Collaborate Disseminate
I have followed this guide that enables me to lock my disk decryption key behind PCR 11, with support for the value changing when I update the kernel (I use ukify for this). What I’d like is to add the static PCR 7 value into the loop, and… Continue reading How to seal/unseal disk decryption key using TPM with PCR 7, signed PCR 11 and a PIN?
Documentation for the tpm2_nvdefine utility mentions using a policy to control access to NVRAM areas.
-L, –policy=FILE:
Specifies the policy digest file for policy based authorizations.
What do these policies look like? How are they enf… Continue reading What is in a TPM policy?
Let’s assume I have 3 computers, each with its embedded TPM. I also have a pair of asymmetric keys, which I created elsewhere. I want to store & import the same external private key I have created onto the TPM of each of the 3 computer… Continue reading Is it possible to store or import an external private key into a TPM?
I have researched a little bit about TPM, and the way I see it is that it stores the keys securely and erases them if it detects even the slightest hacking attempt.
What I have not found anywhere, though is how can I be sure that the TPM t… Continue reading How do I know my TPM is not tampered with before using it? [duplicate]
If we reboot an OS and want to sign something using TPM. And let’s say we want to secure the boot environment using pcr7 policy crypto key. Is it safe to use non-pcr policy key together with a pcr7 policy key?
More formally:
In the progra… Continue reading Is it safe to use a non-pcr key after verifying some pcr7 key is working find after os start on tpm2.0?
I have learned about attacks where the BitLocker master key can be sniffed on its way from the CPU to the TPM using a logic analyzer. However, in computer configurations without TPMs, this is obviously not possible. Furthermore, as I under… Continue reading Is BitLocker susceptible to any known attacks other than bruteforcing when used with a very strong passphrase and no TPM?
The TPM (Trusted Platform Module) has a feature called dynamic root-of-trust. If i understand correctly a measurement of the current system is taken (to enable attestation) by the CPU and transmitted to the TPM. To make sure that the measu… Continue reading Do microcontroller processors like Arm Cortex-M support the TPM’s Dynamic root of trust (similar to e.g. Intel TXT)?
This is a follow-up of these two questions about using the TPM to store application’s keys. While both have great answers, there is a specific aspect I am missing:
How safe are the keys inside the TPM against another (malicious) app trying… Continue reading How safe are my app’s keys inside the TPM against other apps trying to impersonate mine?
I am not very familiar with TPMs, but from what I can tell their main benefit for the user is to make the system as a whole more secure, if you take the appropriate measures, e.g. by checking the boot process or enabling password-less disk… Continue reading Use of TPM to encrypt data of my application in practice
My setup consists of a QEMU image with u-boot 2024.01 and 6.6 Linux kernel. As a TPM I’m using swtpm. For some reason, if I reboot the device the PCR register values are different in the initial boot than in the subsequent boots.
To elabor… Continue reading TPM PCR values change after the first reboot