On 11/19/2018 12:34 PM, James Bottomley wrote:
2. At some point in time the attacker could reset the TPM, clearing the PCRs and then send down their own measurements which would effectively overwrite the boot time measurements the TPM has already done. [snip] However, the second can only really be detected by relying on some sort of mechanism for protection which would change over TPM reset.
FYI: TPM 2.0 has a resetCount that can be used to detect, but not protect against, this attack.
Every TPM comes shipped with a couple of X.509 certificates for the primary endorsement key. This document assumes that the Elliptic Curve version of the certificate exists at 01C00002, but will work equally well with the RSA certificate (at 01C00001).
A nit. The RSA cert is at 01c00002. The ECC cert is at 01c0000a.