Starter for someone who is not familiar with BitLocker, part II

Last time I gave a layman's overview of BitLocker and stopped at the point of why we need a TPM device and what it does.

Basically a TPM device measures the integrity of the boot components. It's like this: I trust A completely, and I ask A to measure B, then B measures C, and C measures D. The way we do it is that we trust A fully. A goes and measures B and adds the measured entity into a PCR, which is nothing but a register containing the hash value of the data measured by A. Then B goes ahead and measures C and writes the hash value of the measured data into another PCR. Now C goes ahead and measures D and writes the hash value of the measured data into another PCR. Finally we check that all the PCRs match the original measured values, and if they match we release the secret to the requestor. In case malicious code tries to modify the MBR or BIOS, it will produce a different hash value in the PCR and thus a validation failure at the end.

A measurement is stored by extending a particular PCR. The extend operation works like this:

PCR = SHA-1(PCR + measurement), where + means concatenation. There are 16 PCRs in the TPM, but we use up to PCR 11, and PCR 11 is the one which releases the secret if everything matches.

When we boot the OS, the core root of trust for measurement measures the BIOS, the code in the BIOS measures the MBR, and the code in the MBR measures the NTFS boot sector and then the rest of the boot sector code, which is close to the first 10 sectors. Once we load bootmgr, that also gets measured, and then bootmgr goes to PCR 11 and asks for the secret, which is nothing but the VMK (in the case of TPM-only mode). This VMK then goes to the FVE metadata and validates itself. After the VMK's validation it decrypts the FVE key in the FVE metadata, and that key decrypts the complete OS partition.
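As an added example that is not part of this post, here is the extend rule from the previous section and the boot chain just described simulated in Python. The boot component strings, the VMK placeholder and the PCR indices are constructed stand-ins (the indices are illustrative, not BitLocker's real per-stage assignments); the point is to see the secret released on a clean chain and withheld when one stage changes.

```python
import hashlib
import hmac

NUM_PCRS = 16  # the post's count of PCRs in the TPM
PCR_SIZE = 20  # SHA-1 digest length; every PCR starts as 20 zero bytes at power-on

# Constructed stand-ins for the boot components the post walks through, each paired
# with the PCR index it is measured into. The indices are illustrative choices, not
# a claim about which PCR BitLocker really uses for each stage.
BOOT_CHAIN = [
    (0, b"BIOS firmware (constructed)"),
    (4, b"MBR code (constructed)"),
    (8, b"NTFS boot sector (constructed)"),
    (10, b"bootmgr (constructed)"),
]

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """The post's extend rule, PCR = SHA-1(PCR || measurement), where the
    measurement is the SHA-1 of the component being measured."""
    return hashlib.sha1(pcr + measurement).digest()

def measured_boot(chain) -> list:
    """Run the chain: each component is hashed and extended into its PCR."""
    pcrs = [bytes(PCR_SIZE)] * NUM_PCRS
    for index, component in chain:
        pcrs[index] = extend(pcrs[index], hashlib.sha1(component).digest())
    return pcrs

def seal(pcrs, indices) -> dict:
    """Record the PCR values a secret is bound to (stored when BitLocker is enabled)."""
    return {i: pcrs[i] for i in indices}

def unseal(policy, chain, secret):
    """Model of the TPM at the end of boot: re-measure the chain and release the
    secret only if every PCR in the policy matches its sealed value."""
    pcrs = measured_boot(chain)
    for index, expected in policy.items():
        if not hmac.compare_digest(expected, pcrs[index]):  # constant-time compare
            return None
    return secret

if __name__ == "__main__":
    VMK = b"constructed VMK placeholder"
    policy = seal(measured_boot(BOOT_CHAIN), [0, 4, 8, 10])
    print("clean boot releases VMK:", unseal(policy, BOOT_CHAIN, VMK) == VMK)
    # One changed byte in the MBR changes PCR 4, so the TPM keeps the VMK.
    tampered = [(i, c + b" (modified)" if i == 4 else c) for i, c in BOOT_CHAIN]
    print("tampered MBR releases VMK:", unseal(policy, tampered, VMK) is not None)
```

Sealing to `[0]` only lets the modified MBR through, because PCR 4 is then not part of the policy; that is why the set of PCRs the secret is bound to matters as much as the hashing itself.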

So in simple terms, the TPM is nothing but a device to store secrets and release them when it validates the trust.

Gaurav Anand

This posting is provided "AS IS" with no warranties, and confers no rights.