TPM – How the integrity of the system configuration is guaranteed if the PCR hash is overwritten on each "Measurement"?
In the TPM architecture, we know that after a "Measurement" procedure is performed, it is followed by a "PCR Extend" procedure, in which the resulting system configuration metrics data (20 bytes) are appended to the value that the PCR in the TPM currently stores, which (in case it is not zero, i e. "Measurement" is performed for the first time ever/after a PCR restart) is a SHA-1 / SHA256 hash (20 bytes) of the previous metrics + hash concatenation, and the resulting 40 bytes string is SHA-1 / SHA-256-hashed to form the new value of the PCR.
Given that the old hash in the PCR is replaced by the new hash, my questions are these:
If we don't have the old SHA-1 / SHA-256 hash anymore, but it was part of the data used for the new hash, how is the current hash in the PCR useful? How can we verify the system integrity using it, since we can not even compute it back? We can get the system metrics again, but since the PCR is overwritten, the old hash is lost, and we can not compute the current hash in the PCR without the previous one.
How is such Chain Of Trust implementation useful, if the current PCR hash holds all the previous hashes (because they were used for the computation at some level down), but these hashes are irretrievable themselves?
How often "Measurement" and the subsequent "PCR Extend" happen? Is it platform specific and what is the most common implementation? Every boot, on hardware change...?
