
Secure Boot and TPM Sealing

Walk the chain from Boot Guard to BitLocker unseal. Toggle tampering to see how changing one hash invalidates the disk encryption seal.

Boot chain

1. Power on: power sequencing
2. Boot Guard verifies firmware: hardware fuse check
3. SEC + PEI + PCR 0: PCR[0] = H(PCR[0] || hash)
4. Option ROMs + PCR 2: PCR[2] = H(PCR[2] || hash)
5. Secure Boot policy + PCR 7: verify signature vs db
6. Verify + measure bootloader: verify signature vs db
7. Kernel + initrd + PCR 11: PCR[11] = H(PCR[11] || hash)
8. TPM unseal BitLocker/LUKS key: compare PCRs to policy

TPM 2.0 (SHA-256 bank), all PCRs unextended before boot:

PCR[0]  firmware
PCR[1]  platform cfg
PCR[2]  option ROMs
PCR[3]  option ROM cfg
PCR[4]  bootloader
PCR[7]  SB policy
PCR[11] kernel/UKI

BitLocker VMK seal policy: waiting for boot... (on a clean boot the drive is mounted automatically)
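The extend-and-seal chain above, modelled in Python as an added example (this is not code from the lab or from any TPM stack). It assumes a simplified policy digest, H over the selected PCR values in index order, which stands in for TPM2_PolicyPCR; the component images, the VMK value and the PCR selection are constructed stand-ins. Replacing the bootloader image changes PCR[4], the policy digest no longer matches, and the sealed key stays locked; extending a PCR outside the policy (PCR[1]) leaves unseal unaffected.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed model of measured boot: the PCR indices used in the lab's chain.
PCR_INDICES = (0, 1, 2, 3, 4, 7, 11)
DIGEST_LEN = 32  # SHA-256 bank


def extend(pcr: bytes, component: bytes) -> bytes:
    """One extend operation: PCR[n] = H(PCR[n] || H(component)).

    A PCR can only be moved forward by extending; nothing writes it directly,
    which is why a single changed measurement is visible to every later step.
    """
    component_hash = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + component_hash).digest()


def measured_boot(events: Iterable[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay boot events (pcr index, component image) into a fresh bank."""
    pcrs = {i: bytes(DIGEST_LEN) for i in PCR_INDICES}  # unextended = all zeros
    for idx, component in events:
        pcrs[idx] = extend(pcrs[idx], component)
    return pcrs


def pcr_policy_digest(pcrs: Dict[int, bytes], selection: Iterable[int]) -> bytes:
    """Simplified PCR policy (assumption): hash of the selected PCRs in index order.
    A real TPM2_PolicyPCR folds this pcrDigest into a running policy digest, but
    the comparison semantics are the same: any selected PCR differs, policy fails."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()


def seal(key: bytes, pcrs: Dict[int, bytes], selection: Iterable[int]) -> dict:
    """Bind a key to the current PCR state; the blob records which PCRs it depends on."""
    sel = tuple(sorted(selection))
    return {"selection": sel, "policy": pcr_policy_digest(pcrs, sel), "key": key}


def unseal(blob: dict, pcrs: Dict[int, bytes]) -> Optional[bytes]:
    """Release the key only if the live PCRs reproduce the sealed policy digest."""
    live = pcr_policy_digest(pcrs, blob["selection"])
    if hmac.compare_digest(live, blob["policy"]):
        return blob["key"]
    return None


# Constructed stand-ins for firmware, option ROM, SB policy, bootloader, kernel.
GOOD_BOOT: List[Tuple[int, bytes]] = [
    (0, b"SEC+PEI firmware volume v1.2"),
    (2, b"GPU option ROM 3.1"),
    (7, b"SecureBoot=1;db=vendor-ca"),
    (4, b"shimx64.efi + grubx64.efi"),
    (11, b"vmlinuz-6.x + initrd"),
]
VMK = b"\x11" * 32                       # constructed BitLocker volume master key
BITLOCKER_SELECTION = (0, 2, 4, 7, 11)   # assumed PCR selection for the seal


def tampered(events: List[Tuple[int, bytes]], pcr_index: int, replacement: bytes):
    """Swap the component measured into one PCR, leaving the others untouched."""
    return [(i, replacement if i == pcr_index else c) for i, c in events]


def demo() -> Tuple[bool, bool, bool]:
    blob = seal(VMK, measured_boot(GOOD_BOOT), BITLOCKER_SELECTION)
    clean = unseal(blob, measured_boot(GOOD_BOOT)) == VMK
    # Bootloader image swapped: PCR[4] moves, so the policy digest no longer matches.
    swapped = measured_boot(tampered(GOOD_BOOT, 4, b"modified-bootloader"))
    locked = unseal(blob, swapped) is None
    # Extending a PCR outside the selection (PCR[1]) does not affect the seal.
    unrelated = unseal(blob, measured_boot(GOOD_BOOT + [(1, b"platform cfg")])) == VMK
    return clean, locked, unrelated


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The third case is the caveat a practitioner wants: a seal protects only the PCRs named in its selection, so which indices the policy binds matters as much as the extend chain itself.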
Step 1 / 8: Power on

Power rails come up. The CPU is still held in reset while the Management Engine decides whether the firmware is safe to run.
