TPM, Measured Boot and Attestation
When discussing Zenith, terms like Secure Boot, Measured Boot, TPM, and Attestation often appear together. This page explains the fundamental concepts behind these technologies, how they relate to one another, and how they collectively ensure a system’s integrity while helping to detect unauthorized or unwanted software.
Overview
At a high level:
- The TPM (Trusted Platform Module) provides secure hardware storage and performs cryptographic operations.
- Measured Boot records the state of each boot component as the system starts.
- Attestation uses the recorded measurements to prove a system’s integrity to another party.
Together, these mechanisms form a chain of trust — a sequence in which each component verifies and records the next, starting from immutable firmware and extending up through the operating system and applications.
Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a dedicated hardware chip that acts as a system’s root of trust. It securely stores cryptographic keys and measurement data, ensuring that critical operations (such as decrypting sensitive information or verifying the boot process) are only performed when the platform is in a trusted state.
Key Functions
- PCRs (Platform Configuration Registers): TPMs include a set of special registers that hold cryptographic hashes of software components measured during boot.
- Cryptographic Operations: The TPM can generate, store, and use keys for hashing, signing, and encryption without ever exposing those keys to the main CPU or memory.
- Sealed Storage: Data can be encrypted in a way that makes it accessible only when the TPM’s PCR values match a specific, trusted configuration — preventing decryption if the system has been tampered with.
Measured Boot
Measured Boot is the process by which each component in the boot chain measures the next component before executing it. This establishes a verifiable record of the entire startup process.
How It Works
- The firmware (for example, UEFI) begins execution and measures itself.
- It computes a cryptographic hash of the next component to load (such as the boot manager).
- This hash is extended into one of the TPM’s PCRs.
- Control is passed to the next component, which repeats the process.
- The sequence continues until the operating system kernel has been measured and launched.
Why It Matters
Measured Boot ensures that every step of the boot process can be verified afterward. If any component in the chain is modified — for instance, by malicious software — its measurement will differ, leading to a mismatch in the resulting PCR values. These discrepancies can be detected through attestation, signaling that the system’s trust state has been compromised.
TCG Event Log
Alongside the PCR measurements, the firmware and bootloader maintain a TCG event log — a structured, human-readable record describing each measurement event.
Each entry typically includes:
- The name or type of the measured component (e.g., “Windows Boot Manager”)
- The cryptographic hash and algorithm used
- The PCR index where the measurement was extended
- A textual description of the event
The TCG event log provides context for the raw PCR data inside the TPM, making it possible to interpret what was measured, when, and why. Together, the event log and PCR values form a complete audit trail of the boot process.
Attestation
Attestation is the process through which a system proves that it has booted and is operating in a trusted state. Unlike traditional software-based checks that rely on the system’s own reports, attestation is anchored in hardware-backed evidence generated by the TPM.
The TPM records cryptographic hashes of each boot component into PCRs that can only be extended — never reset or rewritten — ensuring the sequence of measurements cannot be falsified. When the system later provides these PCR values, the TPM signs them with a private key stored securely within the chip. Because this key never leaves the TPM, and because the PCR chain is immutable, no software can forge or manipulate the attestation data without detection.
In essence, attestation converts trust from a subjective belief into a verifiable, cryptographic fact. It enables external systems or services to confirm, with mathematical certainty, that a device’s firmware and operating system match a known, trusted state — forming the foundation for secure computing, access control, and identity verification.
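As an added illustration (not Zenith's code nor a TPM library), the following Python models the extend-and-log sequence from How It Works, the TCG event log, and the verifier side of attestation: replaying the log to reproduce the PCR values and checking each digest against known-good values. The component images, their names and the PCR assignment (firmware to PCR 0, boot chain to PCR 4) are constructed and simplified for the example.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

PCR_INIT = b"\x00" * 32  # SHA-256 PCR bank starts as all zeros at platform reset

@dataclass(frozen=True)
class Event:
    pcr: int         # PCR index the digest was extended into
    component: str   # textual description, e.g. "Boot Manager"
    digest: bytes    # SHA-256 of the measured component

def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """PCR extend: new = H(old || digest); order-dependent and not reversible."""
    return hashlib.sha256(pcr_value + digest).digest()

def measured_boot(components: list[tuple[int, str, bytes]]) -> tuple[list[Event], dict[int, bytes]]:
    """Simulate the boot chain: each stage hashes the next, extends a PCR, logs the event."""
    pcrs: dict[int, bytes] = {}
    log: list[Event] = []
    for pcr, name, image in components:
        digest = hashlib.sha256(image).digest()
        pcrs[pcr] = extend(pcrs.get(pcr, PCR_INIT), digest)
        log.append(Event(pcr, name, digest))
    return log, pcrs

def replay(log: list[Event]) -> dict[int, bytes]:
    """Recompute PCR values from the event log alone, as a verifier would."""
    pcrs: dict[int, bytes] = {}
    for ev in log:
        pcrs[ev.pcr] = extend(pcrs.get(ev.pcr, PCR_INIT), ev.digest)
    return pcrs

def verify(log: list[Event], quoted_pcrs: dict[int, bytes], golden: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Attestation check: (a) the log replays to the TPM-quoted PCRs, (b) every digest matches its known-good value."""
    log_consistent = replay(log) == quoted_pcrs
    mismatched = [ev.component for ev in log if golden.get(ev.component) != ev.digest]
    return log_consistent, mismatched

# Constructed sample images (hypothetical bytes standing in for real firmware, boot manager and kernel).
GOOD_CHAIN = [(0, "Firmware", b"uefi-v1"), (4, "Boot Manager", b"bootmgr-v1"), (4, "OS Kernel", b"kernel-v1")]
GOLDEN = {name: hashlib.sha256(img).digest() for _, name, img in GOOD_CHAIN}

if __name__ == "__main__":
    good_log, good_pcrs = measured_boot(GOOD_CHAIN)
    print(verify(good_log, good_pcrs, GOLDEN))   # (True, [])
    tampered = [(p, n, b"bootmgr-evil" if n == "Boot Manager" else i) for p, n, i in GOOD_CHAIN]
    bad_log, bad_pcrs = measured_boot(tampered)
    print(verify(bad_log, bad_pcrs, GOLDEN))     # (True, ['Boot Manager']) - modified component detected
    forged_log = [Event(ev.pcr, ev.component, GOLDEN[ev.component]) for ev in bad_log]
    print(verify(forged_log, bad_pcrs, GOLDEN))  # (False, []) - edited log no longer matches the PCRs
```

The third case shows why the TPM-signed PCR values matter: a log rewritten to look clean fails to replay to the quoted PCRs, so the tampering is still detected.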