From: Marcel S. <tru...@se...> - 2013-11-21 07:57:56

Hi Hassan,

> trusted grub. Could you please let me know the name of file in which the
> check-file utility is implemented? I downloaded the package from
> sourceforge but unable to find the source for check-file utility or may be
> I overlooked something.

If you unpack "TrustedGRUB-1.1.5.src.tar.gz", you will find the command-line tool to verify PCRs in "TrustedGRUB-1.1.5/util/verify_pcr.c". The actual function inside TrustedGRUB is called "load_checkfile (char *checkfile)" in "TrustedGRUB-1.1.5/stage2/boot.c", as well as the command-line implementation within the GRUB shell in "TrustedGRUB-1.1.5/stage2/builtins.c".

Cheers
Marcel
From: hassan k. <has...@gm...> - 2013-11-20 14:03:07

Hi List,

I am doing some experiments on TPM and its associated tools to learn it better. I wanted to try something new by modifying the check-file utility in trusted grub. Could you please let me know the name of the file in which the check-file utility is implemented? I downloaded the package from sourceforge but was unable to find the source for the check-file utility, or maybe I overlooked something.

best
HK
From: Bill M. <bm...@va...> - 2013-11-19 22:06:45

Corrected the paragraph about "default", "timeout" and "title": these are NOT extended into PCR-12.

________________________________________
From: Bill Martin
Sent: Tuesday, November 19, 2013 2:04 PM
To: tru...@li...
Cc: Greg Powell; Cameron Durham; m.s...@si...
Subject: FW: How do I properly extend the command lines in menu.lst to pcr-12?

Okay, progress using TrustedGRUB 1.1.5! I have now been able to duplicate the extension of menu.lst and "commands entered from the command line" into TrustedGRUB PCR-12. Three things:

First, if you look at TrustedGRUB's builtin.c file, there are certain commands that are associated with the enum BUILTIN_CMDLINE. Any commands that are not associated with this value are NOT extended into PCR-12. For instance, the lines beginning with "default," "timeout," and "title" are NOT extended into PCR-12.

Second, order in menu.lst is top to bottom, so "root (hd0)" is extended before the line starting with "kernel".

Third: the kicker is that the stage2 code adds an implicit "boot" command as the last command. I did not see this in the code but took a guess. On the normal command line at boot you have to type "boot" in order to continue the boot. So it makes sense there is an implicit one. So this "boot" command is extended into PCR 12. And there are no 0x0A ASCII codes at the end of each command line.

Okay, this is great progress! In case anyone else is interested.

- Bill Martin
Valicore Technologies

________________________________________
From: Bill Martin
Sent: Monday, November 18, 2013 7:35 PM
To: tru...@li...; Greg Powell; m.s...@si...
Subject: How do I properly extend the command lines in menu.lst to pcr-12?

Hi Trusted Grub users,

I am working on a very interesting task. It involves usage of a TPM NVRAM key that is based on PCRs 12 and 14 at a minimum. I understand how a PCR is extended per se. But I do not understand how menu.lst is extended into PCR 13.

As a test to be sure I am calculating the right hash, I built and compiled TrustedGRUB while my environment variable SHOWSHA1 was set to 1. This way my ./grub/grub command line would show what hash value I would get by typing root (hd0,0). I understand that stage2 does not include the new line character (ASCII code 0x0A) at the end of each line and accounted for this. For instance, from Linux:

$ echo "root (hd0,0)" | head -c -1 | sha1sum | awk '{print $1}'
4b2eb731bd397d16a1f74102d30efca9aadc8646

From running ~/TrustedGrub-1.1.5/TrustedGrub-1.1.5/grub/grub I got the same hash value above when I typed root (hd0,0) after the grub>.

So given that I have the following in my menu.lst:

default=0
timeout=5
title My Bootloader
root (hd0,0)
kernel /boot/bzImage /root/dev/sda1

I should get a result in PCR 12 that is extended such that

a = Hash (0x0000000000000000000000000000000000000000 | Hash of "default=0" without the 0x0a)
b = Hash (a | Hash of "timeout=5" without the 0x0a)
c = Hash (b | Hash of "title My Bootloader" without the 0x0a)
d = Hash (c | Hash of "root (hd0,0)" without the 0x0a)
PCR 12 = Hash (d | Hash of "kernel /boot/bzImage /root/dev/sda1" again without the trailing 0x0a)

I tried this also in reverse, starting with the kernel command line too. I got the wrong answer both times. I verified my intermediate values a, b, c, and d were calculated according to spec.

Now my question here (finally) is this: Does the stage2 ignore the default, timeout, and title commands when extending into PCR at boot? I noticed when I boot from TrustedGrub and hit c for command line I cannot enter a default or timeout. Could this be my problem?

I also noticed that the stage 2 code has a call update_pcr that seems to only be called in case of a checkfile command or kernel command. This also bugs me. I can extend PCR-14 nicely as it is a hash of the string "/boot/bzImage" - the odd thing is that I did not have to worry about 0x0a for PCR 14.

There is a tcg_hash_extend_pcr in the (yikes) assembler code asm.S that might be doing something different with these PCRs during boot.

Anyone there available to help answer these questions?

thanks
Bill
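As an added example (not code from this thread or from TrustedGRUB itself), the Python below replays the PCR-12 extend chain the way Bill's corrected findings describe it: SHA-1 of each BUILTIN_CMDLINE line without its trailing 0x0A, skipping "default", "timeout" and "title", extended in menu.lst order from an all-zero PCR, with the implicit final "boot". The NOT_MEASURED list and the sample menu.lst are assumptions taken only from what the thread states; the authoritative set of measured commands is the BUILTIN_CMDLINE flag in stage2/builtins.c.

```python
import hashlib

# TPM 1.2 PCRs are SHA-1 sized and start out as 20 zero bytes (the
# 0x00..00 value the thread's formula starts from).
PCR_INITIAL = bytes(20)

# Constructed sample menu.lst mirroring the one posted in the thread.
MENU_LST = """\
default=0
timeout=5
title My Bootloader
root (hd0,0)
kernel /boot/bzImage /root/dev/sda1
"""

# Keywords the thread reports as NOT being BUILTIN_CMDLINE commands and
# therefore not measured. Assumption: only the three the thread names;
# the authoritative set is the BUILTIN_CMDLINE flag in stage2/builtins.c.
NOT_MEASURED = ("default", "timeout", "title")


def sha1_hex(text: str) -> str:
    """SHA-1 of a command string, as a SHOWSHA1 build prints it."""
    return hashlib.sha1(text.encode()).hexdigest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend operation: PCR_new = SHA1(PCR_old || measurement)."""
    if len(pcr) != 20 or len(measurement) != 20:
        raise ValueError("PCR and measurement must be 20-byte SHA-1 digests")
    return hashlib.sha1(pcr + measurement).digest()


def keyword(line: str) -> str:
    """First word of a menu.lst line; 'default=0' -> 'default'."""
    return line.split(None, 1)[0].split("=", 1)[0]


def measured_commands(menu_lst: str) -> list:
    """Command lines extended into PCR-12, in menu.lst order.
    Each line is taken without its trailing newline (0x0A), lines whose
    keyword is not a BUILTIN_CMDLINE command are skipped, and the implicit
    final 'boot' that stage2 issues is appended."""
    cmds = []
    for raw in menu_lst.splitlines():
        line = raw.rstrip("\r")  # splitlines() already removed the 0x0A
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no command
        if keyword(line) in NOT_MEASURED:
            continue
        cmds.append(line)
    cmds.append("boot")
    return cmds


def command_digests(menu_lst: str, keep_newline: bool = False) -> list:
    """(command, sha1-hex) pairs, for comparison with SHOWSHA1 output.
    keep_newline=True reproduces the mistake of hashing the 0x0A as well."""
    suffix = "\n" if keep_newline else ""
    return [(cmd, sha1_hex(cmd + suffix)) for cmd in measured_commands(menu_lst)]


def expected_pcr12(menu_lst: str, keep_newline: bool = False) -> str:
    """Replay the extend chain from the zero PCR and return the final hex value."""
    pcr = PCR_INITIAL
    for _, digest_hex in command_digests(menu_lst, keep_newline):
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr.hex()


def matches_observed(menu_lst: str, observed: str) -> bool:
    """Compare a PCR-12 value read back from the TPM (hex; spaces allowed, as
    in the 'PCR-12: 17 AE ...' listing format) with the replayed value."""
    return expected_pcr12(menu_lst) == observed.replace(" ", "").lower()


if __name__ == "__main__":
    for cmd, digest_hex in command_digests(MENU_LST):
        print(f"{digest_hex}  {cmd!r}")
    print("expected PCR-12:", expected_pcr12(MENU_LST))
```

Because the title text is not measured, two menu entries that differ only in their title yield the same PCR-12; a PCR policy that is meant to distinguish boot entries must therefore rely on the root/kernel lines.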
From: Bill M. <bm...@va...> - 2013-11-19 22:05:07

Okay, progress using TrustedGRUB 1.1.5! I have now been able to duplicate the extension of menu.lst and "commands entered from the command line" into TrustedGRUB PCR-12. Three things:

First, if you look at TrustedGRUB's builtin.c file, there are certain commands that are associated with the enum BUILTIN_CMDLINE. Any commands that are not associated with this value are NOT extended into PCR-12. For instance, the lines beginning with "default," "timeout," and "title" are extended into PCR-12.

Second, order in menu.lst is top to bottom, so root (hd0) is extended before the line starting with "kernel".

Third: the kicker is that the stage2 code adds an implicit "boot" command as the last command. I did not see this in the code but took a guess. On the normal command line at boot you have to type "boot" in order to continue the boot. So it makes sense there is an implicit one. So this "boot" command is extended into PCR 12. And there are no 0x0A ASCII codes at the end of each command line.

Okay, this is great progress! In case anyone else is interested.

- Bill Martin
Valicore Technologies

________________________________________
From: Bill Martin
Sent: Monday, November 18, 2013 7:35 PM
To: tru...@li...; Greg Powell; m.s...@si...
Subject: How do I properly extend the command lines in menu.lst to pcr-12?

Hi Trusted Grub users,

I am working on a very interesting task. It involves usage of a TPM NVRAM key that is based on PCRs 12 and 14 at a minimum. I understand how a PCR is extended per se. But I do not understand how menu.lst is extended into PCR 13.

As a test to be sure I am calculating the right hash, I built and compiled TrustedGRUB while my environment variable SHOWSHA1 was set to 1. This way my ./grub/grub command line would show what hash value I would get by typing root (hd0,0). I understand that stage2 does not include the new line character (ASCII code 0x0A) at the end of each line and accounted for this. For instance, from Linux:

$ echo "root (hd0,0)" | head -c -1 | sha1sum | awk '{print $1}'
4b2eb731bd397d16a1f74102d30efca9aadc8646

From running ~/TrustedGrub-1.1.5/TrustedGrub-1.1.5/grub/grub I got the same hash value above when I typed root (hd0,0) after the grub>.

So given that I have the following in my menu.lst:

default=0
timeout=5
title My Bootloader
root (hd0,0)
kernel /boot/bzImage /root/dev/sda1

I should get a result in PCR 12 that is extended such that

a = Hash (0x0000000000000000000000000000000000000000 | Hash of "default=0" without the 0x0a)
b = Hash (a | Hash of "timeout=5" without the 0x0a)
c = Hash (b | Hash of "title My Bootloader" without the 0x0a)
d = Hash (c | Hash of "root (hd0,0)" without the 0x0a)
PCR 12 = Hash (d | Hash of "kernel /boot/bzImage /root/dev/sda1" again without the trailing 0x0a)

I tried this also in reverse, starting with the kernel command line too. I got the wrong answer both times. I verified my intermediate values a, b, c, and d were calculated according to spec.

Now my question here (finally) is this: Does the stage2 ignore the default, timeout, and title commands when extending into PCR at boot? I noticed when I boot from TrustedGrub and hit c for command line I cannot enter a default or timeout. Could this be my problem?

I also noticed that the stage 2 code has a call update_pcr that seems to only be called in case of a checkfile command or kernel command. This also bugs me. I can extend PCR-14 nicely as it is a hash of the string "/boot/bzImage" - the odd thing is that I did not have to worry about 0x0a for PCR 14.

There is a tcg_hash_extend_pcr in the (yikes) assembler code asm.S that might be doing something different with these PCRs during boot.

Anyone there available to help answer these questions?

thanks
Bill
From: Bill M. <bm...@va...> - 2013-11-19 03:35:33

Hi Trusted Grub users,

I am working on a very interesting task. It involves usage of a TPM NVRAM key that is based on PCRs 12 and 14 at a minimum. I understand how a PCR is extended per se. But I do not understand how menu.lst is extended into PCR 13.

As a test to be sure I am calculating the right hash, I built and compiled TrustedGRUB while my environment variable SHOWSHA1 was set to 1. This way my ./grub/grub command line would show what hash value I would get by typing root (hd0,0). I understand that stage2 does not include the new line character (ASCII code 0x0A) at the end of each line and accounted for this. For instance, from Linux:

$ echo "root (hd0,0)" | head -c -1 | sha1sum | awk '{print $1}'
4b2eb731bd397d16a1f74102d30efca9aadc8646

From running ~/TrustedGrub-1.1.5/TrustedGrub-1.1.5/grub/grub I got the same hash value above when I typed root (hd0,0) after the grub>.

So given that I have the following in my menu.lst:

default=0
timeout=5
title My Bootloader
root (hd0,0)
kernel /boot/bzImage /root/dev/sda1

I should get a result in PCR 12 that is extended such that

a = Hash (0x0000000000000000000000000000000000000000 | Hash of "default=0" without the 0x0a)
b = Hash (a | Hash of "timeout=5" without the 0x0a)
c = Hash (b | Hash of "title My Bootloader" without the 0x0a)
d = Hash (c | Hash of "root (hd0,0)" without the 0x0a)
PCR 12 = Hash (d | Hash of "kernel /boot/bzImage /root/dev/sda1" again without the trailing 0x0a)

I tried this also in reverse, starting with the kernel command line too. I got the wrong answer both times. I verified my intermediate values a, b, c, and d were calculated according to spec.

Now my question here (finally) is this: Does the stage2 ignore the default, timeout, and title commands when extending into PCR at boot? I noticed when I boot from TrustedGrub and hit c for command line I cannot enter a default or timeout. Could this be my problem?

I also noticed that the stage 2 code has a call update_pcr that seems to only be called in case of a checkfile command or kernel command. This also bugs me. I can extend PCR-14 nicely as it is a hash of the string "/boot/bzImage" - the odd thing is that I did not have to worry about 0x0a for PCR 14.

There is a tcg_hash_extend_pcr in the (yikes) assembler code asm.S that might be doing something different with these PCRs during boot.

Anyone there available to help answer these questions?

thanks
Bill
From: hassan k. <has...@gm...> - 2013-11-13 16:05:13

Hi All,

Thanks, now I understood what trusted grub is doing. Anyhow, is there any website/server where a list of known-good hashes is already maintained, so that I can verify the lower PCR values, i.e. (BIOS => PCR_0, BIOS Configurations => PCR_1, etc...)? As I understood, there will be lots of variation in the PCR_0 value as different motherboards have different BIOS code embedded in them.

best,
HK

On Fri, Nov 8, 2013 at 8:52 PM, Marcel Selhorst <tru...@se...> wrote:
> Hi Hassan,
>
> > I installed trusted grub and then checked PCR Values. PCRs from 0-7 have
> > values but PCR's from 8 to 16 were empty (the sample out is below). My
> > understanding is trusted grub only measures what is before OS and not the
> > OS itself. Can we make trusted grub to measure the OS as well as the
> > applications that will be launched over OS?
>
> as the other repliers already mentioned, it is the task of the OS to
> continue the chain-of-trust to the applications, once it got control
> from the bootloader. Once the OS is running, TrustedGRUB doesn't have
> any control anymore on what is loaded / executed. IMA is indeed a very
> good approach to look into, if you want to continue your measurements.
>
> However, your TrustedGRUB installation seems not to be correct, since
> all PCRs 8-16 are empty. Please re-check that you installed stage1 and
> stage2 correctly and that no other stage1_5 or similar files are in
> /boot resp. /boot/grub.
>
> Thanks
> Marcel
From: Marcel S. <tru...@se...> - 2013-11-08 20:10:08

Hi Hassan,

> I installed trusted grub and then checked PCR Values. PCRs from 0-7 have
> values but PCR's from 8 to 16 were empty (the sample out is below). My
> understanding is trusted grub only measures what is before OS and not the
> OS itself. Can we make trusted grub to measure the OS as well as the
> applications that will be launched over OS?

as the other repliers already mentioned, it is the task of the OS to continue the chain-of-trust to the applications, once it got control from the bootloader. Once the OS is running, TrustedGRUB doesn't have any control anymore on what is loaded / executed. IMA is indeed a very good approach to look into, if you want to continue your measurements.

However, your TrustedGRUB installation seems not to be correct, since all PCRs 8-16 are empty. Please re-check that you installed stage1 and stage2 correctly and that no other stage1_5 or similar files are in /boot resp. /boot/grub.

Thanks
Marcel
From: Olga C. <ol...@gm...> - 2013-11-08 13:16:38

TrustedGrub doesn't measure OS or apps after the boot process is over. If you want the applications measured after the OS is launched, IMA (Integrity Measurement Architecture) may be used for that. They have a wiki on sourceforge.
http://sourceforge.net/p/linux-ima/wiki/Home/

--
per aspera ad astra
--

On Thu, Nov 7, 2013 at 11:24 AM, hassan khan <has...@gm...> wrote:
> Hi All,
>
> I installed trusted grub and then checked PCR Values. PCRs from 0-7 have
> values but PCR's from 8 to 16 were empty (the sample out is below). My
> understanding is trusted grub only measures what is before OS and not the
> OS itself. Can we make trusted grub to measure the OS as well as the
> applications that will be launched over OS?
>
> These are the values of my PCR's....!
>
> [PCR-00 through PCR-23 listing: PCR-00 to PCR-07 and PCR-17 to PCR-19 populated, PCR-08 to PCR-16 and PCR-20 to PCR-23 all zero]
>
> best,
> HK
From: Oliver W. <ma...@ol...> - 2013-11-08 07:13:51

Hi,

On 07.11.2013 17:24, hassan khan wrote:
> Hi All,
>
> I installed trusted grub and then checked PCR Values. PCRs from 0-7 have
> values but PCR's from 8 to 16 were empty (the sample out is below). My
> understanding is trusted grub only measures what is before OS and not
> the OS itself. Can we make trusted grub to measure the OS as well as the
> applications that will be launched over OS?
>

No, this is not possible - the bootloader has no knowledge about what is an operating system or even an application. Besides - as today's OSes are multithreaded and multiuser, it is quite worthless to push anything to the PCR which does not run in a deterministic way.

The correct way looks like:
* let trusted grub check your "initial" kernel
* let the initial kernel check the main kernel and libs and write results to the pcr
* decide what you want to have measured by your system and write code that populates the pcrs.

Oliver

--
Protect your environment - close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF 8168 CAB7 B0DD 3985 1721
From: hassan k. <has...@gm...> - 2013-11-07 16:24:23

Hi All,

I installed trusted grub and then checked PCR Values. PCRs from 0-7 have values but PCR's from 8 to 16 were empty (the sample out is below). My understanding is trusted grub only measures what is before OS and not the OS itself. Can we make trusted grub to measure the OS as well as the applications that will be launched over OS?

These are the values of my PCR's....!

[PCR-00 through PCR-23 listing: PCR-00 to PCR-07 and PCR-17 to PCR-19 populated, PCR-08 to PCR-16 and PCR-20 to PCR-23 all zero]

best,
HK
From: Marcel S. <tru...@se...> - 2013-09-12 12:31:38

Hi Bill,

sorry for the late response, I didn't see your mail earlier, since you haven't subscribed to the mailing list. Also, I pasted all your emails into this one...

> Am I right that PCR-14 is calculated based on what menu.lst
> specifies is the kernel and initramfs? I was previously under the
> impression that PCR-14 could not be changed without tpm_create again.

All the PCRs are freshly calculated each time your system boots.

> A firmware update seems to be accomplished by having root privilege
> to edit menu.lst and change the kernel information.

What firmware update are you referring to? TrustedGRUB doesn't have a firmware.

> To be more clear, we want the ability to incrementally change the
> kernel without reloading the whole kernel. How would this work with
> TrustedGRUB?

How would you incrementally change the kernel? If you change the kernel, you have to reload it. If you therefore reboot your system, the new kernel will be measured by TrustedGRUB and extended into the according PCRs.

> Someone please tell me if I was under the false impression that
> during stages of the boot, the bootloader would verify the PCR
> contents match certain values, like PCR 14 matches the kernel and
> modules.

No, the bootloader doesn't verify anything (except if you use the checkfile-functionality). What TrustedGRUB does is to load files, measure them and extend the hashes into your TPM.

> What I have seen:
> PCRs 12, 13, and 14 do not always stay the same between boots of the
> system, based on alternative boots and checkfiles specified in
> menu.lst. Moreover, the verification of the PCRs seems to be done
> outside of TrustedGRUB.

Correct, if you boot different files, the PCRs will be different. The verification has to be done externally (e.g. by remote attestation). If you want to locally enforce a certain configuration, you need to seal data (e.g. a harddisk encryption key) to a certain PCR-configuration.

> A program can always get the PCRs by reading /sys/class/misc/tpm0/device/pcrs

yes.

> When he says these registers CAN BE USED TO VERIFY, he seems to be
> saying the verification is done outside TrustedGRUB.

yes. As said before, TrustedGRUB only loads and hashes files upon boot time. No reference values (except in the checkfile) are used and no enforcement is done within TrustedGRUB. This all has to be done externally. Please notice the difference between Trusted Boot and Secure Boot.

In case you'd like more information on TrustedGRUB and TPMs in general, I'd recommend the following documents:
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Studies/TSS_Apps/TSS-Apps_en.pdf?__blob=publicationFile
http://projects.sirrix.com/trac/trustedgrub/wiki/Documentation

Best regards
Marcel
From: Bill M. <bm...@va...> - 2013-09-10 16:03:44

Someone please tell me if I was under the false impression that during stages of the boot, the bootloader would verify the PCR contents match certain values, like PCR 14 matches the kernel and modules.

What I have seen:
PCRs 12, 13, and 14 do not always stay the same between boots of the system, based on alternative boots and checkfiles specified in menu.lst. Moreover, the verification of the PCRs seems to be done outside of TrustedGRUB. Perhaps with an encrypted file of expected PCRs?

A program can always get the PCRs by reading /sys/class/misc/tpm0/device/pcrs

One excerpt from http://resources.infosecinstitute.com/linux-tpm-encryption-initializing-and-using-the-tpm/

"TrustedGRUB is an extension to a normal GRUB boot loader, which has been modified to support the TPM. We can use TrustedGRUB to connect to the TPM and measure the binary configuration and store the resulting measurements in the Platform Configuration Registers (PCR) in the TPM. These registers can then be used to verify the software configuration running on the TPM-enabled platform."

When he says these registers CAN BE USED TO VERIFY, he seems to be saying the verification is done outside TrustedGRUB.

Excerpt from http://courses.cs.washington.edu/courses/cse550/10au/other_for_site/cse551_final_paper_draft5_final.pdf:

3.1 Verifying That Registers Change

Using TPM tools once the operating system has booted, we are able to do some basic functions with the TPM from the command line. One important thing to observe is that the hashed values in the PCRs actually change when the code being loaded changes. TrustedGRUB gives us options of which kernel and modules to load. By selecting two different kernels to load from the boot-menu, we have verified that the hashes change. Figure 3 illustrates the PCR digest from two different boots with different kernels being loaded. Changes are highlighted in bold. As expected, PCRs 12 and 14 are different. PCR12 is the hash of the command line arguments selected from the boot menu and PCR 14 is the hash of the kernel code being loaded. Similarly we observed that adding a three line script to a directory of startup programs changed PCR-14, thus validating that small changes result in different hashes as well as large changes like loading a different kernel.

[Figure 3: PCR-00 through PCR-15 listings for Kernel 2.6.28-16-generic and Kernel 2.6.28-11-generic]

Note that PCRs 12 and 14 are different between the two.
From: Bill M. <bm...@va...> - 2013-09-09 22:10:49

To be more clear, we want the ability to incrementally change the kernel without reloading the whole kernel. How would this work with TrustedGRUB?

________________________________________
From: Bill Martin
Sent: Monday, September 09, 2013 1:41 PM
To: tru...@li...
Subject: TrustedGRUB and Kernel update (Firmware Update) and PCR-14

Am I right that PCR-14 is calculated based on what menu.lst specifies is the kernel and initramfs? I was previously under the impression that PCR-14 could not be changed without tpm_create again.

A firmware update seems to be accomplished by having root privilege to edit menu.lst and change the kernel information.

Comments please?

Thanks
Bill
From: Bill M. <bm...@va...> - 2013-09-09 20:41:36

Am I right that PCR-14 is calculated based on what menu.lst specifies is the kernel and initramfs? I was previously under the impression that PCR-14 could not be changed without tpm_create again.

A firmware update seems to be accomplished by having root privilege to edit menu.lst and change the kernel information.

Comments please?

Thanks
Bill
From: Marcel S. <tru...@se...> - 2013-07-17 18:20:18

Hi Bill,

> So at this point I figure I was successful. Now I wanted to create my
> own check file. But it's risky. So I saw you can verify_pcr.

It's not risky, you can create the checkfile and first test it within the GRUB command shell (upon boot, press 'c' and type checkfile (hd0,x)/path/to/checkfile). If everything works, you can add it to your menu.lst.

> I have not seen any verify_pcr command whatsoever. I ran Grub,
> thinking it would have the command. What I got is this:

It is in the util-folder of the TrustedGRUB-package and is compiled automatically when you run the build_tgrub.sh install script.

> [root@localhost home]# grub Probing devices to guess BIOS drives.
> This may take a long time.
> Trusted GRUB 1.1.5 (http://trustedgrub.sf.net) [ No TPM detected! ]
> (640K lower / 3072K upper memory)

In order to detect whether a TPM is available, BIOS calls are required to be executed. Since Linux is already in protected mode, these calls will not work and you will - inside the GRUB shell under Linux - always see that no TPM is available. Please boot and see what TrustedGRUB says when the menu is shown. You should then be able to see "TPM detected".

Best regards!
Marcel
From: Bill M. <bm...@va...> - 2013-07-12 22:56:01

I noticed someone else had this same error with TrustedGRUB 1.1.3 and posted it somewhere, but there was no answer to his problem:
http://www.grounation.org/?post/2008/07/04/8-how-to-use-a-tpm-with-linux

I enabled TPM (version 1.2) on my x86_64 system. Installed TrustedGRUB 1.1.5 on my system. I have seen at boot up that TPM is detected and TrustedGrub is working. I also note I have created the public EK. So at this point I figure I was successful. Now I wanted to create my own check file. But it's risky. So I saw you can verify_pcr.

I have not seen any verify_pcr command whatsoever. I ran Grub, thinking it would have the command. What I got is this:

[root@localhost home]# grub
Probing devices to guess BIOS drives. This may take a long time.
Trusted GRUB 1.1.5 (http://trustedgrub.sf.net) [ No TPM detected! ]
(640K lower / 3072K upper memory)
[ Minimal BASH-like line editing is supported. For the first word, TAB lists possible command completions. Anywhere else TAB lists the possible completions of a device/filename. ]

So it is the same as what Sudhanshu in the link above got, but with older TrustedGRUB. Can someone help me?

I tried doing tpm_clear and then re-disabling the TPM in BIOS, then re-enabling it in BIOS over power recycles. And recreating my public key and SRK - several times. This did not change anything.

So why do I get "No TPM Detected" in TrustedGrub?

thanks
Bill Martin
bm...@va...
From: 王秉楠 <wan...@gm...> - 2013-03-17 11:02:41

Dear all:

I am a student studying trusted computing. Thanks to your work, I have installed the trusted grub successfully. Now, I want to do some coding experiments based on your work. However, I am much confused about how to set up a trusted grub development environment so that I can debug easily. From the screenshots on the website, I happened to find that you were using Qemu. And I just found some instructions like this:
http://v3.sk/~lkundrak/grub2-gdb/howto.html

I have little experience with this, so I am eager for your responses. Any instruction will be appreciated.

Thx~
From: Olga C. <ol...@gm...> - 2012-02-07 21:45:48

Hello everyone,

I know this question came up before, but does anyone know if there are any plans to create a version of TrustedGRUB based on GRUB 2?

thanks,
Olga
From: Ortwin A. <ang...@gm...> - 2012-01-19 09:02:31

Hello there!

I have a question regarding stage1_5. Is there a way to use an embedded stage1_5 in a *trusted* way with TrustedGrub?

I have a problem with checksum mismatches of the MBR (stage1) when using only stage2. Every time I install the grub boot-loader the checksum of the MBR (stage1) changes, resulting in a PCR mismatch. As far as I understand, the stage1 needs a hard-coded jump address to know where stage2 or stage1_5 is to continue booting. Since stage2 is stored in an ext2 partition, the jump address (sector) is never the same.

If I could use the embedded stage1_5 I would not have that problem, since stage1_5 is embedded directly after the MBR, always at the same address. Since stage1_5 has some primitive filesystem drivers it can then load stage2 from the boot partition.

Could you please clarify that? I'm not really sure if I'm on the right way ;)

Here I found some useful information about the grub stages:
http://thestarman.pcministry.com/asm/mbr/GRUB.htm

Many thanks,
Ortwin
From: Yash J. <yas...@gm...> - 2011-11-09 14:15:16

Hello All,

Does anyone know what could be the approximate release date of trusted grub on grub2?

Thanks and Regards,
Yeshpal Jain.
From: Marcel S. <m.s...@si...> - 2011-11-09 09:52:20

Good morning Sansar,

no, TrustedGRUB currently does not extend the hashes into the EventLog, this is planned for the next release. Your only option to see the hashes is indeed the -DSHOW_SHA1 compiler option (yet).

BR,
Marcel

On 09.11.2011 08:57, Sansar Choinyambuu wrote:
> Hello
>
> Is there a log file from trustedGRUB, where I could find which measurement values it has actually extended to the certain PCR?
> I've seen there is a debugging option -DSHOW_SHA1, which shows the measurements during the boot. Are these measurements logged somewhere?
>
> Also, do you produce so-called Events while the PCR is extended? I tried to get the EventLog after the machine is booted with trustedGRUB but always get 0 as returned number of events. (Tspi_TPM_GetEventLog)
>
> Thanks in advance
> Sansar

--
Sirrix AG security technologies - http://www.sirrix.com
Dipl.-Ing. Marcel Selhorst
eMail: m.s...@si...
Tel +49(681) 959 86-126
Fax +49(681) 959 86-526
get public key from keyserver
Fingerprint 4138 E617 E62E 79D3 E663 BE5A 14E7 1CD8 7C98 21CC
Management board: Ammar Alkassar (chair), Christian Stüble, Markus Bernhammer
Chairman of the supervisory board: Harald Stöber
Registered office: Homburg/Saar, HRB 3857 Amtsgericht Saarbrücken