From: Jun K. <jun...@gm...> - 2008-05-01 10:28:28
On Sat, Apr 26, 2008 at 4:40 AM, Cihula, Joseph <jos...@in...> wrote:
>
> On Friday, April 25, 2008 7:47 AM, Jun Koi wrote:
> > On 4/17/08, Seiji Munetoh <sei...@gm...> wrote:
> >> Hi Folks,
> >>
> >> Is there any way to validate the PCR[17] and PCR[18] values?
> >>
> >> In case of Static-RTM, we can validate the PCR values by using
> >> the BIOS eventlog stored at ACPI table.
> >> But for Dynamic-RTM we don't have such eventlog.
> >
> > Do you know if there is any good reason why tboot doesn't log events
> > into eventlog?
>
> Did you mean why tboot doesn't copy the extend information into the BIOS
> event log or why TXT itself doesn't put them there?
>
> For the former, it is a combination of lack of time, issues with the
> eventlog, and motivation. Regarding the eventlog, the current TCG
> specification does not provide for BIOS to indicate where the log data
> ends. There is a soon-to-be-released update for the spec that will
> specify that the end space be filled with ff's, but that will require
> updated BIOSes. Regarding motivation, it wasn't clear how useful or
> important it would be.
>
> The values for PCR 17 and 18 are available in the SinitMleData struct in
> the TXT heap. So MLEs can access it and expose it to whatever SW needs
> it.
>
> For TXT not doing it, the reasons are very similar. In addition, we
> didn't want to tie the launch process to BIOS and its configuration.
>

Thanks Joseph for the informative answer.

Jun
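The Static-RTM validation mentioned in the thread, replaying a BIOS event log to recompute PCR values, is shown below as an added example that is not part of the original messages or of tboot. It assumes the TCG 1.2 SHA-1 event record layout, a log whose unused tail is filled with 0xff as the thread describes, and static PCRs 0-15 starting from zero; `make_event`, `SAMPLE_LOG` and the event contents are constructed for illustration.

```python
import hashlib
import struct

HEADER = struct.Struct("<II20sI")  # pcrIndex, eventType, SHA-1 digest, eventSize
EV_NO_ACTION = 0x3  # informational events are logged but never extended


def parse_event_log(buf):
    """Yield (pcr, type, digest, data) until the buffer ends or 0xff fill begins."""
    off = 0
    while off + HEADER.size <= len(buf):
        pcr, etype, digest, size = HEADER.unpack_from(buf, off)
        if pcr == 0xFFFFFFFF:  # 0xff-filled space marks the end of valid log data
            break
        off += HEADER.size
        if off + size > len(buf):
            raise ValueError("event data overruns the log buffer")
        yield pcr, etype, digest, buf[off:off + size]
        off += size


def replay(buf, pcrs=range(16)):
    """Recompute each PCR from the log: PCR = SHA1(PCR || event digest)."""
    state = {i: bytes(20) for i in pcrs}
    for pcr, etype, digest, _data in parse_event_log(buf):
        if etype == EV_NO_ACTION:
            continue
        if pcr not in state:
            raise ValueError("event for unexpected PCR %d" % pcr)
        state[pcr] = hashlib.sha1(state[pcr] + digest).digest()
    return state


def validate(buf, read_back):
    """Return the PCR indexes whose replayed value differs from the value read back."""
    state = replay(buf)
    return sorted(i for i, value in read_back.items() if state[i] != value)


def make_event(pcr, etype, data):
    # Hypothetical helper: builds one record whose digest is SHA-1 of its data.
    return HEADER.pack(pcr, etype, hashlib.sha1(data).digest(), len(data)) + data


# Constructed sample log: two events on PCR 0, one on PCR 4, then 0xff fill.
SAMPLE_LOG = (
    make_event(0, 0x8, b"CRTM v1") + make_event(0, 0x1, b"POST code")
    + make_event(4, 0xD, b"boot loader") + b"\xff" * 64
)
```

Without the 0xff fill, a parser like this cannot tell where valid records stop, which is the event log issue raised in the reply above.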