Chapter 6. Integrity Recording, Reporting, and Secure Boot

In this chapter, the TPM mechanisms for recording and reporting integrity measurements are described (also referred to as TCPA authenticated boot), together with the TPM mechanisms that can be used to implement the related process of secure boot. Integrity measurement is one of the most important features in a trusted computing platform. Furthermore, it is a distinguishing feature of a TP, because ordinary platforms do not possess such a capability. Integrity measurements provide evidence of platform behavior. The host platform uses integrity measurements to provide Protected Storage (to prevent disclosure of secrets unless the platform is in the correct state). Third parties use the integrity measurements to check that a target platform is in the correct state. A third party can believe integrity measurements because the platform signs them with a TPM identity (described in Chapter 5), which provides assurance that the measurements come from a TP. Social trust mechanisms, in the form of credentials (certificates) that state the proper values of measurements when a platform is behaving as expected, are required to check that the evidence describes a desirable platform state (this is discussed in Chapter 12). Integrity measurements can also be used to implement secure boot (checking that a boot process is proceeding as expected). A secure boot process compares the values of platform configuration registers (PCRs) against expected values stored in a data integrity register (DIR) and enters an exception-handling routine if the values do not match. This forces a platform to boot in a predetermined manner or not at all.

Chapter 2 provides a general description of performing integrity measurements (including the specific example of PCs), introducing platform configuration registers and the integrity challenge, response, and verification process. For the purposes of this chapter, recall that a TP (generally) has a Root-of-Trust-for-Measurement (RTM) engine and an arbitrary number of measurement agent engines. Before any software is executed, the RTM or current measurement agent makes measurements of that specific software, stores a log of the measurement in ordinary memory (for the purpose of creating history information, which is used in the mechanisms described in Chapter 12), and stores the result of the measurement in the TPM. The TPM uses special registers, called platform configuration registers (PCRs), to store the results. Multiple results can be incorporated into a single PCR without losing either the information content of the individual results or the order in which they were produced. A TP has several PCRs and uses those PCRs to record different aspects of the state of the TP. For clarity, this chapter is restricted to a description of a single generic PCR.
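The following is an added illustration, not code from the book, of how a single PCR accumulates an ordered sequence of measurements and how a secure-boot check against a DIR value works. It uses the TPM 1.x extend rule (the new PCR value is the SHA-1 digest of the old value concatenated with the new measurement digest); the boot chain, the log layout, and the helper names are constructed for the example.

```python
import hashlib

DIGEST_LEN = 20  # a TPM 1.x PCR holds one SHA-1 digest

def measure(software: bytes) -> bytes:
    """What the RTM or measurement agent records before running the software."""
    return hashlib.sha1(software).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: new = SHA-1(old || digest). The PCR is never simply overwritten,
    so every earlier result and its position in the sequence stay bound into the value."""
    assert len(pcr) == DIGEST_LEN and len(digest) == DIGEST_LEN
    return hashlib.sha1(pcr + digest).digest()

def replay_log(log) -> bytes:
    """Recompute the PCR from the ordinary-memory log of (name, digest) entries.
    A verifier does this to check that a reported log matches a signed PCR value."""
    pcr = bytes(DIGEST_LEN)  # PCR reset value at platform reset
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def secure_boot_check(pcr: bytes, dir_value: bytes) -> bool:
    """Secure boot: the PCR must equal the expected value held in the DIR,
    otherwise the platform enters its exception-handling routine."""
    return pcr == dir_value

# Constructed sample boot chain (hypothetical images, not real firmware).
BOOT_CHAIN = [("bios", b"bios image v1"),
              ("bootloader", b"loader v1"),
              ("kernel", b"kernel v1")]
LOG = [(name, measure(image)) for name, image in BOOT_CHAIN]
EXPECTED_DIR = replay_log(LOG)  # value the platform owner would store in the DIR

if __name__ == "__main__":
    print("boot ok:", secure_boot_check(replay_log(LOG), EXPECTED_DIR))
    reordered = [LOG[1], LOG[0], LOG[2]]
    print("same components, different order, boot ok:",
          secure_boot_check(replay_log(reordered), EXPECTED_DIR))
```

Replaying the log with the same components in a different order, or with one component swapped, yields a different PCR, which is why the check detects both substituted software and an altered boot sequence.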
