How do we know that input to TPMs actually comes from the measured code?


Suppose we’re using secure boot and remote attestation to prove to a server what client software is talking to it.

What stops an attacker from doing this:

  • Start a legitimate copy of the client software on machine A.

  • Get a remote attestation challenge from the server using a modified copy on machine B.

  • Send TPM_Quote to machine A’s TPM and forward the signature back via B.

I understand that if the attacker had code running on machine A, the PCR values would be wrong. But is code running on machine A really the only way to talk to its TPM? With physical access, can’t he put his own signals on the lines between machine A’s CPU and TPM?

Or even simpler, disconnect it from machine A’s board and send it arbitrary input from his own hardware, just imitating or replaying a legitimate boot? How do we know that the measurements given to TPM_Extend are actually the software that’s sending the messages vs. e.g. replay of something I observed with a logic analyzer?
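To make concrete what a verifier actually learns from a quote, here is a small model of the two operations the question names, written as an added illustration (it is not part of the original post and not a real TPM interface): PCR extend as SHA-256 hash chaining, and TPM_Quote as an authenticator over the PCR value and the server's nonce. The boot component names and the attestation key are constructed; a real TPM signs quotes with an asymmetric attestation key, and the HMAC here is only a stand-in for that signature.

```python
import hashlib
import hmac

# Toy model of a TPM 2.0 SHA-256 PCR bank. All values below are constructed for illustration.
PCR_INIT = bytes(32)  # PCRs start at all-zero on reset

# Hypothetical boot chains: the "measured code" the question talks about.
GOOD_BOOT = [b"firmware v1", b"bootloader v1", b"client v1"]
MODIFIED_BOOT = [b"firmware v1", b"bootloader v1", b"client v1 (modified)"]

# Stand-in for the TPM's attestation key. Real TPMs use an asymmetric key that never leaves the chip.
ATTESTATION_KEY = b"constructed-stand-in-for-the-TPM-attestation-key"


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend rule: PCR_new = H(PCR_old || H(measurement)).

    The result depends only on the current PCR value and the digest supplied;
    the TPM has no notion of *who* supplied it.
    """
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Extend each boot component in order, as firmware/bootloader would do."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def quote(pcr: bytes, nonce: bytes) -> bytes:
    """Stand-in for TPM_Quote: authenticate (PCR value, challenger nonce)."""
    return hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()


def verify_quote(sig: bytes, expected_pcr: bytes, nonce: bytes) -> bool:
    """Server side: accept only if the quote covers the expected PCR *and* our nonce."""
    return hmac.compare_digest(sig, quote(expected_pcr, nonce))


def demo(nonce_a: bytes = b"challenge-1", nonce_b: bytes = b"challenge-2") -> dict:
    """Show what the protocol does and does not bind, as booleans."""
    expected = measure_boot(GOOD_BOOT)
    q = quote(expected, nonce_a)
    return {
        # Any party feeding the same digest sequence reproduces the same PCR.
        "pcr_depends_only_on_digest_sequence": measure_boot(GOOD_BOOT) == expected,
        # A changed component changes the PCR, so a modified image is detected.
        "modified_component_changes_pcr": measure_boot(MODIFIED_BOOT) != expected,
        # The nonce makes each quote single-use: a captured quote fails a new challenge.
        "fresh_quote_accepted": verify_quote(q, expected, nonce_a),
        "replayed_quote_rejected": not verify_quote(q, expected, nonce_b),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model makes the division of labour visible: the nonce in the quote prevents replay of a previously captured *quote*, while the PCR value binds only the *sequence of digests* that reached the extend interface. Anything that wants to tie those digests to the code that actually ran on the attested CPU has to come from outside this pair of operations (for example, from how the measuring firmware and the bus to the TPM are protected), which is exactly the gap the question is asking about.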