
Storing and reporting system measurements with TPM


In the previous blog, we saw how we can securely store keys and user data in a Trusted Platform Module (TPM). In this blog, we will understand how a TPM ensures the integrity of the software running on the host system it is interfaced with. With the increase in complexity of personal computers (PCs) and software applications, the number of processes running on a typical PC has grown. Many of these processes are launched implicitly rather than explicitly by the user, which makes it difficult to know whether a process running on a platform is trustworthy or not. For this reason, it is important to measure the integrity of the processes running on a platform. These measurements also need to be securely stored and protected so that they cannot be modified after the fact.

What are PCRs?

Before we look at TPM’s integrity measurements, we will see what Platform Configuration Registers (PCRs) are and how they play a critical role in storing the software state of the system.

PCRs are registers in the TPM that store integrity measurements of the code (software state) running on the system. These measurements are nothing but the digest generated by a hashing algorithm. TCG specifies that a TPM must contain at least 1 PCR bank with 24 registers, with every register storing 20 bytes of data. A set of PCRs associated with the same hashing algorithm is referred to as a PCR bank. OPTIGA™ TPM SLB9670 has 2 PCR banks, supporting the SHA-1 and SHA-256 algorithms.

TPM implements these registers in its volatile memory, so the values are reset whenever the system reboots or loses power. New values (digest of the running code) are measured and stored in PCRs every time the system boots up after power-up.

We cannot write these register values directly; the only way to update a register is to perform ‘TPM2_PCR_Extend’. The new PCR value is nothing but a one-way hash function over the current PCR value concatenated with the data to be extended:

PCR new value = Digest of (PCR old value || data to extend)

PCRs represent the history of the software state and configurations of the system that have run on the platform until the present time. This is explained in detail below. PCR in a TPM as defined by TCG specification (section 2.3.4) is shown in Figure 1.

Figure 1. PCR allocation

Now let’s see how these PCRs are used for the integrity measurements of a system (e.g. a computer). Figure 2 shows a typical system boot process. The Core Root of Trust for Measurement (CRTM) is the first piece of code that gets executed, and it performs a self-check on its own integrity. It then measures the BIOS (Basic Input/Output System) and stores the measurement (digest) in PCR-0.

The BIOS is then loaded, and it measures the digest of the next software to be run, which is the OS loader code/bootloader. The current PCR value is then extended with the measured value based on the formula mentioned above, and the TPM stores the extended value in the corresponding PCR. To sum it up, the flow at every stage is to measure, store, and then pass control to the next software to be run.

Figure 2. Typical system boot process with TPM

If malicious software is loaded, it would have to extend the PCR to the exact value it would have had after an uncompromised boot in order to go unnoticed. The cryptographic strength of the hash algorithm (SHA-1/2) makes it computationally infeasible to achieve this and thus ensures

When the firmware or the bootloader is tampered with, these changes are detected in the PCR values. Apart from using these PCRs to verify the system state, we can also bind TPM keys and user data to a certain state of the system. It is important to note that binding a key or a file to PCR values depends on the hashing algorithm used to generate the PCR.

For instance, if a key is bound to PCR[4] of the SHA-256 bank, switching to the SHA-384 bank will not allow us to use the key, as the PCR values will not match. “tpm2_pcrread” displays the PCRs and the hash algorithms supported by the TPM; to enable or disable PCR banks, execute the command “tpm2_pcrallocate”.
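To make the extend chain, the tamper detection and the bank dependence concrete, here is an added software model of the boot flow above (example code written for this post, not Infineon's or any TPM stack's code). The firmware images are constructed sample byte strings, and the digest of each image is taken as its measurement; real TPMs do the same arithmetic inside the chip.

```python
import hashlib

def measure(image: bytes, alg: str) -> bytes:
    """Digest of a component image, as computed by the CRTM or BIOS before it hands over."""
    return hashlib.new(alg, image).digest()

def pcr_extend(pcr_old: bytes, digest: bytes, alg: str) -> bytes:
    """TPM2_PCR_Extend: PCR_new = Hash(PCR_old || digest). One-way and order-dependent."""
    return hashlib.new(alg, pcr_old + digest).digest()

def measured_boot(components, alg: str = "sha256") -> bytes:
    """Return the PCR value reached after extending each component in boot order.
    PCRs are all zeros after power-up, sized to the bank's digest length."""
    pcr = bytes(hashlib.new(alg).digest_size)
    for image in components:
        pcr = pcr_extend(pcr, measure(image, alg), alg)
    return pcr

def pcr_matches_golden(components, golden: bytes, alg: str = "sha256") -> bool:
    """Compare this boot's PCR with a known-good reference value, e.g. the value
    a TPM key or sealed file was bound to."""
    return measured_boot(components, alg) == golden

# Constructed sample images (stand-ins, not real firmware)
BIOS = b"BIOS v1.2 image bytes"
BOOTLOADER = b"OS loader image bytes"
TAMPERED_BOOTLOADER = b"OS loader image bytes plus an unexpected change"

if __name__ == "__main__":
    golden = measured_boot([BIOS, BOOTLOADER])          # reference from a clean boot
    print("clean boot matches    :", pcr_matches_golden([BIOS, BOOTLOADER], golden))
    print("tampered loader matches:", pcr_matches_golden([BIOS, TAMPERED_BOOTLOADER], golden))
    print("swapped order matches  :", pcr_matches_golden([BOOTLOADER, BIOS], golden))
    # Same boot measured into a different bank: the bound value no longer matches
    print("sha1 bank matches      :", pcr_matches_golden([BIOS, BOOTLOADER], golden, "sha1"))
```

Only the first check prints True: a changed bootloader, a changed boot order, or a different PCR bank all produce a different final PCR value, which is exactly why PCR-bound keys stop working after such a change.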

Links to explore further: