I've known some stuff about trusted platform modules for over six or seven years. I understand their usage in (un)wrapping keys and storing information in NVRAM which may then be locked permanently or until the next power cycle. And though I understand how the platform configuration registers are updated (their current value and the input value are hashed together), I do not understand what good they do or how they can be used by the firmware or software to detect changes.

If the TPM is supposed to be a dumb (passive) chip, then shouldn't it be incapable of determining whether or not to deny access to the data it holds based on the PCRs' values? If the PCRs are used to compare two states, then how can the system software do this if it needs to know either past or future data that it would seem it cannot ever have access to? I am most familiar with the Integrity Measurement Architecture, so maybe you want to use that to explain this stuff to me.

Anders
Melab

1 Answer

Good question. To my knowledge, this is where most of the Trusted Computing confusion comes from.

Yes, it's important to understand that while the TPM collects measurements (PCRs) from DRTM (e.g. Tboot) or SRTM, it cannot take action on them. The value of those measurements can only be seen with the seal()/unseal()/quote() operations.

Imagine we booted within an environment we believe to be clean (e.g. a fresh install). SRTM/DRTM filled the measurements of the boot process within the TPM's PCRs. We can use the seal() operation to encrypt data using the values of those PCRs. Yes, the PCRs become the key (or part of the key). In other words, the signature of the running environment is the key to our data.

Now imagine we rebooted and want to get back this encrypted data. We need to use the unseal() operation, which will use the current PCRs to try to decrypt our data. If the environment is the same, no problem, we get our data back. If the environment changed, no luck. Keep in mind we cannot forge PCR values - only SRTM and DRTM can.

If you run this scenario while considering that the data we encrypted is actually a key used to encrypt our hard drive, you now understand how Trusted Computing (TPM) can prevent someone from accessing something without actually taking decisions - without actually being active (being dumb).

I suggest you read this answer.

northox
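The extend / seal / unseal flow from the answer above, as an added simulation (not code from the answer or from any TPM library). It is a toy model written for this page: real TPMs wrap the secret with a key held inside the chip under a PCR policy, whereas here the policy digest of the selected PCRs feeds an HMAC-derived key and a hash-based stream cipher, which is enough to show the mechanism. The PCR assignments (firmware in PCR 0, bootloader in PCR 4, kernel in PCR 8) and the measured strings are constructed sample values. The point to notice is that `unseal()` never judges whether the environment is "good"; it only checks that the current PCRs produce the same policy digest as the PCRs present at `seal()` time.

```python
import hashlib
import hmac
import os

DIGEST = hashlib.sha256
PCR_COUNT = 24


class SimulatedTPM:
    """Toy PCR bank: PCRs are zero at power-up and can only be extended, never set."""

    def __init__(self):
        self.power_cycle()

    def power_cycle(self):
        self.pcrs = [bytes(32)] * PCR_COUNT

    def extend(self, index, measurement):
        # PCR[i] = H(PCR[i] || H(measurement)). Order-dependent and one-way, so
        # neither the caller nor the TPM can steer a PCR to a chosen value.
        digest = DIGEST(measurement).digest()
        self.pcrs[index] = DIGEST(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def _policy_digest(self, indices):
        # Hash over the selected PCR values: the "signature of the environment".
        h = DIGEST()
        for i in indices:
            h.update(self.pcrs[i])
        return h.digest()

    @staticmethod
    def _keystream(key, nonce, length):
        # Toy stand-in for the TPM's symmetric wrapping (hash in counter mode).
        out = b""
        counter = 0
        while len(out) < length:
            out += DIGEST(key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def seal(self, indices, secret):
        policy = self._policy_digest(indices)
        nonce = os.urandom(16)
        key = hmac.new(policy, b"seal" + nonce, DIGEST).digest()
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(key, nonce, len(secret))))
        tag = hmac.new(key, nonce + ct, DIGEST).digest()
        return {"indices": tuple(indices), "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob):
        # Recompute the policy from the *current* PCRs; no stored "expected" state.
        policy = self._policy_digest(blob["indices"])
        key = hmac.new(policy, b"seal" + blob["nonce"], DIGEST).digest()
        expected = hmac.new(key, blob["nonce"] + blob["ct"], DIGEST).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            return None  # PCRs differ from seal time: the TPM simply refuses
        ks = self._keystream(key, blob["nonce"], len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def measured_boot(tpm, firmware, bootloader, kernel):
    """Constructed boot chain: each stage is measured into a PCR before it runs."""
    tpm.extend(0, firmware)
    tpm.extend(4, bootloader)
    tpm.extend(8, kernel)


def extend_order_matters():
    """Same measurements in a different order give a different PCR value."""
    a = SimulatedTPM()
    a.extend(0, b"x")
    a.extend(0, b"y")
    b = SimulatedTPM()
    b.extend(0, b"y")
    b.extend(0, b"x")
    return a.pcrs[0] != b.pcrs[0]


def demo():
    """Seal a disk key in a clean boot, then unseal after a clean and a tampered reboot."""
    tpm = SimulatedTPM()
    disk_key = os.urandom(32)  # constructed: the full-disk-encryption key
    clean = (b"fw v1", b"grub 2.06", b"vmlinuz-6.1")

    measured_boot(tpm, *clean)
    blob = tpm.seal([0, 4, 8], disk_key)

    tpm.power_cycle()
    measured_boot(tpm, *clean)
    same_env_ok = tpm.unseal(blob) == disk_key

    tpm.power_cycle()
    measured_boot(tpm, b"fw v1", b"grub 2.06 (tampered)", b"vmlinuz-6.1")
    tampered_env_refused = tpm.unseal(blob) is None

    return same_env_ok, tampered_env_refused


if __name__ == "__main__":
    print("clean reboot unseals, tampered reboot refused:", demo())
    print("extend is order-dependent:", extend_order_matters())
```

The sealed blob can sit on the unencrypted disk: without the exact PCR values it is just ciphertext, and the only way to reproduce those values is to boot the same measured chain again.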