You can’t verify what software booted your server fleet. Not reliably, not at scale. TPMs—those hardware chips measuring boot integrity—have been standard for 20 years. They sit in every enterprise laptop and server. Cloud providers emulate them for Azure, GCP, and AWS VMs. Measured boot ticks boxes in NIST 800-53, FedRAMP, and CIS benchmarks. Yet, no public database lists “known-good” PCR values. None exists. Deploy measured boot beyond a handful of machines, and you hit this wall. I’ve seen it in production environments. You will too.
This gap undermines remote attestation. A TPM quote signs current PCR values—cryptographic hashes chaining every boot stage. Firmware hashes into PCR0. Bootloader into PCR4. Kernel and initramfs scatter across PCRs 8-12 on modern Linux with Unified Kernel Images. Each extend operation concatenates prior value, new measurement, then hashes. Irreversible. Remote parties check if your quote matches expected values. Fine for one lab machine. Impossible for thousands without a reference oracle.
Why PCRs Explode Combinatorially
PCRs aren’t single hashes. They’re aggregates. PCR0 captures firmware version, CPU microcode, UEFI vars. Update firmware? New PCR0. Patch microcode? Different hash. PCR4: shim, GRUB, Secure Boot DB. Linux distros fragment kernel/initrd/cmdline across PCR8 (kernel), PCR9 (initrd), PCR11 (cmdline), PCR12 (UKI config). Any tweak—kernel patch, distro release, config flag—resets the chain.
Scale this. A fleet runs three firmware versions (e.g., Dell BIOS 1.20, 1.21, 1.22), two bootloaders (shim 15 vs 16), four kernels (Ubuntu 5.15, 6.2, RHEL 5.14, 6.1), three initrd configs (with/without FDE modules). That’s 3 × 2 × 4 × 3 = 72 valid PCR sets just for those. Add cmdline options (quiet, nomodeset), four distros, Secure Boot keys, and you’re at thousands. Real fleets hit millions. No central registry tracks this. Attempts like tpm2-pcr-db or vendor-specific lists (Microsoft’s confidential VMs) cover niches, not universals.
Structural reasons block one. PCR specs (TCG PC Client 2.0) allow vendor flexibility. Intel, AMD, ARM firmware behave differently. Distros tune measurements (drum, systemd-stub). No standardization mandates uniform hashes. Building a VirusTotal equivalent? You’d need exhaustive enumeration—impossible as updates cascade. CCADB works for certs because chains are hierarchical, not exponential.
Implications: Security Theater at Scale
This matters because measured boot sells integrity. Confidential VMs (AWS Nitro, Azure CVMs) attest PCRs to prove no tampering. But without verification baselines, attestation is blind trust. You query the TPM, get values, then what? Manual lookup? Script against your inventory? Fails in dynamic clouds where AMIs spin hourly. Supply chain attacks—like SolarWinds or recent XZ Utils—alter boot components undetected without PCR matching.
Costs pile up. Teams waste weeks auditing PCRs post-incident. Compliance auditors demand logs, but can’t validate. In crypto/security ops, this kills zero-trust fleets. I’ve audited setups where 40% of attested VMs had “unexpected” PCRs—benign updates, no incident. Or worse: attacker swaps kernel, PCR shifts subtly, slips through if you whitelist lazily.
Workarounds exist, skeptically. Vendor tools: Dell iDRAC exports PCR baselines per BIOS. Red Hat’s Ignition measures UKIs predictably. Custom registries: build internal DBs with Ansible inventory, extend on changes. Tools like tpm2-tools and edk2-measurer simulate chains. But scale demands automation. Projects like Google’s Trillian or Keylime aim at fleet attestation, pinning PCRs to manifests. Still nascent—Keylime manages hundreds, not hyperscale.
$ tpm2_pcrread sha256:0,4,8-12
# Outputs current values. Compare to your DB.
Blockchain fans pitch decentralized registries. Hash PCR sets on-chain, query via oracles. Cute, but combinatorial bloat kills it—storing millions of valid tuples costs ETH. Better: standardize PCR extensions. TCG could mandate distro/firmware hash prefixes. Until then, measured boot remains lab toy.
Bottom line: TPMs work. Verification doesn’t. Enterprises burn cycles on theater. Clouds hide behind “trust us.” Push for PCR predictability in upstreams. Audit your fleet today—run tpm2_quote, tally uniques. You’ll see the explosion. Fix demands ecosystem shift, not more chips.
