For example, does it seal PCR1 into the password? What about PCRs 2 and 3?
1 Answer
Which PCRs are sealed into the key (meaning used for encryption) depends on the key itself.
For BitLocker, Windows decides which PCRs are to be used according to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI.
The default PCRs used by BitLocker in the BIOS are 0, 2, 4, 8, 9, 10, 11:
- PCR0: Dynamic Root of Trust, BIOS Code, Platform Extensions
- PCR2: ROM Code
- PCR4: MBR Code
- PCR8: NTFS Boot Sector
- PCR9: NTFS Boot Block
- PCR10: NTFS Boot Manager
- PCR11: BitLocker’s Volume Master Key (VMK) and its critical components
For more information see:
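To check which PCRs that registry key selects on a given machine, the following PowerShell sketch reads it and compares the result with the list in the answer. It is an added example, not part of the original answer or Microsoft's code. The function name `Get-PolicyPcrSelection` is hypothetical, and the value layout under the key (one value per PCR index, set to 1 when selected) is an assumption.

```powershell
# Added example (not from the answer). Reads the BitLocker policy key named above.
$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI'

# PCR list and descriptions exactly as given in the answer.
$AnswerPcrs = @{
    0  = 'Dynamic Root of Trust, BIOS Code, Platform Extensions'
    2  = 'ROM Code'
    4  = 'MBR Code'
    8  = 'NTFS Boot Sector'
    9  = 'NTFS Boot Block'
    10 = 'NTFS Boot Manager'
    11 = "BitLocker's Volume Master Key (VMK) and its critical components"
}

function Get-PolicyPcrSelection {
    param([string]$Path = $FveKey)
    # No key means the policy is not configured on this machine.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path
    # Key exists but holds no values: nothing is selected.
    if ($null -eq $props) { return ,@() }
    # ASSUMPTION: one value per PCR index, named "0".."23", set to 1 when selected.
    $selected = @(foreach ($i in 0..23) {
        $p = $props.PSObject.Properties["$i"]
        if ($null -ne $p -and $p.Value -eq 1) { $i }
    })
    return ,$selected
}

$policy = Get-PolicyPcrSelection
if ($null -eq $policy) {
    'Policy key not found: the PCR profile is not set by policy on this machine.'
} else {
    # Print each selected PCR with the description from the answer, if it has one.
    foreach ($i in $policy) {
        $desc = if ($AnswerPcrs.ContainsKey($i)) { $AnswerPcrs[$i] } else { '(not in the list above)' }
        '{0,2}  {1}' -f $i, $desc
    }
    # Report where the policy differs from the list in the answer.
    $known   = @($AnswerPcrs.Keys)
    $added   = @($policy | Where-Object { $_ -notin $known })
    $dropped = @($known | Where-Object { $_ -notin $policy } | Sort-Object)
    "Selected by policy but not in the list above: $($added -join ', ')"
    "In the list above but not selected by policy: $($dropped -join ', ')"
}
```

Running `manage-bde -protectors -get C:` from an elevated prompt prints the "PCR Validation Profile" of the TPM protector, which is the profile actually bound to that volume rather than the one requested by policy.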