50

I am trying to find out how the TPM performs an integrity measurement on a system. It is well-documented in the TPM specification how it seals the data it has measured in the PCRs and how it is updated. But that which I can't find explained is how the TPM actually performs the integrity measurements that it is sealing in the first place. To know if the system is in a given state or not it has to measure it, but how does it do that? And what is it that it actually measures? Most papers seem to gloss over this, and I get the feeling that ready-for-storage-in-PCR-data just appears out of the blue.

northox
  • 1,413
  • 16
  • 26
user1049697
  • 1,117
  • 2
  • 10
  • 15

3 Answers3

53

There's basically two way of doing this;

  1. SRTM (Static Root of Trust for Measurements) and
  2. DRTM (Dynamic Root of Trust for Measurements).

SRTM takes place at system boot. The first thing getting executed at boot is called the Core Root of Trust for Measurements (CRTM) aka the BIOS boot block will measure the BIOS and send the value (hash) to the TPM in a location called Platform Configurations Register (PCR) 0 before executing it. Then the BIOS measure the next thing in the boot chain and again, will store the value in a PCR of the TPM. This process is executed for each components in the boot sequence (PCI option ROM, boot loader, etc).

TrustedGrub is a TPM aware boot loader that will send the proper measurements to the TPM. It is use to continue the chain of measurements (SRTM) from the BIOS up to the Kernel.

DRTM is very different as it's something happening while the system is running. Intel’s implementation is called Trusted Execution Technology (TXT) while AMD use the name Secure Virtual Machine (SVM). The goal of DRTM is to create a trusted environment from an untrusted state. Technically, it creates a secure/clean state and will report (provide measurement – hashes in PCRs) on a piece of code someone wants to execute (aka Measured Launched Environment - MLE). Typically, the MLE is an Operating System (kernel, userspace, etc).

Without going into details, Intel's DRTM works by calling a set of new CPU instructions (SMX) which tells the CPU and the chipset to perform a very specific set of tasks (GETSEC) which ensure nothing else than a special code can run, i.e. SINIT Authenticated Code Module (ACM). This part includes disabling all but one CPU and blocking/stopping everything currently running: all other processes, interrupts and I/O (via IOMMU, e.g. to avoid DMA attacks). Then, all CPU rejoin in a clean state - anything executed before is discarded. At this point the signature of this special code (SINIT ACM) gets validated and its identity (hash measurement) is sent to the TPM in the PCR 17. Afterwards, execution is passed to the ACM which then measure the MLE and sends the measurement to the TPM in the PCR 18. Finally, execution is passed to the MLE.

Tboot is a tool created by Intel to do just that (DRTM) and an alternative to TrustedGrub (SRTM).


Here's an example of what PCRs values looks like with SRTM (TPM aware BIOS) but without a TPM aware boot loader (e.g. TrustedGrub) and without DRTM (e.g. Tboot):

# cat /sys/devices/pnp0/00:09/pcrs 
PCR-00: A8 5A 84 B7 38 FC C0 CF 3A 44 7A 5A A7 03 83 0B BE E7 BD D9 
PCR-01: 11 40 C1 7D 0D 25 51 9E 28 53 A5 22 B7 1F 12 24 47 91 15 CB 
PCR-02: A3 82 9A 64 61 85 2C C1 43 ED 75 83 48 35 90 4F 07 A9 D5 2C 
PCR-03: B2 A8 3B 0E BF 2F 83 78 29 9A 5B 2B DF C3 1E A9 55 AD 72 36 
PCR-04: 78 93 CF 58 0E E1 A3 8F DA 6F E0 3B C9 53 76 28 12 93 EF 82 
PCR-05: 72 A7 A9 6C 96 39 38 52 D5 9B D9 12 39 75 86 44 3E 20 10 2F 
PCR-06: 92 20 EB AC 21 CE BA 8A C0 AB 92 0E D0 27 E4 F8 91 C9 03 EE 
PCR-07: B2 A8 3B 04 BF 2F 83 74 29 9A 5B 4B DF C3 1E A9 55 AD 72 36 
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

As you can see, PCR 0-7 are filled but from PCR 8 to 15 it's empty - they are still reset to 0. Since DRTM hasn't been used, PCRs 17-22 are filled with 1s (f).


The security of those mechanisms relies on the fact that PCRs values cannot be set (or forged) but only extended (TPM_Extend()). This means whenever a measurement is sent to a TPM, the hash of the concatenation of the current value of a PCR and the new measurement is stored (i.e. new_value = Hash(old_value || new_measurement)). Obviously, there's a beginning to all of this:

  • With SRTM, only the CRTM can reset PCRs 0 to 15 at boot
  • With DRTM, only the TXT instructions can reset PCRs 17 to 20 (when in locality 4 (SMX operations)). See this answer, this presentation or the specs for the details.

It's important to understand that while the TPM collects those measurements, it does not take action on them-actually, it can't. The value of those measurements can only be seen with the seal()/unseal()/quote() operations: Now that we have measurements in the TPM's PCRs, we can use the unseal() operation to reveal a secret which is only accessible if the correct PCRs values are in the TPM-they are used as encryption keys. This basically means that a secret can only be accessed if the proper environment was loaded via SRTM (BIOS, bootloader, kernel, etc) or DRTM (SINIT and MLE (kernel, etc)). See this answer for more info.

For more info, I suggest you read this 101 and then this document.

MTCoster
  • 133
  • 7
northox
  • 1,413
  • 16
  • 26
  • 3
    What prevents the CRTM in the BIOS boot block being modified so that it sends the expected hash to the TPM, without actually being in a clean state? Is the CRTM read-only enforced by hardware, or signed by a key that the CPU automatically checks, similar to BootGuard? – forest Nov 27 '17 at 08:59
  • Pretty much. You should make this a seperate question. – northox Dec 02 '17 at 23:57
  • @northox Intel TXT uses both SRTM and DRTM. From Intel's [white paper](https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/trusted-execution-technology-security-paper.pdf): "...it is essential to bring into the TCB some parts of the early BIOS that initialize the system fabric and the runtime BIOS components ... Consequently, because a pure D-RTM implementation excludes these items, a true D-RTM implementation with its smaller TCB falls short.To create a more suitable implementation for servers, Intel TXT takes key features from both approaches" – wmjdgla May 21 '20 at 19:27
8

The most direct answer to your question is that the TPM doesn't do the measurements. The measurements and PCR values are completely proprietary to the platform in which the TPM is installed.

The other answers are great at describing this process for some well established systems, but in short, the TPM just stores/updates 160-bit SHA hashes and seals keys against those hashes. It's blind to what they mean, as far as I know.

Here is a great presentation on this stuff: http://opensecuritytraining.info/IntroToTrustedComputing.html

Get the slides there and see the first few slides in Day2-1-auth-and-att.pdf.

Wilbur Whateley
  • 598
  • 7
  • 12
7

The TPM main specification is meant to be platform-independent. That is why no details about what is actually measured during startup are contained, because obviously the components differ from platform to platform. If you are interested in what is measured during the boot of a PC, you should take a look at section 1.3 (Overview of Measurement Process) of the TCG PC Client Specific Implementation Specification for Conventional BIOS.

Details on how the measurements are processed and stored in the PCRs can be found in the TPM Main Specification. Part 1, section 4.4 (Platform Configuration Register (PCR)) might be a good place to start.

I would also recommend taking a look at the TCG Architecture Overview to get the big picture, this is not directly related to your question, however.

rosso
  • 161
  • 1
  • 2