On Mon, 2023-12-04 at 16:02 -0500, Stefan Berger wrote:
> On 12/4/23 14:24, James Bottomley wrote:
> [...]
> > The actual threat to PCR extends from an interposer is silent
> > discards where the attacker seeks to fake the log after the fact to
> > match a quote they've discarded a suspicious event from. Thus the
> > HMAC check
>
> Well, it's not that simple to fake the log unless you are root and
> then all bets are off when it comes to sending commands to the TPM.

It's not just faking logs: if I can discard the true measurements and
insert my own, I can recover any object sealed to a PCR policy. Even if
I can only discard the last few bad measurements and insert good ones, I
can still likely succeed.

If an attacker gains root, the TPM still can't be faked out. As long as
the PCRs have accurate measurements, those measurements can be quoted.
The theory is that the event that allowed the root exploit got recorded
before the exploit happened (of course there's a huge problem of whether
the right thing is being recorded) because post boot computer hacking
cannot violate causality.

The interposer at boot is a more interesting problem, but that's
documented.

James
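The silent-discard threat and the HMAC check discussed in this thread, as an added toy model written for this page (it is not code from the thread, the kernel TPM driver, or any TPM stack). It assumes a simplified TPM with a single SHA-256 PCR, a session key already shared between the kernel driver and the TPM (real TPM 2.0 sessions derive it from a salted/bound session; that exchange is not modelled), and a response HMAC over the response code, command code and both nonces rather than the exact TPM 2.0 response-parameter HMAC layout. The command code 0x182 is the real TPM2_CC_PCR_Extend value; everything else (class names, the event digests, the `run` helper) is constructed for the example. It shows that once the interposer drops an extend and the attacker removes the matching log entry, replaying the log against the PCR no longer reveals anything, while the per-command HMAC check flags the discard at the moment it happens.

```python
import hashlib
import hmac
import os

PCR_BYTES = 32
CC_PCR_EXTEND = b"\x00\x00\x01\x82"  # TPM2_CC_PCR_Extend (TPM 2.0 command code)
RC_SUCCESS = b"\x00\x00\x00\x00"     # TPM_RC_SUCCESS


def pcr_extend_value(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: new = H(old || digest). Chaining fixes the order of events."""
    return hashlib.sha256(pcr + digest).digest()


def replay_log(log: list[bytes]) -> bytes:
    """Replay an event log from the reset value to the PCR it should produce."""
    pcr = bytes(PCR_BYTES)
    for digest in log:
        pcr = pcr_extend_value(pcr, digest)
    return pcr


def response_hmac(key: bytes, rc: bytes, nonce_caller: bytes, nonce_tpm: bytes) -> bytes:
    """Simplified response HMAC (assumption: real TPM 2.0 covers more fields)."""
    return hmac.new(key, rc + CC_PCR_EXTEND + nonce_caller + nonce_tpm, "sha256").digest()


class ToyTPM:
    """One PCR plus a session key shared only with the driver (assumed pre-established)."""

    def __init__(self, session_key: bytes):
        self.pcr = bytes(PCR_BYTES)
        self.session_key = session_key

    def handle_extend(self, digest: bytes, nonce_caller: bytes):
        self.pcr = pcr_extend_value(self.pcr, digest)
        nonce_tpm = os.urandom(16)
        return RC_SUCCESS, nonce_tpm, response_hmac(self.session_key, RC_SUCCESS, nonce_caller, nonce_tpm)


class Interposer:
    """Bus interposer: drops extends matching a predicate and answers with a forged success."""

    def __init__(self, tpm: ToyTPM, drop):
        self.tpm = tpm
        self.drop = drop

    def handle_extend(self, digest: bytes, nonce_caller: bytes):
        if self.drop(digest):
            # It never saw the session key, so the best it can do is a random tag.
            return RC_SUCCESS, os.urandom(16), os.urandom(32)
        return self.tpm.handle_extend(digest, nonce_caller)


class Driver:
    """Kernel side: records the event log and verifies every response HMAC."""

    def __init__(self, bus, session_key: bytes):
        self.bus = bus
        self.session_key = session_key
        self.log: list[bytes] = []
        self.hmac_failures = 0

    def extend(self, digest: bytes) -> None:
        nonce_caller = os.urandom(16)  # fresh per command, so an old response cannot be replayed
        rc, nonce_tpm, tag = self.bus.handle_extend(digest, nonce_caller)
        expected = response_hmac(self.session_key, rc, nonce_caller, nonce_tpm)
        if not hmac.compare_digest(tag, expected):
            self.hmac_failures += 1
        self.log.append(digest)


# Constructed boot events; the third one is the measurement an attacker wants gone.
EVENTS = [hashlib.sha256(s).digest() for s in (b"kernel", b"initrd", b"unexpected-module", b"rootfs")]


def is_suspicious(digest: bytes) -> bool:
    return digest == EVENTS[2]


def run(drop=lambda d: False, attacker_edits_log: bool = False) -> dict:
    """Boot through an interposer, then compare log replay and HMAC-based detection."""
    key = os.urandom(32)
    tpm = ToyTPM(key)
    driver = Driver(Interposer(tpm, drop), key)
    for event in EVENTS:
        driver.extend(event)
    # An attacker with write access to the log removes the entries the interposer dropped.
    log = [d for d in driver.log if not (attacker_edits_log and drop(d))]
    return {"log_matches_pcr": replay_log(log) == tpm.pcr, "hmac_failures": driver.hmac_failures}


if __name__ == "__main__":
    print("honest bus:            ", run())
    print("discard, log untouched:", run(drop=is_suspicious))
    print("discard + edited log:  ", run(drop=is_suspicious, attacker_edits_log=True))
```

The last scenario is the one the thread is about: the replayed log agrees with the PCR, so a verifier relying on log replay alone cannot tell that an event went missing, whereas the driver that checks the response HMAC already counted one failure for the dropped command. Binding the caller nonce into the tag is what stops the interposer from reusing a genuine response from an earlier extend.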