TPM Measurements
The COMex in the switch tray is equipped with a server-grade CPU connected to a discrete TPM. During boot, the firmware performs a measured boot and extends each measurement into the appropriate PCR, in accordance with the TCG PC Client Platform Firmware Profile.
Currently, attestation provides reference values for the core UEFI firmware and its drivers (PCR0) and for the Secure Boot configuration (PCR7). The remaining PCRs are quoted as well, but no known-good reference is published for them, so a verifier can only report them, not judge them.
TPM remote attestation reports these measurements, and therefore the platform's boot state, to an external party:
1. A verifier challenges the attester (the switch) for its state and measurements, supplying a fresh nonce so that an old quote cannot be replayed.
2. The attester asks the TPM for a quote over the selected PCRs. The TPM signs the quote, which embeds the verifier's nonce and a digest of the PCR values, with its Attestation Key (AK).
3. The signed quote is a cryptographic attestation of the device's state, covering the PCRs extended during boot.
4. The verifier checks the AK signature and the nonce, then compares the quoted PCR values against the known-good reference measurements.
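The exchange above, as an added example that is not part of the original page and not the product's own tooling: a standard-library-only Python verifier that replays a constructed measured-boot event log, decodes the TPMS_ATTEST structure a TPM returns from TPM2_Quote (SHA-256 bank), checks the nonce, confirms that the log reproduces the quoted PCR digest, and finally compares PCR0 and PCR7 against reference values. The event digests, AK name, clock values, nonce and reference PCRs are all constructed here; checking the AK signature over the attestation bytes with the AK public key is assumed to have happened first (for instance with tpm2_checkquote) and is not shown.

```python
# Added example (not from the original page): minimal verifier for a TPM2_Quote
# over the SHA-256 bank. All inputs are constructed; only hashlib/struct are used.
import hashlib
import struct

TPM_GENERATED_VALUE = 0xFF544347   # magic that starts every TPMS_ATTEST
TPM_ST_ATTEST_QUOTE = 0x8018       # TPMS_ATTEST.type for TPM2_Quote
TPM_ALG_SHA256 = 0x000B
PCR_INITIAL = bytes(32)            # PCRs 0-7 start as all zeros after reset


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new = H(old || digest). Event order matters."""
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(events):
    """Replay (pcr_index, event_digest) pairs into final PCR values."""
    pcrs = {}
    for idx, digest in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INITIAL), digest)
    return pcrs


def pcr_composite_digest(pcrs, selected):
    """pcrDigest = H(PCR[a] || PCR[b] || ...) in ascending PCR order."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selected))).digest()


def encode_quote(nonce, pcrs, selected):
    """Build the TPMS_ATTEST bytes a TPM returns from TPM2_Quote (what the AK signs)."""
    select = bytearray(3)                      # sizeofSelect = 3 covers PCR0..23
    for i in selected:
        select[i // 8] |= 1 << (i % 8)
    ak_name = b"\x00\x0b" + hashlib.sha256(b"constructed AK public area").digest()
    out = struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
    out += struct.pack(">H", len(ak_name)) + ak_name            # qualifiedSigner (TPM2B_NAME)
    out += struct.pack(">H", len(nonce)) + nonce                # extraData: verifier's nonce
    out += struct.pack(">QIIB", 123456789, 3, 0, 1)             # clockInfo (constructed values)
    out += struct.pack(">Q", 0x0102030405060708)                # firmwareVersion (constructed)
    out += struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)  # TPML_PCR_SELECTION
    digest = pcr_composite_digest(pcrs, selected)
    out += struct.pack(">H", len(digest)) + digest              # pcrDigest (TPM2B_DIGEST)
    return bytes(out)


def parse_quote(blob):
    """Decode the TPMS_ATTEST fields a verifier needs."""
    off = 0
    magic, st = struct.unpack_from(">IH", blob, off); off += 6
    if magic != TPM_GENERATED_VALUE or st != TPM_ST_ATTEST_QUOTE:
        raise ValueError("not a TPM-generated quote structure")
    n, = struct.unpack_from(">H", blob, off); off += 2
    signer, off = blob[off:off + n], off + n
    n, = struct.unpack_from(">H", blob, off); off += 2
    nonce, off = blob[off:off + n], off + n
    off += 17 + 8                              # skip clockInfo and firmwareVersion
    count, = struct.unpack_from(">I", blob, off); off += 4
    selected = []
    for _ in range(count):
        alg, size = struct.unpack_from(">HB", blob, off); off += 3
        bits, off = blob[off:off + size], off + size
        if alg != TPM_ALG_SHA256:
            raise ValueError("only the SHA-256 bank is handled here")
        selected += [8 * i + b for i, byte in enumerate(bits) for b in range(8) if byte >> b & 1]
    n, = struct.unpack_from(">H", blob, off); off += 2
    return {"signer": signer, "nonce": nonce, "selected": selected, "pcr_digest": blob[off:off + n]}


def verify_quote(blob, expected_nonce, event_log, reference):
    """Verifier side. Assumes the AK signature over `blob` was already checked."""
    q = parse_quote(blob)
    if q["nonce"] != expected_nonce:
        return False, "nonce mismatch: stale or replayed quote"
    pcrs = replay_event_log(event_log)
    if pcr_composite_digest(pcrs, q["selected"]) != q["pcr_digest"]:
        return False, "event log does not reproduce the quoted PCR digest"
    for idx, golden in reference.items():
        if idx not in q["selected"]:
            return False, f"PCR{idx} is not covered by the quote"
        if pcrs[idx] != golden:
            return False, f"PCR{idx} does not match its reference value"
    return True, "quote matches reference measurements"


# Constructed sample data: event digests stand in for what the firmware extends
# during measured boot; REFERENCE plays the role of the published known-good PCRs.
def ev(label):
    return hashlib.sha256(label.encode()).digest()

GOOD_LOG = [(0, ev("EV_S_CRTM_VERSION")), (0, ev("EV_EFI_PLATFORM_FIRMWARE_BLOB")),
            (7, ev("EV_EFI_VARIABLE_DRIVER_CONFIG SecureBoot=1")),
            (7, ev("EV_EFI_VARIABLE_DRIVER_CONFIG PK/KEK/db/dbx"))]
TAMPERED_LOG = GOOD_LOG[:2] + [(0, ev("unexpected option ROM"))] + GOOD_LOG[2:]
REFERENCE = {i: replay_event_log(GOOD_LOG)[i] for i in (0, 7)}
NONCE = b"verifier nonce 0001"
GOOD_QUOTE = encode_quote(NONCE, replay_event_log(GOOD_LOG), [0, 7])
TAMPERED_QUOTE = encode_quote(NONCE, replay_event_log(TAMPERED_LOG), [0, 7])

if __name__ == "__main__":
    print(verify_quote(GOOD_QUOTE, NONCE, GOOD_LOG, REFERENCE))
    print(verify_quote(TAMPERED_QUOTE, NONCE, TAMPERED_LOG, REFERENCE))
    print(verify_quote(GOOD_QUOTE, b"old nonce", GOOD_LOG, REFERENCE))
```

The tampered case is the one that matters in practice: a platform with an extra option ROM measured into PCR0 still produces a perfectly well-formed, correctly signed quote whose digest its own event log reproduces. Only the comparison against a reference value catches it, which is why PCRs without a published reference (PCR1 to PCR6 in the table below) can be logged but not enforced.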

The following table lists the measurements returned by the TPM attestation feature, keyed by their CoMID index, and whether a known-good reference value is published for each:
CoMID Index | What is measured | Part of Reference? |
1 | Measurement Block Format | Yes |
2 | PCR0: SRTM, BIOS, Host Platform Extensions, Embedded Option ROMs and PI Drivers | Yes |
4 | PCR1: Host Platform Configuration | No |
6 | PCR2: UEFI driver and application code | No |
8 | PCR3: UEFI driver and application configuration and data | No |
10 | PCR4: Shim, GRUB and kernel boot loaders | No |
12 | PCR5: Boot Manager code configuration and data (for use by the Boot Manager code) and GPT/partition table | No |
14 | PCR6: Host Platform Manufacturer specific | No |
16 | PCR7: Secure Boot policy and Secure Boot verification authority | Yes |