Re: [tboot-devel] How to validate the PCR measured by TXT?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Here is the text from the draft of the updated TXT spec (empirically
verified on my system):

1.9	PCR Usage
	As part of the measured launch, Intel TXT will extend
measurements of the elements and configuration values of the dynamic
root of trust into certain TPM PCRs.  The constituent values of these
measurements (indicated below) are provided in the SinitMleData
structure described in Appendix C.4.
	While the MLE may choose to extend additional values into these
PCRs, the values described below are those present immediately after the
MLE receives control following the GETSEC[SENTER] instruction.

1.9.1	PCR 17
	PCR 17 is initialized using the TPM_HASH_START/TPM_HASH_END
sequence.  The HASH_DATA provided in this sequence is the concatenation
of the SHA-1 hash of the SINIT ACM that was used in the launch process
and the 4 byte value of the SENTER parameters (in EDX and also in
SinitMleData.EdxSenterFlags).  As part of this sequence, PCRs 17-23 are
reset to 0.  The hash of SINIT is also stored in the
SinitMleData.SinitHash field.
PCR 17 is then extended with the SHA-1 hash of the following items
concatenated in this order:
	SHA-1 hash of SCLEAN ACM - SinitMleData.BiosAcmID (20 bytes)
	STM opt-in indicator - SinitMleData.MsegValid (8 bytes)
	SHA-1 hash of the STM (or all 0s if opt-out) -
SinitMleData.StmHash (20 bytes)
	LCP Control Field of used policy (PD or PO) -
SinitMleData.PolicyControl (4 bytes) 
	SHA-1 hash of used policy - SinitMleData.LcpPolicyHash (20
bytes)

Thus, PCR 17's final value will be:
	Extend ( SHA-1( SinitMleData.SinitHash |
SinitMleData.EdxSenterFlags ) )
	Extend ( SHA-1 ( SinitMleData.BiosAcm.ID |
SinitMleData.MsegValid |
		SinitMleData.StmHash | SinitMleData.PolicyControl |
		SinitMleData.LcpPolicyHash ) )

Where the Extend() operation is a SHA-1 hash of the previous value in
the PCR concatenated with the value being extended (the previous value
is 20 bytes of 0s in the case of the first extend to a PCR).

1.9.2	PCR 18
	PCR 18 will be extended with the SHA-1 hash of the MLE, as
reported in the SinitMleData.MleHash field.

Thus, PCR 18's final value will be:
	Extend ( SinitMleData.MleHash )

