
Policy for multiple PCRs

Zach Smith
2016-07-18
2016-07-20
  • Zach Smith

    Zach Smith - 2016-07-18

    Okay,

    I finally have everything almost working, I can create and seal to policies, and I am able to make objects persistent. However, I have so far been unable to create MEANINGFUL pcr policies. Looking at the regtests, in testunseal.sh, on the line:

    policymakerpcr -halg sha1 -bm 10000 -if policies/policypcr16aaasha1.txt -v -pr -of policies/policypcr.txt
    

    It appears as though I am just taking the value in pcr 16 when it is extended from 20 0's to aaa (which happens to be 1d47f68aced515f7797371b554e32d47981aa0a0), but I CANNOT get this to work with any other pcr using its pre-determined value through the boot process, and I am extremely confused as to why this is. I am reading a PCR, removing the spaces between the byte values, putting this into a file e.g. policies/policypcr1.txt, and then using this in the exact same way as policies/policypcr16aaasha1.txt is used in testunseal.sh, but I am always unable to unseal the file due to incorrect PCR value.

    The other thing I have been attempting is to use the "Policy PCR no select" method from regtests/testpolicy.sh, as I was under the impression that not selecting any specific PCRs meant that it was sealed to the state of all of them, and this seems to work, however, it does not appear to actually seal to the PCR state in terms of the values in the PCRs, but rather just seals to the PCR counter. For example, if you extend a PCR value after sealing the object with the policy file, you can still unseal the object, provided that you re-run policypcr in the policy session after extending, and this is not what I want, as I am trying to seal the data to the original values in the PCRs that are determined by the policy.

    Is there a way to seal to the actual values that are currently in a PCR, and/or am I just doing something wrong when following the "seal PCR 16 to aaasha1" example? Also, how can I go about sealing to multiple PCR values? Can I just pass them all to policymakerpcr (this would still fall back to my original issue with not being able to correctly create a policy related to the currently contained PCR values)?

    • Ken Goldman

      Ken Goldman - 2016-07-19

      It would be easier if these three questions were separate threads. I'll do my best.

      Paragraph 1: Send me off-line, email, the exact sequence you used, every step, including all files and results, and with the policygetdigest result after every relevant command, and I'll look at it.

      Paragraph 2: Selection 00 00 00 means no PCRs. Is there any spec inference that no PCRs == all PCRs? To select all PCRs, use selection ff ff ff.

      Paragraph 3: One never seals to "current TPM PCRs" directly. You read the PCRs, calculate a policy, and then seal to that policy.


      Last edit: Ken Goldman 2016-07-19
      • Zach Smith

        Zach Smith - 2016-07-19

        Thanks for the reply, and sorry for putting everything into one big thread, I got kind of carried away in trying to explain my methods/issues.

        I will send you the sequence I used, but I also have a question about your answer to Paragraph 2: If I were to pass ff ff ff as my selection, what would this look like for the policymakerpcr command?

        >./policymakerpcr -halg sha1 -bm ffffff -if pcrvalues -v -pr -of policies/policypcr.txt
        

        does not work, as ffffff is not taken as a valid argument for -bm, and

        >./policymakerpcr -halg sha1 -bm 111111 -if pcrvalues -v -pr -of policies/policypcr.txt
        

        seems to get stuck, as it prints

        PCR #
        PCR length 20
        (pcr values)

        for PCRs 0-23, but then does not return me to the command line.

        EDIT: Looking at the policymakerpcr.c file, it appears the code stalls due to the line:

        while ((rc == 0) && (prc != NULL));
        

        however, using printf("%d\n%s\n", rc, prc) reveals that rc = 0 and prc = 00000000000000000000000000000000000000000


        Last edit: Zach Smith 2016-07-19
        • Zach Smith

          Zach Smith - 2016-07-19

          I believe that the reason I get stuck in this while loop is due to what may be a possible bug in policymakerpcr.c.
          The help description for policymakerpcr says that the input file parameter (-if) should be a file that contains "PCR values, hex ascii, one per line, 24 max" which makes sense, as there are 24 possible PCRs for a given hash algorithm. However, in the code, the for loop does not support this, as pcrCount only goes from 0 to 23. This means that the loop does not run a 25th time, and thus you do not get to the line:

          prc = fgets(lineString,sizeof(lineString), inFile);
          

          at the time when it would set prc to NULL (provided that you are including all 24 PCR values in your inFile), and thus, prc still contains the last string in your inFile, so you get stuck in

          while ((rc == 0) && (prc != NULL));
          

          This can be fixed by simply doing pcrCount <= IMPLEMENTATION_PCR in the for loop on line 234, unless it is intentional that you are only supposed to use 23 PCRs in your inFile (which doesn't make much sense to me), in which case, the help description for policymakerpcr should be updated.

          • Ken Goldman

            Ken Goldman - 2016-07-20

            It already said pcrCount < IMPLEMENTATION_PCR on that line. That was fine.

            The bug was that the "while" line was simply left over, extraneous. Remove it. In addition, change ffffff to ffffffff in two places to support a byte mask of ffffff.
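            As an added worked example (my own code, not IBM TSS's policymakerpcr and not anything posted in this thread), the Python below reproduces the arithmetic the thread turns on: how a -bm bitmap such as 10000 or ffffff becomes the pcrSelect bytes of a TPMS_PCR_SELECTION, how the -if file of PCR values (hex ASCII, one per line, 24 max) feeds the PCR digest, how the TPM2_PolicyPCR digest is formed from both, and why a selection of 00 00 00 yields a policy that does not depend on any PCR value, which is what Ken's "no PCRs" answer and Zach's "still unseals after an extend" observation both come down to. It assumes bit n of the bitmap means PCR n, that the input file lists the values of the selected PCRs in ascending PCR order (an assumption about the tool's input convention, not something the thread confirms), and that a fresh policy session starts from an all-zero digest; every PCR value in it is constructed.

```python
"""Added example for this thread (not IBM TSS code, not posted by anyone here):
model TPM2_PolicyPCR as a policy-making tool must compute it, per TPM 2.0 Part 3:

    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || digestTPM)
    digestTPM        = H(value of each selected PCR, ascending PCR number)

Assumptions: -bm is a hex bitmap with bit n = PCR n; the -if file lists the
values of the selected PCRs in ascending order, hex ASCII, one per line, 24
max (assumed input convention); the session starts from an all-zero digest.
"""
import hashlib
import struct

TPM_CC_PolicyPCR = 0x0000017F                 # TPM 2.0 Part 2 command code
TPM_ALG = {"sha1": 0x0004, "sha256": 0x000B}  # TPM_ALG_ID values
IMPLEMENTATION_PCR = 24


def parse_pcr_file(text):
    """Parse the -if format. Accepts the 'spaces between bytes' form copied
    from pcrread output, skips blank lines, and is unaffected by whether the
    24th line carries a trailing newline (the case discussed in the thread)."""
    values = [bytes.fromhex("".join(line.split()))
              for line in text.splitlines() if line.strip()]
    if len(values) > IMPLEMENTATION_PCR:
        raise ValueError("at most %d PCR values allowed" % IMPLEMENTATION_PCR)
    return values


def selected_pcrs(bitmap):
    """PCR numbers set in the bitmap, ascending (e.g. 0x111111 -> 0,4,8,...)."""
    if not 0 <= bitmap < (1 << IMPLEMENTATION_PCR):
        raise ValueError("bitmap must fit in %d bits" % IMPLEMENTATION_PCR)
    return [n for n in range(IMPLEMENTATION_PCR) if bitmap >> n & 1]


def bitmap_to_select(bitmap):
    """pcrSelect bytes: PCR n lives in byte n//8, bit n%8 (LSB first),
    so 0x10000 -> 00 00 01 and 0xffffff -> ff ff ff."""
    select = bytearray(IMPLEMENTATION_PCR // 8)
    for n in selected_pcrs(bitmap):
        select[n // 8] |= 1 << (n % 8)
    return bytes(select)


def marshal_pcr_selection(halg, bitmap):
    """TPML_PCR_SELECTION holding one TPMS_PCR_SELECTION:
    UINT32 count, UINT16 hash, UINT8 sizeofSelect, BYTE pcrSelect[3]."""
    select = bitmap_to_select(bitmap)
    return struct.pack(">IHB", 1, TPM_ALG[halg], len(select)) + select


def policy_pcr(halg, bitmap, values, old_digest=None):
    """policyDigest after TPM2_PolicyPCR for the selected PCRs and values."""
    h = getattr(hashlib, halg)
    size = h().digest_size
    old = bytes(size) if old_digest is None else old_digest
    if len(values) != len(selected_pcrs(bitmap)):
        raise ValueError("file must hold exactly one value per selected PCR")
    if any(len(v) != size for v in values):
        raise ValueError("every PCR value must be %d bytes for %s" % (size, halg))
    digest_tpm = h(b"".join(values)).digest()      # H("") when nothing is selected
    return h(old + struct.pack(">I", TPM_CC_PolicyPCR)
             + marshal_pcr_selection(halg, bitmap) + digest_tpm).digest()


def pcr_extend(halg, pcr, data):
    """Simulate an extend with the digest of some data: new = H(old || H(data))."""
    h = getattr(hashlib, halg)
    return h(pcr + h(data).digest()).digest()


def unseal_would_succeed(halg, bitmap, sealed_policy, current_values):
    """The TPM releases a sealed object only if the session digest built from
    the PCR values present at unseal time equals the object's policy."""
    return policy_pcr(halg, bitmap, current_values) == sealed_policy


if __name__ == "__main__":
    # Constructed PCR 16 state: reset to 20 zero bytes, then one extend.
    pcr16 = pcr_extend("sha1", bytes(20), b"aaa")
    sealed = policy_pcr("sha1", 0x10000, parse_pcr_file(pcr16.hex()))
    print("policy for PCR 16:", sealed.hex())
    later = pcr_extend("sha1", pcr16, b"something else happened")
    print("unseal after a further extend:",
          unseal_would_succeed("sha1", 0x10000, sealed, [later]))
    # Selection 00 00 00: the policy takes no PCR values at all.
    print("policy with no PCRs selected:", policy_pcr("sha1", 0, []).hex())
```

            The point of the last line is Ken's: with no PCRs selected, digestTPM is the hash of nothing, so the policy digest is the same whatever the PCRs hold, and re-running policypcr in a fresh session after an extend reproduces it. Sealing to "the current PCR values" means reading them, putting exactly the selected ones into the input file, and letting the tool fold them into digestTPM as policy_pcr does.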

