Introducing trusted computing
The TPM is a cryptographic co-processor. The TPM on the CryptoCape is Atmel's embedded I2C version, which conforms to version 1.2 of the TPM spec published by the Trusted Computing Group (TCG). The TCG is an industry consortium that maintains and develops open specifications for trusted computing. Trusted in this sense is the definition from RFC 4949: a system that operates as expected, according to design and policy.
Cryptographically, TPM 1.2 is limited. It implements the RSA algorithm and SHA-1, has an internal random number generator, and offers some limited storage. It does not provide any symmetric ciphers. These limitations were a result of the design goal of a low-cost embeddable module. Symmetric ciphers were eliminated because, with the TPM, one can protect the symmetric keys at rest and allow the much more powerful host computer to operate on
The TPM 1.2 specification is, in total, over 700 pages. We will focus on a unique feature of the TPM that enables many of its security features: Platform Control Registers (PCRs).
PCRs are TPM registers that can always be read but may only be written to with the extend operation. The extend operation takes the current value of the 20 byte PCR, combines it with a 20 byte input value, and sets the new PCR value to the SHA-1 result of the combination. The key point is that once a PCR is set, it can't be reversed. It can only be combined further in future extend operations.
At first, it may not be obvious how this feature helps. Let's consider an example. On boot, your computer's BIOS, prior to loading the bootloader, first sends a SHA-1 hash of the bootloader to the TPM to extend one of the PCRs. It then loads the bootloader. The bootloader performs the same operation on your kernel. The kernel then performs the same operation on various startup systems before finally allowing normal user operation. At the end of this process, the PCRs will be populated with a series of hash values.
The values of these registers represent a trusted measurement of your system. Now, say malware has infected your computer and has modified the boot process. On the next boot, at least one of the PCRs will have a drastically different value than previously recorded. PCRs thus enable measurements of the boot process, and those measurements are what allow assertions to be made about it.
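The extend operation and the measured boot chain described above, as an added example in Python that is not code from the book or from the CryptoCape project. It models the TPM 1.2 PCR (20-byte, SHA-1) in software; the boot-stage images, their names and the all-zero power-on PCR value are constructed assumptions for illustration.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest (20 bytes)


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || 20-byte measurement)."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must both be 20 bytes")
    return hashlib.sha1(pcr + measurement).digest()


def measure(image: bytes) -> bytes:
    """What a boot stage sends to the TPM: the SHA-1 of the next stage's image."""
    return hashlib.sha1(image).digest()


def measured_boot(stages):
    """Extend one PCR with every boot stage in order, starting from the
    all-zero power-on value (assumed here). Returns the final PCR value
    and an event log of (stage name, measurement hex)."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in stages:
        m = measure(image)
        pcr = pcr_extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log


def replay_log(log):
    """Recompute the expected PCR from an event log, as a remote verifier
    would before trusting a reported PCR value."""
    pcr = bytes(PCR_SIZE)
    for _name, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr


# Constructed sample boot chains; real stages would be the actual binaries.
GOOD_CHAIN = [
    ("bootloader", b"u-boot image (constructed)"),
    ("kernel", b"vmlinuz (constructed)"),
    ("initramfs", b"initramfs (constructed)"),
]
TAMPERED_CHAIN = [
    ("bootloader", b"u-boot image (constructed) with a malicious patch"),
    ("kernel", b"vmlinuz (constructed)"),
    ("initramfs", b"initramfs (constructed)"),
]

if __name__ == "__main__":
    good_pcr, good_log = measured_boot(GOOD_CHAIN)
    bad_pcr, _ = measured_boot(TAMPERED_CHAIN)
    print("golden PCR  :", good_pcr.hex())
    print("tampered PCR:", bad_pcr.hex())
    print("log replays :", replay_log(good_log) == good_pcr)
```

Because every later stage is folded into the same register, a change in the bootloader alone changes the final value even though the kernel and initramfs measurements are identical.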
There are several terms relating to the TPM-protected boot process. Secure boot will halt the boot process if the PCR values do not match a known configuration. Authenticated boot simply measures the boot process and allows remote parties to make assertions on the