6

Assume that the file partition where the PC operating system and user data reside are sealed by a number of PCRs (Platform Configuration Registers) dedicated to BIOS measurements. What happens during the boot process if the BIOS is infected by a root kit?

Bootstrapping Trust with a TPM:
When the machine is powered on, the root of trust for measurement automatically measures the BIOS, and extends a PCR register inside the TPM with that measurement. Then, control is transferred to the BIOS. The BIOS next measures the boot loader before transferring control to it. This process continues with the loading of the OS kernel. The kernel then measures all code that is loads for execution before transferring control to it.

This means, the first attestation of BIOS (computed hash is not the same as before, because the BIOS is infected by a root kit) will fail. Therefore the control is not transferred to the boot loader and the operating system will not start?

Polynomial
  • 132,208
  • 43
  • 298
  • 379
niklr
  • 581
  • 1
  • 4
  • 11
  • That's the general idea, that way the whole boot chain can be verified. There are a couple of issues with how that first command is run in a traditional bootstrap, the BIOS tends to have two layers the first asks the TPM chip to check the second there is a cross check in there somewhere that checks the first that initially ran it. – ewanm89 Aug 24 '12 at 14:46

1 Answers1

5

The TPM doesn't stop the boot. The boot will still continue, but the PCRs will have a different value in them than they used to (since now the BIOS is different than it was before). As a result, the system will be unable to unseal the sealed data. Of course, if the bootloader or kernel is unable to unseal the sealed partition, depending on how it is written, it may or may not be able to continue execution without access to the sealed data.

Background: When you seal data, the data gets encrypted under a key associated with a particular state of the TPM. Subsequently, you can only unseal the data if the TPM is in the same state. When I say "state", I mean the state of the PCRs.

Example: Suppose you encrypt your drive using BitLocker. BitLocker seals the data on your hard drive, associated with a particular state of the TPM (i.e., associated with a particular BIOS, bootloader, and kernel). Now suppose you later change your BIOS. Then the state of the TPM after boot will be different. BitLocker will no longer be able to unseal the data, and you won't be able to access the data on your hard drive any longer. You'll need to use BitLocker's recovery key to access your data. If you've forgotten your recovery key... well, sucks to be you.

Further information:

  • The Trusted Platform Module (TPM) and Sealed Storage. Bryan Parno, 2007.

  • Understanding and Configuring BitLocker with TPM, Microsoft Certified Professional Magazine, 2008. (See especially the section on "BitLocker Recovery Password".)

  • Anti Evil Maid, Joanna Rutkowska, 2011. (See especially the first few paragraphs, where she explains that the TPM cannot prevent modifications to the BIOS; it can merely retrospectively detect that there was a modification. At that point, it will refuse to allow the modified software to access sealed data that was sealed by the previous software.)

D.W.
  • 98,420
  • 30
  • 267
  • 572