====== Trusted Platform Module ======

===== TPM vs TPM2 =====

===== TPM 2.0 Platform Configuration Registers (PCR) =====

PC Client specification allocation example:

^ PCR Number ^ Allocation ^ Explanation[(source: [[https://sites.google.com/site/techbobbins/home/articles/setting-up-bitlocker/bitlocker-plus|Setting up BitLocker]] (techbobbins, 2017) )] |
| 0 | BIOS | This PCR obstensibly checks the PC BIOS (not including BIOS settings) has not been changed.  A changed BIOS may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. booting from other devices) |
| 1 | Platform/Motherboard/BIOS configuration | This PCR checks for any changes to BIOS configuration.  Changed configurations may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. booting from an unapproved device) |
| 2 | Option ROMs | This PCR checks any option ROMs (i.e. motherboard device code, for items such as Intel SATA/RAID controller code) have not been changed.  Option ROMs are typically included in BIOS updates.  Changed Option ROMs may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. insecure data transmission) |
| 3 | Option ROM configuration | This PCR checks for any changes to Option ROM configuration.  Changed configurations may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. degraded RAID configuration) |
| 4 | MBR (master boot record) | This PCR ensures your hard disk Master Boot Record code has not been tampered with.  Some viruses, trojans and rootkits will try to amend the MBR to ensure they (or their code) is loaded at system startup. |
| 5 | MBR configuration | This PCR ensures that no partitions have been amended on your disks. |
| 6 | State transitions and wake events | |
| 7 | Platform manufacturer specific measurements | |
| 8-15 | Static operating system | |
| 16 | Debug | |
| 23 | Application support | |

(source: [[https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12|Arthur W., Challener D., Goldman K. (2015) Platform Configuration Registers. In: A Practical Guide to TPM 2.0. Apress, Berkeley, CA.]])

===== Windows =====

^ PCR Number ^ Allocation ^ Explanation[(source: [[https://sites.google.com/site/techbobbins/home/articles/setting-up-bitlocker/bitlocker-plus|Setting up BitLocker]] (techbobbins, 2017) )] |
| 8 | NTFS Boot Sector | These PCRs ensure that the Operating System startup location & initialisation code (for Windows) has not been tampered with.[(Some viruses, trojans and rootkits will try to amend the NTFS Boot Sector to ensure they (or their code) is loaded at system startup.)] |
| 9 | NTFS Boot Block | ::: |
| 10 | Boot Manager | This PCR ensures that the Operating System boot manager (i.e. which version of Windows or other O/S is selected to load) has not been tampered with. |
| 11 | BitLocker Access Control | This is required to enable BitLocker to work. |

===== Linux =====
  * [[https://github.com/latchset/clevis/|clevis]] – a plugable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes.
==== unlock LUKS with TPM2 ====
On Fedora:

<code bash>
dnf install clevis clevis-luks clevis-dracut clevis-udisks2 clevis-systemd
lsblk -f
cryptsetup luksDump /dev/disk/by-uuid/…
# trigger on every change but BIOS setting changes
clevis luks bind -d /dev/disk/by-uuid/… tpm2 '{"pcr_ids":"0,2,3,4,5,7"}'
# for the dracut unlocker
dracut -f
</code>

(source: [[https://kowalski7cc.xyz/blog/luks2-tpm2-clevis-fedora31|Kowalski7cc]])

=== if error with SHA1 ===

If you get the following error:

<code bash>
clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"pcr_ids":"7"}'

Enter existing LUKS password: 
Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'.
Unable to perform encryption with PIN 'tpm2' and config '{"pcr_ids":"7"}'
Error adding new binding to /dev/nvme0n1p2
</code>

you can list PCRs with ''tpm2_pcrread''

and bind with sha256 instead of sha1 like so:

<code bash>
clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"hash":"sha256","pcr_bank":"sha256","pcr_ids":"7"}'
</code>

==== LUKS on TPM ====
see [[:admin:linux:luks|LUKS]]