• LedgeDrop@lemmy.zip · 5 upvotes · 1 day ago

      To expand on this a bit:

      It’s all built on top of the concept of “a chain of trust”, starting at the hardware level.

      (As mentioned) the TPM is a chip that’ll store encryption keys at the hardware level, and retrieval of these keys can only happen if the hardware is unmodified.

      I assume that part of this key is derived from aspects of your OS (ie: all device drivers are signed by MS).

      The OS will fetch this key; if it’s valid, the OS knows that the hardware is untampered. It can then verify that the OS is unmodified, which can then be used by applications to determine that they’re not modified, etc.

      Now you could spoof your own TPM chip (similar to how Switch 1s are chipped/modded), but the deal-breaker is that when you add your key to the TPM chip, you sign it with a hardware-vendor-specific public key. And that vendor private key is baked into the hardware (often into the CPU, so the private key never crosses the hardware bus).

      • meaansel@lemmy.world · 1 upvote · 11 hours ago

        But at the end of the day, doesn’t the app have to ask the OS? At that stage, can’t you spoof a “positive” response of an unmodified system?

        • LedgeDrop@lemmy.zip · 1 upvote · 27 minutes ago

          That’s the strength of public/private key encryption.

          The application (or OS) knows what the hardware vendor’s public key is. Thus, it can verify whether any message (or application key) claiming to come from that hardware (TPM) is legitimate or not. Thus, the OS is just a proxy or the middle man.

          Now what you could do (in theory) is start modifying the application and replace the hardware vendor’s public key with your own… but you’d need to do this with every application, and they’ll probably have some sort of anti-tampering, or (more likely) you won’t even be allowed to install the application because your OS isn’t “safe/secure”.

          disclaimer: I’m a bit hazy on some of these details. There are probably more elegant solutions.
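The two mechanisms the thread describes, a boot chain measured into the TPM (LedgeDrop's first comment) and an application checking a TPM-signed answer that the OS can only relay (the reply to meaansel's spoofing question), can be modelled in a few dozen lines. The Go program below is an added example written for this page, not code from either commenter or from any real TPM stack. Its assumptions: the TPM holds an Ed25519 private key and the application is shipped with the matching public key (a real deployment checks a vendor-issued certificate chain instead of a single raw key); each boot stage is a constructed string measured into its own PCR by the usual extend rule `pcr = SHA-256(pcr || measurement)`; and the application sends a fresh nonce with every challenge. The four scenario functions show why a modified kernel, a software TPM under the OS's control, and a replayed old quote are all rejected even though the OS sits in the middle of every exchange.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const numPCRs = 4 // real TPMs expose 24; four is enough to show the idea

// Quote is the TPM's signed report; the OS only forwards it to the application.
type Quote struct {
	Nonce []byte
	PCRs  [numPCRs][32]byte
	Sig   []byte
}

// TPM models the hardware root of trust: the private key never leaves it.
type TPM struct {
	priv ed25519.PrivateKey
	pcrs [numPCRs][32]byte
}

// Extend folds a measurement into a PCR: pcr = SHA-256(pcr || measurement).
// PCRs cannot be written directly, so a later stage cannot erase what an earlier one recorded.
func (t *TPM) Extend(idx int, measurement []byte) {
	h := sha256.New()
	h.Write(t.pcrs[idx][:])
	h.Write(measurement)
	copy(t.pcrs[idx][:], h.Sum(nil))
}

// boot mints a device key and measures each stage into PCR 0, 1, 2, ...
// The returned public key stands in for the vendor-certified key applications ship with (assumption).
func boot(stages [][]byte) (*TPM, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	t := &TPM{priv: priv}
	for i, s := range stages { t.Extend(i, s) }
	return t, pub
}

// quoteBody is the exact byte string the TPM signs and the application verifies.
func quoteBody(nonce []byte, pcrs [numPCRs][32]byte) []byte {
	msg := append([]byte{}, nonce...)
	for _, p := range pcrs { msg = append(msg, p[:]...) }
	return msg
}

// Quote signs the challenger's nonce together with the current PCR values.
func (t *TPM) Quote(nonce []byte) Quote {
	return Quote{Nonce: nonce, PCRs: t.pcrs, Sig: ed25519.Sign(t.priv, quoteBody(nonce, t.pcrs))}
}

// VerifyQuote is the application side. It trusts only trustedPub and its own reference
// PCR values; the OS in between can forward or drop the quote, but not forge it.
func VerifyQuote(trustedPub ed25519.PublicKey, q Quote, nonce []byte, ref [numPCRs][32]byte) bool {
	if string(q.Nonce) != string(nonce) {
		return false // quote replayed from an earlier boot
	}
	if !ed25519.Verify(trustedPub, quoteBody(q.Nonce, q.PCRs), q.Sig) {
		return false // signed by something other than the trusted TPM
	}
	return q.PCRs == ref // genuine signature; is the measured chain the expected one?
}

// Constructed boot chain (one measurement per stage) and the golden PCR values it yields.
var goodStages = [][]byte{[]byte("firmware-v1"), []byte("bootloader-v1"), []byte("kernel-v1"), []byte("drivers-signed")}
var refPCRs = func() [numPCRs][32]byte { t, _ := boot(goodStages); return t.pcrs }()

// attest runs one challenge: fresh nonce in, quote out, verdict from the application.
func attest(tpm *TPM, trustedPub ed25519.PublicKey) bool {
	n := make([]byte, 16)
	rand.Read(n)
	return VerifyQuote(trustedPub, tpm.Quote(n), n, refPCRs)
}

func genuineBoot() bool { return attest(boot(goodStages)) } // accepted

func modifiedKernel() bool { // PCR 2 differs: the quote is genuine but the chain is wrong
	stages := append([][]byte{}, goodStages...)
	stages[2] = []byte("kernel-v1-patched")
	return attest(boot(stages))
}

func spoofedTPM() bool { // the OS "answers positive" itself through a software TPM with its own key
	_, vendorPub := boot(nil)   // key the application trusts, living in the real chip
	fake, _ := boot(goodStages) // OS-controlled TPM: clean PCRs, but the wrong key
	return attest(fake, vendorPub)
}

func replayedQuote() bool { // the OS replays a quote captured from an earlier clean boot
	tpm, pub := boot(goodStages)
	old := tpm.Quote([]byte("nonce-1")) // constructed nonces
	return VerifyQuote(pub, old, []byte("nonce-2"), refPCRs)
}

func main() { fmt.Println(genuineBoot(), modifiedKernel(), spoofedTPM(), replayedQuote()) }
```

Running it prints `true false false false`. The point of the model is the division of labour: the OS never produces the verdict, it only carries a nonce down to the chip and a signature back up, and the application's decision rests on two things the OS cannot alter, the key inside the TPM and the reference PCR values compiled into the application.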