Continuing the "security model" thread, just reading the PCRs would permit a man-in-the-middle to return fake CPR values. The attacker could also change your display.
For better security, you want the TPM to sign the returned PCR values (a Quote) so you know they really came from the TPM. You also want a trusted system to verify the results. That is, a compromised platform can't evaluate whether it is compromised. On 9/19/2014 1:21 AM, Dmitri Toubelis wrote: > > If you are not enforcing any security and you just want to know if any > of boot parameters has changed then reading PCR registers should be enough. ------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk _______________________________________________ TrouSerS-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/trousers-users
