Securing the Boot Process
Trusted Platform Module (TPM)
TPM is a standard that was developed by the Trusted Computing Group (TCG) to provide a specification for secure cryptoprocessors. The specification is published by the International Organization for Standardization (ISO) as ISO 11889. TPM 2.0 was published in 2019 and is the current standard. Microsoft provides an overview of TPM functionality in this article.
Here is Mr. Vanderpool again explaining the operation of TPMs:
Key Points:
- A TPM is a secure cryptoprocessor that complies with the ISO 11889 standard developed by the TCG
- TPMs implement multiple tamper-resistant measures
- TPMs can be used to generate and store cryptographic keys
- TPMs can generate hashes
- TPMs can generate true random numbers using analog noise measured from physical sensors
- The TPM 2.0 specification can be implemented on discrete hardware (dTPM), integrated in chipsets, virtualized by a hypervisor (vTPM), or embedded into firmware (fTPM)
- TPMs can be used to provide measured boot for a system by using a hash chain of hardware and firmware components to detect any changes to a system's configuration
- TPM 1.2 supported SHA-1, RSA, XOR, and very limited AES
- TPM 2.0 supports any hash algorithm with a fixed digest size, any asymmetric algorithm with a public/private portion, and any symmetric algorithm
- Windows Hello is a local login mechanism that pairs a simple hash of a PIN or biometric data with the TPM to allow local login
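The measured-boot hash chain from the key points above, as an added example (not code from the video or from any TPM vendor): each boot stage is hashed and the digest is folded into a simulated Platform Configuration Register with the TPM extend rule, new PCR = H(old PCR || digest). The stage names and images are constructed for this example; a real firmware would measure the actual binaries and the TPM would hold the register.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 digest length; the register starts all-zero at reset


def measure(component: bytes) -> bytes:
    """Digest the firmware would record for one boot-stage image."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: the register can only be updated by hashing the old value
    together with the new digest, never written directly, so every earlier
    measurement stays bound into the final value."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components: list[bytes]) -> bytes:
    """Simulate one boot: extend the register once per stage, in boot order."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend(pcr, measure(component))
    return pcr


def verify(expected_pcr: bytes, components: list[bytes]) -> bool:
    """Compare a recorded 'golden' PCR against a fresh boot; constant-time compare."""
    return hmac.compare_digest(expected_pcr, measured_boot(components))


# Constructed sample boot stages (stand-ins for real firmware, bootloader and kernel images)
FIRMWARE = b"firmware-v1"
BOOTLOADER = b"bootloader-v1"
KERNEL = b"kernel-v1"
GOLDEN = measured_boot([FIRMWARE, BOOTLOADER, KERNEL])

if __name__ == "__main__":
    print("golden PCR:", GOLDEN.hex())
    # An untouched boot reproduces the golden value
    print("unmodified boot matches:", verify(GOLDEN, [FIRMWARE, BOOTLOADER, KERNEL]))
    # Any single changed stage changes the final register value
    print("modified bootloader matches:", verify(GOLDEN, [FIRMWARE, b"bootloader-v2", KERNEL]))
    # The chain is order-sensitive: the same stages in a different order do not match
    print("reordered stages match:", verify(GOLDEN, [BOOTLOADER, FIRMWARE, KERNEL]))
```

Sealing a disk-encryption key to the golden PCR value is what makes a mismatch actionable: the TPM refuses to release the key when the measured chain differs.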
True understanding of the secure boot process and the TPM requires an understanding of public key cryptography and digital signatures. If you are interested in learning more about cryptography, Christof Paar's Introduction to Cryptography YouTube channel provides a 30-hour lecture series that gives a great overview of major algorithms and cryptographic concepts.