TPM GPIO fail: How bad OEM firmware ruins TPM security
Introduction
In this article I demonstrate a software attack that allows an operating system
to set the PCRs of a discrete TPM device to arbitrary values and unseal any
secret protected by a PCR-based sealing policy (such as the disk encryption keys used by
unattended-unlock TPM full-disk-encryption (FDE) schemes).
Previous work
We've previously demonstrated a trivial hardware attack here. That attack allowed an attacker with physical access to achieve
a clean TPM state by booting any operating system, then briefly grounding...
Read more at mkukri.xyz