From: Bill M. <bm...@va...> - 2013-11-19 22:05:07
Okay, progress using TrustedGRUB 1.1.5! I have now been able to duplicate the extension of menu.lst and "commands entered from the command line" into TrustedGRUB PCR-12. Three things:

First, if you look at TrustedGRUB's builtin.c file, there are certain commands that are associated with the enum BUILTIN_CMDLINE. Any commands that are not associated with this value are NOT extended into PCR-12. For instance the lines beginning with "default," "timeout," and "title" are extended into PCR-12.

Second, order in menu.lst is top to bottom, so root (hd0) is extended before the line starting with "kernel".

Third: the kicker is that the stage2 code adds an implicit "boot" command as the last command. I did not see this in the code but took a guess. On the normal command line at boot you have to type "boot" in order to continue the boot. So it makes sense there is an implicit one. So this "boot" command is extended into PCR 12. And there are no 0x0A ASCII codes at the end of each command line.

Okay this is great progress! In case anyone else is interested.

- Bill Martin
Valicore Technologies

________________________________________
From: Bill Martin
Sent: Monday, November 18, 2013 7:35 PM
To: tru...@li...; Greg Powell; m.s...@si...
Subject: How do I properly extend the command lines in menu.lst to pcr-12?

Hi Trusted Grub users,

I am working on a very interesting task. It involves usage of a TPM NVRAM key that is based on PCRs 12 and 14 at a minimum. I understand how a PCR is extended per se. But I do not understand how menu.lst is extended into PCR 13.

As a test to be sure I am calculating the right hash, I built and compiled TrustedGRUB while my environment variable SHOWSHA1 was set to 1. This way my ./grub/grub command line would show what hash value I would get by typing root (hd0,0). I understand that stage2 does not include the new line character (ASCII Code 0x0A) at the end of each line and accounted for this.

For instance from Linux:

    $ echo "root (hd0,0)" | head -c -1 | sha1sum | awk '{print $1}'
    4b2eb731bd397d16a1f74102d30efca9aadc8646

From running ~/TrustedGrub-1.1.5/TrustedGrub-1.1.5/grub/grub I got the same hash value above when I typed root (hd0,0) after the grub >.

So given that I have the following in my menu.lst:

    default=0
    timeout=5
    title My Bootloader
    root (hd0,0)
    kernel /boot/bzImage /root/dev/sda1

I should get a result in PCR 12 that is extended such that

    a = Hash (0x0000000000000000000000000000000000000000 | Hash of "default=0" without the 0x0a)
    b = Hash (a | Hash of "timeout=5" without the 0x0a)
    c = Hash (b | Hash of "title My Bootloader" without the 0x0a)
    d = Hash (c | Hash of "root (hd0,0)" without the 0x0a)
    PCR 12 = Hash (d | Hash of "kernel /boot/bzImage /root/dev/sda1" again without the trailing 0x0a)

I tried this also in reverse, starting with the kernel command line too. I got the wrong answer both times. I verified my intermediate values a, b, c, and d were calculated according to spec.

Now my question here (finally) is this: Does the stage2 ignore the default, timeout, and title commands when extending into PCR at boot? I noticed when I boot from TrustedGrub and hit c for command line I cannot enter a default or timeout. Could this be my problem? I also noticed that the stage 2 code has a call update_pcr that seems to only be called in case of a checkfile command or kernel command. This also bugs me.

I can extend PCR-14 nicely as it is a hash of the string "/boot/bzImage" - the odd thing is that I did not have to worry about 0x0a for PCR 14. There is a tcg_hash_extend_pcr in the (yikes) assembler code asm.S that might be doing something different with these PCRs during boot.

Anyone there available to help answer these questions?

thanks
Bill
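A simulation of the extend chain discussed in this thread, written as an added example and not code from TrustedGRUB: it applies the TPM 1.2 rule PCR_new = SHA1(PCR_old || SHA1(command)) to the menu.lst lines in file order, with no trailing 0x0A and an implicit final "boot", as the reply reports. Which command names count as BUILTIN_CMDLINE is an assumption here (root, kernel, boot); check builtin.c and adjust the set to match the TrustedGRUB version in use.

```python
import hashlib

# A TPM 1.2 PCR is SHA-1 sized and starts as 20 zero bytes after reset.
PCR_INIT = bytes(20)

# Assumed set of GRUB-legacy commands tagged BUILTIN_CMDLINE in builtin.c;
# only these are measured. Adjust after reading the real builtin.c.
CMDLINE_COMMANDS = {"root", "kernel", "boot"}


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend as the TPM does it: PCR_new = SHA1(PCR_old || measurement)."""
    if len(pcr) != 20 or len(measurement) != 20:
        raise ValueError("TPM 1.2 PCR and measurement must both be 20 bytes")
    return sha1(pcr + measurement)


def measure_command(pcr: bytes, command: str) -> bytes:
    """Extend with the SHA-1 of one command line, trailing 0x0A stripped,
    which is what the thread reports stage2 hashes."""
    return extend_pcr(pcr, sha1(command.rstrip("\n").encode()))


def measured_commands(menu_lst: str) -> list:
    """Pick the menu.lst lines that would be measured, then append the
    implicit 'boot' that stage2 runs last."""
    cmds = []
    for raw in menu_lst.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # 'default=0' -> 'default'; 'root (hd0,0)' -> 'root'
        name = line.split(None, 1)[0].split("=", 1)[0]
        if name in CMDLINE_COMMANDS:
            cmds.append(line)
    cmds.append("boot")
    return cmds


def simulate_pcr12(menu_lst: str) -> str:
    """Return the expected PCR-12 value (hex) for this menu.lst."""
    pcr = PCR_INIT
    for cmd in measured_commands(menu_lst):
        pcr = measure_command(pcr, cmd)
    return pcr.hex()


# The menu.lst from the original question, embedded as sample input.
MENU_LST = "default=0\ntimeout=5\ntitle My Bootloader\n" \
           "root (hd0,0)\nkernel /boot/bzImage /root/dev/sda1\n"

if __name__ == "__main__":
    print("measured:", measured_commands(MENU_LST))
    print("PCR-12  :", simulate_pcr12(MENU_LST))
```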