Does a TPM chip simply replicate the BIOS function of checking platform integrity?
According to Wikipedia,
The primary scope of TPM is to assure the integrity of a platform. In this context, "integrity" means "behave as intended", and a "platform" is any computer device regardless of its operating system. It is to ensure that the boot process starts from a trusted combination of hardware and software, and continues until the operating system has fully booted and applications are running.
I think I get this.
The TPM must use Platform Configuration Registers (PCRs) to develop a checksum (or perhaps hash) of the boot-up process.
However, when the hardware, firmware, or boot loader of the machine changes, the changes are detected in the PCR values. Awesome, the TPM is checking the integrity of start up.
But, I thought the BIOS (as implemented in UEFI) handled this function? And it will roll back to a known good state if a problem is detected.
Have I got this wrong, or is the TPM performing a redundant check?
I know the TPM does other stuff like disk encryption and password protection, but is platform integrity checking unnecessary?
What if the UEFI BIOS firmware is changed? Who will detect the changes? That is where TPM comes into play. What you are referring to is Secure Boot, which can be achieved without TPM, whereas Trusted Boot can only be achieved with TPM.
In Trusted Boot you use hashing to measure changes, whereas in Secure Boot firmware is digitally signed and verified. (Secure Boot is generally configured along with Trusted Boot.)
TPM also provides other functionality such as releasing an encryption key only when the boot process is trusted. Remote attestation is also something that BIOS cannot provide.
Also, TPM is hardened with respect to attacks, so even if someone gets access to the system it will not be easy to access or modify data in the TPM or the TPM itself.
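To make the measurement side of the answer concrete, here is an added simulation (not code from the thread or from any TPM vendor) of how a PCR accumulates boot measurements and why a sealed key stops being released once the firmware image changes. The firmware, bootloader and kernel blobs are constructed stand-ins, and the "unseal" is a plain digest comparison standing in for a PCR-bound TPM policy.

```python
"""Simulated TPM PCR extend chain (added example, not from the original thread).

A PCR starts at all zeros and can only be *extended*, never written:
    PCR_new = SHA256(PCR_old || SHA256(component))
So the final value depends on every component measured and on their order,
and no later stage can undo an earlier measurement.
"""
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: hash the old PCR value concatenated with the event digest."""
    digest = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components) -> bytes:
    """Measure the whole chain from the reset value and return the final PCR."""
    pcr = b"\x00" * PCR_SIZE
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def unseal(sealed_to: bytes, current_pcr: bytes) -> bool:
    """Stand-in for a PCR-bound unseal: the key is released only on an exact match."""
    return sealed_to == current_pcr


# Constructed boot chain: the "golden" state the disk key is sealed to.
GOOD_CHAIN = [b"UEFI-firmware-v1", b"bootloader-v1", b"kernel-v1"]
# Same chain with the firmware image altered (simulated tampering).
TAMPERED_FIRMWARE = [b"UEFI-firmware-v1-modified", b"bootloader-v1", b"kernel-v1"]
# Same components measured in a different order: extend is not commutative.
REORDERED = [b"bootloader-v1", b"UEFI-firmware-v1", b"kernel-v1"]

if __name__ == "__main__":
    golden = measure_boot(GOOD_CHAIN)
    print("golden PCR        :", golden.hex())
    print("unseal, good boot :", unseal(golden, measure_boot(GOOD_CHAIN)))
    print("unseal, tampered  :", unseal(golden, measure_boot(TAMPERED_FIRMWARE)))
    print("unseal, reordered :", unseal(golden, measure_boot(REORDERED)))
```

Secure Boot would have rejected the tampered image only if its signature failed; the measured chain records the change regardless of signatures, which is what lets a sealed key or a remote verifier refuse the platform.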