What is it
The Trusted Platform Module (TPM) is a mechanism for securing cryptographic keys using a separate hardware module. This module can detect the state of the running system, and releases keys only if certain conditions are met (for example, that the machine has booted a known-good kernel image). It is an example of security by isolation, as it relies upon the separation between the platform module and the CPU to provide security in the case of an operating system compromise.
What it is not
It is not Secure Boot. Secure Boot relies on the BIOS verifying that the kernel it is booting is signed with a particular key. The TPM generally works after boot to ensure that the system remains in a known-good state. It is also, by design, not secure against a physical attacker, as the connection between the TPM and the CPU is not encrypted and is easy to manipulate.
Theory of operation
The TPM has two parts.
- A crypto processor which can perform cryptographic operations (signing, encrypting, decrypting, etc.) with unlocked keys on data handed to it by the kernel.
- A set of Platform Configuration Registers (PCRs), which keep track of the state of the system.
The PCRs are registers that are updated (from an initial state) only via a one-way function. They cannot be reset, nor set to any particular value, through any standard interface. As such, a PCR value can be used as a kind of "tamper-evident seal" showing that a system has correctly executed a series of checkpoints and so is running the desired system. The PCRs are initially extended by the BIOS, then (possibly) by the bootloader, and then (possibly) by the kernel.
As an example, consider the following boot sequence:
- The BIOS hashes the bootloader, and uses that hash to update a PCR value.
- The bootloader hashes the kernel, and uses that hash to update a PCR value.
- The kernel then asks the TPM to unlock the hard drive decryption key, which has been "sealed" to the two PCR values.
- As the PCR values match, the hard drive decryption key is unlocked and the kernel can then decrypt the hard drive and continue booting.
If the bootloader or kernel were compromised, the PCR values would not match and the TPM would refuse to hand the decryption key to the kernel. As the key is never stored outside the TPM, the compromised system has no way of decrypting the disk and so cannot continue to boot.
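The boot sequence above, modelled as an added example (not code from the original page or from any TPM vendor): PCRs that can only be extended through a one-way hash, and a disk key "sealed" to the expected PCR values. The TPM's internal seed, the sample bootloader and kernel images, and the HMAC-based wrapping are constructed stand-ins for real TPM key hierarchies and policy sessions.

```python
import hashlib
import hmac

DIGEST = hashlib.sha256
PCR_INIT = bytes(32)  # PCRs start zeroed at power-on

def pcr_extend(old, measurement):
    """The only way to change a PCR: new = H(old || H(measurement))."""
    return DIGEST(old + DIGEST(measurement).digest()).digest()

def measured_boot(bootloader, kernel):
    """BIOS extends PCR0 with the bootloader; bootloader extends PCR1 with the kernel."""
    return {
        0: pcr_extend(PCR_INIT, bootloader),
        1: pcr_extend(PCR_INIT, kernel),
    }

def policy_digest(pcrs):
    """Commitment to the selected PCR values (stand-in for a TPM PCR policy)."""
    return DIGEST(b"".join(pcrs[i] for i in sorted(pcrs))).digest()

def seal(key, expected_pcrs, tpm_secret):
    """Wrap the key under a value only the TPM can derive, bound to the PCR policy."""
    policy = policy_digest(expected_pcrs)
    wrap = hmac.new(tpm_secret, b"seal" + policy, DIGEST).digest()
    return {"policy": policy, "wrapped": bytes(a ^ b for a, b in zip(key, wrap))}

def unseal(blob, current_pcrs, tpm_secret):
    """Release the key only if the current PCRs satisfy the sealed policy."""
    if not hmac.compare_digest(blob["policy"], policy_digest(current_pcrs)):
        return None  # modified bootloader/kernel: PCRs differ, key stays inside
    # Deriving the wrap from the policy means editing blob["policy"] yields garbage
    wrap = hmac.new(tpm_secret, b"seal" + blob["policy"], DIGEST).digest()
    return bytes(a ^ b for a, b in zip(blob["wrapped"], wrap))

# Constructed sample images and secrets (hypothetical values)
BOOTLOADER = b"grub-image-v1"
KERNEL = b"vmlinuz-6.1"
TPM_SECRET = b"tpm-internal-seed"
DISK_KEY = hashlib.sha256(b"luks-master-key").digest()

def demo():
    """Returns (key released on a clean boot, key withheld after bootloader tampering)."""
    blob = seal(DISK_KEY, measured_boot(BOOTLOADER, KERNEL), TPM_SECRET)
    good = unseal(blob, measured_boot(BOOTLOADER, KERNEL), TPM_SECRET)
    evil = unseal(blob, measured_boot(BOOTLOADER + b"-patched", KERNEL), TPM_SECRET)
    return good == DISK_KEY, evil is None

if __name__ == "__main__":
    print(demo())
```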
Anti Evil Maid
Qubes comes with an Anti Evil Maid detector, which uses the TPM to seal a TOTP secret so that you can verify that the bootloader/kernel hasn't been modified. This has been automated by the Purism Librem Key, which is a Nitrokey with custom firmware to automate the process.