This relates generally to trusted platform modules.
A trusted platform module enables secure generation of cryptographic keys and restrictions on their use. It may include capabilities such as remote attestation and sealed storage. Remote attestation produces a nearly unforgeable, hash-based summary of the hardware and/or software configuration (a signed set of measurement values) that a remote party can check against known-good values.
The primary function of a trusted platform module is to ensure the “integrity” of the platform, where integrity refers to ensuring that the platform will behave as intended. A platform is any computer platform, including a server or personal computer, a cellular telephone, or any other processor-based device.
The trusted platform module (TPM) may include platform configuration registers (PCRs) that allow secure storage and reporting of security-relevant metrics (measurements). A PCR cannot be written directly; it can only be extended, by hashing its current value together with a new measurement, so the final value depends on every measurement recorded and on the order in which they were recorded. These metrics may be used to detect changes from a prior configuration and to decide how to proceed.
For some users, all firmware used on a platform must be verified. To verify the firmware, it must be measured relative to a root of trust, such as a trusted platform module. A platform may include a baseboard management controller (BMC) whose firmware executes before the host-based trusted platform module is available (powered and initialized) on the platform, so that firmware runs before anything can measure it.
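The PCR extend operation and the measurement-based verification described in the two paragraphs above, as an added worked example that is not part of the original text. It assumes a SHA-256 PCR bank (PCRs reset to all zeros) and the TPM 2.0 extend rule PCR_new = H(PCR_old || digest); the firmware "images", component names and golden digests are constructed stand-ins, and the signature a real TPM would place over the reported PCR value (a quote) is omitted so that the example runs offline.

```python
import hashlib

HASH = "sha256"
PCR_INIT = bytes(32)  # SHA-256 bank PCRs start at all zeros after reset


def digest(data: bytes) -> bytes:
    """Measurement of a firmware image: the hash of its bytes."""
    return hashlib.new(HASH, data).digest()


def pcr_extend(pcr: bytes, measurement_digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: PCR_new = H(PCR_old || digest).

    There is no 'set' operation; the only way to reach a given value is to
    replay exactly the same digests in exactly the same order.
    """
    return hashlib.new(HASH, pcr + measurement_digest).digest()


def measure_boot(firmware_images):
    """Platform side: measure each image in boot order, recording an event log."""
    pcr = PCR_INIT
    event_log = []
    for name, image in firmware_images:
        d = digest(image)
        event_log.append((name, d))  # log entry carries the digest, not the image
        pcr = pcr_extend(pcr, d)
    return pcr, event_log


def replay_log(event_log):
    """Verifier side: recompute the PCR value the log claims to produce."""
    pcr = PCR_INIT
    for _, d in event_log:
        pcr = pcr_extend(pcr, d)
    return pcr


def verify_attestation(reported_pcr, event_log, golden_digests):
    """Verifier side: the log must reproduce the PCR, and every digest must be known-good."""
    if replay_log(event_log) != reported_pcr:
        return False, "event log does not reproduce reported PCR (log tampered or truncated)"
    for name, d in event_log:
        if name not in golden_digests:
            return False, f"unexpected component measured: {name}"
        if d != golden_digests[name]:
            return False, f"{name} measurement differs from golden value"
    return True, "platform configuration matches golden values"


# Constructed sample firmware images (stand-ins for real binaries), in boot order.
GOOD_IMAGES = [
    ("bmc_firmware", b"BMC firmware v1.2 (known good)"),
    ("bios", b"BIOS build 2024.01 (known good)"),
    ("bootloader", b"bootloader 3.0 (known good)"),
]
# Golden digests the verifier holds, derived from the known-good images.
GOLDEN = {name: digest(image) for name, image in GOOD_IMAGES}


def tampered_images():
    return [(n, b"BIOS build 2024.01 (backdoored)" if n == "bios" else img)
            for n, img in GOOD_IMAGES]


def scenario_good_boot():
    pcr, log = measure_boot(GOOD_IMAGES)
    return verify_attestation(pcr, log, GOLDEN)


def scenario_tampered_bios():
    # Modified BIOS: the log is honest, so replay matches, but the digest is not golden.
    pcr, log = measure_boot(tampered_images())
    return verify_attestation(pcr, log, GOLDEN)


def scenario_forged_log():
    # Attacker modifies the BIOS and rewrites the log entry to the golden digest.
    # The PCR itself cannot be rewritten, so the replayed log no longer matches it.
    pcr, log = measure_boot(tampered_images())
    forged_log = [(name, GOLDEN[name]) for name, _ in log]
    return verify_attestation(pcr, forged_log, GOLDEN)


if __name__ == "__main__":
    for fn in (scenario_good_boot, scenario_tampered_bios, scenario_forged_log):
        print(f"{fn.__name__}: {fn()}")
```

The third scenario is the point of putting measurements in a PCR rather than in an ordinary log: an attacker who controls the firmware can rewrite the log, but cannot make the register reproduce a value it never reached. In deployment the reported PCR arrives inside a quote signed by a TPM attestation key, and the verifier checks that signature before replaying the log.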
Many manufacturers place two trusted platform modules (a primary and a secondary module) on the platform. One module is used for the host domain, including the Basic Input/Output System (BIOS) and the operating system. The other module is used for the manageability software. The module for the host domain is unable to measure firmware running on the baseboard management controller, because that firmware executes before the host module is available. Using two modules adds to platform cost and complexity.