TL;DR
Yes, a Trusted Platform Module (TPM) chip can help check if your BIOS is still in its factory setting. It doesn’t directly ‘know’ the original state, but it can verify that changes haven’t been made since a trusted measurement was taken. This relies on Secure Boot and TPM attestation.
How to Check BIOS Integrity with a TPM
- Understand Trusted Platform Modules (TPMs)
- A TPM is a security chip that stores cryptographic keys used for hardware authentication.
- It creates hashes (unique fingerprints) of system components, including the BIOS.
- These hashes are stored securely within the TPM.
- Enable Secure Boot in your UEFI/BIOS
- Secure Boot ensures that only digitally signed and trusted bootloaders and operating systems can run.
- This is a prerequisite for using TPM measurements effectively.
- Access your BIOS settings (usually by pressing Del, F2, F12 or Esc during startup). The key varies depending on the motherboard manufacturer.
- Look for Secure Boot options and enable them.
- Check TPM Status
- Open Command Prompt as an administrator.
- Type tpm.msc and press Enter. This opens the TPM Management console.
- Verify that the TPM is present and enabled. The status should show ‘The TPM is ready for use’.
- Use PowerShell to Verify Boot Integrity (TPM Attestation)
This process uses a tool called Measured Boot, which relies on the TPM’s measurements.
- Open PowerShell as an administrator.
- Run the following command to check if Measured Boot is enabled:
Get-SecureBootUEFI -Name SecureBoot
- If it’s not enabled, you may need to enable it through your BIOS settings or use a specific tool provided by your motherboard manufacturer.
- To view the PCR (Platform Configuration Register) values which store the hashes of boot components including the BIOS, run:
Get-Pcr
- Interpreting PCR Values
- PCRs are numbered registers. Specific PCRs correspond to different boot components (e.g., PCR 0 for the BIOS).
- Compare these values against known ‘good’ values if you have them. This is difficult without a baseline from a factory-fresh system.
- Changes to the BIOS will alter the corresponding PCR value.
- Using Third-Party Tools (Optional)
- Some security software packages provide tools for monitoring boot integrity and TPM measurements. Examples include BitLocker Device Encryption (Windows) or specialized endpoint detection and response (EDR) solutions.
- These tools often simplify the process of comparing PCR values and detecting changes.
Important Considerations
- Baseline is Key: The TPM doesn’t inherently know the ‘factory setting’. You need to establish a baseline measurement from a known-good system (preferably one that hasn’t been modified). This is often done during initial setup or by comparing against a trusted image.
- PCR Reset: Clearing the TPM will reset all PCR values, effectively removing any previous measurements.
- BIOS Updates: A legitimate BIOS update will change the PCR value. You need to re-establish a baseline after updating your BIOS.
- Cyber security threats can modify boot processes before the TPM measurement occurs, so it’s not foolproof. Secure Boot and other security measures are essential complements.
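As an added illustration (not part of the original answer, and not Windows’ own tooling), the following Python simulates how the PCR values discussed under ‘Interpreting PCR Values’ and the ‘Important Considerations’ come about. It replays a constructed measured-boot event log through the TPM extend operation (new PCR = SHA-256 of old PCR followed by the measurement digest), then shows three things: a changed firmware measurement moves PCR 0 and nothing else (a legitimate BIOS update looks exactly the same, which is why the baseline must be refreshed afterwards); an on-disk event log is only believed if replaying it reproduces the PCR values the TPM itself reports; and extend is order-dependent, so reordering measurements also breaks the match. The event contents and the PCR assignments are constructed assumptions for the demo, not values from any real machine.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data: a simplified measured-boot event log. Real TCG
# event logs carry binary blobs and event types; these byte strings and the
# PCR assignments (0 = firmware code, 1 = firmware settings, 4 = bootloader,
# 7 = Secure Boot policy) are illustrative assumptions, not values from any
# real machine.
Event = Tuple[int, str, bytes]

PCR_COUNT = 24
PCR_SIZE = 32  # SHA-256 bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest).
    One-way and order-dependent, so a PCR value can only be reproduced by
    replaying the same measurements in the same order."""
    return sha256(pcr + digest)


def replay_log(events: List[Event]) -> List[bytes]:
    """Replay an event log from the all-zero reset state, the way an
    attestation verifier recomputes the PCR values it expects to see."""
    pcrs = [bytes(PCR_SIZE)] * PCR_COUNT
    for index, _description, data in events:
        pcrs[index] = extend(pcrs[index], sha256(data))
    return pcrs


def changed_pcrs(baseline: List[bytes], current: List[bytes]) -> List[int]:
    """Indices of PCRs whose value differs from the recorded baseline."""
    return [i for i in range(PCR_COUNT) if baseline[i] != current[i]]


def log_matches_quote(events: List[Event], quoted: Dict[int, bytes]) -> bool:
    """The event log lives on disk and is not trustworthy on its own; the PCR
    values reported (quoted) by the TPM are. A log is accepted only if
    replaying it reproduces every quoted PCR."""
    replayed = replay_log(events)
    return all(replayed[i] == value for i, value in quoted.items())


BASELINE_LOG: List[Event] = [
    (0, "firmware code",       b"BIOS image v1.00 (constructed)"),
    (0, "embedded option ROM", b"onboard NIC option ROM (constructed)"),
    (1, "firmware settings",   b"setup: SecureBoot=on, TPM=on (constructed)"),
    (7, "Secure Boot policy",  b"PK/KEK/db/dbx digests (constructed)"),
    (4, "bootloader",          b"bootmgfw.efi (constructed)"),
]


def changed_firmware_log() -> List[Event]:
    # Same boot, but the firmware code measurement differs. A tampered image
    # and a legitimate BIOS update are indistinguishable at this level: both
    # change PCR 0, and both require a fresh baseline to be recorded.
    first = (0, "firmware code", b"BIOS image v1.00 (constructed, changed)")
    return [first] + BASELINE_LOG[1:]


def reordered_log() -> List[Event]:
    # Same measurements, but the two PCR 0 events swapped.
    return [BASELINE_LOG[1], BASELINE_LOG[0]] + BASELINE_LOG[2:]


def demo() -> dict:
    baseline = replay_log(BASELINE_LOG)
    changed = replay_log(changed_firmware_log())
    # Stand-in for the values a TPM would report for the baseline boot.
    quoted_by_tpm = {i: baseline[i] for i in (0, 1, 4, 7)}
    return {
        "changed_after_firmware_change": changed_pcrs(baseline, changed),
        "honest_log_matches_quote": log_matches_quote(BASELINE_LOG, quoted_by_tpm),
        "edited_log_matches_quote": log_matches_quote(changed_firmware_log(), quoted_by_tpm),
        "reordered_log_matches_quote": log_matches_quote(reordered_log(), quoted_by_tpm),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints that only PCR 0 changed, that the unmodified log reproduces the quoted values, and that both the edited and the reordered logs fail. The practical lesson for the ‘Baseline is Key’ point is that a recorded set of PCR values is only meaningful together with the event log that produced them, and that any firmware change, hostile or not, invalidates the baseline.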