Some Chrome devices ship with a secure module (a TPM or equivalent) that provides a number of hardware-level security features.
What does ChromeOS use the secure module for?
- Prevent software and firmware version rollback.
- Maintain information to detect transitions between normal and developer modes.
- Protect data encryption keys.
- Protect certain user keys ("hardware-backed" certificates).
- Provide tamper evidence for installation attributes.
- Protect stateful partition encryption keys.
- Attest secure module hardware-backed keys.
- Attest device mode.
No remote computer has access to the secure module.
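The first two items above (rollback prevention and detecting normal/developer mode transitions) both come down to the same primitive: a small amount of non-volatile state that only the firmware can update, and only before it hands control to the OS. The following is an added toy model of that pattern, written for this page; it is not ChromeOS or Chromium code, and every name in it (the simulated NV store, the lock-until-reset flag, the version and mode fields, the boot() routine) is an illustrative assumption rather than the real secure-module interface. Real hardware enforces the write lock with NV index attributes and a reset-cleared bit; here it is a plain flag.

```python
"""Constructed model of secure-module NV state used for rollback prevention
and mode-transition detection. Not ChromeOS code; all names are assumptions."""


class RollbackError(Exception):
    """Raised when a component is older than the stored minimum version."""


class NvLocked(Exception):
    """Raised when NV is written after it was locked for this boot."""


class SimulatedSecureModuleNv:
    """Stand-in for the secure module's non-volatile storage (constructed).

    Two records: the minimum accepted firmware/kernel versions, and the mode
    seen on the previous boot. Writes are refused once lock_until_reset()
    has been called, until power_cycle() clears the lock.
    """

    def __init__(self):
        self.min_versions = {"firmware": 0, "kernel": 0}
        self.last_mode = "normal"
        self._locked = False

    def _check_writable(self):
        if self._locked:
            raise NvLocked("NV write-locked until next reset")

    def write_min_versions(self, **versions):
        self._check_writable()
        self.min_versions.update(versions)

    def write_mode(self, mode):
        self._check_writable()
        self.last_mode = mode

    def lock_until_reset(self):
        self._locked = True

    def power_cycle(self):
        self._locked = False


def boot(nv, fw_version, kernel_version, mode, stateful_key):
    """One simulated boot. Returns (mode_changed, usable_stateful_key).

    Anything older than the stored minimum is refused (rollback). Versions
    only ever ratchet forward. A change of mode since the last boot is
    reported and the stateful-partition key is withheld, modelling the
    policy that the previous mode's data is not carried across.
    """
    versions = {"firmware": fw_version, "kernel": kernel_version}
    for name, version in versions.items():
        if version < nv.min_versions[name]:
            raise RollbackError(
                f"{name} {version} older than stored minimum {nv.min_versions[name]}"
            )
    # Ratchet: never lower a stored minimum, only raise it.
    nv.write_min_versions(
        **{n: max(v, nv.min_versions[n]) for n, v in versions.items()}
    )
    mode_changed = mode != nv.last_mode
    nv.write_mode(mode)
    # Lock before handing control to the OS; the OS cannot rewrite the records.
    nv.lock_until_reset()
    if mode_changed:
        return True, None
    return False, stateful_key


def demo():
    """Walks through accept, rollback refusal, mode change and post-lock write."""
    events = []
    nv = SimulatedSecureModuleNv()
    key = b"constructed-stateful-key"

    changed, k = boot(nv, 3, 5, "normal", key)
    events.append("boot ok, key kept" if not changed and k == key else "unexpected")

    nv.power_cycle()
    try:
        boot(nv, 2, 5, "normal", key)  # firmware 2 < stored minimum 3
    except RollbackError as e:
        events.append(f"rollback refused: {e}")

    nv.power_cycle()
    changed, k = boot(nv, 3, 6, "developer", key)
    events.append("mode changed, stateful key discarded" if changed and k is None else "unexpected")

    try:
        boot(nv, 3, 6, "developer", key)  # no power cycle: NV still locked
    except NvLocked as e:
        events.append(str(e))
    return events


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point the model makes is that the OS, once running, can neither lower the stored minimum versions nor rewrite the recorded mode; only the next reset reopens the records, and only the firmware runs before they are locked again.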
What does ChromeOS not use the secure module for?
- Trusted boot (the secure module isn’t used as part of the ChromeOS verified boot solution).
- Runtime platform configuration measurement.
- Whole-disk encryption. In particular, the secure module isn’t used to unwrap an encryption key during the boot process.