Topic: Newbee meets PCR

Hello,
I'm trying to play with the TPM inside my own PC (win10), and figure out what I can do with it.
These days I'm trying to authenticate my PC (the client) to a server (which is actually another PC of mine, on which I wrote my own home made http server).

I guess that PCR is the tool I need, but I must admit that I don't understand how to use this feature...

I called wolfTPM2_ReadPCR which returned a buffer of 32 bytes, but what should I do with it ?
If I send it to my server, how is it going to authenticate the client ?
I suppose the server should share some secret with the client's TPM in order to verify some kind of signature...

By the way, on my PC, wolfTPM2_ExtendPCR is disabled.

Thanks in advance...

Hadrien

Share

Re: Newbee meets PCR

Hi Hadrien,

PCR register contains only a hash digest. This hash digest is a computation of the current PCR value and the new one provided using PCR Extend. Typically, PCR registers use SHA256 digests on TPM 2.0. Back in the TPM 1.2 days, the PCR used SHA1 digest, but this is now deprecated (both TPM 1.2 and SHA1).

Could you please clarify what do you mean by "disabled"?

It could be another Windows TBS limitation, because wolfTPM does not have a flag to enable or disable PCR extend.

It could also be related to the TPM locality as David mentioned before.

Maybe these three resources could help understand what are PCR useful for:
- https://opensecuritytraining.info/Intro … nd-att.pdf
- https://developers.tpm.dev/posts/localities
- https://ebrary.net/24811/computer_scien … ty_command

PCRs are useful to verify the state or content of something. I am not sure they are an easy solution to authentication.

For communication authentication using a TPM between a client and a server, I could recommend using our examples/tls server-client demo.

Dimi Tomov,
wolfSSL Engineer and Founder of TPM.dev

Share