Joe

On Thursday, April 17, 2008 9:46 AM, Hal Finney wrote:
> On Thu, Apr 17, 2008 at 4:31 AM, Seiji Munetoh
<sei...@gm...>
> wrote: 
>> Hi Folks,
>> 
>>  Is there any way to validate the PCR[17] and PCR18] values?
>> 
>>  In case of Static-RTM, we can validate the PCR values by using
>>  the BIOS eventlog stored at ACPI table.
>>  But for Dynamic-RTM we don't have such eventlog.
>> 
>>  I just tried different tpm_extend combinations from digests
>>  in the tboot's console message. but I can't find the right
>>  combination to produce the PCR17,18 values.
> 
> Hi, Seiji - Joseph Cihula shared the information below with me that
> explains what goes into PCR 17 and PCR 18. He says it will go into the
> next edition of the TXT architecture spec:
> 
>>>>>> I wonder if you could report what is in PCR17 after a tboot
launch
>>>>>> using this SINIT module?
>>>>> 
>>>>> I'm planning to update the TXT Prelim Arch Spec with this
information,
>>>>> but in the meantime, the contents are:
>>>>>     TPM_Extend( SHA1( SINIT AC module) )
>>>>>     TPM_Extend( SHA1( SCLEAN hash (20 bytes) | MsrValidBit (8
bytes) |
>>>>> StmDigest (20 bytes) | LCP Control Field (4 bytes) | LCP Hash (20
bytes)
>>>>> ) ) where the second extend is the hash of the concatenation of
the
>>>>> specified values (72 bytes in all).  You can get the listed values
from
>>>>> the SinitMleData structure.
>>>> 
>>>> In looking at the SinitMleData structure in section C.4 of the
>>>> document, some of these fields have slightly different names. No
>>>> SCLEAN hash is listed, rather there is an SinitHash at offset 36.
Is
>>>> this actually an SCLEAN AC module hash? Then, MsrValidBit is called
>>>> MsegValid and relates to the SMM Transfer Module stuff that I don't
>>>> understand yet. StmDigest is StmHash, LCP Control Field is
>>>> PolicyControl, and LCP Hash is LcpPolicyHash. So the main question
>>>> here is the SINIT vs SCLEAN hash.
>>> 
>>> Sorry for the confusion--here is the mapping of terms above to
fields in
>>> SinitMleData: 
>>> 
>>> SCLEAN hash -> BiosAcmID
>>> MsrValidBit -> MsegValid
>>> StmDigest -> StmHash
>>> LCP Control Field -> PolicyControl
>>> LCP Hash -> LcpPolicyHash
>>> 
>>>>>> And then (sorry about so many questions!) how about the
measurement of
>>>>>> the MLE, which gets hashed, I think, into PCR18 (or maybe PCR19)?
Is
>>>>>> there any information about that, what exactly is hashed and what
>>>>>> sequence of extends are done?
>>>>> 
>>>>> The hash of the MLE is extended into PCR 18.
>>>> 
>>>> I see, thanks. I'm a little unclear about what exactly is hashed
>>>> though. It looks like it might be the linear-address region (under
the
>>>> mapping defined by the MLE page tables) starting from the
>>>> FirstValidPage field in the MLE header as described in Table 9, and
>>>> extending for "MLE size" bytes as recorded in the OsSinitData
>>>> structure? Does that sound right?
>>> 
>>> PCR 18 is extended with the hash of the MLE, as described by the MLE
>>> page table.  The hashing starts at the first valid page and
continues
>>> until a non-valid page.  It will hash to the size specified by
>>> OsSinitData.MleSize.
> 
> Seiji, have you tried reading PCR 17 and PCR 18? What values do you
get?
> 
> 
>>  I'm using Fedora8 and Xen-3.2 on DQ35JO board (BIOS v865)  and my
grub.conf
>> is 
>> 
>>  title Fedora (2.6.21.7-2.fc8xen) XEN 3.2 w/ TBOOT
>>         root (hd0,4)
>>         kernel /boot/tboot.gz
>>         module /boot/xen.gz-3.2 vtd=1 com1=115200,8n1
>>         module /boot/vmlinuz-2.6.21.7-2.fc8xen ro root=LABEL=/1
>>         module /boot/initrd-2.6.21.7-2.fc8xen.img
>>         module /boot/BRLK_SINIT_20070910_release.BIN
>> 
>>  Actually, the xen and kernel digest I found in the console massage
>>  were correct (same as the sha1 digest of  gunziped file).
>> 
>>  But, the digest of SINIT code was somehow different.
>> 
>>  TBOOT:   sinit_hash=
>>         b2 12 60 68 7f 26 f0 cd a9 c7 5e 81 ff 78 92 72 1d 50 ed 4d
>> 
>>  # sha1sum /boot/BRLK_SINIT_20070910_release.BIN
>>  46f4e1c199c2983e8a8a115cd90c88353e7b08dc
> 
> The sinit_hash is not the hash of the entire SINIT module, but only of
> certain portions of it. This is described in section A.1.2 of the
> Preliminary Architecture Specification: "The RSA Signature signs an
> area that includes the sum of the module header and all of the USER
> AREA data field,
> which represents the body of the module. Those parts of the module
header not
> included are: the RSA Signature, the public key, and the scratch
> field." This is the data which gets hashed to form sinit_hash.
> 
> Hal Finney
> 
>
------------------------------------------------------------------------
-
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save
$100.
> Use priority code J8TL2D2.
>
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/j
avaone
> _______________________________________________
> tboot-devel mailing list
> tbo...@li...
> https://lists.sourceforge.net/lists/listinfo/tboot-devel