Re: [tboot-devel] How to validate the PCR measured by TXT?

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

There are a lot of challenges to making a meaningful and reproducible
measurement of executing or executed code.  Since BIOS will have already
executed quite a bit of code, the contents of its persistent data are
likely to depend on the code that was executed post-boot (i.e. MBR,
bootloader, etc.) and perhaps even pluggable hardware (e.g. USB).  Thus,
if any of this code changes how it uses BIOS, the BIOS's measurement may
change as well.  Additionally, the best you could do with this type of
measurement would be to compare it to a "golden" value taken with the
same boot and hardware conditions on a known-good system.

For Xen, it is much easier to simply avoid calling back into BIOS.
Linux, however, has many more BIOS calls and it would be more of a
challenge to remove those.

Joe

From: Martin Thiim [mailto:ma...@th...] 
Sent: Monday, June 02, 2008 11:41 AM
To: Cihula, Joseph
Cc: Hal Finney; Jun Koi; tbo...@li...
Subject: Re: [tboot-devel] How to validate the PCR measured by TXT?

Ah, so that's why you added an alternative memory map in TXT ;-)

Clearly, when TXT goes to the extent of not even trusting the
BIOS-supplied memory map,  one should be careful calling any BIOS code.
However, I'm wondering if it would be possible to validate the BIOS
after the MLE launch by simply hashing the code involved without using
any PCR's etc.? After all, the code in the MLE would more or less have
full control of the computer and should thus be able to read the BIOS
code and compare it against a (trusted) list. The danger is that the MLE
would have to hash all code that is included in the code paths of the
functions it will call. Someone told me, but I don't know if it's true,
that BIOS'es these days are so big that not all is present in the
address space at any given time (due to the limited numer of addresses
in real mode). Instead it does some sort of bank switching. If this is
true it will require knowledge of the bank-switching mechanism in order
to do a full hash of the BIOS and even then the MLE would have to be
able to guarentee that no one can tamper with the mechanism during
execution of the BIOS functions etc.

Best regards,

Martin Thiim

On 5/27/08, Cihula, Joseph <jos...@in...> wrote:

	Hal's answer is spot-on.  One of TXT's goals is to remove BIOS
from the
	trust chain, and so we would prefer not to have to trust it,
which means
	not calling into it from the TCB.  TXT does, however, support
	verification of BIOS (of any of the static PCRs) as part of its
launch
	control policy.

	The TXT support in Xen disables the two BIOS calls (for the e820
table
	and video initialization) that Xen would otherwise make.  This
has
	worked fine for all of the TXT systems that I am aware of and is
likely
	due to TXT only being available on newer systems (with fewer
issues in
	these areas).

	Joe

	-----Original Message-----
	From: Hal Finney [mailto:hal...@gm...]
	Sent: Sunday, May 25, 2008 3:34 PM
	To: Jun Koi
	Cc: Cihula, Joseph; tbo...@li...
	Subject: Re: [tboot-devel] How to validate the PCR measured by
TXT?

	Hello Jun -

	On Thu, May 22, 2008 at 11:49 PM, Jun Koi <jun...@gm...>
wrote:
	> So basically the question is: should we execute other code
outside our
	> "trusted code"? In this example, BIOS code is not trusted. Or
we
	> should avoid that as much as we can?

	That certainly makes sense to me. There are really two points
here.
	The first is that we don't trust the BIOS because we don't know
what
	is in it. The TXT launch does not measure the BIOS and so the
TXT PCRs
	do not depend on BIOS contents. Any call we make to BIOS would
run
	code that could not be verified.

	The second point is that if we did originally do a measured
boot, so
	that PCR's 0-7 contain information about BIOS and other aspects
of the
	computer configuration, then if we made a call to BIOS, in
principle
	we could trust that. The verifier could check that the BIOS
	configuration was as expected and if the BIOS was known to be
trusted
	by that verifier, the call would be OK. But there are still
problems.

	One problem is the size of the Trusted Computer Base (TCB).
Including
	the whole BIOS into the TCB makes it larger (although I don't
know how
	the BIOS size will compare with Xen). Also, BIOSes often do not
have
	much transparency so it may be hard to get hold of the source
code and
	know what the BIOS is doing. Also, there are many different
brands and
	varieties of BIOS so it would be hard to trust very many of
them.
	Another point is that some BIOSes have not done measured boot
properly
	and it may be possible to reflash the BIOS to lie about the
measured
	boot.

	Part of the goal of TXT technology is to reduce the size of the
TCB
	and avoid dependence on measured boot. Avoiding calls into the
BIOS
	would be a good idea for any TXT Measured Launch Environment
(MLE)
	including Xen. However I don't know whether Xen has done as you
	suggest, and avoids BIOS calls when in trusted mode.

	Hal Finney

------------------------------------------------------------------------
-
	This SF.net email is sponsored by: Microsoft
	Defy all challenges. Microsoft(R) Visual Studio 2008.
	http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
	_______________________________________________
	tboot-devel mailing list
	tbo...@li...
	https://lists.sourceforge.net/lists/listinfo/tboot-devel