by awesomeMilou 1021 days ago
At this point I don't understand why hardware vendors can't just do it like Apple. Put a small ARM SoC with some firmware in ROM onto the mainboard that starts before the main CPU and initializes it, ensuring that the system is in a known state before any components boot.

That's actually how modern Intel and AMD CPUs work.
Indeed, and TPM + secure boot broadly define how these built-in firmware TPMs (fTPMs) implement verification and validation of system components.

TPM is the specification and standard for a predictable way this is implemented, and most modern CPUs do this as you say, with option ROM validation, UEFI firmware integrity checking, etc.

The author claims that this is not the case:

> Note that at any point in this process, if the attacker is able to control code execution, there is no way for TPM to know that the measurement it was just handed wasn't a lie. Now let's assume you are an attacker trying to get the BitLocker keys, what can you do? [0]

[0] https://gist.github.com/osy/45e612345376a65c56d0678834535166...
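As an added example, not from any commenter or from the linked gist, a short Python simulation of the PCR-extend chain the quoted passage describes: the sealed key is released only when the chain of reported measurements matches, and the TPM has no way to tell an honest report from a false one, which is why the first link of the chain has to be measured by hardware the attacker cannot modify. All component bytes and the key are constructed sample values.

```python
import hashlib

# Constructed sample boot components and key (not real firmware images).
GOOD_FIRMWARE = b"firmware v1"
GOOD_BOOTLOADER = b"bootloader v1"
GOOD_KERNEL = b"kernel v1"
TAMPERED_KERNEL = b"kernel v1 + implant"
DISK_KEY = b"constructed-volume-key"


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 PCR extend: new = H(old || measurement). One-way and order-dependent."""
    return h(pcr + measurement)


def boot_chain(measurements):
    """Fold reported measurements into a PCR that starts at all zeros (SHA-256 bank)."""
    pcr = bytes(32)
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr


# The PCR value the volume key was sealed to: the known-good boot chain.
SEALED_PCR = boot_chain([h(GOOD_FIRMWARE), h(GOOD_BOOTLOADER), h(GOOD_KERNEL)])


def unseal(pcr: bytes):
    """Release the key only if the PCR equals the sealed policy value."""
    return DISK_KEY if pcr == SEALED_PCR else None


def boot(firmware, bootloader, kernel, reported=None):
    """Simplified measured boot. By default each stage measures the real bytes of
    what it loads. If `reported` is given, the measuring code itself is not trusted
    and those values reach the TPM instead; the TPM only sees what it is handed."""
    if reported is None:
        reported = [h(firmware), h(bootloader), h(kernel)]
    return unseal(boot_chain(reported))


def case_honest_good():      # untampered system: key released
    return boot(GOOD_FIRMWARE, GOOD_BOOTLOADER, GOOD_KERNEL)


def case_honest_tampered():  # honest measurer, modified kernel: key withheld
    return boot(GOOD_FIRMWARE, GOOD_BOOTLOADER, TAMPERED_KERNEL)


def case_measurer_lies():    # measuring code compromised: expected hashes reported
    good = [h(GOOD_FIRMWARE), h(GOOD_BOOTLOADER), h(GOOD_KERNEL)]
    return boot(GOOD_FIRMWARE, GOOD_BOOTLOADER, TAMPERED_KERNEL, reported=good)
```

The third case is the situation the quote describes; the mitigation is a root of trust for measurement that the attacker cannot replace, such as the hardware-initiated first measurement the earlier comments mention.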