Enabling System Cloning for TPM based Platforms (paper)

We describe a concept of mutual remote attestation for two identically configured trusted (TPM based) systems. We provide a cryptographic protocol to achieve the goal of deriving a common session key for two systems that have verified each other to be a clone of themselves.

The mutual attestation can be applied to backup procedures without providing data access to administrators, i. e. one trusted systems exports its database to another identical trusted system via a secure channel after mutual attestation is completed.

Another application is dynamically parallelizing trusted systems in order to increase the performance of a trusted server platform. We present details of our proposed architecture and show results from extensive hardware tests. These tests show that there are some unresolved issues with TPM-BIOS settings currently distributed by PC hardware manufacturers since the specification regarding measurement of extended platform BIOS configuration is either not met or the usage of undocumented options is required.

Test Environment

Test Environment

Our results show that the specfied requirement (TCG EFI Platform Speci cation V1.20.) that „platform configuration information being unique or automatically updated must not be measured“ is apparently violated. The full activation of extended security reporting options results in different values on identical systems.

Read full paper here. Get slides from here.

This entry was posted in DaPriM. Bookmark the permalink.

Comments are closed.