Menu
▾
▴
Re: [Trustedgrub-users] Pb with checkfile and measure
|
From: Marcel S. <m.s...@si...> - 2010-07-06 12:38:03
|
Hi Chloé, it seems you are mixing up the two different Trusted Computing extensions for GRUB, one is TrustedGRUB and one is GRUB-IMA. The measure-command you want to use is from GRUB-IMA, but since this one is not available within TrustedGRUB, the according PCRs will not be modified. However, the checkfile-command is indeed from TrustedGRUB, but the resulting PCR-value is not equal to the hash value. The value you see in the PCR register is the SHA1-value of the concatenation of the old value with the hash to be added: PCR_New = SHA1( PCR_Old | new_hash_to_be_added ) In your case, PCR-13 will be the only file hashed into PCR-13. The hash-chain therefore is: PCR_13_step0 = 0000000000000000000000000000000000000000 PCR_13_step1 = SHA1 ( 0000000000000000000000000000000000000000d26efadb318ce4dbad4314746834adb37519a0f8 ) which should result in the value 0x0fdc1385..... as seen in your PCR-13. I have written a small utility helping you to calculate, that your PCR value is correct. It is called "verify_pcr" and should be installed on your machine in /usr/local/bin or so. Simply execute: verify_pcr NULL /boot/chloe (NULL means the initial value of the PCR followed by the files, that are hashed into PCR-13). Best regards, Marcel Am 28.06.2010 15:15, schrieb chloé Fouquet: > Hi, > I have install TrustedGrub on my computer and I'm not sure it does it job. > My menu.lst is the following : > > title Linux test checkfile + measure > root (hd0,1) > kernel /boot/vmlinuz-2.6.28-15-generic root=/dev/mapper/systemvg-root > initrd /boot/initrd.img-2.6.28-15-generic > checkfile /boot/grub/checkfiles > measure (hd0,1)/boot/chloe 8 > measure (hd0,1)/boot/vmlinuz-2.6.28-15-generic 17 > > the file checkfiles is : > d26efadb318ce4dbad4314746834adb37519a0f8 (hd0,1)/boot/chloe > > dans after I have rebooted my machine, my PCR-13 value is > PCR-13: 0F DC 13 85 D6 CA 0E 7A CD 25 62 45 2F A9 68 97 65 3F 58 EA > > Shouldn't it be the hash value contains in the file checkfiles ? > > Is the syntax correct for the function measure ? Because I have nothing in > PCR 17 after rebooting... > > Thanks for looking > > Chloe > > > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by Sprint > What will you do first with EVO, the first 4G phone? > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first > > > > _______________________________________________ > Trustedgrub-users mailing list > Tru...@li... > https://lists.sourceforge.net/lists/listinfo/trustedgrub-users -- Sirrix AG security technologies -- http://www.sirrix.com Dipl.-Ing. Marcel Selhorst eMail: m.s...@si... Tel: +49 (234) 610071-126 Fax: +49 (234) 610071-526 Tel: +49 (681) 95986-126 Fax: +49 (681) 95986-526 Get my public key from keyserver, KeyId: 0x7C9821CC Fingerprint 4138 E617 E62E 79D3 E663 BE5A 14E7 1CD8 7C98 21CC Vorstand: Ammar Alkassar (Vors.), Christian Stueble Vorsitzender des Aufsichtsrates: Prof. Dr. Kai Rannenberg Sitz der Gesellschaft: Homburg/Saar, HRB 3857 Amtsgericht Saarbruecken This message may contain confidential and/or privileged information. If you are not the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. |
