IET PROFESSIONAL APPLICATIONS OF COMPUTING SERIES 13

Trusted Platform Modules

Other volumes in this series:

Volume 1 Knowledge Discovery and Data Mining M.A. Bramer (Editor)
Volume 3 Troubled IT Projects: Prevention and turnaround J.M. Smith
Volume 4 UML for Systems Engineering: Watching the wheels, 2nd Edition J. Holt
Volume 5 Intelligent Distributed Video Surveillance Systems S.A. Velastin and P. Remagnino (Editors)
Volume 6 Trusted Computing C. Mitchell (Editor)
Volume 7 SysML for Systems Engineering J. Holt and S. Perry
Volume 8 Modelling Enterprise Architectures J. Holt and S. Perry
Volume 9 Model-Based Requirements Engineering J. Holt, S. Perry and M. Bownsword

Trusted Platform Modules
Why, when and how to use them

Ariel Segall

The Institution of Engineering and Technology


Published by The Institution of Engineering and Technology, London, United Kingdom

The Institution of Engineering and Technology is registered as a Charity in England &
Wales (no. 211014) and Scotland (no. SC038698).

© The Institution of Engineering and Technology 2017

First published 2016

This publication is copyright under the Berne Convention and the Universal Copyright
Convention. All rights reserved. Apart from any fair dealing for the purposes of research
or private study, or criticism or review, as permitted under the Copyright, Designs and
Patents Act 1988, this publication may be reproduced, stored or transmitted, in any
form or by any means, only with the prior permission in writing of the publishers, or in
the case of reprographic reproduction in accordance with the terms of licences issued
by the Copyright Licensing Agency. Enquiries concerning reproduction outside those
terms should be sent to the publisher at the undermentioned address:

The Institution of Engineering and Technology
Michael Faraday House
Six Hills Way, Stevenage
Herts, SG1 2AY, United Kingdom

www.theiet.org

While the author and publisher believe that the information and guidance given in this
work are correct, all parties must rely upon their own skill and judgement when making
use of them. Neither the author nor publisher assumes any liability to anyone for any
loss or damage caused by any error or omission in the work, whether such an error or
omission is the result of negligence or any other cause. Any and all such liability
is disclaimed.

The moral rights of the author to be identified as author of this work have been
asserted by him in accordance with the Copyright, Designs and Patents Act 1988.

British Library Cataloguing in Publication Data
A catalogue record for this product is available from the British Library

ISBN 978-1-84919-893-6 (hardback)
ISBN 978-1-84919-894-3 (PDF)

Typeset in India by MPS Limited
Printed in the UK by CPI Group (UK) Ltd, Croydon
Contents

Acknowledgments xiii
Glossary and acronym expansions xv

1 Introduction 1
1.1 About this book 1
1.1.1 The enterprise approach 1
1.1.2 User stories 2
1.2 What is trusted computing? 2
1.2.1 What do we mean by ‘trusted’? 3
1.2.2 A brief history of trusted computing 4
1.2.3 The Trusted Computing Group 4
1.3 TPMs at a high level 5
1.3.1 Roots of Trust 5
1.3.2 Chains of trust 7
1.3.3 The TPM threat model 7
1.3.4 What TPMs are good for 9
1.3.5 What TPMs aren’t good for 9
1.3.6 TPM versions 10
1.3.7 Common TPM myths 11
1.4 Where to find TPMs 14
1.5 TPM software options 15

2 When to use a TPM 17


2.1 Machine authentication examples 17
2.2 Data protection examples 18
2.3 Attestation examples 19
2.4 When not to use a TPM 20
2.4.1 When not to use: consumer DRM 20
2.4.2 When not to use: primary defence against physical threats 21
2.5 Complicating factors 21
2.5.1 Identifying TPMs 21
2.5.2 Enterprise PKI integration 22
2.5.3 Universal software support 23
vi Trusted platform modules: why, when and how to use them

3 TPM concepts and functionality 25


3.1 Ownership and authority 25
3.2 Root keys and primary seeds 26
3.2.1 TPM 1.2 root keys 27
3.2.2 TPM 2.0 primary seeds and hierarchies 27
3.3 Non-root keys 30
3.3.1 Root and non-root key relationships 31
3.3.2 Externally created keys and the TPM 32
3.4 Key certification 32
3.5 Roots of trust for measurement 32
3.6 Platform configuration registers 33
3.7 Quotes 34
3.8 NVRAM and key storage 35
3.9 Utility functions 35
3.10 Access control mechanisms 35
3.11 Cryptographic algorithms 36
3.12 Communicating securely with the TPM 36
3.13 The TPM in action 37
3.13.1 Possible TPM states 37
3.13.2 Reboots, and why they matter 37
3.13.3 Clearing: erasing your TPM 38
4 Programming introduction 39
4.1 TSS 1.2 code introduction 39
4.1.1 Categories of TSPI commands 42
4.1.2 TSS objects 43
4.1.3 Policies: providing passwords to the TPM 43
4.1.4 Object attributes 45
4.2 IBM TSS 2.0 code introduction 46
4.2.1 TPM 2.0 utilities sample code 48
4.2.2 File handling helper functions 48
5 Provisioning: getting the TPM ready to use 51
5.1 Provisioning: what it means, and why it matters 51
5.2 Basic steps of 1.2 TPM provisioning 51
5.2.1 Setting up a 1.2 TPM 52
5.2.2 Establishing trust in a 1.2 TPM 56
5.3 2.0 TPM provisioning and hierarchies 60
5.3.1 Changing hierarchy authorizations 61
5.3.2 Changing the hierarchy seeds 62
5.3.3 Creating primary keys and objects 62
5.4 Multiversion TPMs 63
5.5 TPM provisioning user stories 63
5.5.1 User stories: turning the TPM on 63
5.5.2 User stories: establishing trust in the TPM 64
5.5.3 User stories: taking ownership 66
Contents vii

5.6 Remote verification of TPM keys 67


5.6.1 Certification: 1.2 TPM keys and PKI 67
5.6.2 Certification: the homegrown approach 68
5.7 Provisioning-time key certification user stories 69

6 First steps: TPM keys 71


6.1 TPM keys 71
6.1.1 Advantages and disadvantages of TPM keys 71
6.2 The basic types of TPM keys 72
6.2.1 TPM 1.2 key types 72
6.2.2 TPM 2.0 key attributes 74
6.3 Authorization options for TPM keys 75
6.4 Creating TPM keys 75
6.4.1 Parent keys 75
6.4.2 Key creation commands 77
6.5 Key creation user stories 82
6.6 Migratable and duplicatable keys 83
6.6.1 1.2 Normal migratable keys 83
6.6.2 1.2 Certifiable Migration Keys 87
6.6.3 2.0 Duplicatable keys 91
6.6.4 When to use migratable or duplicatable keys 93
6.7 Migratable key user stories 93
6.8 Loading TPM keys 94
6.8.1 Additional loading features in 2.0 95
6.9 Handles, names, and authorization: using TPM keys in other commands 95
6.9.1 Key handles and security 95
6.9.2 Pre-defined handles 96
6.10 Authorization sessions 97
6.11 Certifying TPM keys 98
6.11.1 TPM 1.2: certifying identity keys 100
6.11.2 Certifying other TPM keys (1.2 and 2.0) 102
6.11.3 Retrieving public portions of TPM keys 105
6.12 Using keys created outside the TPM 107
6.13 The TPM’s access control models 108
6.13.1 Physical presence 108
6.13.2 TPM 1.2: user authentication, PCRs, and localities 109
6.13.3 TPM 2.0’s Enhanced Authorization 110
6.14 Key access control user stories 114
6.15 TSS 1.2 key management code examples 116
6.15.1 Background: using the SRK 116
6.15.2 Key creation 116
6.15.3 Creating identity keys 119
6.15.4 Key loading 121
6.15.5 Using public keys 123
6.16 TSS 2.0 key management code examples 125


6.16.1 Key creation 125
6.16.2 Key loading 128
6.16.3 Using public keys 129
6.16.4 Enhanced Authorization policies 130

7 Machine authentication 137


7.1 What is machine authentication? 137
7.1.1 Signing versus encryption 137
7.1.2 The limits of TPM-based machine authentication 138
7.1.3 What about user authentication? 138
7.2 Signing-based machine authentication 139
7.2.1 How it works 139
7.2.2 When to use it 140
7.2.3 The TPM and signing-based authentication 141
7.2.4 Nonces: why they matter and how to use them 144
7.2.5 Mitigating man-in-the-middle attacks 146
7.3 Encryption-based machine authentication 147
7.3.1 How it works 147
7.3.2 When to use it 149
7.4 User identification versus machine authentication 150
7.5 Machine authentication user stories 151
7.6 1.2 TSS machine authentication code examples 153
7.6.1 Setting a signature scheme 153
7.6.2 Signing and verifying hashed data 154
7.6.3 Encryption and decryption 154
7.7 TSS 2.0 machine authentication code examples 154
7.7.1 Signing 154
7.7.2 Verifying signatures 156
7.7.3 Encryption and decryption 157

8 Data protection 159


8.1 The pros and cons of TPMs for data storage 159
8.2 Basic TPM encryption features 161
8.2.1 Storage hierarchies and data protection 162
8.3 Disk encryption, bulk data protection, and secure backups 163
8.4 Small-scale data protection 163
8.4.1 Small-scale local encryption 164
8.5 Secure data transmission 166
8.5.1 Binding, legacy keys, and backwards compatibility 168
8.6 Alternate backup techniques 168
8.7 The TPM’s internal storage (NVRAM) 168
8.7.1 Using NVRAM in 1.2 170
8.7.2 Using NVRAM in 2.0 171
8.8 Conditional data access 175


8.9 Data protection user stories 176
8.10 TSS 1.2 data protection code examples 179
8.10.1 Binding and unbinding 179
8.10.2 Sealing and unsealing 180
8.10.3 Using NVRAM 181
8.11 TSS 2.0 data protection code examples 184
8.11.1 Creating a sealed blob 184
8.11.2 Decrypting a sealed blob 186
8.11.3 Using NV storage 186
8.11.4 Reading NV contents and manufacturer certificates 190

9 Attestation 193
9.1 Machine state and the TPM 193
9.1.1 Measurement chains of trust 193
9.1.2 The Static Root of Trust for Measurement 194
9.1.3 The Dynamic Root of Trust for Measurement 195
9.2 Using the PCRs 200
9.2.1 Essential PCR operations 200
9.2.2 Measurement and PCRs 202
9.2.3 Beyond measurements: creative uses of PCRs 204
9.2.4 1.2 PCR design 206
9.2.5 2.0 PCR design 207
9.2.6 Choosing PCRs to use 209
9.2.7 PCRs beyond the PC 210
9.3 Basic attestation techniques 211
9.3.1 Quotes 211
9.3.2 Verifying quotes 214
9.3.3 Constrained key attestation 216
9.3.4 Direct anonymous attestation 216
9.4 Machine state measurement in theory and reality 221
9.5 Attestation user stories 221
9.6 TSS 1.2 attestation code examples 225
9.6.1 Reading PCR contents 225
9.6.2 Extending PCRs 225
9.6.3 Resetting PCRs 226
9.6.4 Creating and verifying a quote 227
9.7 TSS 2.0 attestation code examples 232
9.7.1 Creating a PCR selection 232
9.7.2 Reading PCR contents 233
9.7.3 Extending PCRs 233
9.7.4 Resetting PCRs 234
9.7.5 Creating and verifying quotes 235
10 Other TPM features 237


10.1 The smorgasbord 237
10.2 Clearing the TPM 237
10.2.1 Revoking trust in an EK 239
10.2.2 Clearing user stories 239
10.3 Random number generation 239
10.3.1 Random number user stories 240
10.4 TPM configuration 241
10.4.1 Configuration in 1.2 241
10.4.2 Configuration in 2.0 242
10.4.3 Configuration user stories 247
10.5 Monotonic counters 248
10.5.1 Monotonic counter user stories 249
10.6 Storing extra keys in the TPM 250
10.6.1 Persistent key user stories 251
10.7 Command auditing 252
10.7.1 Command audit user stories 254
10.8 Field upgrades 254
10.9 1.2-exclusive features 255
10.9.1 Temporarily deactivating the TPM 255
10.9.2 Maintenance archives 255
10.9.3 Delegation 257
10.9.4 Tickstamps 260
10.10 2.0-exclusive features 262
10.10.1 Cryptographic primitives 262
10.10.2 Clocks and attesting to local time 265

11 Software, specifications, and more: Where to find other TPM resources 269
11.1 1.2 Programming tools 269
11.1.1 1.2 Trusted/TCG software stacks (TSS) 269
11.1.2 Microsoft’s TBS 270
11.2 2.0 Programming tools 270
11.2.1 IBM TSS 2.0 270
11.2.2 2.0 TSS.Net and TSS.C++ 271
11.3 Books, courses, and other digested material 271
11.3.1 TPM 1.2 concepts 271
11.3.2 TPM 1.2 programming 271
11.3.3 TPM 2.0 272
11.3.4 Other trusted computing topics 272
11.4 Community 273
11.4.1 The TCG 273
11.4.2 TrouSerS-users mailing list 273
11.5 1.2 Specifications 274


11.5.1 1.2 TSS specification 274
11.5.2 1.2 TPM specification 276
11.6 2.0 Specifications 279
11.6.1 TCG TSS (TPM Software Stack) specifications 279
11.6.2 2.0 TPM specifications 281
11.6.3 2.0 Supporting specifications 283
11.7 Platform specifications 285
11.7.1 1.2 Platform specifications 285
11.7.2 2.0 Platform specification 286
11.7.3 Specifications applying to multiple TPM versions 286
11.8 Other useful resources 286
11.8.1 The tpm-tools package 286
11.8.2 TPM manufacturers 287
11.8.3 TPM 2.0 simulators 287
11.8.4 Example open-source applications 288
11.8.5 Useful trusted computing tools 289
11.9 Commercial software 289

12 Troubleshooting 291
12.1 When all else fails 291
12.2 There’s no TPM in the BIOS menu 291
12.3 Trouble getting any software working 292
12.3.1 Linux-specific tips 292
12.4 TPM returning errors 292
12.5 TSS 1.2 code returning errors 293
12.6 Problems using TPM data structures 294

13 Conclusion and review 295


13.1 What the TPM is good for 295
13.2 Common TPM use cases 295
13.3 The potential (and peril) of the future 296
13.4 In conclusion 296

Appendix A Basic cryptographic concepts 299


A.1 The limitations of this appendix 299
A.2 Basic vocabulary 299
A.3 Symmetric cryptography 299
A.4 Asymmetric (public key) cryptography 300
A.5 Key derivation functions 301
A.6 Hashes 301
A.6.1 HMACs 301
A.7 Nonces 302
A.8 Zero-knowledge proofs 302
Appendix B Command equivalence and requirements charts 305


B.1 Key 305
B.2 TPM 1.2 command equivalence and requirements 306
B.3 TPM 2.0 command requirements 312

Appendix C Complete code samples 317


C.1 1.2 TSS code samples 317
C.1.1 Sealing and unsealing 317
C.1.2 Using NVRAM 321
C.2 2.0 TSS code samples 324
C.2.1 Creating objects 324
C.2.2 Retrieving the TPM’s internal time 342

Copyright Notices 351


Index 353
Acknowledgments

This book would not have happened without the help of a vast number of people, to
whom I am eternally grateful: Xeno Kovah, who first asked me whether I’d considered
teaching a class on TPMs; my many wonderful former colleagues at MITRE,
particularly Amy Herzog, Joshua Guttman, John Ramsdell, Paul Rowe, Justin Sheehy,
and Brian Sniffen; it’s amazing what you can learn in ten years of being steeped in a
subject while surrounded by smart people. Then there are also the great folks from
the IAD, particularly Grant Wagner, George Coker, and Pete Loscocco, who never
stopped asking really challenging questions; I’d never have figured half of this stuff
out without you. There are all of my test readers, in particular the exceptionally patient
Kevin Riggle and John Mainzer, who waded through multiple versions and sent extensive
commentary. And above all, my amazingly patient spouse, Andrew Menard, who
put up with a ridiculous amount of hassle and still never stopped telling me I could
do this.
Glossary and acronym expansions

AIK Attestation Identity Key. Often simply called an identity key. A key that acts as
a certifiable pseudonym for a TPM.
AMD A company that manufactures CPUs and other low-level hardware.
API Application program interface. A set of function definitions for building software
applications.
Attestation The presentation of verifiable evidence about a system to another party
(the verifier, sometimes called the appraiser). Usually, the verifier is off-system:
we call this remote attestation. The attestation target is sometimes called the
attester.
Authorization value Password, although usually with many fewer constraints about
the contents than the sort of passwords users generally create. In a TPM context,
sometimes used to imply a value that’s been pre-hashed before transmission,
versus a password transmitted in its entirety to the TPM.
BIOS Basic Input/Output system, though the expansion is almost never used.
BIOS refers to the firmware which initially sets up a PC’s hardware during
boot. Although technically, BIOS and UEFI refer to entirely different firmware
approaches that perform similar functions, because they serve the same purpose
they are often lumped together under the BIOS umbrella. Most mentions of BIOS
in this book actually refer to either BIOS or UEFI.
Blob A TPM-produced data structure whose contents the user is not expected to make
individual use of; a black box.
Boot Loader Software that loads an operating system kernel as part of the boot
process.
CA Certificate Authority. A trusted party participating in a public key infrastructure
who certifies that certain keys can be trusted by anyone who trusts the authority.
Chain of Trust A trusted computing concept in which every component establishes
trust in the next component before handing over control, usually rooted in a Root
of Trust. Often comes up when discussing how measurements of a system state
are created, although other chains of trust exist.
Clear An operation that removes most of the data from the TPM. Intended for use
when a machine is sold or transferred to a new owner, so that old secrets are no
longer accessible.
CMK Certifiable Migration Key. A 1.2 key that can be migrated between machines
with the approval of a trusted authority, and can be certified for external verifiers.
CPU Central processing unit. The core of a modern computer.
CRTM Core Root of Trust for Measurement. Same as SRTM.
CSR Certificate signing request. A request presented to a CA to ask that a particular
key be certified. Normally part of a PKI.
DAA Direct anonymous attestation. A complex form of attestation that can establish
trust in a system without revealing anything about the system’s identity.
DNSSec Domain Name System Security Extensions. A standard for adding security
to DNS, the system that resolves hostnames on networks.
DRM Digital Rights Management. An umbrella term describing technologies for
limiting unauthorized access to specific proprietary resources. Usually used in a
corporate or copyright context.
DRTM Dynamic Root of Trust for Measurement. A special set of CPU functions
designed to allow trust in a system’s software to be established after an untrusted
boot.
EA Enhanced Authorization. A new, very fine-grained, and very flexible approach
to access control, introduced in 2.0 TPMs.
ECC Elliptic Curve Cryptography. An approach to public key cryptography based
on finite field algebra.
EK Endorsement Key. The key on which all trust in a 1.2 TPM is based. In theory,
created and certified by the TPM manufacturer.
EPS Endorsement Primary Seed. The primary seed associated with the endorsement
hierarchy. The cryptographic material on which most remote trust in a 2.0 TPM
is based.
FAPI Feature API. Part of the TCG’s 2.0 TSS. Intended to provide a small subset of
TPM functionality that would be most useful to the majority of users.
FIPS Federal Information Processing Standards. US government standards for
computing, prominently including security.
GRUB A boot loader, popular on Linux.
Handle An identification value that uniquely identifies an object or resource in a
given context. The context might be TPM-specific, program-specific, or software
stack-specific.
Hierarchy In a TPM 2.0 context, hierarchies are sets of keys and other objects rooted
in a shared primary seed, and managed with a shared set of authorization values
and policies. Different hierarchies are intended for different uses, although there
are no constraints on what objects can be created in what hierarchies.
HMAC Hashed Message Authentication Code. A hash combining data with a symmetric
key; the authenticity can be verified by anyone else with the symmetric key.
IT Information Technology. IT departments are a common description for the people
who handle computing resources in companies and other large organizations.
IP Among other meanings, Internet Protocol. IP addresses are the standard way in
which machines connected to a network are identified.
KDF Key Derivation Function. Mathematical function for securely deriving a key
from some initial input, called a seed.
MAC Mandatory Access Control. A system where access control is always present
and enforced. Compare to Discretionary Access Control, where access control is
something imposed in individual instances as desired.
MAC Media Access Control, although almost no one uses the expansion. MAC
addresses are used to identify individual network interface hardware devices on
a network.
NV storage Non-volatile storage. Storage areas whose contents are not erased on a
reboot. Sometimes called NVRAM.
NVRAM Non-volatile Random-Access Memory. Sometimes called NV Storage.
OAEP Optimal Asymmetric Encryption Padding. A padding scheme often used with
RSA, to create safe input to the encryption function.
OIAP Object-Independent Authorization Protocol. An authorization session protocol
used to securely transmit authorization data to the TPM.
OS Operating System.
OSAP Object-Specific Authorization Protocol. An authorization session protocol
used to securely transmit authorization data to the TPM.
Owner The person who is the local authority on how the TPM should be used (or
not used). Usually, the literal owner of the machine, either an individual or IT
department.
PC Although this stands for Personal Computer, in this context it actually refers to
the x86 family of computer architectures, including both desktops and servers.
PCA Privacy Certificate Authority. A CA that participates in the TCG-designed AIK
certification protocol.
PCRs Platform Configuration Registers. A set of registers in the TPM with highly
controlled behaviour, used to contain system measurements or user data. The
contents can be used to constrain access to TPM resources, or certified for external
verification with a quote.
PKCS One of the Public Key Cryptography Standards. Defines a programming
interface for using cryptographic hardware.
PKI Public Key Infrastructure. A distributed architecture for establishing trust in
public keys. Usually involves at least one CA.
PPS Platform Primary Seed. The primary seed associated with the platform
hierarchy.
Primary Seed A hidden value used to generate keys in 2.0 platforms. Each hierarchy
has its own primary seed. Serves the same trust role as the root keys in 1.2 TPMs.
Root Key A key that acts as a root of trust on a given platform with a 1.2 TPM.
RoT Root of Trust. A component which is inherently trusted, and which is used to
establish trust in other components.
RTM Root of Trust for Measurement. The system component that is trusted to take
an initial measurement of a system, allowing a chain of trust to be started.
RTR Root of Trust for Reporting. The key that all external trust in a given TPM (and
therefore system) is eventually rooted in. In 1.2 TPMs, the EK; in 2.0 TPMs,
manufacturer-certified primary keys based on the Endorsement Primary Seed.
RTS Root of Trust for Storage. The key that is trusted to protect secrets in a system,
directly or indirectly. In 1.2 TPMs, the SRK; in 2.0 TPMs, primary keys based
on the Storage Primary Seed.
RSA A widely used public key cryptosystem based on the difficulty of factoring the
products of two large prime numbers.
SAPI System Level API. Part of the TCG’s 2.0 TSS.
SGX Software Guard Extensions. A set of new Intel CPU extensions providing
additional security functionality.
SHA-1/SHA-256 Members of the widely used Secure Hash Algorithm family of
hash functions. SHA-1 is being slowly phased out of use as of the end of 2015,
owing to discovered weaknesses. SHA-256 is the recommended replacement.
SPS Storage Primary Seed. The primary seed associated with the storage hierarchy.
SRK Storage Root Key. A 1.2 TPM key which serves as the Root of Trust for Storage.
SRTM Static Root of Trust for Measurement. Same thing as CRTM.
State A computing term referring to a program’s or system’s status and available
information at a given point in time.
SVM Secure Virtual Machine. A set of CPU technologies created and sold by AMD.
Tamper Resistance Tampering, in this context, refers to physical attacks against
hardware; anything from a novice with a screwdriver to expert nation-state spies
with acid, liquid nitrogen, and lasers. Tamper resistance generally refers to hardware
capable of resisting some amount of tampering. This is distinct from tamper
proofing, which implies an actual immunity to most forms of tampering. Tamper
proofing is usually found in very expensive hardware sold to governments, and
often contains explosives; you will rarely encounter it in consumer or corporate
contexts.
TBS Trusted Base Services. A Microsoft interface for using 1.2 TPMs.
TCG Trusted Computing Group. An industry coalition that creates most trusted
computing standards, including the TPM standards.
TCPA Trusted Computing Platform Association. An industry coalition that was a
precursor to the Trusted Computing Group.
TCSI TSS Core Service Interface. A mid-level layer of the 1.2 Trusted Software
Stack API.
TDDL TCG Device Driver Library. A low-level layer of the 1.2 Trusted Software
Stack API.
TPM Trusted Platform Module.
Trusted In a TPM context, something whose behaviour is predictable. This allows
individuals to make their own determination about which behaviour can be
trusted in a colloquial sense.
TSPI TSS Service Provider Interface. The layer of the 1.2 Trusted Software Stack
API intended for use primarily by applications.
TSS Trusted Software Stack or TPM Software Stack. A software layer to make using
the TPM easier.
TXT Trusted Execution Technology. A set of CPU technologies created and sold by
Intel.
UEFI Unified Extensible Firmware Interface. A modern, standardized replacement
for a BIOS.
X.509 A widely used standard that defines formats for public key certificates,
certificate signing requests, and revocation lists.
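Several of the entries above (Chain of Trust, RTM, PCRs, Attestation, and Nonces in Appendix A) fit together into one mechanism: each boot stage measures the next into a PCR before handing over control, and a verifier later checks a quote over those PCRs. The following stand-alone Python simulation is an added illustration, not code from this book or from any TPM software stack. It assumes a single SHA-256 PCR bank initialised to all-zero bytes, the TCG extend rule PCR_new = H(PCR_old || H(measurement)), and, because it uses only the standard library, an HMAC keyed with a constructed `AIK_KEY` as a stand-in for the AIK signature a real TPM would put on a quote. The boot components, PCR indices and nonces are all constructed sample data.

```python
# Added example (not from Segall's book): a software simulation of a
# measurement chain of trust ending in a quote checked by a remote verifier.
# Assumptions: one SHA-256 PCR bank starting at 32 zero bytes; the TCG
# extend rule PCR_new = H(PCR_old || H(measurement)); an HMAC keyed with a
# constructed AIK_KEY standing in for the AIK signature of a real quote.
import hashlib
import hmac

PCR_INIT = bytes(32)  # assumption: every PCR starts as 32 zero bytes


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TCG-style extend: a PCR can only be advanced, never set directly,
    so the final value depends on every measurement and on their order."""
    return digest(pcr + digest(measurement))


def replay_log(event_log):
    """Replay an ordered event log of (pcr_index, component_image) pairs.
    Each stage measures the next before handing over control; the same log
    always reproduces the same PCR values, which is what lets a verifier
    compute golden values from a known-good log."""
    pcrs = {}
    for index, image in event_log:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), image)
    return pcrs


def make_quote(pcrs, nonce: bytes, aik_key: bytes) -> bytes:
    """Stand-in for a TPM quote: bind the PCR values and the verifier's
    nonce under the AIK. A real TPM signs; here an HMAC with aik_key stands in."""
    body = b"".join(bytes([i]) + v for i, v in sorted(pcrs.items())) + nonce
    return hmac.new(aik_key, body, hashlib.sha256).digest()


def verify_quote(quote_value, reported_pcrs, nonce, aik_key, golden_pcrs):
    """Verifier side: first confirm the quote is bound to the AIK and to
    *this* nonce (so an old quote cannot be replayed), then compare every
    reported PCR with its golden value."""
    expected = make_quote(reported_pcrs, nonce, aik_key)
    if not hmac.compare_digest(expected, quote_value):
        return False, "quote not valid for this nonce and key"
    for index, value in golden_pcrs.items():
        if reported_pcrs.get(index) != value:
            return False, f"PCR {index} differs from golden value"
    return True, "platform state matches"


# Constructed sample data (not real firmware images): a three-stage boot.
GOOD_BOOT = [(0, b"BIOS v1.0"), (4, b"bootloader 2.02"), (8, b"kernel 5.4")]
TAMPERED_BOOT = [(0, b"BIOS v1.0"), (4, b"bootloader 2.02"), (8, b"kernel 5.4 modified")]
AIK_KEY = b"constructed-aik-key-for-demo"  # stand-in for the AIK


def run_attestation(boot_log, nonce_quoted, nonce_expected):
    """One attestation round. The attester replays its own log and quotes it
    over nonce_quoted; the verifier checks against golden values replayed
    from GOOD_BOOT using nonce_expected. Passing two different nonces models
    a stale quote being replayed against a fresh challenge."""
    golden = replay_log(GOOD_BOOT)
    reported = replay_log(boot_log)
    quote_value = make_quote(reported, nonce_quoted, AIK_KEY)
    return verify_quote(quote_value, reported, nonce_expected, AIK_KEY, golden)


if __name__ == "__main__":
    fresh = b"nonce-0001"
    print(run_attestation(GOOD_BOOT, fresh, fresh))
    print(run_attestation(TAMPERED_BOOT, fresh, fresh))
    print(run_attestation(GOOD_BOOT, b"nonce-0001", b"nonce-0002"))
```

Two properties of the design are worth noticing. Because extend is one-way and order-sensitive, software running after a stage was measured cannot rewrite the PCR to hide a change, only add further measurements; and because the verifier chooses the nonce, a quote captured from an earlier boot fails the first check even though its PCR values were good at the time.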
Chapter 1
Introduction

1.1 About this book


One of the major problems with trusted computing adoption has been a lack of good
introductory information. People wondering what this technology is, why they should
care about it, or how they should get started using it have generally not had very many
resources to turn to. In this book, I will begin with the most basic questions of what the
technology is; talk about when this technology is most useful (and, equally important,
when it’s not); and then start introducing the technical details of why and how to use
the technology. If you’re still at the stage of wondering if this technology is relevant
to you, start with the first couple of chapters; there’s enough complexity here that a
classic engineer’s ‘jump in feet first’ approach is inefficient. If you’re familiar with
the basics of trusted computing technology already, Chapters 4 and up will provide
you with useful reference material, but you may also find new ideas for how trusted
computing can be applied in your environment in Chapter 2.
This book is intended for a technical audience, but not one with any particular
familiarity with trusted computing, hardware, or security concepts. If you need a
refresher on or introduction to the basic cryptographic vocabulary used in this book,
see Appendix A.
While this book does contain example code demonstrating how to use the functionality
described, it is not intended to be a comprehensive reference for programming
for the Trusted Platform Module (TPM). Instead, I provide background information
and examples which should allow those with some coding experience to use freely
available resources (primarily in the form of relevant specifications) to implement
whatever TPM-based functionality they need. Similarly, my primary goal for this
book is to teach system designers what the TPM can do and what they might want
to use it for, and provide all the information you’ll need to look up the details for
your own projects. A comprehensive book containing everything anyone could ever
possibly need would rapidly turn into an unusable tome, so I’m aiming instead to
provide you with everything you’ll need to work independently.

1.1.1 The enterprise approach


While there are some good use cases for trusted computing at an individual level,
mostly involving protection of sensitive data, many of the most powerful trusted
computing use cases need a large infrastructure to be most effective. All of the use
cases for machine authentication and attestation, for example, require that there be a
mechanism for one machine to recognize the keys belonging to another; a large public
key infrastructure (PKI) makes this feasible and scalable, but few individuals and no
existing trusted third parties want to bother with the overhead required. Additionally,
large enterprises – be they companies, government agencies, or other organizations –
are far more likely than most individuals to need to track machine identity and state
over a network. Therefore, this book has been written with a focus on enterprise use
cases and support infrastructure.
Of course, this isn’t to say that the book can’t be useful if you’re not in an enterprise
Information Technology (IT) department. Whether you’re a student, a hobbyist, or a
professional, this book should give you a solid grounding in what TPMs are capable
of, what they’re good for, and what they’re not. Just keep in mind while you’re reading
that if you’re not working in an enterprise context, you may have to think a little beyond
the printed use cases to see how they apply to your own scenarios.

1.1.2 User stories


Throughout this book, I will present short user stories featuring fictional characters,
intended to illustrate both a variety of use cases for this technology and the sorts of
decisions that might lead to choosing one approach over another. These examples will
be far from comprehensive; after all, part of the goal of this book is for you to gain
an understanding of how this technology might apply in your own situation. Instead,
they are meant to illustrate the concepts presented in each chapter in a practical
setting, and hopefully encourage you to think how your own decisions might be
similar or different from those made by Alice, Bob and their colleagues at Example,
Incorporated.

1.2 What is trusted computing?


‘Trusted computing’ is an umbrella term, with almost as many definitions as there
are people talking about it. The definition we’ll use in this book is a more formalized
version of the way the Trusted Computing Group (TCG) (see Section 1.2.3) uses
the term:
Trusted computing refers to computing systems which use hardware to provide security
support to software and to create systems with more predictable behaviour.
This covers a wide range of systems. Technologies which fall under the trusted
computing umbrella include:
Trusted Platform Modules: The focus of this book, TPMs are chips, usually
attached to a device’s motherboard, which provide assorted cryptographic
functions. I’ll be providing much more detail later.
Self-encrypting Drives: Fast hardware-supported cryptographic data protection,
built into a hard drive.

Secure CPU Modes: These include Intel’s TXT and SGX, as well as AMD’s SVM,
and provide functionality such as software measurement, code signature check-
ing, and secure execution, all in a remotely verifiable fashion.
Trusted Network Connect: A suite of networking protocols capable of integrating
information from platform-level trusted computing into network access decision-
making, but which can also be used without any secure hardware.
Multilevel Computing: In the government world, different classification levels of
information must be kept carefully segregated, often on distinct machines or net-
works. Multilevel computing systems combine hardware and software to create
a trustworthy whole capable of securely handling information at multiple, highly
separated, classification levels simultaneously.
You may notice that I’ve included here both hardware components and the sys-
tems which use that hardware. That’s because the various definitions of ‘trusted
computing’ vary so widely. However, it’s very common to see ‘trusted computing’
used as an alternative term for TPMs and systems which use them.
Why do I introduce a definition that’s so very hard to pin down? I do it simply to
familiarize you with a term you’ll encounter often in this field, used by people who
may not agree with each other. You may not always know exactly what it means, but
at least you’ll know to dig in a little further and find out what’s actually behind it in
a particular instance. And if a vendor tries to sell you something that uses ‘trusted
computing’ without providing details, that can be a warning sign that they don’t
understand the technology well enough to build a useful product.1

1.2.1 What do we mean by ‘trusted’?


To a layperson, ‘trusted’ usually means something close to ‘good’. Trusted computing
terminology employs the word slightly differently. According to the TCG (more on
them shortly) and researchers in this area:

A trusted component is one which is predictable.

Why do we use predictable, rather than good, as our baseline? On the face of
it, this seems nonsensical. A virus can be a trusted component according to this
definition, if I know what its attack pattern is and what files it will corrupt. A well-
known commercial OS may not be, despite a reputable manufacturer and good coding
practices, if its behaviour is so complex that I can’t determine what it may do in any
given situation.
The reason we take this approach is twofold. First, anything that is predictable
is much easier to evaluate. Either I can predict a component's behaviour in response
to certain stimuli, or I can't; and if I can, I can make useful judgments about its
performance. Secondly, it's universal. 'Good' means something very different on
a power station control panel (where the requirement of remaining in operation no
matter what is critical) from what it does in a high-security government workstation
(where it may be better that the system becomes inoperable than to have it leak secrets)
and again from what it means on a home computer. Predictability, on the other hand,
doesn't change, whatever the situation.

1 For example, I've seen vendors try to claim that their product should have the 'trusted' label because it
contained a TPM…which had never even been turned on, and was not being used in any way.
Furthermore, this predictability-based definition of ‘trust’ is very powerful,
because it lets us build a more colloquial version of ‘trust’ on top of it. If I can
predict that this virus will behave badly, then I can take appropriate action, such as
not executing it. Different system owners can use the same trusted system information
and take the actions that reflect their own needs.
That said, the level of predictability today's systems give us is primitive. For
the computer science readers, no one in the field is claiming to have solved the
halting problem. Instead, we're using reasonable approximations: if we can identify a
component, then we can evaluate it in other contexts, and decide whether it's suitable
for our purposes. Most trusted computing technologies are designed, in the end, either
to allow a component to be identified, or to identify other related components, or both.

1.2.2 A brief history of trusted computing


For a long time, the only entities interested in trusted computing were governments,
who invested in custom-built systems and software for their high-security needs.
The Orange Book is a famous set of government guidelines from the mid-1980s for
evaluating trusted computer systems; it and others from the Rainbow Book series
on trusted systems, published by the US Department of Defense, are now available
online for the curious.
In 1999, the Trusted Computing Platform Alliance (TCPA) was formed, as a joint
effort by several major consumer technology companies. The TCPA's goals were diverse
and sometimes contradictory, including both increasing consumer trust in home
computing systems for purposes such as banking and financial applications and
increasing copyright-holders' trust in consumer systems for digital rights management
(DRM), as well as generally improving computer security for home and enterprise
systems. It drew up the first designs for what would eventually become TPMs. The
TCPA was replaced by the TCG in 2003.

1.2.3 The Trusted Computing Group


The TCG, an industry consortium featuring contributors from around the world, seeks
to provide standards for trusted computing technologies and to increase the use of
trusted computing. The technologies covered by the TCG are quite diverse, ranging
from self-encrypting drives and networking protocols to trusted cloud architectures
and speciality embedded systems. By producing common standards with contributions
from manufacturers and consumers of these technologies, the TCG seeks to make
adoption easy at all levels, and thus improve the security of commercial computing
infrastructure. By making the standards open and vendor-neutral, the TCG hopes to
both lower the barrier to entry and reduce some of the fears of vendor lock-in and
anticonsumer conspiracies that dogged the early TCPA efforts.

Companies that wish to contribute to trusted computing standards or get early
access to the works in progress can join the TCG. Although full membership
(and a vote) costs money, they also accept some non-voting (and non-paying)
contributors, who participate in standards development.
The TCG’s website, with all of their publications (including released standards,
draft standards out for public review and comment, and a variety of supplemen-
tary materials) as well as contact information for those who wish to get involved, is
http://www.trustedcomputinggroup.org.

1.3 TPMs at a high level


Trusted Platform Modules, or TPMs, are small, inexpensive chips which provide a
limited set of security functions. They are most commonly found as a motherboard
component on laptops and desktops aimed at the corporate or government markets,
but can also be found on many consumer-grade machines and servers, or can be pur-
chased as independent components. Their role is to serve as a Root of Trust—a highly
trusted component from which we can bootstrap trust in other parts of our system.
TPMs can be used to bootstrap trust: in secrets, particularly cryptographic keys; in
a platform’s identity; and, when combined with related technologies, called Roots of
Trust for Measurement, in a system’s software state.
TPMs provide the following features, which we'll be discussing in more detail
throughout this book:

● A Root of Trust for Reporting
● A Root of Trust for Storage
● Limited internal storage
  – Platform Configuration Registers (PCRs)
  – Key storage
  – Data storage
● Random number generation (RNG)
● Highly constrained cryptographic functions

Figure 1.1 shows a high-level diagram of the TPM subcomponents which support
these features, although individual implementations vary.

1.3.1 Roots of Trust


You may notice that we’ve now encountered the phrase ‘Roots of Trust’ quite a few
times. So, what are they?
Roots of trust are just that: roots, the pieces at the very bottom of the system.
These are the components on which all other trust is based, and which themselves
are trusted inherently (Figure 1.1). An important aspect of a root of trust is that it is
fundamentally unverifiable; after all, if I have a proposed root of trust, and another
component which I'm using to verify it, then that second component is really the root
of trust, and the originally proposed root is above2 it in the trust hierarchy.

Figure 1.1 A high-level illustration of a TPM's component parts: nonvolatile memory,
volatile memory, a cryptographic coprocessor, an execution engine (processor) and a
random number generator
Now, this inherent trust can (and should!) be based on out-of-band assumptions.
I may not be able to verify that this chip is actually correct, but I can (hopefully) verify
that it came from a reliable vendor, which I can reasonably assume means that it was
built according to a standard which I can evaluate. But it’s important to remember
that that chain of logic is built on a set of assumptions: that the chip really came from
the vendor I think it came from, that the vendor really did implement the standard,
that there aren’t any bugs in the implementation or weaknesses in the standard, and
so forth; and to remember that if this chip we are identifying as a root of trust has a
problem, we’re going to have problems trusting anything built on top of it. This is one
reason that enterprises with very strict security needs should pay careful attention
to their supply chain when purchasing root of trust components; if your roots are
good, you’ll have a good chance of noticing problems above them, but if your root is
compromised, the rest of the system can’t be trusted.
Another important point is that trust is not generic! I trust my electrician to repair
the wires in my house, but not to access my bank account; I trust my bank to keep my
money secure, but not to keep my house from burning down. Similarly, I trust my TPM
to keep my keys secure, but not to keep my antivirus up to date. Therefore, whenever
we talk about a root of trust, we need to specify what kind of trust we’re talking about.
In PCs, we commonly run into the following roots of trust:
● Root of Trust for Storage (RTS): A component that protects secrets. Responsible
  for maintaining both secrecy and integrity of those secrets. Some trusted systems
  break this down into separate roots for confidentiality and integrity.
● Root of Trust for Reporting (RTR): A component that provides accurate reporting
  on data stored inside it. In the PC context, this more specifically applies to
  accurate reporting of stored system state data. Note that the RTR is not responsible
  for creating the data, just for honestly informing the rest of the world about the
  data's content.
● Root of Trust for Measurement (RTM): A component that measures other software
  and stores those measurements in a secure location. In the PC context, the
  RTM is normally part of the boot process – see Section 9.1.1 for details – which
  stores measurements in the TPM.
Other trusted computing systems, which I won't be discussing in this book, but
which you may encounter if you're working with phones, cars, or in other non-PC
scenarios, may contain different roots of trust, such as:
● Root of Trust for Verification: A component that verifies an integrity measurement
  against a policy. Normally found in systems such as some embedded or
  mobile devices, where the device manufacturer also defines some approved
  software.
● Root of Trust for Update: A component that verifies the legitimacy of an update,
  usually by checking an authorized signature. Most commonly used for firmware
  updates.

2 Because of the root metaphor, trust hierarchies are sometimes presented in the opposite orientation to
other hierarchies, where 'below' is usually indicative of less power.

1.3.2 Chains of trust


Merely trusting our lowest-level components isn’t sufficient for real-world use, where
we often need to establish trust in a wide range of software, keys, and other data.
Chains of trust allow us to bootstrap from the low-level root of trust to a higher-level
trusted object, by using our trust in the root to establish trust in secondary objects, and
then our trust in the secondary objects to establish trust in tertiary objects, and so forth.
The chains of trust that we’ll be referring to most frequently in this book are
measurement chains of trust (Figure 1.2) (sometimes called boot chains of trust
because they’re triggered most frequently during system boot), which let us bootstrap
from the Root of Trust for Measurement (RTM) to measurements of higher-level
software; and storage chains of trust (Figure 1.3), which let us bootstrap from the
Root of Trust for Storage (RTS) to trust in the security of other data and keys. We’ll
cover measurement chains of trust in much more detail in Chapter 9, and storage
chains of trust in Chapter 6.
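A worked example of the measurement chain in Figure 1.2, added here and not taken from the book: a small Python model of PCR extend and of the verifier's replay check. It assumes SHA-1 and 20-byte registers as in 1.2 TPMs; the component images, the event-log layout and all function names are made up for illustration.

```python
"""Measurement chain of trust with PCR extend (added example, not the book's code).

Models Figure 1.2: each stage measures (hashes) the next component and records the
measurement in a Platform Configuration Register before launching it. SHA-1 and
20-byte PCRs follow the 1.2 TPM; the extend rule is
    PCR_new = H(PCR_old || digest)
so a PCR can only be extended, never set to a chosen value.
The component images and the golden chain below are constructed sample data.
"""
import hashlib

HASH = hashlib.sha1
PCR_SIZE = HASH().digest_size      # 20 bytes for SHA-1
PCR_RESET = bytes(PCR_SIZE)        # PCRs read as all zeros after platform reset


def measure(image: bytes) -> bytes:
    """What a stage (or the RTM) computes over the next component's image."""
    return HASH(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: fold one more measurement into the register (one-way, ordered)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must both be %d bytes" % PCR_SIZE)
    return HASH(pcr + digest).digest()


def boot(images):
    """Run the chain. Returns (final PCR value, event log of digests in order).
    Control is handed to each image only after its measurement has been extended."""
    pcr = PCR_RESET
    log = []
    for image in images:
        digest = measure(image)
        pcr = extend(pcr, digest)   # record first, so a stage cannot skip its own record
        log.append(digest)
        # launch(image) would happen here in a real boot chain
    return pcr, log


def replay(log) -> bytes:
    """Recompute the PCR value that a given event log implies."""
    pcr = PCR_RESET
    for digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify(reported_pcr: bytes, log, golden_pcr: bytes) -> bool:
    """Verifier side: the log must replay to the (quoted) PCR value, and that value
    must equal the reference value of the known-good chain, content and order."""
    if replay(log) != reported_pcr:
        return False               # log and register disagree: one of them is lying
    return reported_pcr == golden_pcr


def first_divergence(log, golden_log) -> int:
    """Index of the first component whose measurement differs from the reference
    log, or -1 if the logs are identical; this is what the log is for."""
    for i, (seen, expected) in enumerate(zip(log, golden_log)):
        if seen != expected:
            return i
    return -1 if len(log) == len(golden_log) else min(len(log), len(golden_log))


# Constructed sample images; in practice these are the real BIOS/bootloader/kernel bytes.
GOOD_CHAIN = [b"bios-1.07", b"bootloader-3.2", b"kernel-5.4.0"]
GOLDEN_PCR, GOLDEN_LOG = boot(GOOD_CHAIN)


def scenarios() -> dict:
    """Verifier verdicts for a few boot sequences (True = accepted)."""
    good_pcr, good_log = boot(GOOD_CHAIN)
    bad_pcr, bad_log = boot([b"bios-1.07", b"bootloader-3.2", b"kernel-5.4.0-rootkit"])
    swapped_pcr, swapped_log = boot([b"bootloader-3.2", b"bios-1.07", b"kernel-5.4.0"])
    # A compromised kernel cannot "repair" the register by extending it again with
    # the good kernel's digest: extend is one-way and history-dependent.
    repaired_pcr = extend(bad_pcr, measure(b"kernel-5.4.0"))
    return {
        "good": verify(good_pcr, good_log, GOLDEN_PCR),
        "rootkit": verify(bad_pcr, bad_log, GOLDEN_PCR),
        "swapped_order": verify(swapped_pcr, swapped_log, GOLDEN_PCR),
        "rootkit_with_good_log": verify(bad_pcr, good_log, GOLDEN_PCR),
        "rootkit_repaired_pcr": verify(repaired_pcr, good_log, GOLDEN_PCR),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print("%-24s %s" % (name, "accepted" if ok else "rejected"))
    _, bad_log = boot([b"bios-1.07", b"bootloader-3.2", b"kernel-5.4.0-rootkit"])
    print("first differing component:", first_divergence(bad_log, GOLDEN_LOG))
```

Note that the TPM only stores and reports the register; the measuring is done by the stages themselves, which is why a flaw in the RTM or in any stage that measures the next one undermines everything after it.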

1.3.3 The TPM threat model


The primary threat TPMs are intended to protect against is software-based attacks
aimed at stealing information, such as keys, or at modifying the system without the
user's consent. TPMs also provide some protection against simple hardware attacks;
being inexpensive consumer chips, they are not designed to defend against a
sophisticated attacker, but the built-in tamper resistance provides some protection
against casual thieves.
TPMs also provide some protection against well-meaning but inexpert users and
developers. The TPM's cryptographic functions are dramatically more constrained
than would be necessary if it functioned merely as a cryptographic coprocessor, running
encryption and decryption operations on command. The TPM's sometimes very
complex limitations on the use of keys or commands act as safeguards against
potentially dangerous actions. For example, the limitations in 1.2 TPMs against the
same key being used for both signing and decryption operations directly prevent an
entire class of attacks which can result in unintentionally signed data, accidentally
decrypted secrets, or the loss of key material. Without those constraints, it would be
easy for an uninformed user or software bug to take actions with very severe unnoticed
and unintended consequences. It is important to note, however, that many actions
which would be limited in an ideal perfect-security world are essential for the smooth
operation of real-world systems. TPMs therefore have plenty of compromises in their
design: places where they will allow common (but dangerous) operations, or where
they will inconveniently prevent such an operation even if that makes compatibility
difficult. Some of the biggest differences in TPM versions (see Section 1.3.6) result
from changing opinions about which compromises are necessary.

Figure 1.2 An abstract measurement chain of trust (Root of trust for measurement →
measure, launch → Trusted component A → measure, launch → Trusted component B →
measure, launch → …). Each component in the chain measures the next component
before handing off control to it, placing those measurements into the TPM. We can
trust the measurement of component A because we trust the root. If the measurement
of component A corresponds to a piece of software we trust, we can then trust the
measurement of component B, and so on until all trusted components have been
measured and launched. The TPM provides us with a safe place to store these
measurements

Figure 1.3 A 1.2 storage chain of trust (Storage root key → identity key, storage key,
signing key; that storage key → storage key, signing key). The Storage Root Key
encrypts the secret data of several other keys, including another storage key. That
storage key, in turn, can be used to encrypt the secret data of more keys. Our trust in
the security of all of the keys relies, in the end, on our trust in the Storage Root Key
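To make the signing-versus-decryption point concrete, here is an added example (not the book's code) in Python using textbook RSA over two constructed pairs of small primes. The usage labels mirror the 1.2 key types (signing keys, binding keys for decryption, and the 'legacy' type that the specification allows to do both); the class and function names, the relying-party model and the lack of padding are simplifications chosen to expose the mechanism, not a TPM command trace.

```python
"""Why a 1.2 TPM refuses to let one key both sign and decrypt (added example).

With raw RSA, 'decrypt' and 'sign' are the same private-key exponentiation, so a
component that can ask a key to decrypt attacker-chosen 'ciphertext' can obtain a
signature on attacker-chosen data. Constructed small primes keep the numbers
readable; they are far too small for real use, and real systems add padding.
"""
import hashlib

SIGNING, BINDING, LEGACY = "signing", "binding", "legacy"   # TPM 1.2-style usages
PRIME_PAIRS = [(1000003, 1000033), (1000037, 1000039)]       # constructed, toy-sized


def hash_to_int(message: bytes, n: int) -> int:
    """Reduce a SHA-1 digest into the RSA group; toy stand-in for signature padding."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n


class TpmKey:
    """A key whose permitted operations are fixed at creation, as in TPM 1.2."""

    def __init__(self, usage: str, primes):
        if usage not in (SIGNING, BINDING, LEGACY):
            raise ValueError("unknown key usage: %r" % usage)
        p, q = primes
        self.usage = usage
        self.n = p * q
        self.e = 65537
        self._d = pow(self.e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)

    def public(self):
        return (self.n, self.e)

    def _private_op(self, x: int) -> int:
        return pow(x, self._d, self.n)     # the one operation both commands share

    def sign(self, message: bytes) -> int:
        if self.usage not in (SIGNING, LEGACY):
            raise PermissionError("sign refused: key is not a signing key")
        return self._private_op(hash_to_int(message, self.n))

    def unbind(self, ciphertext: int) -> int:
        if self.usage not in (BINDING, LEGACY):
            raise PermissionError("unbind refused: key is not a binding key")
        return self._private_op(ciphertext)


def bind(public, plaintext: int) -> int:
    """Public-key encryption to a key ('bind' in 1.2 terms)."""
    n, e = public
    return pow(plaintext, e, n)


def verify_signature(public, signature: int, message: bytes) -> bool:
    n, e = public
    return pow(signature, e, n) == hash_to_int(message, n)


class RelyingParty:
    """Accepts a signature only from a public key it trusts as a signing key."""

    def __init__(self, trusted_signing_keys):
        self.trusted = set(trusted_signing_keys)

    def accept(self, public, signature: int, message: bytes) -> bool:
        return public in self.trusted and verify_signature(public, signature, message)


def forge_via_unbind(key: TpmKey, message: bytes) -> int:
    """The attacker controls only what is submitted to unbind(): hand it the hashed
    message instead of a real ciphertext and the 'plaintext' returned is a signature."""
    return key.unbind(hash_to_int(message, key.n))


MESSAGE = b"transfer 1000 to attacker"   # constructed data the attacker wants signed


def legacy_key_is_forgeable(message: bytes = MESSAGE) -> bool:
    """One legacy key used for both jobs: the decryption path yields signatures."""
    key = TpmKey(LEGACY, PRIME_PAIRS[0])
    rp = RelyingParty([key.public()])            # rp trusts it, since it also signs
    return rp.accept(key.public(), forge_via_unbind(key, message), message)


def separated_keys_resist(message: bytes = MESSAGE) -> bool:
    """Separate keys: the signing key never runs unbind, and the binding key's
    public part is never trusted as a signing key, so the oracle gains nothing."""
    signer = TpmKey(SIGNING, PRIME_PAIRS[0])
    binder = TpmKey(BINDING, PRIME_PAIRS[1])
    rp = RelyingParty([signer.public()])
    try:
        forge_via_unbind(signer, message)
        return False                              # the TPM should have refused
    except PermissionError:
        pass
    leaked = forge_via_unbind(binder, message)    # allowed, but worthless as a signature
    return not rp.accept(binder.public(), leaked, message)


if __name__ == "__main__":
    print("legacy key forgeable via unbind:", legacy_key_is_forgeable())
    print("separated keys resist:", separated_keys_resist())
```

The same exponentiation serving two commands is what the 1.2 key-usage rule removes; a 'legacy' key is the compromise the text mentions, and the one to avoid when you have a choice.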

1.3.4 What TPMs are good for


Protecting Cryptographic Keys: The keys a TPM creates are either stored inside
the TPM, in its internal protected storage, or encrypted with other protected keys
for secure storage outside the TPM. These keys never exist unencrypted outside
the TPM, and are thus protected from software-based theft of the key material.
Protected Cryptographic Functions: TPMs can perform both generic and special-
ized cryptographic functions internally, ensuring that key material is safe even
during use.
Protected State Registers: TPMs can be used to track system state and other data
recorded by software, in registers that are easy to add data to but very difficult
to forge. In combination with TPM-aware software, these can be used to create
verifiable records of software on the system.
Trustworthy Reporting: The TPM has several functions that allow a remote party
to verify parts of the TPM’s internal state, including keys and register contents.
Used in combination with external state reporting tools, this can be used for
remote attestation of the system’s state.
Cheap Tamper Resistance: TPMs aren’t designed for protecting high-security data
against expert attackers, but they do provide hardware-level protection more than
adequate for defence against casual thieves, for a very low cost.
Through the course of this book, we’ll talk about how these simple advantages
can be turned into powerful real-world functionality. TPMs can be used to identify
machines, protect data from theft, and allow verification of a machine’s software.
They are very powerful building blocks for inexpensive system security today.

1.3.5 What TPMs aren’t good for


Fast, frequent cryptography: Commercial TPMs are built to be inexpensive, not
fast. Don't try using them for operations requiring high speed and volume, such
as packet encryption.
System monitoring: While TPMs can be used to support system-monitoring software
and provide reliable cryptography for reporting on the results of such
monitoring, a TPM does not perform any monitoring itself. All system measurements
are provided by external components. (See Section 9.1.1.) The external
components available today are primarily useful for boot-time state verification,
rather than runtime system monitoring.
Bulk Encryption: This is particularly true for 1.2 TPMs (see Section 1.3.6), which,
in addition to being small and inexpensive chips, do not support the symmetric
encryption algorithms that are best for large-scale encryption.
System control: TPMs have no ability to control the system they're installed in;
they cannot prevent bad software from booting, shut down a system if malware
is detected, or otherwise change the state of software. They are entirely passive
devices.

1.3.6 TPM versions


There are three versions of PC TPMs that you may see references to. The version
numbers here refer to the version of the TPM specification implemented.
● 1.1 TPMs were the first onto the market. Rare even at the time, these were
replaced by the new version in the mid-2000s; you're unlikely ever to encounter
one unless you're using some rather unusual and now-obsolete hardware. We
won't be covering them in this book, although many of the same principles apply.
● 1.2 TPMs are very common; as of the end of 2015, almost all commercially
available TPMs are 1.2 TPMs. They use RSA for encryption and signatures, and
SHA-1 for hashes. Their functionality is highly constrained, to make safe usage
of keys, data, and cryptography more likely, and because the older technology
could not support a multitude of features at the desired cost point. Software for
using 1.2 TPMs exists on Windows and Linux platforms. (Apple devices do not
have TPMs as of the end of 2015.)
● 2.0 TPMs arrived on the market in late 2014, although as of the end of 2015
they were still being sold primarily to platform manufacturers rather than
consumers. 2.0 TPMs support both the older RSA and SHA-1 algorithms and the
newer elliptic curve cryptography (ECC) and SHA-256 hashing; in addition, they
now support symmetric cryptography, which was previously not included owing
to cryptographic export regulations. 2.0 TPMs are more compliant with external
standards such as X.509, are highly configurable, and support extremely powerful
and flexible authentication mechanisms, but a higher level of skill is required to
use them safely. As of the end of 2015, there is only a small amount of software
support for 2.0 TPMs, although Application Programming Interfaces (APIs) have
been released.
● Some TPMs are 1.2/2.0 TPMs, and can be used in either a 1.2 or a 2.0 mode,
although they may have reduced 1.2 command sets. These chips are designed
to be compatible with today’s 1.2-focused infrastructures, while providing future
proofing against a day when the 1.2 algorithms are no longer considered secure,
or when enough 2.0-compatible TPMs have entered the market for enterprises to
et très perplexe quant aux services qu’il pouvait rendre à cette
femme dont les yeux étaient blancs, les mâchoires serrées, qui
émettait des cris stridents et se retournait les ongles en cardant de la
si belle peluche.
A tout hasard, il la gifla avec force cinq ou six fois et constata
qu’il éprouvait un certain plaisir à appliquer ce traitement.

"What a brute!"

"He's hitting her like a madman!"

"Will you leave her alone!"

"He'll break her teeth, my dear!"

The tuner turned round: eight women, their hair garlanded with false geraniums, false forget-me-nots, false nasturtiums, and naked beneath tunics of gauze, muslin or surah, stood before him.

At the sound of the shots they had hastily left their rooms and, jostling one another, had come down to the salon to find out what was going on.

Although they were of different sizes, complexions and types, the tuner judged them all equally desirable and congratulated himself that the season of love had long since ended for him, for he would have been greatly embarrassed had he been obliged to choose one of them.

"Ladies!... My respects!..." he pronounced, bowing.

"To hell with your respects," retorted Mme Carmen, pushing him aside to attend to Mme Bambou.

It must be believed that the treatment the black woman had just undergone was perfectly suited to her case, since her body, rigid a moment ago, was relaxing, since her hands ceased clawing and her legs thrashing, since, finally, her eyes had lost their frightening look and taken on an expression of gentleness and childlike astonishment as they gazed at the face of the companion bending over her.

"Do you know me, my little dark one?" asked Mme Carmen solicitously.

"Yes," answered Mme Bambou, sobbing in little gulps into the crook of her folded arm. "I'm cold," she added.

She was shivering.

Happy to demonstrate that, despite the appearances on which he had perhaps just been judged a little hastily, his soul was not entirely unfeeling, the tuner spread his overcoat with great care over the black woman.

Looking by turns at Mme Bambou and the old man, the ladies could not manage to establish a connection between the scene they had just witnessed and the shots they had heard.

They exchanged questioning glances, noddings of the head, shrugs, gestures by which each expressed at once her ignorance and her wish to hear her companion put forward a hypothesis she herself did not want to take the responsibility of formulating.

"What on earth has happened?... Who fired? Is anyone hurt?" Mme Joujou asked the black woman.

But she went on weeping and did not answer.

A sort of wailing came from the staircase. Every head turned toward the door.

Eyelids swollen, face puffy and glazed with tears, chest heaving with sobs, Mme Lucie appeared.

They rushed toward her. She made an effort to get her breath back.

"Madame is dead," she managed to articulate.

The ladies understood. All uttered the same cry, followed by lamentations like those which, in the Orient, the Jewish mourning-women modulate over the tombs.

"And the Englishman?" asked Mme Andrée.

"Him? Done for!"

"And M. Adolphe?"

"He threw his revolver into a corner and now... now he's lying on the floor beside the two bodies... He's crying!"

Mme Zizi brought a chair; Mme Lucie sank onto it. She put her elbows on the table and hid her face in her hands. Between two hiccups she said in a broken voice:

"When you think that he killed her!... To kill a woman like that!... A woman who kept the House the whole time he was over there... who had an eye to everything... who loved him as nobody loves anybody!

"A woman who was serious and devoted and always at work... Who was forever inventing ways to increase the profits, she'd even found a way of making the clients pay a luxury tax!... And now there she is, dead... she who would have made the fortune of her husband and her daughter... Poor Mireille!...

"It isn't fair!... No, it isn't fair, for, as a matter of fact, it was for him and for the little one that she'd taken up the peignoir again three afternoons a week."

She choked with grief and went on:

"But then, why hadn't she warned him? Why hadn't she let him handle the banknotes she received... He wouldn't have got ideas into his head, that man... He wouldn't have believed it was for the pleasure of the thing..."

"Too good," said Mme Andrée.

"Too delicate in what she was," said Mme Joujou.

"That's where it leads," observed Mme Zizi.

"Saint Mireille!" murmured Mme Carmen, clasping her hands.

Seated on the chairs, the benches, the tables, they sobbed...

Night was falling in the salon.

The tuner took back his overcoat and, walking on tiptoe, withdrew.
XV

Twenty-four hours have passed. The House is closed.

There weighs on it that torpor which takes hold of dwellings where death has just passed. Mme Lucie, who cannot, though she sincerely wishes it, keep from thinking of her own future and devote herself wholly to grief, reigns, doleful, silent and haggard, over the ladies.

These, after having uttered so many cries, shed so many tears, exchanged so many reflections, have no more thoughts or words. Overtaken again by their fatalism, it seems even that the strength to grieve has abandoned them.

Idle and slovenly, they wander from the salon to their rooms, where they busy themselves gathering together the few poor objects that belong to them personally, that they brought when they entered No. 17 and that they will take away with them since, tomorrow, they will have to leave...

Yesterday, after the tragedy, the police, to whom Mme Lucie dispatched her brother as soon as she had recovered her wits, arrived. They took M. Adolphe away, harried the staff with questions, and put seals on Mme Bambou's room after having the door repaired by a carpenter.

Then, in the evening, the crowd having been driven from the street where, in front of each house, the ladies formed motley groups and commented on the event, Mme Mireille's body was loaded onto a vehicle from the civil hospital while that of Captain William-George Ellis was carried off by a motor ambulance from the English hospital.

A little later, a nurse from the Maternity, provided with an order from the Mayor, came to fetch little Aimée-Désirée who, already, was dozing in the cradle where, for a century, all the Rabier babies had slept, and who did not wake.

As soon as they were informed that an officer of His Majesty's Armies had been murdered in a place where, unless one wished to offend the entire Empire, no one could maintain that a gentleman had ever set foot, the British military authorities, concluding that it was an ambush, demanded to conduct the investigation at the same time as the French police.

They posted in front of the door of No. 17, with orders to let no one in or out, two fair-haired gendarmes armed with revolver and leather riding-crop, dressed in khaki and wearing the red armband marked with the two black initials M. P.

Today, all morning and all afternoon, onlookers, among whom English officers and soldiers in great number showed by their bearing that they shared the Command's opinion as to the circumstances surrounding the murder of Captain William-George Ellis, have kept filing through the street.

Eyes raised toward the closed shutters, they discussed the event with passion. The doorkeeper-ladies of the other houses supplied them volubly and abundantly with details they were greedy for and which, intoxicated by their own eloquence, the women invented as they went along.

Now, in the rue des Trois-Raisins, where night reigns, where the grilled lanterns splash red patches here and there, the men move like shadows.

From this feverish crowd rises a confused hubbub made of conversations, snatches of songs, whistles, exclamations and calls launched by the tempting voices of the doorkeepers promising a thousand delights to those who will enter the eldorados they guard.

A noise of engine and rattling ironwork drowns out all the others: a British army motor lorry, loaded with soldiers, has just stopped across the street so as to block its exit.

The men jump down onto the pavement, where the irons of their heels ring. As far as one can judge, there are about thirty of them.

Here they are, lined up in two ranks. A whistle blast rends the air. They advance heavily up the street in step.

Cries of surprise, followed by cries of fright, rise from the crowd, which, with a great noise of hobnailed soles scraping the ground, vanishes as if a violent wind, with a single gust, had swept it to the other end of the street.

The doorkeeper-ladies go back into the houses and shoot the bolts. The lights go out in the lanterns.

The soldiers keep advancing. Without a word, without a cry, they throw themselves on the two M. P.s on sentry duty and disarm them.

Their ranks open. Eight of them, carrying an oak beam on their shoulders, are revealed. They face No. 17.

Someone whistles, in two beats, between his teeth. To that rhythm the battering ram strikes the armoured door, which resounds, groans, cracks, collapses.

Screams as of madwomen rise in the house where suddenly, as can be seen between the slats of the shutters, the lights have gone out.

A command:

"Light!"

Four torches are lit. Each man takes an electric lamp from his pocket, and the House swallows up His Majesty's thirty soldiers.

When they appear in the salon they are greeted by a cry of "Long live England!" uttered by a character they did not expect to find there.

Hair tangled, face flushed, unshaven, moustache drooping, eye dull, the fellow sniggers, sways and, to keep his balance, clings to a table.

"Long live England!" he repeats with difficulty. "Long live the soldiers of noble England!"

It is, in person, Mme Lucie's brother.

In the months he has held the post of doorman in the House, subjected to the triple surveillance of his sister, of Mme Mireille and of M. Adolphe, he has never been able to drink his fill.

He has therefore taken advantage of the confusion that has reigned at No. 17 since last night to make up for lost time and consume, at one sitting, the quantity of liquid of which he was cheated.

"I've drunk royally!" he murmurs, in a confidential tone. "Royally drunk!... And the funny thing is that nobody noticed!... Another man, in my place, would be tight... Not me!..."

He breaks off, seems to reflect, then, touching his forehead as if he had just recovered the thread of his thoughts:

"I'm awfully sleepy!... So I'll bid you good night, lads!"

He puts his forefinger to his lips.

"Above all, don't go telling Lucie you met me... She'd pick a quarrel with me."

Having spoken, he collapses and instantly falls asleep.

The soldiers push him under a bench and set off in search of the ladies.

They do not have to look for them long.

They have only to go up to the floor above and break down the doors with their shoulders or boots to find them pale, trembling, teeth chattering, standing in front of their beds.

What does it matter if, on this night which is for them a night of enforced idleness, they are neither washed nor combed? What does it matter if they wear thick cotton stockings, worn-out slippers, flannelette dressing-gowns spattered with stains?

Warriors are men of robust appetites. These would prove it if need were.

They do their work as men magnificently.

Mme Lucie who, in her capacity as cousin and sub-mistress, has tried to resist them, is the prey of four strapping fellows quite determined to make her pay dearly for her unruliness.

One has grabbed a fistful of her hair, which he has wound round his wrist so as not to lose his grip.

Two others hold her arms, the fourth her legs, and thus she is carried down to the salon, where the electric light has been turned on as on the finest evenings.

Between the locks falling over her face she sees all the ladies, naked like her, in the hands of soldiers who hold them down on the benches to let their comrades, whom they will relieve presently, use them.

Cries of triumph, cheers, applause and laughter mingle with the cries of pain, the furious exclamations, the sobs of the victims.

Mme Lucie is seated on a table. They throw her back on it. By the hair, the hands and the feet they hold her there. They dance, sing, shout, whistle around her. And she suffers so many assaults that, despite her experience and her vigour, she faints.

They slide her off the marble. She falls onto the bench.

Mme Andrée, then Mme Carmen, then Mme Bambou, then Mme Zizi undergo the same ordeal, to the point of fainting.

Are these boys not sportsmen? And, that being so, is it not fitting that they amuse themselves by establishing which of these women will run the longest course before losing consciousness?

Honour and glory to the fair-haired race! It is Mme Joujou who is the record-holder.

The pack claps its hands, stamps, whistles, sings before this pallid body with its monstrous swellings, before this inert body which, on the white marble, looks like that of a dead animal, slaughtered for the butcher and about to be cut up.

"She is all right!" chants one of the soldiers.

All, detaching each syllable of the cheer, repeat in chorus:

"She is all right!"

"Who is all right?" asks the first.

"Djoudjou!"

Then the cheer-leader beats time and, three times over, an immense acclamation rolls out:

"Hipp! Hipp! Hipp! Hurrah!... Hipp! Hipp! Hipp! Hurrah!... Hipp! Hipp! Hipp! Hurrah!..."

Mme Lucie's brother wakes up. He manages to extricate himself, crawls along the floor, sits up, legs apart, in the middle of the salon, and passes his dust-laden hands over his sweat-glazed face.

The soldiers applaud.

The success he meets with flatters him. He bows gracefully, multiplies his smiles, blows kisses and, suddenly catching sight of the bodies of the boarders stretched out here and there, lets out cluckings of joy, slapping his thighs.

"Well, lads, well, Allies, it's the spree, from what I see, the grand spree," he cries.

He asks for a drink.

As he is not understood, he mimes raising a glass to his lips. He is handed a bottle. He drinks from it greedily, then, to the renewed applause of the company, which this interlude has amused, he resumes his crawling and disappears under the bench again, howling:

"Long live England!"

The troop includes a musician. He sits down at the piano, and here come God Save the King and Tipperary and Rule Britannia.

Another takes possession of the liqueur shelf. He hands his comrades beer glasses full of rum, cognac, chartreuse, kummel, curaçao.

Three sergeants, who have explored the cellar, arrive laden with baskets.

"Tchampeine!" they shout.

They are cheered. The spirits in the glasses are poured over the ladies' bodies. The bottles pass from hand to hand like bricks tossed by masons forming a chain. The corks pop. The wine spurts from the necks. Mouths snap at it.

And when a bottle is empty, it is flung into a mirror, into the chandelier, or else used to hammer the keys of the piano.

For the hour is no longer for music, nor for love, nor for songs, nor for laughter.

The hour is for force!

As if obeying a signal, the men rise. Many are very red, some very pale. They stagger. But they have enough balance left to race up the staircase, spread through the rooms, open the windows and shutters, and pass out into the street furniture, mirrors, bedding, multicoloured linen and toilet articles, everything they can reach.

They come back down into the salon, stinking of spirits, smoke and wine, into the salon where everything is destroyed.

Everything? No! There are still the piano and the marble tables.

A piano can be tipped over. And one dances on it until it bursts. Marble tables? One has only to topple them onto the tiled floor for them to shatter.

That's done! And neatly and quickly done!

The victors leave the House. They stumble over the heap of broken furniture and objects they have thrown into the street.

A voice commands:

"Oil!"

The two lorry drivers come up, carrying cans of paraffin, which they rip open with knives. The liquid spreads over the wood, the mattresses, the linen, which a torch sets ablaze.

"Hurrah!"

Old England, which has never forgiven an offence, which has never failed to punish harshly those who assailed its renown or its property, has just avenged Captain William-George Ellis.

Rule Britannia!

And now?...

Now M. Adolphe belongs to justice.

It may strike him or absolve him, what does it matter!

Deprived of his Antigone, never will he return to No. 17 where, for more than a hundred years, his family toiled so hard to acquire a respectable competence, where he was entitled to hope that, thanks to the long war, he would have the pride, he, the first of his line, of enslaving fortune, and where, finally, a son born of his flesh would have succeeded him.

The Rabiers have ceased to reign over the House...

THE END

PRINTED FOR THE « ÉCHANTILLONS » COLLECTION
ON THE TENTH OF SEPTEMBER NINETEEN TWENTY-FIVE
ON THE PRESSES OF THE IMPRIMERIE BUSSIÈRE
SAINT-AMAND (CHER)
*** END OF THE PROJECT GUTENBERG EBOOK MIREILLE DES TROIS RAISINS ***
