How to extend the running application into PCR?

天大地大妈咪最大 submitted on 2019-12-12 15:46:28

Question


How to extend the running application into PCR? And which PCR can be used for it?


Answer 1:


I assume you mean a TPM version 1.2 on a PC platform, so the following specification documents are of interest for you:

  • TPM Main Part 2 TPM Structures
  • TCG PC Client Specific TPM Interface Specification (TIS)

Now to your questions:

  1. "How to extend the running application into PCR?"

    You need some piece of software that identifies "the running application" (=measure) and issues a TPM_Extend command to the TPM. Usually this is done through a TSS, but you can also do that with a self-written program; the TPM_Extend command is not that complex.

    Identifying means calculating a SHA-1 hash in most cases, but the TPM does not care. The description of the data you provide is:

    The 160 bit value representing the event to be recorded.
    
  2. "Which PCR can be used for it?"

    This depends on your actual environment. Access to PCRs is controlled by localities. Here is a table showing which PCR can be extended in which locality:

    PCR       Alias (description)         Extendable in localities
    -----------------------------------------------------------------
    0-15      Static RTM                  4,3,2,1,0
    16        Debug                       4,3,2,1,0
    17        Locality 4                  4,3,2
    18        Locality 3                  4,3,2
    19        Locality 2                    3,2
    20        Locality 1                    3,2,1
    21        Dynamic OS controlled           2
    22        Dynamic OS controlled           2
    23        Application Specific        4,3,2,1,0
    

    Which locality you are in depends on your environment. If you are in a Linux userspace, for example, you have locality 0.

    If you are designing a trusted architecture you will also have to consider how the PCRs can be reset (in which localities).

    The localities are described in TCG PC Client Specific TPM Interface Specification (TIS):

    • Locality 4: Trusted hardware component. This is used by the D-CRTM to establish the Dynamic RTM.

    • Locality 3: Auxiliary components. Use of this is optional and, if used, it is implementation dependent.

    • Locality 2: Dynamically Launched OS (Dynamic OS) “runtime” environment.

    • Locality 1: An environment for use by the Dynamic OS.

    • Locality 0: The Static RTM, its chain of trust and its environment.



Source: https://stackoverflow.com/questions/19613658/how-to-extend-the-running-application-into-pcr
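
The measure-then-extend flow described in the answer, as an added example that is not part of the original post: a software model of the TPM 1.2 extend rule with the locality check taken from the answer's table. It goes beyond the answer by also replaying a measurement log on the verifier side; `ModelTPM`, `measure`, `extend` and `replay` are hypothetical names, and the all-zero starting PCR value is an assumption of the model.

```python
import hashlib

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest (160 bits)
ALL = {0, 1, 2, 3, 4}
# Localities allowed to extend each PCR, copied from the table in the answer.
EXTEND_LOCALITIES = {**{i: ALL for i in range(17)}, 17: {2, 3, 4}, 18: {2, 3, 4},
                     19: {2, 3}, 20: {1, 2, 3}, 21: {2}, 22: {2}, 23: ALL}

def measure(image: bytes) -> bytes:
    """Identify an application by the SHA-1 of its image (the 160-bit event value)."""
    return hashlib.sha1(image).digest()

def extend(old: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend rule: new PCR value = SHA-1(old PCR value || digest)."""
    if len(old) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR value and digest must both be 20 bytes")
    return hashlib.sha1(old + digest).digest()

class ModelTPM:
    """Software model only (hypothetical class); a real TPM holds PCRs in hardware."""

    def __init__(self):
        # Assumption of this model: every PCR starts as 20 zero bytes.
        self.pcrs = {i: bytes(PCR_SIZE) for i in range(24)}

    def pcr_extend(self, index: int, digest: bytes, locality: int = 0) -> bytes:
        if locality not in EXTEND_LOCALITIES[index]:
            raise PermissionError(f"PCR {index} is not extendable at locality {locality}")
        self.pcrs[index] = extend(self.pcrs[index], digest)
        return self.pcrs[index]

def replay(log, start: bytes = bytes(PCR_SIZE)) -> bytes:
    """Verifier side: recompute the expected PCR value from a measurement log."""
    value = start
    for digest in log:
        value = extend(value, digest)
    return value

if __name__ == "__main__":
    # Constructed sample inputs standing in for two application binaries.
    log = [measure(b"constructed app image A"), measure(b"constructed app image B")]
    tpm = ModelTPM()
    for d in log:
        tpm.pcr_extend(23, d, locality=0)  # PCR 23 is extendable from locality 0
    print("PCR 23:", tpm.pcrs[23].hex(), "replay matches:", tpm.pcrs[23] == replay(log))
```

Because each new value hashes the previous one, the final PCR value depends on the order of the measurements, so a verifier must replay the log in the order the events were extended.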
