Measured Boot Process - Security+

---

Hello everyone!
In lab 21 (Security+), I see this explanation about Measured Boot Process:
"A chain is defined for the bootup process such that the current object calculates the hash of the next object and stores it safely. It starts with the Root of Trust, and then the next object in the chain is computing its own hash. In case of Measured Boot, the hashes are stored in the TPM, the Trusted Platform Module."

It first says that "the current object calculates the hash of the next object", but then in the following sentence, it says: "the next object in the chain is computing its own hash".

I am quite confused with this. Can anyone help me?

Thank you!

@Nguyen-Huynh-Khoi , I hope all is well. A Measured Boot process measures each component, from firmware up through the boot start drivers, stores those measurements in the Trusted Platform Module (TPM) on the machine, and then makes available a log that can be tested remotely to verify the boot state of the client.

The Measured Boot feature provides Anti-Malware (AM) software with a trusted (resistant to spoofing and tampering) log of all boot components that started before the AM software.

AM software can use the log to determine whether components that ran before it are trustworthy or if they are infected with malware.

The AM software on the local machine can send the log to a remote server for evaluation.

The remote server may initiate remediation actions either by interacting with software on the client or through out-of-band mechanisms, as appropriate.

The Trusted Platform Module (TPM) is a tamper-proof, cryptographically secure auditing component with firmware supplied by a trusted third party.

The boot configuration log contains hash-chained measurements recorded in its Platform Configuration Registers (PCR) when the host last underwent the bootstrapping sequence, incrementally adding a previously hashed measurement to the next measurement’s hash and running the hashing algorithm on the union accomplishes hash-chaining.

I hope that helps to sort things out for you.

Good Luck !!!

Cheers,

Adam

Thank you for your explanation @Adam-Gordon !

@Nguyen-Huynh-Khoi , great question...let me help. The in boot process there are a sequence of routines that are performed from initializing the hardware to determining the boot loader and then finally finding the OS...etc. In measured boot, each routine or software process has a hash value assigned to it and stored in the chip (TPM) on the motherboard. When the boot process kicks off, before the first routine/process (they call it an object) will start, the hash value of that routine is pulled from the TPM (actually called Platform Configuration Registers or PCRs) and calculated. If the current values and value in the TPM match, then that routine/process (object) runs and finishes by pulling the next routine/process's hash value from the TPM, calculates the values and if the values match, then the next process runs and that continues, this is forms a "Root of Trust" between each process. This will continue until a value that is pulled from the TPM does not match (signs of unauthorized or unacceptable tampering), stopping the boot process or the boot process completes successfully.

The "chain" is that process of each routine in the "Root of Trust" calculating the next routine's hash value.

This is all done to make sure that the boot process has not been tampered with and is in the acceptable configuration (no rootkits, side loaded...etc).

I hope this helps. Thank you for watching!