Reiner Sailer <email@example.com> on the LKML has said "You retrieve not only the measurement list from a system (kernel) but also a signature over the TPM PCR holding the integrity value. Nonces (random numbers) are used to protect against replay of old signed TPM PCR contents by the kernel. Since PCR is signed inside the TPM together with the nonce, corrupt system software can't cheat unnoticedly." So it seems they have thought of replay attacks.
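The check described in the quote, from the verifier's side, as an added example that is not part of the comment or of any kernel or TPM code. `ToyTPM`, the HMAC standing in for the TPM's asymmetric signature (so the verifier shares the key here, unlike a real quote), and the sample measurements are all constructed assumptions.

```python
import hashlib, hmac, os

PCR_SIZE = 20  # SHA-1 sized PCR (assumption for this sketch)

def extend(pcr, measurement):
    return hashlib.sha1(pcr + measurement).digest()  # PCR extend: H(old || new)

def replay_list(measurements):
    pcr = bytes(PCR_SIZE)  # PCR starts at all zeroes
    for m in measurements:
        pcr = extend(pcr, m)
    return pcr

class ToyTPM:
    """Hypothetical stand-in: holds the PCR and a key system software cannot read."""
    def __init__(self, key):
        self._key, self.pcr = key, bytes(PCR_SIZE)
    def measure(self, m):
        self.pcr = extend(self.pcr, m)
    def quote(self, nonce):
        # HMAC stands in for the signature computed inside the TPM over (nonce, PCR).
        return self.pcr, hmac.new(self._key, nonce + self.pcr, hashlib.sha256).digest()

def verify(key, nonce, measurements, pcr, sig):
    expected = hmac.new(key, nonce + pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad-signature"  # quote does not cover the verifier's fresh nonce
    if replay_list(measurements) != pcr:
        return "list-mismatch"  # reported list does not add up to the signed PCR
    return "ok"

def demo():
    key = os.urandom(32)
    tpm = ToyTPM(key)
    good = [hashlib.sha1(b"/sbin/init").digest(), hashlib.sha1(b"/bin/sh").digest()]
    for m in good:
        tpm.measure(m)
    n1 = os.urandom(20)
    old_pcr, old_sig = tpm.quote(n1)  # quote taken while the system was clean
    extra = hashlib.sha1(b"constructed-unexpected-binary").digest()
    tpm.measure(extra)                # something else is measured later
    n2 = os.urandom(20)               # verifier's fresh challenge
    pcr, sig = tpm.quote(n2)
    return {
        "honest": verify(key, n2, good + [extra], pcr, sig),
        "replayed_quote": verify(key, n2, good, old_pcr, old_sig),
        "hidden_entry": verify(key, n2, good, pcr, sig),
    }
```

The replayed quote fails because its signature was computed over the earlier nonce, and dropping the last list entry fails because the list no longer replays to the signed PCR.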
Copyright © 2018, Eklektix, Inc.