How does Librem Key + HEADS tamper detection work without a TPM?


In this post of the purism news feed, it is claimed that in certain cases the Librem Key and HEADS can achieve firmware tampering detection without a built-in TPM. The explanation given there was not detailed enough for me to understand how this can possibly work. As I understand it, we can consider a TPM that is part of the laptop as some kind of “reliable agent” in the sense that when somebody replaces the firmware, they do not gain the ability to control the TPM, such as forcing it to release its stored secrets. The typical setup utilizes this to give the TPM a measurement of the firmware code as it starts up, and then the TPM releases the secret only when that measurement is correct. This means that on startup, the machine can only present a valid authentication token when it booted from the expected firmware.

I don’t understand how we can still achieve authentication when we lose this “reliable agent”. The article states that instead of using the TPM to release a secret upon a measurement that is pre-approved, we now send the measurement directly to the Librem Key, which can then directly decide whether the system has been tampered with or not. However, can’t an attacker exploit this in a similar way as is done with a typical firmware attack? The attacker first does her own measurement of the firmware to see what is “approved”. Then the attacker modifies the firmware so that after starting up, it ignores the true measurement of their malicious firmware, and sends a forged measurement to the Librem Key. Because it is only on the USB bus, the Librem Key cannot know that the measurement it is receiving is falsified, and so doesn’t it get tricked in this way? Isn’t the TPM important precisely because it is directly on the system, and so can reliably obtain the true value of the firmware measurement?

Thanks in advance to anyone that can provide more details on how this method of tamper detection works without a TPM.