Tamper-proof BIOS password & settings storage with Trusted Platform Module?

Question

In the olden days, one could trivially bypass BIOS passwords on most PCs by removing the BIOS battery and clearing the CMOS.

My question is: On modern PCs equipped with a Trusted Platform Module (TPM), how tamper-resistant are BIOS passwords and BIOS settings generally? Maybe TPM design specifications mandate a certain level of resistance against removing BIOS passwords, obtaining BIOS passwords in plaintext, or changing the drive boot order?

(I'm assuming a business class HP/Dell laptop where TPM is advertised as a core feature, and that the attacker has physical access to the PC motherboard.)

Answer 1

The TCG Trusted Computing concept devices the BIOS into two parts. The initial BIOS is assumed to be secure and will initialize the TPM. This so-called CRTM will then measure the remaining BIOS components and log their values in the TPM. From the spec it appears that CMOS data is part of that measurement and is stored to PCR1. But since a changed BIOS password or other setting would invalidate things like Bitlocker, I don't think this register is actually used. Or the implementations don't actually measure this configuration space. Best try it out and see what happens. If it is measured, you can use a system like Bitlocker(or a linux initrd plus shellscript) to protect your OS data against a manipulated BIOS.

Note however that the TCG specification explicitly excludes hardware attacks. Also, the TPM is always dependent on the BIOS to correctly program and protect SMM and TXT, so you should always verify the BIOS measurements.

Note also that full disk encryption and protection of passwords against brute-force attacks are the only practical use-cases of a TPM today. Everything else is generally impractical due to the huge configuration space of the OS(infinite valid measurements..) or not as secure as one might think(SVM/TXT/VT, though they still present an advancement over the state-of-the-art).

Answer 2

--- this is comment, not an answer ---

http://www.intel.com/design/mobile/platform/downloads/Trusted_Platform_Module_White_Paper.pdf

BIOS Code The TCPA specifies the measurement of integrity of BIOS code at system startup. In order to accomplish such integrity measurement and reporting, the system BIOS has to be enhanced with integrity measurement functions.

Depending on the existing BIOS architecture, such enhancements can be a complex task.

Platform vendors may wish to provide various pre-boot security functions using the TPM. The necessary code to provide such functions is either implemented directly within the system BIOS or provided as an option ROM.

Whether or not any pre-boot functionality is provided on the platform, minimum changes have to be made to the BIOS code to ensure that the TPM is defined as a motherboard device within the ACPI descriptor tables. This enables the Operating System to identify the device, allocate resources to it, and load necessary device drivers.

...

TPM implementation on Notebook PCs

Mechanical Requirements

The TPM has to be permanently attached to the motherboard by soldering it down. This reinforces the fact that the TPM provides a 1:1 binding between itself and the platform that it is attached to. Due to this requirement it is a good idea to factor in the real estate required for the TPM at an early stage in the motherboard design and layout process. The TCPA also recommends the provision of a tamper detection mechanism that can provide tamper evidence. An example of a tamper detection mechanism is the use of tamper tape

Would you check your laptop motherboard for signs of damage to tamperproof tape every day?