From: Gang W. <gan...@in...> - 2012-01-15 15:27:01
|
changeset d3c948b6d163 in /var/www/tboot.hg details: tboot.hg?cmd=changeset;node=d3c948b6d163 description: Document DA changes in README Add description on the DA changes, the new pcr_map option, and how module measurements are calculated. Signed-off-by: Gang Wei <gan...@in...> diffstat: README | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 42 insertions(+), 0 deletions(-) diffs (62 lines): diff -r 36ed04bdfccf -r d3c948b6d163 README --- a/README Sun Jan 15 23:16:39 2012 +0800 +++ b/README Sun Jan 15 23:16:39 2012 +0800 @@ -163,9 +163,29 @@ ... flags: 0x0000000x +o tboot support a new PCR usage called Details / Authorities PCR Mapping(DA). + DA can be enabled by below tboot command line option (note: default is + legacy): + pcr_map=da|legacy + + With DA PCR Mapping enabled it separates detailed measurements, stored in + PCR17, from authorities measurements stored in PCR18. + + "Details" measurements include hashes of all components participating in + establishing of trusted execution environment and due to very nature of hash + algorithm change of any component entail change of final PCR17 value. + + "Authorities" measurements include hashes of some unique identifying + properties of signing authorities such as public signature verification + keys. This enables authority issue an update of component without affecting + of final PCR18 value, because updated component is signed in the same way as + old one. + PCR Usage: --------- +o Legacy PCR mapping + PCR 17 : It will be extended with the following values (in this order): - The values as documented in the MLE Developers Manual @@ -182,6 +202,28 @@ The default tboot policy will extend, in order, the SHA-1 hashes of all modules (other than 0) into PCR 19. +o Details / Authorities PCR Mapping(DA) + +PCR 17 (Details): + It will be extended with the following values (in this order): + - The values as documented in the MLE Developers Manual + - SHA-1 hash of: tboot policy control value (4 bytes) | + SHA-1 hash of tboot policy (20 bytes) + : where the hash of the tboot policy will be 0s if + TB_POLCTL_EXTEND_PCR17 is clear + - SHA-1 hash of first module in grub.conf (e.g. Xen or Linux kernel) +PCR 18 (Authorities): + It will be extended with the following values (in this order): + - The values as documented in the MLE Developers Manual + - SHA-1 hash of: tboot policy control value (4 bytes) | + SHA-1 hash of tboot policy (20 bytes) + : where the hash of the tboot policy will be 0s if + TB_POLCTL_EXTEND_PCR17 is clear +PCR * : tboot policy may specify modules' measurements to be extended into + PCRs specified in the policy + The default tboot policy will extend, in order, the SHA-1 hashes of all + modules (other than 0) into PCR 17. + Interesting Items of Note: -------------------------- |