I’m a little unclear on this (marked strong):
"The public key authentication functions provide for on-chip key pair generation using a hardware random number generator, along with public key signature, verification, encryption, and decryption. By generating the private keys in the chip, and encrypting them anytime they are transferred outside the chip, the TPM guarantees that malicious software cannot access the keys at all. Even the owner of the keys cannot give the private keys away to phishing or pharming attacks, as the keys are never visible outside the chip unencrypted. Malicious code could use the private keys on the TPM, so some way needs to be provided to ensure that malicious code cannot use the keys either."
"The integrity measurement functions provide the capability to protect private keys from access by malicious code. In a trusted boot, the chip stores in the Platform Configuration Registers (PCRs) hashes of configuration information throughout the boot sequence. Once booted, data (such as private keys) can be “sealed” under a PCR. The sealed data can be unsealed only if the PCR has the same value as at the time of sealing. Thus, if an attempt is made to boot an alternative system, or a virus has “backdoored” the operating system, the PCR value will not match and the unseal will fail, thus protecting the data from access by the malicious code."
"The attestation functions keep a list of all the software measurements committed to the PCRs, and can then sign them with a private key known only by the TPM. Thus, a trusted client can prove to a third party that its software has or has not been compromised."
Please, a small example for each would be appreciated. Thanks.
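The PCR and sealing behaviour described in the second quoted paragraph, as an added example that is not part of the original post. `ToyTPM` is a hypothetical software model, not a real TPM API: its HMAC keystream stands in for the encryption a real chip performs internally, and the boot components are constructed sample values.

```python
import hashlib, hmac, os
class ToyTPM:
    """Software model of one SHA-256 PCR with seal/unseal (hypothetical, not a real TPM API)."""
    def __init__(self):
        self._enc_key, self._mac_key = os.urandom(32), os.urandom(32)  # never leave the "chip"
        self.pcr = bytes(32)  # PCRs start at all zeros on power-on

    def extend(self, component: bytes) -> None:
        # A PCR is never written directly: new = SHA256(old || SHA256(component)).
        measured = hashlib.sha256(component).digest()
        self.pcr = hashlib.sha256(self.pcr + measured).digest()

    def reboot(self, boot_chain) -> None:
        self.pcr = bytes(32)
        for component in boot_chain:
            self.extend(component)

    def _xor(self, nonce: bytes, pcr: bytes, data: bytes) -> bytes:
        # Toy HMAC keystream standing in for the chip's internal encryption.
        ks = b"".join(hmac.new(self._enc_key, nonce + pcr + bytes([i]), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))

    def _tag(self, nonce: bytes, pcr: bytes, ct: bytes) -> bytes:
        return hmac.new(self._mac_key, nonce + pcr + ct, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> dict:
        nonce = os.urandom(16)
        ct = self._xor(nonce, self.pcr, secret)
        return {"nonce": nonce, "pcr": self.pcr, "ct": ct, "tag": self._tag(nonce, self.pcr, ct)}

    def unseal(self, blob: dict) -> bytes:
        if not hmac.compare_digest(self._tag(blob["nonce"], blob["pcr"], blob["ct"]), blob["tag"]):
            raise ValueError("blob modified or sealed by a different TPM")
        if not hmac.compare_digest(self.pcr, blob["pcr"]):
            raise PermissionError("PCR mismatch: boot state differs from seal time")
        return self._xor(blob["nonce"], blob["pcr"], blob["ct"])

GOOD_BOOT = [b"firmware v1", b"bootloader v1", b"kernel v1"]             # constructed
BAD_BOOT = [b"firmware v1", b"bootloader v1", b"kernel v1 + backdoor"]   # constructed
def demo():
    tpm = ToyTPM()
    tpm.reboot(GOOD_BOOT)
    blob = tpm.seal(b"private-key-bytes")
    tpm.reboot(GOOD_BOOT)
    recovered = tpm.unseal(blob)       # same measurements, same PCR: unseal succeeds
    tpm.reboot(BAD_BOOT)
    try:
        tpm.unseal(blob)
        return recovered, False
    except PermissionError:
        return recovered, True         # changed kernel gives a different PCR: unseal refused
```

Because each extend hashes the previous PCR value, the final value depends on every component and on their order, so a change anywhere in the boot chain makes the unseal fail.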