TPM – How is the integrity of the system configuration guaranteed if the PCR hash is overwritten on each "Measurement"?

In the TPM architecture, we know that after a "Measurement" procedure is performed, it is followed by a "PCR Extend" procedure, in which the resulting system configuration metrics data (20 bytes) are appended to the val…

Posted in TPM

How to bind TPM2.0 AK to the "AK name" used in tpm2_makecredential, and how is trust established in AIK?

During remote attestation, a device sends the server the EK certificate, AK public, and AK name. By using tpm2_makecredential/tpm2_activatecredential, the attestation server can confirm that:

the EK is resident in the device TPM, and
the AK th…

Did Android remove Fingerprint/Passcode for WebAuthN and lower security to push Passkeys?

So, before this year, when you were using WebAuthN to create security keys on an up-to-date Android phone (Pixel 6 in my case), you had these options (iirc):
When creating a platform authenticator, you were offered Fingerprint/Passcode. Wh…

Why is my TPM bugged? If I enable checks on PCR 8,9,10, it ALWAYS asks for decryption password even if it shouldn’t [migrated]

I’ve also checked with systemd-analyze pcrs if PCRs are the same at every reboot, and they are.
Only at first reboot I don’t know why the only PCRs that change are 8,9,10 lol (I don’t know why)… but in next reboots they are always the sam…

Why do the TPM PCRs not consider a UEFI settings change? If someone resets CMOS, it’s undetected

In my laptop I’ve set up a BIOS password when I power on the laptop, and once I enter it the laptop starts my Linux distro and decrypts the disk without asking any other password. To do this I’ve set up TPM to automatically decrypt the di…