Trusted Platform Module
TPM vs TPM2
TPM 2.0 Platform Configuration Registers (PCR)
PC Client specification allocation example:
PCR Number | Allocation | Explanation1 |
---|---|---|
0 | BIOS | This PCR obstensibly checks the PC BIOS (not including BIOS settings) has not been changed. A changed BIOS may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. booting from other devices) |
1 | Platform/Motherboard/BIOS configuration | This PCR checks for any changes to BIOS configuration. Changed configurations may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. booting from an unapproved device) |
2 | Option ROMs | This PCR checks any option ROMs (i.e. motherboard device code, for items such as Intel SATA/RAID controller code) have not been changed. Option ROMs are typically included in BIOS updates. Changed Option ROMs may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. insecure data transmission) |
3 | Option ROM configuration | This PCR checks for any changes to Option ROM configuration. Changed configurations may be a result of altered system configuration (i.e. tampering) which may result in vulnerabilities (i.e. degraded RAID configuration) |
4 | MBR (master boot record) | This PCR ensures your hard disk Master Boot Record code has not been tampered with. Some viruses, trojans and rootkits will try to amend the MBR to ensure they (or their code) is loaded at system startup. |
5 | MBR configuration | This PCR ensures that no partitions have been amended on your disks. |
6 | State transitions and wake events | |
7 | Platform manufacturer specific measurements | |
8-15 | Static operating system | |
16 | Debug | |
23 | Application support |
Windows
PCR Number | Allocation | Explanation2 |
---|---|---|
8 | NTFS Boot Sector | These PCRs ensure that the Operating System startup location & initialisation code (for Windows) has not been tampered with.3 |
9 | NTFS Boot Block | |
10 | Boot Manager | This PCR ensures that the Operating System boot manager (i.e. which version of Windows or other O/S is selected to load) has not been tampered with. |
11 | BitLocker Access Control | This is required to enable BitLocker to work. |
Linux
- clevis – a plugable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes.
unlock LUKS with TPM2
On Fedora:
dnf install clevis clevis-luks clevis-dracut clevis-udisks2 clevis-systemd lsblk -f cryptsetup luksDump /dev/disk/by-uuid/… # trigger on every change but BIOS setting changes clevis luks bind -d /dev/disk/by-uuid/… tpm2 '{"pcr_ids":"0,2,3,4,5,7"}' # for the dracut unlocker dracut -f
(source: Kowalski7cc)
if error with SHA1
If you get the following error:
clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"pcr_ids":"7"}' Enter existing LUKS password: Unable to validate combination of PCR bank 'sha1' and PCR IDs '7'. Unable to perform encryption with PIN 'tpm2' and config '{"pcr_ids":"7"}' Error adding new binding to /dev/nvme0n1p2
you can list PCRs with tpm2_pcrread
and bind with sha256 instead of sha1 like so:
clevis luks bind -d /dev/nvme0n1p2 tpm2 '{"hash":"sha256","pcr_bank":"sha256","pcr_ids":"7"}'
LUKS on TPM
see LUKS
[1]
source: Setting up BitLocker (techbobbins, 2017)
[2]
source: Setting up BitLocker (techbobbins, 2017)
[3]
Some viruses, trojans and rootkits will try to amend the NTFS Boot Sector to ensure they (or their code) is loaded at system startup.