From: Yash J. <yas...@gm...> - 2011-07-29 12:32:52
Looping Forum...

---------- Forwarded message ----------
From: Yash Jain <yas...@gm...>
Date: Fri, Jul 29, 2011 at 5:58 PM
Subject: Re: [Trustedgrub-users] Checkfile
To: Marcel Selhorst <m.s...@si...>

Thanks for the solution, I tried with the Linux sha1sum and it is working fine.

I used checkfile to authenticate the kernel. I tried the following procedure:

1. Calculated the sha1 of the kernel image.
2. Added the sha1 and the filename as recommended for checkfile.
3. Added the checkfile in my menu.lst file.

/etc/check.file
<HASH Value of kernel image> <kernel_path>

/boot/menu.lst
- added checkfile /etc/check.file.

My understanding is, whenever anything is loaded by GRUB (including kernel, modules), GRUB will calculate the sha1 of these images and compare it with the one stored in the TPM. If they match, GRUB will boot the OS, otherwise it will halt the system, so that the integrity of the kernel is maintained. And also, if we add the kernel itself in the checkfile, it is sure that my system is booted only with the authenticated kernel, and whenever I need to upgrade the kernel I will change the TPM SHA1 by another authenticated module which would be loaded by GRUB, so that the integrity and maintainability are both assured.

After browsing the source, I have a couple of questions:

1. Why is SHA1 updated in the TPM every time during boot? By doing this, if I give a wrong kernel to GRUB, it will still boot.
2. Where am I using the TPM's EK to store the SHA1? In other words, can we use the TPM's EK to update the SHA1 from trusted boot?
3. We are calculating the hash for grub_open, grub_read and grub_close; is this done to make sure that whatever is loaded is authenticated using SHA1? If so, I could not get any hints on what happens if we load the wrong module/image. Or in other words, how are these functions (grub_open, grub_read and grub_close) different from the existing GRUB in terms of their functionality?
4. In file boot.c, when will the while loop while(curr_length < max_length) terminate? I didn't get any hint on this in the source code.

Please find the check_file.file that I have used, attached with this mail.

Thanks in advance for your patience and time.

Regards,
Yeshpal Jain.

On Thu, Jul 28, 2011 at 6:53 PM, Marcel Selhorst <m.s...@si...> wrote:
> Hi,
>
> I found the issue. The problem is that you have a 64-bit machine, however
> the code requires to be compiled for 32-bit. If you compile with "-m32", it
> works.
>
> $ gcc -m32 create_sha1.c
>
> I will fix this in the installer script for the next release.
> Thanks for finding this issue.
>
> Thanks,
> Marcel
>
> On 28.07.2011 15:00, Olga Chen wrote:
>> I am using TrustedGRUB 1.1.5, and I just checked my utils/create_sha1 and it
>> gives me 40-byte output, so I am not sure why your version gives you 80
>> bytes.
>> Actually, when I created my checkfile, I used the sha1sum utility on Linux
>> instead of utils/create_sha1. You might want to try that. In the meantime,
>> maybe someone can shed light on why you are getting an 80-byte output.
>>
>> Olga
>>
>> On Thu, Jul 28, 2011 at 6:01 AM, Yash Jain <yas...@gm...> wrote:
>>
>>> Hello All,
>>> I wanted to add a sha1 in a checkfile.
>>> I followed the procedure mentioned in the readme file of Trusted GRUB:
>>> 1. Executed the file ./utils/create_sha1 <myfile>
>>> It gave me an 80-digit checksum with the filename. I copied the same data
>>> into the file, but my system does not boot.
>>>
>>> I checked in boot.c: it parses only the first forty bytes from the
>>> file and expects ' '<space>, but I do not understand why
>>> create_sha1 is then giving me 80 bytes of result.
>>>
>>> Please help.
>>>
>>> Thanks and Regards,
>>> Yeshpal Jain.
>>>
>>> _______________________________________________
>>> Trustedgrub-users mailing list
>>> Tru...@li...
>>> https://lists.sourceforge.net/lists/listinfo/trustedgrub-users
>
> --
> Sirrix AG security technologies - http://www.sirrix.com
> Dipl.-Ing. Marcel Selhorst eMail: m.s...@si...
> Tel +49(681) 959 86-126 Fax +49(681) 959 86-526
> get public key from keyserver
> Fingerprint 4138 E617 E62E 79D3 E663 BE5A 14E7 1CD8 7C98 21CC
>
> Executive Board: Ammar Alkassar (Chair), Christian Stüble
> Chairman of the Supervisory Board: Dipl.-Ing. Harald Stöber
> Registered office: Homburg/Saar, HRB 3857, Saarbrücken District Court
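
An added example, not part of the original messages and not TrustedGRUB code: a Python check for checkfile lines in the layout this thread describes (40 hex digits, one space, then the path), which flags an over-long hash field such as the 80-digit output reported above and recomputes SHA-1 for well-formed lines. The function names and the sample file are constructed for illustration, and paths are assumed to be readable on the local filesystem.

```python
import hashlib
import os
import re
import tempfile

# Layout taken from the thread: 40 hex digits, one space, then the file path.
ENTRY_RE = re.compile(r"^([0-9a-fA-F]{40}) (\S.*)$")

def sha1_of_file(path, chunk=65536):
    """Stream a file through SHA-1 so a large image need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def make_entry(path):
    """Build one checkfile line for a file on the local filesystem."""
    return f"{sha1_of_file(path)} {path}"

def check_entry(line):
    """Classify one line as ok, malformed, missing or mismatch."""
    line = line.rstrip("\r\n")
    m = ENTRY_RE.match(line)
    if not m:
        field = line.split(" ", 1)[0]
        return "malformed", f"hash field has {len(field)} characters, expected 40"
    digest, path = m.groups()
    if not os.path.isfile(path):
        return "missing", path
    actual = sha1_of_file(path)
    if actual != digest.lower():
        return "mismatch", f"{path}: recorded {digest}, actual {actual}"
    return "ok", path

def demo():
    """Check constructed sample lines against a constructed stand-in file."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "vmlinuz-sample")
        with open(image, "wb") as f:
            f.write(b"constructed stand-in for a kernel image\n")
        good = make_entry(image)
        lines = [
            good,                               # well-formed, hash matches
            good[:40] + good,                   # 80-digit hash field
            "0" * 40 + " " + image,             # well-formed, wrong hash
            good[:40] + " " + image + ".gone",  # file does not exist
        ]
        return [check_entry(line) for line in lines]

if __name__ == "__main__":
    for status, detail in demo():
        print(f"{status:9} {detail}")
```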