On 01.04.2023 07:15, gebser@mousecar.com wrote:
Components involved during boot are checked, and if they are found to have been modified it is possible to refuse to boot, to refuse decryption, etc. The TPM is used as a trusted black box to store results/private keys that cannot be tampered with.
Do the components which are checked include the BIOS ("BIOS" broadly meaning the hardware responsible for booting before any "disk" is read)?
They should be, according to the specification, but in the end you are at the mercy of your vendor to implement it correctly.
Did you try to google it?
Quite a bit actually. What I found was, unfortunately, either overly simplistic or technically over my head.
Well, the idea is simple indeed, and the devil is, as usual, in the implementation details.
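The mechanism described above (measure each boot component into a TPM PCR, then seal a secret so that it is only released when the PCRs hold the expected values) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from any TPM stack: it uses the real TPM2 PCR-extend rule (new = H(old || H(component))) over a SHA-256 bank, but the "sealing" is a toy placeholder (a keystream derived from the expected PCR value plus an HMAC tag) standing in for the TPM's storage hierarchy, and the boot components are constructed byte strings. It also shows the two things the thread is getting at: a modified firmware image changes every later PCR value, so decryption is refused, and the event log lets a verifier pinpoint which component diverged.

```python
"""Toy model of measured boot + sealing (added example; not a real TPM library)."""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 bank; PCRs start zeroed at power-on


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for a SHA-256 bank: new = H(old || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_chain(components):
    """Extend each (name, blob) into one PCR in boot order; return final PCR and event log."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, blob in components:
        pcr = extend(pcr, blob)
        log.append((name, hashlib.sha256(blob).hexdigest(), pcr.hex()))
    return pcr, log


def _keystream(pcr: bytes, n: int) -> bytes:
    # Toy key derivation from the PCR value. In a real TPM the secret is wrapped by a
    # storage key and released only when the policy digest matches the live PCRs.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"seal-key" + pcr + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(secret: bytes, expected_pcr: bytes):
    """Bind a secret to an expected PCR value (toy stand-in for TPM2_Create with a PCR policy)."""
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(expected_pcr, len(secret))))
    tag = hmac.new(expected_pcr, ct, hashlib.sha256).digest()
    return ct, tag


def unseal(blob, current_pcr: bytes):
    """Return the secret only if the live PCR equals the one it was sealed to, else None."""
    ct, tag = blob
    if not hmac.compare_digest(tag, hmac.new(current_pcr, ct, hashlib.sha256).digest()):
        return None  # policy not satisfied: refuse decryption
    return bytes(a ^ b for a, b in zip(ct, _keystream(current_pcr, len(ct))))


def first_divergence(expected_log, actual_log):
    """Name of the first component whose measurement differs from the golden log, or None."""
    for (name, exp_digest, _), (_, act_digest, _) in zip(expected_log, actual_log):
        if exp_digest != act_digest:
            return name
    return None


# Constructed boot components (stand-ins for firmware, bootloader and kernel images).
GOOD_BOOT = [
    ("firmware", b"vendor-firmware-v1.0"),
    ("bootloader", b"grub-2.06"),
    ("kernel", b"vmlinuz-6.2"),
]
# Same chain with the firmware image altered (constructed; no real image involved).
TAMPERED_BOOT = [("firmware", b"vendor-firmware-v1.0-modified")] + GOOD_BOOT[1:]
SECRET = b"disk-encryption-key-material"


def boot_and_unseal(components, sealed_blob):
    """Simulate a boot: measure the chain, then try to release the sealed secret."""
    pcr, _ = measure_chain(components)
    return unseal(sealed_blob, pcr)


if __name__ == "__main__":
    golden_pcr, golden_log = measure_chain(GOOD_BOOT)
    blob = seal(SECRET, golden_pcr)
    print("good boot   ->", boot_and_unseal(GOOD_BOOT, blob))
    print("tampered    ->", boot_and_unseal(TAMPERED_BOOT, blob))
    _, bad_log = measure_chain(TAMPERED_BOOT)
    print("diverged at ->", first_divergence(golden_log, bad_log))
```

Because every extend folds the previous PCR value into the next, a change in the first measured component propagates to all later values, which is why the golden log is needed to tell which component actually changed; the final PCR alone only says "something differs". The same order dependence means the chain is only as trustworthy as the earliest code that does the measuring, which is the vendor-dependence the reply refers to.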