Changes between Version 12 and Version 13 of tpm


Timestamp:
05/30/2024 04:41:55 PM (6 months ago)
Author:
Tim Harvey
Comment:

added more detail about PCR banks

  • tpm

    v12 v13  
    3636 - storage for up to 10x 2048-bit keys
    3737
     38Notes:
     39 - the ATTPM20P supports 1 active PCR bank at a time and defaults to SHA1 (see [#banks below] on how to switch banks)
     40
    3841
    3942[=#pcr]
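Review bot: the added "Notes:" line says the ATTPM20P runs one PCR bank at a time and defaults to SHA1, but it does not say what that means for data already sealed to PCR values; the two banks hold different digests, so a key sealed against the SHA1 bank will no longer unseal once SHA256 is the active bank, exactly the situation the later paragraph ("note the firmware hashes and thus PCR's will be different (which will keep the key inaccessible)") describes. Suggest appending "switching banks changes every PCR value, so re-seal keys after changing banks" to the note.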
     
    4649
    4750If the stored PCR values in the TPM do not match the currently booting system PCRs, access will not be granted. For example, someone trying to boot a Ubuntu Live CD would not be able to access the TPM key as the PCRs generated from the original disk and stored in the TPM will not match the newly generated PCRs from the boot CD. PCRs use hashing and thus any new value is concatenated with the old and then hashed. This new hash will replace the old hash. The definition of each specific PCR register can be found online.   
     51
     52
     53[=#banks]
     54== PCR Banks
     55The TCG "PC Client Platform Profile for TPM 2.0" specification lists two hash algorithms as mandatory to implement (SHA1 and SHA256) and it is permitted for a TPM to support fewer active banks than algorithms. The firmware chooses which ones to actually enable at boot time.
     56
     57In general, you can configure a TPM to have multiple PCR banks active. When TPM measurements are performed it should be done on all active PCR banks. Note the 'tpm pcrread' command shows available banks and PCR values for those banks that are active.
     58
     59Note that the ATTPM20P TPM allows 1 bank to be allocated at a time and defaults to SHA1 but you can switch it to SHA256.
     60
     61You can change active banks using the 'tpm pcrallocate' command from the tpm2-tools package in Linux:
     62{{{#!bash
     63# switch from SHA1 bank to SHA256
     64tpm2 pcrallocate sha1:none+sha256:all
     65tpm2 pcrread # notice the sha256 bank is active and sha1 is not
     66# switch from SHA256 bank to SHA1
     67tpm2 pcrallocate sha256:none+sha1:all
     68tpm2 pcrread # notice the sha1 bank is active and sha256 is not
     69}}}
    4870
    4971
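Review bot: the bash block runs `tpm2 pcrread` immediately after `tpm2 pcrallocate` and the comment claims the other bank is now active, but a PCR allocation change only takes effect after the next TPM reset (a reboot), so a read issued right away still reports the old allocation; add a reboot step between the two commands, or change the comment to "after a reboot, notice the sha256 bank is active". Also, the prose calls the commands 'tpm pcrread' and 'tpm pcrallocate' while the block uses `tpm2 pcrread` / `tpm2 pcrallocate`; use the tpm2 form consistently since that is the tpm2-tools name.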
     
    186208note the firmware hashes and thus PCR's will be different (which will keep the key inaccessible) if there are any changes to the hash values used to extend the PCR (meaning any changes to flash/memory areas you hash over)
    187209
     210Note that the above example uses the SHA1 PCR bank which is the default bank enabled on the ATTPM20P. You can switch to the SHA256 bank if desired (only one bank can be active at a time on the ATTMP20P) - see [#banks above]
    188211
    189212[=#linux]
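Review bot: "ATTMP20P" in the added note is a typo for ATTPM20P, the spelling used in the "Notes:" line at the top of the page and in the PCR Banks section; fix it so a search for the part name finds this sentence.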
     
    262285  sha256:
    263286}}}
     287  * the above shows that the sha1 bank is active and sha256 is supported but not active. You can switch to the SHA256 bank if desired (only one bank can be active at a time on the ATTMP20P) - see [#banks above]
    264288 - Clearing the TPM
    265289{{{#!bash
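Review bot: the same "ATTMP20P" typo (should be ATTPM20P) appears in the added bullet, and the bullet repeats the note added after the firmware-hash paragraph almost word for word; since both already link to [#banks], the bullet could be shortened to "the above shows the sha1 bank is active and sha256 is supported but not active; see [#banks]" so there is only one copy of the one-bank caveat to keep in sync.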