From: Marcel S. <m.s...@si...> - 2010-10-05 09:14:02
Hi Olga,

> So I downloaded a .deb package for the 2.6.34.1-blackjack kernel and
> installed it using dpkg. That booted with no problems with TrustedGrub!
> Apparently, if you use the package manager, then the new kernel installs
> and boots fine.

Great!

> I guess there was something wrong with my manual
> install.

Hmm, maybe, hard for me to reproduce that from here ;)

> Actually, that brings up another question. I guess, I am not quite sure
> what is going on behind the scenes in TrustedGrub. Why is it that if you
> upgrade the kernel, the new kernel image and initrd hashes are instantly
> verified?

No, they are not verified, they are simply "measured", which means that
the contents of your PCR-12 and PCR-14 reflect the booted kernel / initrd.
If you exchange the kernel, these PCRs will be different. If you, for
example, seal something (like an HDD encryption key) to these PCRs, then
you won't be able to unseal the data due to the exchanged kernel.

The only way you can use TrustedGRUB to verify your kernel is if you use
the checkfile()-functionality. There you have to add the file(s) you want
to verify along with a reference value into a file and add the checkfile
command to the menu.lst. This feature is nice if you want to verify
arbitrary files, for example your shadow / passwd-files / modules /
whatever.

For example:

  # cat /boot/checkfile-2.6.35.1
  a667bb647e6b5491e9a9797333dbc88ba9082aa9 (hd0,0)/etc/passwd
  05b105697bb997e4db516b92201d541f5710a72f (hd0,0)/etc/shadow

  # cat /boot/grub/menu.lst
  title=Gentoo Linux 64-Bit 2.6.35.1
  checkfile=(hd0,0)/boot/checkfile-2.6.35.1
  kernel=(hd0,0)/boot/vmlinuz-2.6.35.1

TrustedGRUB will load these files from disk, measure them, extend them
into PCR-13 and verify the calculated hash against the hash stored
in the checkfile.

Best regards,
Marcel

--
Sirrix AG security technologies -- http://www.sirrix.com
Dipl.-Ing. Marcel Selhorst eMail: m.s...@si...
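
The measure, extend and compare sequence described in the mail above, modelled as an added Python example (not TrustedGRUB's code and not part of the original message). It assumes one `<sha1> (hdX,Y)/path` entry per line, as in the mail's sample, and the TPM 1.2 extend rule PCR_new = SHA-1(PCR_old || measurement); the file contents, the all-zero starting PCR and all function names are constructed for illustration.

```python
import hashlib
import re

# One checkfile line: 40 hex chars of SHA-1, then a GRUB device path.
LINE = re.compile(r"^([0-9a-fA-F]{40})\s+(\(hd\d+,\d+\)/\S+)$")

def parse_checkfile(text):
    """Return [(expected_sha1_hex, grub_path), ...]; reject malformed lines."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"line {n}: expected '<sha1> (hdX,Y)/path'")
        entries.append((m.group(1).lower(), m.group(2)))
    return entries

def pcr_extend(pcr, digest):
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + digest).digest()

def check(entries, files, pcr=bytes(20)):
    """Measure each file, extend the PCR, compare with the reference hash.
    Returns (paths that are missing or mismatch, final PCR value as hex)."""
    bad = []
    for expected, path in entries:
        data = files.get(path)
        if data is None:               # file listed but not found on "disk"
            bad.append(path)
            continue
        digest = hashlib.sha1(data).digest()
        pcr = pcr_extend(pcr, digest)  # measured whether or not it matches
        if digest.hex() != expected:
            bad.append(path)
    return bad, pcr.hex()

# Constructed sample data (not the files or hashes from the mail).
FILES = {
    "(hd0,0)/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "(hd0,0)/etc/shadow": b"root:!:14887:0:99999:7:::\n",
}
CHECKFILE = "".join(
    f"{hashlib.sha1(data).hexdigest()} {path}\n" for path, data in FILES.items()
)

if __name__ == "__main__":
    print(check(parse_checkfile(CHECKFILE), FILES))
```

A changed file shows up twice: as a mismatch against the checkfile and as a different final PCR value, which is why data sealed to that PCR no longer unseals.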