Securing an OS by Using TPM

Q: What does a Trusted Platform Module (TPM) do besides store encryption keys? What makes it a "trusted platform module"?

A: There are many ways to circumvent OS security by tampering with the memory and disk drive of a computer. A TPM is intended to provide assurance that the information that's stored on the TPM or that's protected with encryption keys stored on the TPM isn't divulged and that malware won't be introduced into the OS.

In addition to being a secure store for encryption keys, the TPM measures certain elements of the system when the system is known to be in a trusted clean state and stores those measurements in its secure memory. When enabled with BitLocker Drive Encryption on Windows Vista Ultimate or Vista Enterprise, the TPM measures about a dozen different elements including the ROM, motherboard configuration, master boot records, sectors, and blocks. Then, at start-up, the TPM remeasures those measurements and refuses to unlock the OS volume if any of the elements have changed. These measurements are called Platform Configuration Registers (PCRs) and make up the TPM validation profile. To view and enable or disable PCRs, run gpedit.msc to open the local computer’s policy object. Then, under Computer ConfigurationAdministrative TemplatesWindows ComponentsBitLocker Drive Encryption, double-click Configure TPM platform validation profile to open the dialog box shown in Figure 1.