TPM PCRS Values

These are the steps for validating values that are in the Trusted Platform Module (TPM) Platform Configuration Registers (PCRS).

The TPM module can:

Generate cryptographic keys
Generate random numbers
Remote attestation – creates a nearly unforgeable hash key summary of the hardware and software configuration. The program hashing the configuration data determines the extent of the summary of the software. This allows a third party to verify that the software has not been changed.
Binding – encrypts data using TPM bind key, a unique RSA key descended from a storage key
Sealing – encrypts data in a similar manner to binding, but in addition specifies a state in which TPM must be in order for the data to be decrypted (unsealed)

^{For more information on the TPM:}^{TPM Wikipedia article}

The TPM also has special registers (called Platform Configuration Registers – PCRs) which hold various measurements in a shielded location in a manner that prevents spoofing. Measurements consist of a cryptographic hash using a Secure Hashing Algorithm (SHA); the TPM v1.0 specification uses the SHA-1 hashing algorithm. More recent TPM versions (v2.0+) call for SHA-2.

The PCRs that OpenXT looks at for the Measured launch are PCRs 0-3 and PCRs 17 - 19 these PCRs hold the information in the following list.

PCR0 – CRTM, BIOS code, and Host Platform Extensions
PCR1 – Host Platform Configuration
PCR2 – Option ROM Code
PCR3 – Option ROM Configuration and Data
PCR17 – DRTM and launch control policy
PCR18 – Trusted OS start-up code (MLE)
PCR19 – Trusted OS (for example OS configuration)

For more information on the PCRs: Trusted Execution use of PCRs Wikipedia article

Where are these values in OpenXT

These values can be found in a 3.x kernel based build in /sys/class/misc/tpm0/device/pcrs and in a 4.x kernel in /sys/class/tpm/tpm0/device/pcrs.

I you display the contents of the pcrs file you will get a grid of hex values in a format similar to this:

PCR-00: 88 D5 D8 5F 9A F6 A3 13 46 F6 B1 00 BE 73 76 F9 81 38 F4 7C

PCR-01: 72 DE 4D E4 EE 7D 75 03 07 D8 E0 DC C1 9C 42 B9 B4 BD A8 5C

PCR-02: B2 6E 23 89 08 9A 44 E3 47 1B 01 33 BD 16 54 68 D5 30 21 75

PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75

PCR-04: C4 88 7E 3B 3C 29 E0 72 7D 34 46 56 26 AC 5D 64 5B 53 47 94

PCR-05: DA 69 6B 3E C0 09 8A 73 B2 25 79 FF EB 70 E3 CB 79 CE 4B D5

PCR-06: 78 CD 77 59 86 6A 77 D0 31 03 C2 03 5B F7 DC 7E 61 DC 19 2E

PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75

PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-15: BE 21 1D 90 92 53 01 7B D7 0E D8 6A A2 05 04 8B 85 10 C7 B6

PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-17: 19 F0 41 EA 40 26 00 E0 22 E6 96 0A 1E 56 09 A6 AE 86 73 D2

PCR-18: D7 51 E8 5C 6D AC 4A 91 80 14 F2 9F 03 75 02 5D C9 A4 E4 F1

PCR-19: FB 9D DA 4D 0C D9 0B 3C 33 6F 59 DE B8 64 5E 82 15 A2 B5 27

PCR-20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Notice the values in row PCR 0-3 an PCR 17-19 are unique and should be consistent between reboots with no change to the computer configuration

Things that should trigger a reseal for a measured launch:

change to BIOS settings
Internal changes to hardware( add graphics card ...)
Changes to configuration files

Things that should not trigger a reseal for a measured launch:

External change to hardware( Plugin a USB drive)
Change of screen brightness
removing laptop from docking station
adding removing keyboard and mouse

Access to a command prompt can be gained in a number of ways:

medic, The install medic option will bring you to a command prompt
from the installer press <ctrl><alt> <F3>
Press <ctrl><shift>t

From a command prompt type more /sys/class/misc/tpm0/device/pcrs for a 3.x kernel device and

more /sys/class/tpm/tpm0/device/pcrs for a 4.x kernel device

TPM Wikipedia article

For more information on the TPM: TPM Wikipedia article

For more information on the PCRs: Trusted Execution use of PCRs Wikipedia article

Where are these values in OpenXT

^{For more information on the TPM:}^{TPM Wikipedia article}