LPC bus tap. I feel like I'm modding PS2s again... pic.twitter.com/cXqzRa6SAN
I never understood the point of that. If the TPM has the keys and there's no auth from CPU to TPM, can't you just see the keys over the bus? Equally, can you not just lie to the TPM about PCR values when doing remote attestation?
Easiest is the reset attack. Boot Linux or whatever, hit the TPM reset pin, feed it whatever PCR values it wants pretending to be the BIOS, get keys. DRTM makes it more complicated due to HW cycle differences but an FPGA will take care of that.
Maybe this isn't the right time or forum for asking (maybe you intend to blog the result), but what are the other conditions of your PoC? Is Secure Boot enabled? Is the UEFI configuration and boot order protected by a system/setup password?
The PoC doesn't exist yet. But TBH none of that should matter. If I can MITM the interface to the TPM it's pretty much game over.
Very nice! Though, is this a widely held belief? I mean, seems obviously possible that if you have the TPM, the disk, and the data that will lead up to the correct PCRs, you'll be able to extract the data. And I barely know anything about TPMs.
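The reset-and-replay attack described a few tweets up (boot your own OS, pulse the TPM reset pin, feed the chip the measurements the BIOS would have made, unseal) and the point in the reply above that the TPM, the disk and the sequence of measurements are all you need, as an added toy simulation. This is not code from the thread or from any real TPM stack: the ToyTPM class, its XOR-based "sealing", the event-log contents and the bus_trace list are constructed here for illustration.

```python
"""Toy model of a TPM reset/replay attack against a PCR-sealed disk key.

Constructed example: one SHA-256 PCR, a reset pin, seal/unseal bound to a
PCR value, and a 'bus tap' that records every response the chip returns to
the host in the clear (what an LPC sniffer would see without session
encryption). Nothing here talks to real hardware."""

import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # SHA-256 PCR power-on value: all zeros


class PolicyError(Exception):
    """Current PCR does not satisfy the sealed blob's PCR policy."""


def pcr_extend(pcr, digest):
    """TPM2_PCR_Extend on a SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


class ToyTPM:
    def __init__(self):
        self._seed = os.urandom(32)  # storage seed, never leaves the chip
        self.bus_trace = []          # plaintext responses seen on the bus
        self.reset()

    def reset(self):
        """Assert the reset pin: the PCR returns to its power-on value."""
        self.pcr = PCR_INIT

    def extend(self, digest):
        self.pcr = pcr_extend(self.pcr, digest)

    def _wrap_key(self, policy_pcr):
        # Stand-in for the storage hierarchy: key depends on the seed
        # and on the PCR value the blob was sealed to.
        return hmac.new(self._seed, policy_pcr, hashlib.sha256).digest()

    def seal(self, secret, policy_pcr):
        assert len(secret) == 32
        k = self._wrap_key(policy_pcr)
        return policy_pcr, bytes(a ^ b for a, b in zip(secret, k))

    def unseal(self, blob):
        policy_pcr, wrapped = blob
        if not hmac.compare_digest(self.pcr, policy_pcr):
            raise PolicyError("PCR mismatch")
        k = self._wrap_key(policy_pcr)
        secret = bytes(a ^ b for a, b in zip(wrapped, k))
        self.bus_trace.append(secret)  # the key crosses the bus in clear
        return secret


def measured_boot(tpm, components):
    """Extend the PCR with the hash of each boot component, in order."""
    for c in components:
        tpm.extend(hashlib.sha256(c).digest())
    return tpm.pcr


# Constructed 'event logs': what the firmware measures on a normal boot,
# and what an attacker's own boot chain measures instead.
BIOS_EVENT_LOG = [b"SEC/PEI core", b"DXE drivers", b"bootloader v1"]
ATTACKER_OS = [b"attacker kernel", b"attacker initrd"]


def provision(tpm):
    """Normal boot: seal a fresh disk key to the resulting PCR value."""
    tpm.reset()
    good_pcr = measured_boot(tpm, BIOS_EVENT_LOG)
    disk_key = os.urandom(32)
    return disk_key, tpm.seal(disk_key, good_pcr)


def try_unseal(tpm, blob):
    try:
        return tpm.unseal(blob)
    except PolicyError:
        return None


def reset_attack(tpm, blob):
    """Boot attacker OS (unseal denied), pulse reset, replay the firmware's
    measurements from the event log, unseal again."""
    tpm.reset()
    measured_boot(tpm, ATTACKER_OS)
    denied = try_unseal(tpm, blob)        # None: PCR holds attacker's chain
    tpm.reset()                           # ground the reset pin
    measured_boot(tpm, BIOS_EVENT_LOG)    # pretend to be the BIOS
    return denied, try_unseal(tpm, blob)  # PCR now matches: key comes back


if __name__ == "__main__":
    t = ToyTPM()
    key, blob = provision(t)
    denied, recovered = reset_attack(t, blob)
    print("denied before reset:", denied is None)
    print("key recovered after replay:", recovered == key)
    print("key visible on bus:", key in t.bus_trace)
```

The replay only works because the PCR is a deterministic function of the measurement sequence and the chip cannot tell a host-generated extend from a firmware one; flipping a single measured byte gives a different PCR and the unseal is refused, which is why the attacker needs the real event log rather than the PCR values alone.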
The enterprise sector knows a lot less about TPMs than you do.
What about the recent TPMs that are on the CPU die? (AMD fTPM / Intel PTT)
Those are broken in a bunch of other ways. AMD PSP/fTPM is already totally hijackable if you just write your BIOS flash chip due to a bunch of fail (that you can't fix in existing systems AFAIK). Much worse than a dedicated TPM in that respect, you can steal all the secrets.
And I'm struggling modding my megadrive #nopractice