Table of Contents

Trusted Platform Module

TPM vs TPM2

TPM 2.0 Platform Configuration Registers (PCR)

PC Client specification allocation example:

PCR Number Allocation Explanation1
0 BIOS This PCR obstensibly checks the PC BIOS (not including BIOS settings) has not been changed. A changed BIOS may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. booting from other devices)
1 Platform/Motherboard/BIOS configuration This PCR checks for any changes to BIOS configuration. Changed configurations may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. booting from an unapproved device)
2 Option ROMs This PCR checks any option ROMs (i.e. motherboard device code, for items such as Intel SATA/RAID controller code) have not been changed. Option ROMs are typically included in BIOS updates. Changed Option ROMs may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. insecure data transmission)
3 Option ROM configuration This PCR checks for any changes to Option ROM configuration. Changed configurations may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. degraded RAID configuration)
4 MBR (master boot record) This PCR ensures your hard disk Master Boot Record code has not been tampered with. Some viruses, trojans and rootkits will try to amend the MBR to ensure they (or their code) is loaded at system startup.
5 MBR configuration This PCR ensures that no partitions have been amended on your disks.
6 State transitions and wake events
7 Platform manufacturer specific measurements
8-15 Static operating system
16 Debug
23 Application support

(source: Arthur W., Challener D., Goldman K. (2015) Platform Configuration Registers. In: A Practical Guide to TPM 2.0. Apress, Berkeley, CA.)

Windows

PCR Number Allocation Explanation2
8 NTFS Boot Sector These PCRs ensure that the Operating System startup location & initialisation code (for Windows) has not been tampered with.3
9 NTFS Boot Block
10 Boot Manager This PCR ensures that the Operating System boot manager (i.e. which version of Windows or other O/S is selected to load) has not been tampered with.
11 BitLocker Access Control This is required to enable BitLocker to work.

Linux

unlock LUKS with TPM2

On Fedora:

dnf install clevis clevis-luks clevis-dracut clevis-udisks2 clevis-systemd
lsblk -f
cryptsetup luksDump /dev/disk/by-uuid/# trigger on every change but BIOS setting changes
clevis luks bind -d /dev/disk/by-uuid/… tpm2 '{"pcr_ids":"0,2,3,4,5,7"}'
# for the dracut unlocker
dracut -f

(source: Kowalski7cc)

if error with SHA1

If you get the following error:

clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"pcr_ids":"7"}'
 
Enter existing LUKS password: 
Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'.
Unable to perform encryption with PIN 'tpm2' and config '{"pcr_ids":"7"}'
Error adding new binding to /dev/nvme0n1p2

you can list PCRs with tpm2_pcrread

and bind with sha256 instead of sha1 like so:

clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"hash":"sha256","pcr_bank":"sha256","pcr_ids":"7"}'

LUKS on TPM

see LUKS


[1] source: Setting up BitLocker (techbobbins, 2017)
[2] source: Setting up BitLocker (techbobbins, 2017)
[3] Some viruses, trojans and rootkits will try to amend the NTFS Boot Sector to ensure they (or their code) is loaded at system startup.