This blog post will introduce the basic functionality of the TPM PCR Calculator app, which can be found in the Windows Store.
During the boot of a PC with measured boot enabled, the firmware and the early phases of the operating system record software and configuration data into a measurement log, and “checksums” of these log entries into the Platform Configuration Registers (PCRs) of a Trusted Platform Module (TPM). The checksums are recorded as hashes, computed using secure hash algorithms (SHA).
I work a lot with these measured boot logs, or TCG logs, generated by UEFI firmware or the Windows boot loader. To validate the entries in these log files, I have to calculate hashes and PCR values by hand, which becomes tedious. That’s why I wrote the TPM PCR Calculator app.
The menu (a column of icons) on the left navigates to the different functions of this app. The first icon, which looks like a search icon, opens the PCR calculator page; I’ll get back to that later. The first calculator icon opens the hash calculator page.
A hashing algorithm computes the cryptographic hash, or digest, of whatever data is presented to it. To allow users to enter either text or a text representation of a byte array, a checkbox labeled “Input is raw bytes” controls how the input is parsed. If the checkbox is clear, the text in the input box is treated as plain text. If the checkbox is selected, the input is treated as the hexadecimal text representation of a byte array; a four-byte value of zero would look like this: “00000000” (without the quotes). The “compute hash” button starts the computation of the hashes. The app currently supports the secure hash algorithms (SHA) SHA1 and, from the SHA2 family, SHA2-256, SHA2-384, and SHA2-512. If the checkbox is selected to interpret the input as bytes but the input cannot be converted into a byte array, an error message is printed in the SHA1 output box.
The lower calculator icon opens the hash calculator with HMAC key page. This calculation uses an additional key to compute a keyed hash (HMAC) of the input data.
This page works essentially the same as the hash calculator page, except that the HMAC key has to be provided as well. The input format for the HMAC key is always assumed to be “raw bytes”, so the checkbox only controls the parsing of the input data field.
Now let’s come back to the PCR calculator page. Platform Configuration Registers (PCRs) can be manipulated using a one-way (or trap-door) function. This function, “Extend” in TPM terminology, performs two steps: first, it concatenates the input data to the current value of the register; then it computes a hash of the concatenated value. The result is stored as the new current value of the register. The PCR calculator page shows these steps as an explanation of the Extend function.
A PCR is usually associated with a hashing algorithm. TPM version 1.2 devices only support the SHA1 algorithm for PCRs, whereas TPM version 2.0 devices can support multiple PCRs with different hashing algorithms. I’ll go into the details of what exactly a PCR is in a separate post.
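As an added illustration (this is not the app’s source code), the following Python script reproduces the three operations described above: parsing the input box as plain text or as raw hex bytes, computing plain and HMAC digests, and replaying a sequence of log-entry digests into a zeroed PCR with the Extend operation. The two log entries are constructed sample values, not taken from a real TCG log.

```python
import hashlib
import hmac

# Digest size of each bank; a PCR starts as all-zero bytes of that length.
PCR_ALGORITHMS = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}


def parse_input(text: str, raw_bytes: bool) -> bytes:
    """Mirror the "Input is raw bytes" checkbox: hex string or plain text."""
    if not raw_bytes:
        return text.encode("utf-8")
    cleaned = text.replace(" ", "")
    if len(cleaned) % 2:
        raise ValueError("hex input needs an even number of digits")
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex characters


def compute_hash(data: bytes, algorithm: str) -> str:
    """Plain digest, as on the hash calculator page."""
    return hashlib.new(algorithm, data).hexdigest()


def compute_hmac(key_hex: str, data: bytes, algorithm: str) -> str:
    """Keyed digest; the key is always parsed as raw bytes, like the app's key field."""
    return hmac.new(bytes.fromhex(key_hex), data, algorithm).hexdigest()


def pcr_extend(current: bytes, measurement: bytes, algorithm: str) -> bytes:
    """TPM Extend: new PCR = H(current || measurement)."""
    return hashlib.new(algorithm, current + measurement).digest()


def replay_log(entry_digests: list, algorithm: str) -> str:
    """Replay the digests of a measurement log into a zeroed PCR, in order."""
    size = PCR_ALGORITHMS[algorithm]
    pcr = bytes(size)
    for digest in entry_digests:
        if len(digest) != size:
            raise ValueError(f"digest is not {size} bytes for {algorithm}")
        pcr = pcr_extend(pcr, digest, algorithm)
    return pcr.hex()


# Constructed stand-in for two log entries: the digests of made-up event data.
SAMPLE_LOG = [hashlib.sha256(b"constructed event 1").digest(),
              hashlib.sha256(b"constructed event 2").digest()]

if __name__ == "__main__":
    print("PCR (sha256) after replay:", replay_log(SAMPLE_LOG, "sha256"))
```

Replaying the same two entries in the opposite order yields a different PCR value, which is exactly why a log can only be validated by extending its digests in the order they were recorded.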
In summary, if you have the need to compute hashes or PCR values, this app might be for you.
Source code for the app can be found on GitHub.