Trusted Computing and the Enterprise Software Ecosystem: Part 3 (of 7)

Part 3: The Trusted Platform Module (TPM)

The TPM, as defined by TCG[7], is a multi-function hardware unit that addresses several problems in trusted computing. In simple terms, the TPM can be thought of as a cryptographic co-processor combined with a secure storage scheme for integrity measurements.

The cryptographic co-processor implements the SHA-1 hashing algorithm as defined by FIPS 180-1. Given a block of data (e.g., the boot loader image), it hashes the block with SHA-1 to produce a 160-bit value representing its digital signature or "measurement".

The results of a cryptographic measurement are stored in what is known as a Platform Configuration Register, or PCR. Each PCR is 160 bits in length and has the special property that a stored value can only be modified through what is known as an extend operation:

PCRnew = SHA-1(PCRold . value) (where "." represents the concatenate operation)

That is, a new PCR value always represents a hash of the previous PCR contents concatenated with a new 160-bit hash value. This "chaining" effect has two nice properties. First, an arbitrary number of hash values can be stored in a single, fixed-size register. Each hash value is part of the ordered hashing sequence needed to construct a final hash value that reflects all intermediate values. Thus, to confirm all the hash values in a sequence of measurements, you merely need to compare the final value. If the value doesn't match, then one or more of the intermediate values did not match what was expected. Second, a PCR cannot be compromised by simply overwriting it. Instead, the process of constructing a PCR value requires a precise sequence of intermediate hash operations, something that is difficult to reconstruct because SHA-1 is one-way: an attacker cannot choose an input to extend with that lands the register on an arbitrary target value.
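The extend operation and the two properties described above (a whole ordered sequence of measurements verified by comparing one final value, and no way to set a PCR directly) can be modelled in a few lines. The following is an added example written for this article, not TCG code or a real TPM interface; it uses Python's standard `hashlib` and a simplified model in which a PCR starts as 20 zero bytes. The boot component images are constructed stand-ins.

```python
import hashlib

# Simplified model (assumption): a PCR starts as a 160-bit all-zero value.
PCR_INIT = bytes(20)


def measure(data: bytes) -> bytes:
    """SHA-1 digest of a block of data (e.g. a boot loader image): the 'measurement'."""
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCRnew = SHA-1(PCRold . measurement), '.' being concatenation.

    This is the only way a PCR value changes in the model; there is no 'write'.
    """
    if len(pcr) != 20 or len(measurement) != 20:
        raise ValueError("PCR and measurement must both be 160-bit (20-byte) values")
    return hashlib.sha1(pcr + measurement).digest()


def replay(measurements) -> bytes:
    """Recompute the final PCR value from an ordered list of measurements (an event log)."""
    pcr = PCR_INIT
    for m in measurements:
        pcr = extend(pcr, m)
    return pcr


def verify_sequence(reported_pcr: bytes, expected_measurements) -> bool:
    """A verifier only needs the final value: replay the expected log and compare."""
    return replay(expected_measurements) == reported_pcr


# Constructed sample boot components, in the order they would be measured.
BOOT_COMPONENTS = [
    b"firmware image (constructed sample)",
    b"boot loader image (constructed sample)",
    b"kernel image (constructed sample)",
]


def demo() -> dict:
    """Exercise the chaining properties and return the observations for checking."""
    golden_log = [measure(c) for c in BOOT_COMPONENTS]
    golden_pcr = replay(golden_log)

    # A platform that booted exactly the expected components reports the golden value.
    matches = verify_sequence(golden_pcr, golden_log)

    # Tamper with the middle component: the final value no longer matches, even though
    # the first and last measurements are unchanged.
    tampered = list(BOOT_COMPONENTS)
    tampered[1] = b"boot loader image (modified)"
    tamper_detected = not verify_sequence(replay([measure(c) for c in tampered]), golden_log)

    # Swap the order of two components: same set of measurements, different final value.
    reordered = [BOOT_COMPONENTS[1], BOOT_COMPONENTS[0], BOOT_COMPONENTS[2]]
    order_matters = replay([measure(c) for c in reordered]) != golden_pcr

    # Extending with a chosen value does not place that value in the register: the
    # register always holds a hash of (old contents . input), never the input itself.
    chosen = measure(b"value an attacker would like the PCR to hold")
    cannot_overwrite = extend(golden_pcr, chosen) != chosen

    return {
        "golden_pcr_hex": golden_pcr.hex(),
        "matches_golden": matches,
        "tamper_detected": tamper_detected,
        "order_matters": order_matters,
        "cannot_overwrite": cannot_overwrite,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`replay` is what a remote verifier does with a measurement log: it never trusts the individual log entries, only that their ordered extension reproduces the PCR value the TPM reports. Any altered, missing or reordered entry changes the final hash.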

Note that the TPM operates as an independent module on the motherboard. As such, it is not subject to processor-based memory attacks. Furthermore, the TPM employs asymmetric cryptography (RSA) and holds a private key within the module that is known only to the TPM. Interactions with the TPM are thus highly robust against attack.

[7] TPM Main Specification,