHECK
# Measure all firmware loaded
measure func=FIRMWARE_CHECK
# Appraise (verify signatures) for all executables
appraise fowner=0 mode=0755 func=BPRM_CHECK appraise_type=imasig
# Audit all file opens by root
audit uid=0 func=FILE_CHECK
IMA + TPM Integration:
/sys/kernel/security/ima/ascii_runtime_measurementsIMA measurement has a performance cost—every file access matching the policy triggers a hash computation and TPM extend. In high-throughput environments, carefully craft the IMA policy to measure only security-critical files. Broad policies (measure all files) can impact system performance significantly.
Measured boot provides the foundation; attestation architectures provide the verification infrastructure. Different use cases require different attestation models.
Local Attestation: Sealing Secrets
The simplest attestation model—the system attests to itself.
Use Case: Disk Encryption (BitLocker, LUKS+TPM)
Advantages:
Limitations:
Implementation:
# LUKS with TPM sealing (systemd-cryptenroll)
sudo systemd-cryptenroll /dev/sda3 \n --tpm2-device=auto \n --tpm2-pcrs=0+7 # Seal to firmware and Secure Boot policy
If anything in the measured boot chain changes (firmware update, bootloader change, Secure Boot policy modification), the system won't boot without the recovery key. This is the tradeoff: security vs. maintainability.
Static Root of Trust for Measurement (SRTM), which we've discussed primarily, establishes trust at system reset. Dynamic Root of Trust for Measurement (DRTM) provides the ability to establish a new root of trust at any point during system operation—even if the early boot was potentially compromised.
Why DRTM?
SRTM has a fundamental limitation: if any component in the early boot chain (SMM, Option ROMs, firmware drivers) is compromised, all subsequent measurements are suspect. DRTM addresses this by:
DRTM Technologies:
Intel TXT (Trusted Execution Technology)
AMD SKINIT (Secure Kernel Init)
DRTM PCR Usage
| PCR | Description |
|---|---|
| PCR 17 | DRTM launch policy, SINIT ACM |
| PCR 18 | MLE (Hypervisor/tboot policy) |
| PCR 19-22 | Platform-specific DRTM measurements |
DRTM Benefits:
Intel TXT with tboot (Linux)
tboot is a pre-kernel module that implements DRTM for Linux:
# Install tboot
sudo apt install tboot
# Configure GRUB to use tboot
# /etc/default/grub:
# GRUB_CMDLINE_TBOOT="..."
# tboot loads first, performs SENTER, then loads kernel
# Kernel boots in measured environment with PCRs 17-22 populated
# Verify DRTM measurements
txt-stat
Windows System Guard Secure Launch
System Guard uses DRTM to protect Hyper-V and VBS:
SRTM is simpler and measures from the very first instruction. DRTM is more complex but provides stronger guarantees by resetting to a known state. Use DRTM when: (1) You can't trust all platform firmware, (2) You need to protect against SMM attacks, (3) You're running sensitive hypervisor workloads, or (4) Compliance requires DRTM-level protection.
Measured boot provides the foundation for Confidential Computing—technologies that protect data in use by ensuring computations occur in hardware-attested trusted execution environments.
Intel SGX (Software Guard Extensions)
SGX creates isolated memory regions called enclaves:
SGX Attestation Flow:
Use Cases:
AMD SEV-SNP (Secure Encrypted Virtualization)
SEV-SNP protects entire virtual machines:
SEV-SNP Attestation Flow:
Use Cases:
Attestation Comparison
| Technology | Granularity | Attested By | Trust Root |
|---|---|---|---|
| TPM Measured Boot | Whole system | TPM Quote | TPM EK → Manufacturer |
| Intel SGX | Application enclave | Quoting Enclave | Intel Root Key |
| AMD SEV-SNP | Virtual machine | AMD PSP | AMD Root Key |
| Intel TDX | Trust Domain | TDX Module | Intel Attestation |
| ARM CCA | Realm | RMM | ARM Security Root |
Measured Boot → Confidential Computing Pipeline:
1. System boots with measured boot (TPM records)
2. Hypervisor launches confidential VM (SEV-SNP/TDX)
3. VM boot is measured by security processor
4. Application in VM creates enclave (SGX)
5. Each layer provides attestation:
- TPM: "This host booted correctly"
- SEV: "This VM is encrypted and genuine"
- SGX: "This enclave runs expected code"
6. Remote verifier chains attestations
7. Secrets released only to fully verified stack
This layered attestation enables end-to-end verified computation, where data owners can verify every layer from hardware to application code before releasing sensitive data.
Cloud providers like Azure, GCP, and AWS are rapidly adopting confidential computing. Azure Confidential Computing offers SGX and SEV-SNP VMs with integrated attestation. Google Cloud offers Confidential VMs with AMD SEV. AWS Nitro Enclaves provide a different but complementary approach. Measured boot and hardware attestation are becoming table stakes for sensitive workloads.
Measured boot brings together all the secure boot concepts we've explored—creating systems that are both protected and verifiable. Let's consolidate the essential knowledge:
Module Complete: Secure Boot Mastery
You have now completed a comprehensive exploration of secure boot technologies:
Together, these technologies form the foundation of modern platform security. From protecting personal laptops with BitLocker to attesting cloud VMs for confidential computing, the principles you've learned apply across the entire spectrum of computing systems. You're now equipped to design, implement, configure, and troubleshoot secure boot architectures in any environment.
Congratulations! You've mastered the complete secure boot landscape—from hardware roots of trust through attestation infrastructure to confidential computing. This knowledge is essential for modern security engineering, whether you're protecting endpoints, hardening servers, or designing cloud security architectures. The era of attestable computing is here, and you're now prepared to build on these foundations.