Hardware Security: TPM, Secure Boot, and Drive Encryption
Use Trusted Platform Modules, Secure Boot, and full-disk encryption (BitLocker, FileVault) to prevent cold-boot and evil-maid attacks on physical devices.
Physical Hardware Attack Threats
When an attacker gains physical access to a device, logical security controls are severely weakened. Cold-boot attacks freeze RAM and extract encryption keys from residual data. Evil-maid attacks involve modifying a device's bootloader or OS while it is temporarily unattended. DMA attacks use physical ports (Thunderbolt, FireWire) to directly read memory. Hardware security features — TPM, Secure Boot, and full-disk encryption — work together to defend against these physical-layer attacks.
Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a dedicated security chip embedded in the motherboard that provides hardware-based cryptographic functions. Its capabilities include: generating and storing cryptographic keys that cannot be extracted from the chip; measuring the boot process, with Platform Configuration Registers (PCRs) storing hashes of each boot component; sealing data to a specific system state, so that it can only be decrypted when the system is in a trusted state; and remote attestation, proving to a remote server that the system has not been tampered with.
# TPM Platform Configuration Registers (PCRs):
# PCR0: BIOS/UEFI firmware hash
# PCR1: BIOS configuration data
# PCR2: Option ROM code
# PCR3: Option ROM configuration
# PCR4: Master Boot Record (MBR) / bootloader
# PCR5: Partition table
# PCR6: Resume from sleep (S4/S5 state)
# PCR7: Secure Boot state
# If bootloader is replaced (evil-maid attack):
# PCR4 value changes -> TPM detects mismatch
# -> BitLocker requires PIN or recovery key
# (TPM won't unseal disk encryption key)
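The measure-then-seal behaviour described above, as an added example that is not code from the original lesson: a toy Python model of a TPM in which each boot component is extended into a PCR, a volume key is sealed to PCRs 0, 4 and 7 (an assumed selection), and a replaced bootloader changes PCR4 so the key no longer unseals. The `SimTpm` class, its chip key and the boot images are constructed stand-ins, not a real TPM interface.

```python
import hashlib
import hmac

def H(b: bytes) -> bytes: return hashlib.sha256(b).digest()
BOOT_PCR_SEL = (0, 4, 7)  # assumption: firmware, bootloader, Secure Boot state

class SimTpm:
    """Toy TPM: 24 SHA-256 PCRs (zeroed at power-on) plus a chip-resident key."""
    def __init__(self, chip_key: bytes):
        self.pcrs = [bytes(32)] * 24
        self._chip_key = chip_key  # never leaves the chip

    def extend(self, index: int, component: bytes) -> None:
        # PCR_new = SHA256(PCR_old || SHA256(component)): one-way, order-sensitive
        self.pcrs[index] = H(self.pcrs[index] + H(component))

    def _policy(self, pcr_sel) -> bytes:  # digest of the selected PCR values
        return H(b"".join(self.pcrs[i] for i in pcr_sel))

    def _mac(self, label: bytes, data: bytes) -> bytes:
        return hmac.new(self._chip_key, label + data, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr_sel) -> dict:
        # Bind a 32-byte secret to the current values of the selected PCRs.
        policy = self._policy(pcr_sel)
        ct = bytes(a ^ b for a, b in zip(secret, self._mac(b"ks", policy)))
        return {"pcr_sel": tuple(pcr_sel), "ct": ct, "tag": self._mac(b"tag", policy + ct)}

    def unseal(self, blob: dict):
        # Release the secret only if the selected PCRs equal their seal-time values.
        policy = self._policy(blob["pcr_sel"])
        if not hmac.compare_digest(self._mac(b"tag", policy + blob["ct"]), blob["tag"]):
            return None  # PCR mismatch: key stays locked, PIN or recovery key needed
        return bytes(a ^ b for a, b in zip(blob["ct"], self._mac(b"ks", policy)))

def measured_boot(tpm: SimTpm, firmware: bytes, bootloader: bytes, secure_boot: bool):
    tpm.extend(0, firmware)
    tpm.extend(4, bootloader)
    tpm.extend(7, b"SecureBoot=on" if secure_boot else b"SecureBoot=off")

CHIP_KEY = b"constructed-chip-key"  # stand-in for the TPM's internal secret
GOOD_FW, GOOD_BL = b"UEFI firmware image (constructed)", b"bootmgr.efi (constructed)"
VMK = bytes(range(32))  # constructed 32-byte volume master key

def provision() -> dict:  # first trusted boot: measure the known-good chain, seal VMK
    tpm = SimTpm(CHIP_KEY)
    measured_boot(tpm, GOOD_FW, GOOD_BL, secure_boot=True)
    return tpm.seal(VMK, BOOT_PCR_SEL)

def reboot_and_unseal(blob, firmware=GOOD_FW, bootloader=GOOD_BL, secure_boot=True):
    tpm = SimTpm(CHIP_KEY)  # power cycle: PCRs start at zero, same chip measures again
    measured_boot(tpm, firmware, bootloader, secure_boot)
    return tpm.unseal(blob)
```

With the known-good chain the VMK unseals; a modified bootloader, different firmware, or Secure Boot toggled off all leave the key locked.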