TPM GPIO fault: how bad OEM firmware undermines TPM security

  • Introduction: The post demonstrates a software attack that sets the PCRs of a discrete TPM device to arbitrary values and unseals secrets protected by PCR-based sealing policies.
  • Previous work: The author previously showed a trivial hardware attack: booting an OS with physical access and grounding the TPM's reset pin. This gave an attacker a clean TPM state in which arbitrary extend operations could be performed.
  • Software attack: On Intel platforms, discrete TPM devices are connected to the PCH via buses. The PCH's reset pin (PLTRST#) can be reassigned to the GPIO block and driven low from software to reset the TPM and set PCR values. This can be used to attack TPM FDE schemes. A simple demonstration is provided in a YouTube video.
  • Mitigating the attack: Intel PCHs have a facility to lock PCH pins configured by boot firmware. Boot firmware can set this lock to prevent the software attack. However, the author has not found a device with the correct implementation in the wild, and the mechanism in coreboot is broken on some platforms. Mitigating the attack requires rolling out boot firmware updates.
  • Attacking BootGuard's measured mode: Intel BootGuard can verify and measure boot firmware. Malicious boot firmware can perform the attack to reset and forge BootGuard measurements. Intel rejected implementing a mitigation, arguing that the attack requires physical access and the TPM is already an attack surface. The author believes there are scenarios where the GPIO reset attack can pose problems.
  • Disclosure notes: Disclosed to Intel Product Security privately on 27th February 2024. Intel initially claimed it only affects MSI products but later said it may affect unspecified OEM partners and will inform them. No CVE was assigned, and a public disclosure date of 1st June was agreed.
  • Testing your system: The author plans to implement support for detecting this vulnerability in the chipsec framework and will provide a link when done.