Re: Documenting the proposal for TPM 2.0 security in the face of bus interposer attacks

On 11/19/2018 12:34 PM, James Bottomley wrote:

> 2. At some point in time the attacker could reset the TPM, clearing
>    the PCRs and then send down their own measurements which would
>    effectively overwrite the boot time measurements the TPM has
>    already done.

[snip]

> However, the second can only really be detected by relying
> on some sort of mechanism for protection which would change over TPM
> reset.

FYI: TPM 2.0 has a resetCount that can be used to detect, but not protect against, this attack.

> Every TPM comes shipped with a couple of X.509 certificates for the
> primary endorsement key.  This document assumes that the Elliptic
> Curve version of the certificate exists at 01C00002, but will work
> equally well with the RSA certificate (at 01C00001).

A nit.  The RSA cert is at 01c00002.  The ECC cert is at 01c0000a.
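
The resetCount check mentioned in the message above, as an added example that is not part of the original message or of any project's code: it reads TPMS_CLOCK_INFO from a marshalled quote (TPMS_ATTEST) and compares resetCount with a baseline the verifier recorded from an earlier trusted quote. It assumes the quote signature has already been verified and that the signing key is in the endorsement hierarchy, so the counters are not obfuscated; the function names and the sample bytes are constructed for illustration.

```python
import struct

TPM_GENERATED_VALUE = 0xFF544347   # magic that opens every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018

def _tpm2b(buf, off):
    """Read a TPM2B (UINT16 size, then bytes); return (payload, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TPM2B size")
    (size,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + size
    if end > len(buf):
        raise ValueError("TPM2B runs past end of buffer")
    return buf[off + 2:end], end

def parse_clock_info(attest):
    """Pull extraData and TPMS_CLOCK_INFO out of a marshalled quote TPMS_ATTEST."""
    if len(attest) < 6:
        raise ValueError("truncated TPMS_ATTEST")
    magic, st = struct.unpack_from(">IH", attest, 0)
    if magic != TPM_GENERATED_VALUE or st != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote")
    _, off = _tpm2b(attest, 6)             # qualifiedSigner
    extra, off = _tpm2b(attest, off)       # extraData (the verifier's nonce)
    if off + 17 > len(attest):
        raise ValueError("truncated TPMS_CLOCK_INFO")
    clock, reset_count, restart_count, safe = struct.unpack_from(">QIIB", attest, off)
    return {"extraData": extra, "clock": clock, "resetCount": reset_count,
            "restartCount": restart_count, "safe": bool(safe)}

def reset_detected(baseline_reset_count, attest, nonce):
    """True if resetCount differs from the baseline, i.e. the TPM was reset."""
    info = parse_clock_info(attest)
    if info["extraData"] != nonce:
        raise ValueError("nonce mismatch: stale or replayed quote")
    return info["resetCount"] != baseline_reset_count

def sample_attest(reset_count, nonce):
    """Constructed test input, not captured from a real TPM."""
    name = b"\x00\x0b" + bytes(32)                     # placeholder qualifiedSigner
    head = struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
    clock = struct.pack(">QIIB", 123456, reset_count, 0, 1)
    tail = struct.pack(">QI", 0, 0) + struct.pack(">H", 32) + bytes(32)
    return (head + struct.pack(">H", len(name)) + name +
            struct.pack(">H", len(nonce)) + nonce + clock + tail)

if __name__ == "__main__":
    nonce = b"constructed-nonce"
    print(reset_detected(7, sample_attest(7, nonce), nonce))   # no reset since baseline
    print(reset_detected(7, sample_attest(8, nonce), nonce))   # reset since baseline
```

As the message says, this only detects the reset after the fact; it does nothing to stop replayed measurements from being extended into the PCRs.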
