Measured Boot is a process that computes the cryptographic hash of each boot component—from UEFI firmware to OS kernel—and records these integrity measurements in a Trusted Platform Module (TPM). Unlike Secure Boot, which halts execution on verification failure, Measured Boot logs all components regardless of validity, creating an unforgeable audit trail in Platform Configuration Registers (PCRs) for later analysis by a remote verifier.
Glossary
Measured Boot

What is Measured Boot?
Measured Boot is a security process that computes and cryptographically logs the hash of every firmware and software component during the boot sequence, storing these measurements in a Trusted Platform Module's Platform Configuration Registers for subsequent remote attestation.
The resulting PCR values enable remote attestation, where a client cryptographically signs a quote of its boot state using an Attestation Identity Key (AIK). A remote server compares this quote against known-good golden measurements to determine if the platform is in a trusted state before releasing secrets or granting network access, forming the foundation of zero-trust device authentication.
Key Characteristics of Measured Boot
Measured Boot is a process that computes and securely logs the cryptographic hash of each firmware and software component during the boot sequence into Platform Configuration Registers (PCRs). Unlike Secure Boot, which enforces execution policy, Measured Boot creates an immutable, verifiable record of what actually ran, enabling remote attestation.
The Measurement Process
The Core Root of Trust for Measurement (CRTM) initiates the process by hashing the next boot component before execution. Each subsequent stage measures the next, extending hashes into Platform Configuration Registers (PCRs) using the operation: New PCR = Hash(Old PCR || New Hash). This cryptographic chaining ensures the final PCR values uniquely represent the exact boot sequence, making it impossible to forge a measurement log without detection.
PCRs and the TPM
Platform Configuration Registers are shielded memory locations within a Trusted Platform Module (TPM). They do not store hashes directly but rather a cumulative digest. Key characteristics include:
- PCR 0: Typically holds the CRTM, BIOS, and platform firmware measurements.
- PCR 7: Often used for Secure Boot policy and key state.
- PCRs 8-15: Defined for the operating system bootloader and kernel. The TPM's hardware isolation prevents software from resetting PCRs to arbitrary values except through a system reboot.
Measured Boot vs. Secure Boot
These two technologies are complementary but distinct:
- Secure Boot is an enforcement mechanism. It verifies digital signatures and halts the boot process if a component is untrusted.
- Measured Boot is a recording mechanism. It logs every component's hash regardless of trust, allowing a remote party to decide later if the state is acceptable. A system can implement both: Secure Boot enforces integrity, while Measured Boot provides auditable proof of the running configuration.
The Event Log
Alongside PCR extensions, the system maintains a TCG Event Log in system memory. This log records the exact sequence of hashes extended into the PCRs. During remote attestation, a verifier replays the event log to reconstruct the expected PCR values and compares them against the TPM-signed quote. Any mismatch indicates log tampering. The event log provides the semantic meaning—the 'what'—while the PCR provides the cryptographic proof.
Remote Attestation
The ultimate goal of Measured Boot is to enable a remote verifier to assess platform trustworthiness. The process:
- A challenger requests a quote.
- The TPM signs the current PCR values with an Attestation Identity Key (AIK).
- The signed quote and event log are sent to the verifier.
- The verifier replays the log and compares it to the signed PCRs. This allows a cloud orchestrator or enterprise server to verify that a node booted a known-good kernel before admitting it to the production cluster.
Sealing and Policy Enforcement
Measured Boot enables sealing, where data is encrypted to a specific platform state. A TPM can release a decryption key only if the current PCR values match a predefined policy. Use cases include:
- Unlocking a disk encryption key only if the boot sequence is unaltered.
- Releasing a service's TLS private key only to a verified, untampered OS. If malware modifies the bootloader, the PCR values change, and the TPM refuses to unseal the key, rendering the encrypted data inaccessible to the attacker.
Measured Boot vs. Secure Boot
A technical comparison of two distinct firmware verification mechanisms used to establish platform trust during the boot sequence.
| Feature | Measured Boot | Secure Boot | Combined Implementation |
|---|---|---|---|
Primary Objective | Log and attest platform state | Enforce signature-based execution policy | Attestable enforcement |
Verification Mechanism | Cryptographic hashing to PCRs | Digital signature validation | Hash + Signature |
Enforcement Action | None (passive logging) | Halt boot on invalid signature | Halt and log |
Prevents Execution of Untrusted Code | |||
Enables Remote Attestation | |||
Requires TPM | |||
Modifies Boot Flow | No (observational only) | Yes (blocks unauthorized components) | Yes |
Standard Specification | TCG PC Client Platform Firmware Profile | UEFI Forum Secure Boot Specification | TCG + UEFI Combined |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about Measured Boot, its relationship to TPMs, and how it differs from Secure Boot in establishing platform integrity.
Measured Boot is a process that computes and securely logs the cryptographic hash of every firmware, driver, and OS component during the boot sequence into Platform Configuration Registers (PCRs) within a Trusted Platform Module (TPM). Unlike Secure Boot, which halts execution on a signature mismatch, Measured Boot simply records the state—whether good or bad—without stopping the boot. The core mechanism uses the TPM's PCR_Extend operation, which concatenates a new hash with the existing PCR value and hashes the result, creating an unforgeable, append-only log. This log can later be presented to a remote verifier through Remote Attestation to prove the platform's boot integrity.
Related Terms
Measured Boot is a foundational component of platform integrity. These related concepts form the complete chain of trust, from immutable hardware roots to remote verification and recovery.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us