From: Seiji M. <sei...@gm...> - 2008-04-17 11:30:59
Hi Folks,

Is there any way to validate the PCR[17] and PCR[18] values?

In the case of Static-RTM, we can validate the PCR values by using the BIOS eventlog stored in the ACPI table. But for Dynamic-RTM we don't have such an eventlog.

I just tried different tpm_extend combinations from digests in tboot's console messages, but I can't find the right combination to produce the PCR17,18 values.

I'm using Fedora8 and Xen-3.2 on a DQ35JO board (BIOS v865) and my grub.conf is

    title Fedora (2.6.21.7-2.fc8xen) XEN 3.2 w/ TBOOT
        root (hd0,4)
        kernel /boot/tboot.gz
        module /boot/xen.gz-3.2 vtd=1 com1=115200,8n1
        module /boot/vmlinuz-2.6.21.7-2.fc8xen ro root=LABEL=/1
        module /boot/initrd-2.6.21.7-2.fc8xen.img
        module /boot/BRLK_SINIT_20070910_release.BIN

Actually, the xen and kernel digests I found in the console message were correct (same as the sha1 digest of the gunzipped file). But the digest of the SINIT code was somehow different.

    TBOOT: sinit_hash= b2 12 60 68 7f 26 f0 cd a9 c7 5e 81 ff 78 92 72 1d 50 ed 4d

    # sha1sum /boot/BRLK_SINIT_20070910_release.BIN
    46f4e1c199c2983e8a8a115cd90c88353e7b08dc

Thanks,
--
Seiji
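
Added example, not part of the original message and not tboot code: the trial-and-error with tpm_extend described above can be done offline by replaying the TPM 1.2 extend operation over candidate digests and searching for the ordering that reproduces an observed PCR. It assumes the PCR starts at all zeros after the dynamic launch; the function names are hypothetical, and the xen/kernel digests and the "observed" value are constructed, since the message does not give them.

```python
import hashlib
from itertools import permutations

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest

def parse_digest(text: str) -> bytes:
    """Accept tboot console style ('b2 12 60 ...') or sha1sum style hex."""
    digest = bytes.fromhex(text.replace(" ", ""))
    if len(digest) != PCR_SIZE:
        raise ValueError("expected a 20-byte SHA-1 digest")
    return digest

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || measurement digest)."""
    return hashlib.sha1(pcr + digest).digest()

def replay(digests, start: bytes = bytes(PCR_SIZE)) -> bytes:
    """Extend the digests in order. Assumption: the PCR starts at all zeros."""
    pcr = start
    for d in digests:
        pcr = extend(pcr, d)
    return pcr

def find_sequence(candidates: dict, observed: bytes):
    """Return the ordered candidate names whose replay equals observed, else None."""
    for n in range(1, len(candidates) + 1):
        for order in permutations(candidates, n):
            if replay(candidates[name] for name in order) == observed:
                return list(order)
    return None

# The two SINIT digests are the ones quoted in the message; the other two are
# constructed stand-ins, since the message does not give the xen/kernel digests.
CANDIDATES = {
    "sinit_console": parse_digest("b2 12 60 68 7f 26 f0 cd a9 c7 5e 81 ff 78 92 72 1d 50 ed 4d"),
    "sinit_file": parse_digest("46f4e1c199c2983e8a8a115cd90c88353e7b08dc"),
    "xen": hashlib.sha1(b"constructed xen image").digest(),
    "kernel": hashlib.sha1(b"constructed kernel image").digest(),
}

if __name__ == "__main__":
    # Constructed "observed" PCR so the search has something to find.
    observed = replay([CANDIDATES["xen"], CANDIDATES["kernel"]])
    print(find_sequence(CANDIDATES, observed))  # ['xen', 'kernel']
    print(find_sequence(CANDIDATES, bytes(PCR_SIZE)))  # None
```

A result of None means no ordering of the supplied digests reproduces the PCR, so at least one measured value is not among the candidates.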