Trusted Computing Platform Alliance (TCPA)
TCPA uses the following definition of trust:
“A trusted component, operation, or process is one whose behaviour is predictable under almost any operating condition and which is highly resistant to subversion by application software, viruses, and a given level of physical interference.”
Desirable trustworthiness
The platform owner and user should be able to trust the configuration of the platform.
e.g., that it is not running malicious or unauthorized software that could compromise sensitive information.
Remote attestation
A platform should be able to attest information about its current configuration to another platform in a manner that the second platform can trust.
It allows an entity to authenticate the software configuration of a platform that is not under its control.
TCPA-related architectural modifications
Trusted Platform Module (TPM)
Cryptographic component in the platform.
Provides a range of cryptographic primitives.
Random number generation
Hashing
Symmetric encryption/decryption
Asymmetric key pair generation, enc/dec, sign/verify
Protected storage for keys
TPM types
Discrete
Implemented by a discrete chip.
Chip designed, built and evaluated for the highest level of security.
Can resist tampering with the chip.
Can resist probing and freezing with all sorts of sophisticated attacks.
Highest level of security.
Integrated
A hardware TPM.
But integrated into a chip that provides other functions.
Resistant to software bugs.
But not designed to be tamper-resistant.
Security is very high.
Firmware
Implemented in protected software.
The code runs on the main CPU.
A separate chip is not required.
The code runs in a protected execution environment.
Trusted Execution Environment (TEE).
The TEE separates it from the rest of the programs running on the CPU.
Secrets needed by the TPM can be kept in the TEE.
Creating a more difficult path for hackers.
No tamper resistance.
Depends on many additional aspects to keep it secure (e.g. TEE).
Security is high.
Software
Implemented in software.
Good for developing a TPM-based prototype.
Its security is not an issue.
Virtual
For cloud environments.
Provided by the hypervisor
Security is high
TPM types and needs
TCPA root of trust
Core Root of Trust for Measurement (CRTM).
BIOS trust boot block.
The CRTM takes a hash of the BIOS before executing code other than CRTM.
The result is stored in a TPM register.
Platform Configuration Register (PCR)
TPM PCR (Platform Configuration Register)
A register that can not be deleted or set, can only be cleaned on power-on or extended.
Its value results from a hash chain. Each new value stored is hashed with its value.
Becoming the new value.
All stored values are logged for validation.
The goal of a PCR is to act as a log validator.
TPM PCR banks
Groups of PCR registers per hashing function.
The BIOS can deactivate banks. The BIOS can only use banks for which it knows (implements) the hash functions.
Bank's allocation (24 PCR).
0-7: SRTM
8-15: OS measurements
16-23: DTRM
TPM authorization PCR
An authorization PCR is one in which the value is used to unlock a TPM secret.
e.g. a disk encryption key.
e.g. VPN endpoint authentication key.
It allows a system that boots as expected to access secrets without human intervention.
Example
Microsoft BitLocker
BitLocker encrypts the file system.
The secret key can be stored inside TPM.
The secret key can be automatically recovered upon a boot performed as expected.
It is recovered by the Microsoft boot loader.
Otherwise, the Windows OS will not launch.
Boot Modes
Secure boot
The boot is terminated if a PCR value does not match an expected value.
Authenticated boot (or trusted boot)
Values are stored in PCR registers along the boot.
These values can be checked a posteriori
The platform can end up in any arbitrary state.
MS Windows measured boot
Authenticated boot.
TPM records the chain of measurements of software components and configuration information through the initialization of the Windows operating system.
Previously the measurement chain stopped at the Windows Boot Manager component.
The measurements in the TPM did not help understand the starting state of Windows.
Measured information.
Software: kernel, early-launch anti-malware drivers, and boot drivers.
Configuration settings: malware signatures, Windows security features.
Remote attestation
Remote verification that a host booted properly
The boot process ran as expected
It does not mean the system is secure!
It relies on authenticated boots.
The TPM provides all PCR values of the last boot.
The TPM device signs this data set
PCR quote
Singed PCR report
Includes a nonce provided to ensure freshness
Last updated