Calculating TPM PCR values

Needed to check the value of a Trusted Platform Module's (TPM) platform configuration register (PCR) against the log file from which it is generated.

The information out there is a bit vague and lists things like PCR_new = SHA1(PCR_old | new_data), where "|" means concatenation.

So what does this mean? It means the PCR value is calculated as follows:

1. Take the current PCR value as the starting point. It is a 160bit/20byte value (20 bytes is 160 bits so the same thing..). Before anything has been extended, the PCR holds its reset value: all zero bytes for most PCRs (on a TPM 1.2 the dynamic-root-of-trust PCRs 17-22 start out as all 0xFF instead).

2. Get the SHA1 digest of the new data. This is another 160bit/20byte value. In a TCG-style event log this digest is stored in the log entry itself and is the SHA1 of whatever was measured (a firmware volume, a boot loader, a kernel image); if the log only gives you the measured data, compute SHA1(data) yourself. Call this 20-byte value "new_data".

3. "Concatenate" the old PCR value and the new_data value. This is the "PCR_old | new_data" part of the formula above. To do this:
3.1 Take the 20 bytes of the current PCR value ("PCR_old" in the formula above). This is itself also an SHA1 hash, as we see later..
3.2 Take the 20 bytes of the new_data SHA1 digest.
3.3 Reserve a byte array of 40 bytes. Call it "new_bytes".
3.4 Copy the 20 bytes of PCR_old into bytes 0-19 of new_bytes.
3.5 Copy the 20 bytes of new_data into bytes 20-39 of new_bytes.

4. Calculate the SHA1 hash of new_bytes, i.e. SHA1(new_bytes).

5. The value from step 4 is the new PCR value, PCR_new.

SHA1 digests are always 20 bytes, and this is why PCR_old is also always 20 bytes: PCR_new becomes PCR_old in the next round. Order matters, too: extending the same log entries in a different order gives a different final value, which is exactly what makes the PCR a record of the boot sequence and not just of its contents. The same recipe applies to a TPM 2.0 with its per-algorithm PCR banks; in a SHA-256 bank the PCR and every digest are 32 bytes, new_bytes is 64 bytes and the outer hash is SHA-256.

Note that several examples show the hash as a string of hex characters, which can be confusing. At least it was for me, as I tried some online calculators for SHA1 and got wrong results. This is because a 20-byte hash written in hex is 40 characters: each character (0-F) represents only 4 bits, while a byte is 8 bits. Feeding the 40-character text into a hash function therefore hashes 40 bytes of ASCII, not the 20 raw bytes of the digest, and the result is wrong. So the hex string needs to be converted back to raw bytes before the concatenation to get the above formula to work.. Or skip the hex string totally, which makes more sense in real applications, but for the examples read online it can be confusing.
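As an added worked example (not code from the original post), here is the procedure above in Python. It replays a list of log digests from the reset value, refuses PCR_old or new_data values that are not raw bytes of the right size, and shows the hex-string mistake described above next to the correct calculation. The three "measured" strings in SAMPLE_EVENTS are constructed for the example, and the SHA-256 case is included as a generalization of the same recipe to a TPM 2.0 bank.

```python
import hashlib


def extend(pcr_old: bytes, digest: bytes, hash_name: str = "sha1") -> bytes:
    """One PCR extend: PCR_new = H(PCR_old | digest).

    Both inputs must be raw bytes of the hash's digest size (20 for SHA-1,
    32 for SHA-256); a hex string has to be decoded before calling this.
    """
    size = hashlib.new(hash_name).digest_size
    if len(pcr_old) != size or len(digest) != size:
        raise ValueError(f"{hash_name}: PCR and digest must be {size} raw bytes")
    new_bytes = pcr_old + digest          # steps 3.1-3.5: 40 bytes for SHA-1
    return hashlib.new(hash_name, new_bytes).digest()   # step 4


def measure(data: bytes, hash_name: str = "sha1") -> bytes:
    """The digest a log entry records for a measured object: H(data)."""
    return hashlib.new(hash_name, data).digest()


def replay(digests, hash_name: str = "sha1", initial: bytes = None) -> bytes:
    """Replay log digests from the reset value and return the final PCR.

    Entries may be raw bytes or hex strings; hex is decoded here so the
    concatenation always happens on raw bytes.
    """
    size = hashlib.new(hash_name).digest_size
    pcr = bytes(size) if initial is None else initial   # step 1: all zeros
    for d in digests:
        if isinstance(d, str):
            d = bytes.fromhex(d)
        pcr = extend(pcr, d, hash_name)                   # step 5: PCR_new -> PCR_old
    return pcr


# Constructed sample measurements: what three boot components might hash.
SAMPLE_EVENTS = [b"firmware volume A", b"boot loader", b"kernel image"]


def replay_sample(hash_name: str = "sha1") -> bytes:
    """Replay the constructed log in the given PCR bank (sha1 or sha256)."""
    return replay([measure(e, hash_name) for e in SAMPLE_EVENTS], hash_name)


def hex_string_pitfall():
    """Return (correct, wrong): extending with decoded bytes vs. the hex text."""
    pcr_old = bytes(20)
    digest_hex = measure(b"boot loader").hex()          # 40 hex characters
    correct = extend(pcr_old, bytes.fromhex(digest_hex))  # 20 + 20 raw bytes
    wrong = hashlib.sha1(pcr_old + digest_hex.encode("ascii")).digest()  # 20 + 40 bytes
    return correct, wrong


if __name__ == "__main__":
    print("replayed PCR (sha1 bank):  ", replay_sample().hex())
    print("replayed PCR (sha256 bank):", replay_sample("sha256").hex())
    good, bad = hex_string_pitfall()
    print("extend with raw bytes:", good.hex())
    print("extend with hex text: ", bad.hex())
```

To check a real PCR, feed the digest field of each event from the log into replay() in log order and compare the result with what the TPM reports for that PCR; any mismatch means either the log or the PCR has been altered, or the log was not the one used to extend that PCR.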
