Menu
▾
▴
Re: [Trustedgrub-users] Fwd: Checkfile
|
From: Olga C. <ol...@gm...> - 2011-07-29 19:24:00
|
TrustedGRUB is comparing the hashes it calculates every time to the ones in check.file. So if you boot a different configuration, the comparison will fail. The idea is also to tie (or in TPM-speak "seal") something like an encryption key to the PCRs updated by TrustedGRUB, so that if something changes in your boot sequence, the "unseal" will not work - thus telling you that something was changed. On Fri, Jul 29, 2011 at 8:32 AM, Yash Jain <yas...@gm...> wrote: > Looping Forum... > > > ---------- Forwarded message ---------- > From: Yash Jain <yas...@gm...> > Date: Fri, Jul 29, 2011 at 5:58 PM > Subject: Re: [Trustedgrub-users] Checkfile > To: Marcel Selhorst <m.s...@si...> > > > Thanks for the solution, > I tried with the Linux sha1sum and it is working fine. > I used checkfile to authenticate the kernel. > I tried the following procedure, > 1. Calculated the sha1 of kernel image. > 2. added the sha1 and the filename as recommended for checkfile. > 3. Added the checkfile in my menu.lst file. > > /etc/check.file > <HASH Value of kernel image> <kenel_path> > > /boot/menu;lst - added > checkfile /etc/check.file. > > My understanding is, when ever any thing is loaded by GRUB(including > kernel, modules). The GRUB will calculate the sha1 of these images and > compare with one stored in the TPM. If they match GRUB, will boot the > OS otherwise will halt the system.so that we have an integrity of > kernel maintained. > and also, if we add the kernel itself in checkfile, it is sure that my > system is booted only with the authenticated kernel and whenever i > need to upgrade the kernel i will change the TPM SHA1 by another > authenticated module which would be loaded by GRUB so that the > integrity and maintainability both are assured. > > After browsing the source, i have a couple of questions, > 1. why is SHA1 updated in TPM every time during boot, by doing this if > i give a wrong kernel to grub still it will boot. > 2. where am i using the TPM's EK to store the SHA1. In other words, > can we use the TPM's EK to update the SHA1 from trusted boot. > 3.We are using calculating the Hash for grub_open, grub_read adn > grub_close, is this done to make sure that what ever is loaded is > authenticated using SHA1, if so i could not get any hints on what if > we load the wrong module/image. or in other words, how are these > fuctions(grub_opn,grub_read and grub_close) different from the > existing GRUB in terms of their functionality. > 4. In file boot.c, when will the while loop while(curr_length < > max_length) terminates because i didn't got any hint on these in > source code. > > Please find the check_file.file that i have used, attached with this mail. > > Thanks in advance for you patience and time. > > Regards, > Yeshpal Jain. > > > On Thu, Jul 28, 2011 at 6:53 PM, Marcel Selhorst <m.s...@si...> > wrote: > > Hi, > > > > I found the issue. The problem is, that you have a 64-bit machine, > however > > the code requires to be compiled for 32-bit. If you compile with "-m32", > it > > works. > > > > $ gcc -m32 create_sha1.c > > > > I will fix this in the installer script for the next release. > > Thanks for finding this issue. > > > > Thanks, > > Marcel > > > > Am 28.07.2011 15:00, schrieb Olga Chen: > >> I am using TrustedGRUB 1.1.5, and I just checked my utils/create_sha1 > and it > >> gives me 40-byte output, so I am not sure why your version gives you 80 > >> bytes. > >> Actually, when I created my checkfile, I used sha1sum utility on Linux > >> instead of utils/create_sha1. You might want to try that. In the > meantime, > >> maybe someone can shed the light onto why you are getting an 80-byte > output. > >> > >> Olga > >> > >> On Thu, Jul 28, 2011 at 6:01 AM, Yash Jain <yas...@gm...> > wrote: > >> > >>> Hello All, > >>> I wanted to add a sha1 in a checkfile. > >>> i followed the procedure mentioned in read me file of trusted grub, > >>> 1. executed the file ./utils/create_sha1 <myfile> > >>> It gave me 80 digit checksum with the filename, copied the same data > >>> into file but my system does not boot. > >>> > >>> I checked in the boot.c, it parses only first forty bytes fron the > >>> file and expects ' '<space>, but i am not understanding then why > >>> create_sha1 is giving me 80 bytes of result. > >>> > >>> Please help. > >>> > >>> Thanks and Regards, > >>> Yeshpal Jain. > >>> > >>> > >>> > ------------------------------------------------------------------------------ > >>> Got Input? Slashdot Needs You. > >>> Take our quick survey online. Come on, we don't ask for help often. > >>> Plus, you'll get a chance to win $100 to spend on ThinkGeek. > >>> http://p.sf.net/sfu/slashdot-survey > >>> _______________________________________________ > >>> Trustedgrub-users mailing list > >>> Tru...@li... > >>> https://lists.sourceforge.net/lists/listinfo/trustedgrub-users > >>> > >> > >> > >> > >> > ------------------------------------------------------------------------------ > >> Got Input? Slashdot Needs You. > >> Take our quick survey online. Come on, we don't ask for help often. > >> Plus, you'll get a chance to win $100 to spend on ThinkGeek. > >> http://p.sf.net/sfu/slashdot-survey > >> > >> > >> > >> _______________________________________________ > >> Trustedgrub-users mailing list > >> Tru...@li... > >> https://lists.sourceforge.net/lists/listinfo/trustedgrub-users > > > > -- > > Sirrix AG security technologies - http://www.sirrix.com > > Dipl.-Ing. Marcel Selhorst eMail: m.s...@si... > > Tel +49(681) 959 86-126 Fax +49(681) 959 86-526 > > get public key from keyserver > > Fingerprint 4138 E617 E62E 79D3 E663 BE5A 14E7 1CD8 7C98 21CC > > > > Vorstand: Ammar Alkassar (Vors.), Christian Stüble > > Vorsitzender des Aufsichtsrates: Dipl.-Ing. Harald Stöber > > Sitz der Gesellschaft: Homburg/Saar, HRB 3857 Amtsgericht Saarbrücken > > > > This message may contain confidential and/or privileged information. If > you > > are not the addressee, you must not use, copy, disclose or take any > action > > based on this message or any information herein. If you have received > this > > message in error, please advise the sender immediately by reply e-mail > and > > delete this message. > > > > > > > ------------------------------------------------------------------------------ > Got Input? Slashdot Needs You. > Take our quick survey online. Come on, we don't ask for help often. > Plus, you'll get a chance to win $100 to spend on ThinkGeek. > http://p.sf.net/sfu/slashdot-survey > _______________________________________________ > Trustedgrub-users mailing list > Tru...@li... > https://lists.sourceforge.net/lists/listinfo/trustedgrub-users > |
