Inferensys

Glossary

Measured Boot

A process that computes and securely logs the cryptographic hash of each firmware and software component during the boot sequence into Platform Configuration Registers (PCRs) for later verification by a remote party.
Operations team reviewing AI vendor onboarding platform on laptop, forms and contracts visible, casual office workspace.
PLATFORM INTEGRITY VERIFICATION

What is Measured Boot?

Measured Boot is a security process that computes and cryptographically logs the hash of every firmware and software component during the boot sequence, storing these measurements in a Trusted Platform Module's Platform Configuration Registers for subsequent remote attestation.

Measured Boot is a process that computes the cryptographic hash of each boot component—from UEFI firmware to OS kernel—and records these integrity measurements in a Trusted Platform Module (TPM). Unlike Secure Boot, which halts execution on verification failure, Measured Boot logs all components regardless of validity, creating an unforgeable audit trail in Platform Configuration Registers (PCRs) for later analysis by a remote verifier.

The resulting PCR values enable remote attestation, where a client cryptographically signs a quote of its boot state using an Attestation Identity Key (AIK). A remote server compares this quote against known-good golden measurements to determine if the platform is in a trusted state before releasing secrets or granting network access, forming the foundation of zero-trust device authentication.

CRYPTOGRAPHIC ATTESTATION

Key Characteristics of Measured Boot

Measured Boot is a process that computes and securely logs the cryptographic hash of each firmware and software component during the boot sequence into Platform Configuration Registers (PCRs). Unlike Secure Boot, which enforces execution policy, Measured Boot creates an immutable, verifiable record of what actually ran, enabling remote attestation.

01

The Measurement Process

The Core Root of Trust for Measurement (CRTM) initiates the process by hashing the next boot component before execution. Each subsequent stage measures the next, extending hashes into Platform Configuration Registers (PCRs) using the operation: New PCR = Hash(Old PCR || New Hash). This cryptographic chaining ensures the final PCR values uniquely represent the exact boot sequence, making it impossible to forge a measurement log without detection.

02

PCRs and the TPM

Platform Configuration Registers are shielded memory locations within a Trusted Platform Module (TPM). They do not store hashes directly but rather a cumulative digest. Key characteristics include:

  • PCR 0: Typically holds the CRTM, BIOS, and platform firmware measurements.
  • PCR 7: Often used for Secure Boot policy and key state.
  • PCRs 8-15: Defined for the operating system bootloader and kernel. The TPM's hardware isolation prevents software from resetting PCRs to arbitrary values except through a system reboot.
03

Measured Boot vs. Secure Boot

These two technologies are complementary but distinct:

  • Secure Boot is an enforcement mechanism. It verifies digital signatures and halts the boot process if a component is untrusted.
  • Measured Boot is a recording mechanism. It logs every component's hash regardless of trust, allowing a remote party to decide later if the state is acceptable. A system can implement both: Secure Boot enforces integrity, while Measured Boot provides auditable proof of the running configuration.
04

The Event Log

Alongside PCR extensions, the system maintains a TCG Event Log in system memory. This log records the exact sequence of hashes extended into the PCRs. During remote attestation, a verifier replays the event log to reconstruct the expected PCR values and compares them against the TPM-signed quote. Any mismatch indicates log tampering. The event log provides the semantic meaning—the 'what'—while the PCR provides the cryptographic proof.

05

Remote Attestation

The ultimate goal of Measured Boot is to enable a remote verifier to assess platform trustworthiness. The process:

  1. A challenger requests a quote.
  2. The TPM signs the current PCR values with an Attestation Identity Key (AIK).
  3. The signed quote and event log are sent to the verifier.
  4. The verifier replays the log and compares it to the signed PCRs. This allows a cloud orchestrator or enterprise server to verify that a node booted a known-good kernel before admitting it to the production cluster.
06

Sealing and Policy Enforcement

Measured Boot enables sealing, where data is encrypted to a specific platform state. A TPM can release a decryption key only if the current PCR values match a predefined policy. Use cases include:

  • Unlocking a disk encryption key only if the boot sequence is unaltered.
  • Releasing a service's TLS private key only to a verified, untampered OS. If malware modifies the bootloader, the PCR values change, and the TPM refuses to unseal the key, rendering the encrypted data inaccessible to the attacker.
BOOT INTEGRITY COMPARISON

Measured Boot vs. Secure Boot

A technical comparison of two distinct firmware verification mechanisms used to establish platform trust during the boot sequence.

FeatureMeasured BootSecure BootCombined Implementation

Primary Objective

Log and attest platform state

Enforce signature-based execution policy

Attestable enforcement

Verification Mechanism

Cryptographic hashing to PCRs

Digital signature validation

Hash + Signature

Enforcement Action

None (passive logging)

Halt boot on invalid signature

Halt and log

Prevents Execution of Untrusted Code

Enables Remote Attestation

Requires TPM

Modifies Boot Flow

No (observational only)

Yes (blocks unauthorized components)

Yes

Standard Specification

TCG PC Client Platform Firmware Profile

UEFI Forum Secure Boot Specification

TCG + UEFI Combined

MEASURED BOOT EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about Measured Boot, its relationship to TPMs, and how it differs from Secure Boot in establishing platform integrity.

Measured Boot is a process that computes and securely logs the cryptographic hash of every firmware, driver, and OS component during the boot sequence into Platform Configuration Registers (PCRs) within a Trusted Platform Module (TPM). Unlike Secure Boot, which halts execution on a signature mismatch, Measured Boot simply records the state—whether good or bad—without stopping the boot. The core mechanism uses the TPM's PCR_Extend operation, which concatenates a new hash with the existing PCR value and hashes the result, creating an unforgeable, append-only log. This log can later be presented to a remote verifier through Remote Attestation to prove the platform's boot integrity.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.