I've learned that a TPM can supposedly attest to the state of a computer's BIOS being good. It does this by asking the BIOS to send a hash of its current state.

So what stops a compromised BIOS from sending a precalculated hash of a good state (that it is not in)?

schroeder
Bob
  • I'm assuming you saw this? https://security.stackexchange.com/questions/39329/how-does-the-tpm-perform-integrity-measurements-on-a-system and this? https://security.stackexchange.com/questions/192180/with-tpm-how-are-the-initial-pcr-values-seeded-with-good-values?rq=1 and this? https://security.stackexchange.com/questions/231404/how-do-we-know-that-input-to-tpms-actually-comes-from-the-measured-code?rq=1 – schroeder Jul 25 '21 at 10:26
  • Thank you @schroeder for your prompt response. I have read the first link but couldn't make head nor tail of it, as it seems to be answering lots of questions simultaneously. The second link answers a different question. The third link is related, but addresses a human attacker injecting data into a bus to the TPM. What I'm referring to is a seemingly easy modification of an already compromised BIOS. Verifying the BIOS is in a good state is the purpose of the TPM, so it should surely be able to resist a compromised BIOS? – Bob Jul 25 '21 at 10:37
  • Also related: https://security.stackexchange.com/questions/107603/is-it-possible-to-determine-if-the-bios-has-been-modified-between-two-points-in and https://en.wikipedia.org/wiki/Trusted_Execution_Technology. From the above articles, it seems that the TPM takes a hash of the BIOS state, as opposed to the TPM asking the BIOS to send a hash of its current state. – mti2935 Jul 25 '21 at 11:23
  • Does this answer your question? [With TPM how are the initial PCR values seeded with 'good' values?](https://security.stackexchange.com/questions/192180/with-tpm-how-are-the-initial-pcr-values-seeded-with-good-values) – mentallurg Jul 25 '21 at 11:39
  • The second link is directly applicable to your question and includes a link to an authoritative document. – schroeder Jul 25 '21 at 12:52
  • @mentallurg No not quite. I believe that question is asking how the TPM determines what qualifies as a good state, whereas my question is how the TPM can be sure it's receiving accurate information. – Bob Jul 26 '21 at 12:40

1 Answer

The BIOS module stores the CRTM (Core Root of Trust for Measurements) and as per the TCG specification it should be immutable. The CRTM measures the integrity of the rest of the BIOS code. The CRTM ensures that the measurement taken is valid and then gives control to the rest of the BIOS code.

Integrity Measurement

This measurement also involves digital signature verification, and the public keys for verification are hardwired AFAIK (also known as the hardware root of trust). The BIOS code is generally digitally signed. So, if you modify the BIOS code, the signature verification will fail and the CRTM won't pass control to the rest of the BIOS code.

The link below will be helpful:

root-of-trust

saurabh
  • Thank you, this is interesting. So the CRTM is completely immutable then? – Bob Jul 26 '21 at 12:09
  • Completely immutable is not the word I'd use. It's immutable and generally uses a read-only storage area, e.g. NV-memory. – saurabh Jul 26 '21 at 12:38
  • Ok. So could any normal malware modify it or would you need special hardware tools or something? – Bob Jul 26 '21 at 12:42
  • OTP (one time programmable) NVM is used and AFAIK malware cannot modify it. Attacks on these NVMs require special equipment. – saurabh Jul 26 '21 at 13:00
  • @Bob: I'll note that if you have a BIOS password, then retrieving protected keys from the TPM (e.g., those used for whole disk encryption) won't be feasible without that password. A competent design will use cryptography in a way that precludes compromising this key via physical access (exceptions for brute forcing bad passwords, hardware intercepts/keyloggers, video cameras pointed at the keyboard, etc.). – Brian Jul 28 '21 at 15:30
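To make concrete the point in the answer and in mti2935's comment (the CRTM measures the code itself before running it, and a PCR can only be extended, never written), here is an added Python model that is not part of the original answer. The firmware stages are constructed sample bytes, and the CRTM, the PCR and the remote verifier are modelled as plain functions.

```python
import hashlib

# Constructed sample firmware stages (not real BIOS code), measured by the CRTM in order.
GOOD_BOOT = [("bios_main", b"POST; init memory; load bootloader"),
             ("option_rom", b"NIC option ROM v1")]
TAMPERED_BOOT = [("bios_main", b"POST; init memory; load bootloader; patch kernel"),  # modified
                 ("option_rom", b"NIC option ROM v1")]

PCR_RESET = bytes(32)  # a PCR is all-zero after hardware reset; software cannot write it directly


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """The only write operation a PCR offers: PCR <- SHA-256(PCR || digest).
    Extending is one-way, so no later extend can move the PCR back to an earlier value."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(stages) -> bytes:
    """Model of the CRTM: hash each stage's actual code and extend PCR0 before running it.
    The stage being measured never gets to choose the value that goes into the TPM."""
    pcr0 = PCR_RESET
    for _name, code in stages:
        pcr0 = pcr_extend(pcr0, hashlib.sha256(code).digest())
    return pcr0


def replay_good_digest(stages, good_stages) -> bytes:
    """A compromised stage, once it is running, feeds the TPM the digests of the *good*
    firmware. It cannot overwrite the measurement already recorded, only extend on top of it."""
    pcr0 = measured_boot(stages)
    for _name, code in good_stages:
        pcr0 = pcr_extend(pcr0, hashlib.sha256(code).digest())
    return pcr0


def attest(pcr0: bytes, golden: bytes) -> bool:
    """Remote verifier (or a key sealed to PCR0) compares the quoted value with the known-good one."""
    return pcr0 == golden


if __name__ == "__main__":
    golden = measured_boot(GOOD_BOOT)  # the value the verifier expects for an unmodified BIOS
    print("good boot matches golden:", attest(measured_boot(GOOD_BOOT), golden))
    print("tampered boot matches golden:", attest(measured_boot(TAMPERED_BOOT), golden))
    print("tampered boot replaying good digests matches golden:",
          attest(replay_good_digest(TAMPERED_BOOT, GOOD_BOOT), golden))
```

Only the first check succeeds: the tampered firmware is recorded before it runs, and any value it pushes afterwards lands on top of that record instead of replacing it.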