From: Sansar C. <sun...@ya...> - 2011-11-09 09:44:47
Thanks for the quick answer Marcel.

Can you please provide me a patch that logs the measurements into a file? (measurements that are displayed with -DSHOW_SHA1 option)
I know I'm asking for something that not every trustedGRUB user needs. But asking doesn't hurt ;)

Cheers
Sansar

________________________________
From: Marcel Selhorst <m.s...@si...>
To: Sansar Choinyambuu <sun...@ya...>; "tru...@li..." <tru...@li...>
Sent: Wednesday, November 9, 2011 10:09 AM
Subject: Re: [Trustedgrub-users] trustedGRUB measurements log

Good morning Sansar,

no, TrustedGRUB currently does not extend the hashes into the EventLog, this is planned for the next release. Your only option to see the hashes is indeed the -DSHOW_SHA1 compiler option (yet).

BR,
Marcel

On 09.11.2011 08:57, Sansar Choinyambuu wrote:
> Hello
>
> Is there a log file from trustedGRUB, where I could find, which measurement values it has actually extended to the certain PCR?
> I've seen there is debugging option -DSHOW_SHA1, which shows the measurements during the boot. Are these measurements logged somewhere?
>
> Also, do you produce so called Events while the PCR is extended? I tried to get the EventLog after the machine is booted with trustedGRUB but always get 0 as returned number of events. (Tspi_TPM_GetEventLog)
>
> Thanks in advance
> Sansar

--
Sirrix AG security technologies - http://www.sirrix.com
Dipl.-Ing. Marcel Selhorst eMail: m.s...@si...
Tel +49(681) 959 86-126 Fax +49(681) 959 86-526
get public key from keyserver
Fingerprint 4138 E617 E62E 79D3 E663 BE5A 14E7 1CD8 7C98 21CC

Executive Board: Ammar Alkassar (Chair), Christian Stüble, Markus Bernhammer
Chairman of the Supervisory Board: Harald Stöber
Registered office: Homburg/Saar, HRB 3857 Amtsgericht Saarbrücken

This message may contain confidential and/or privileged information. If you are not the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.

From: Sansar C. <sun...@ya...> - 2011-11-09 07:57:36
Hello

Is there a log file from trustedGRUB, where I could find, which measurement values it has actually extended to the certain PCR?
I've seen there is debugging option -DSHOW_SHA1, which shows the measurements during the boot. Are these measurements logged somewhere?

Also, do you produce so called Events while the PCR is extended? I tried to get the EventLog after the machine is booted with trustedGRUB but always get 0 as returned number of events. (Tspi_TPM_GetEventLog)

Thanks in advance
Sansar

From: John M. W. <joh...@pi...> - 2011-09-15 09:56:34
A noob question...

In looking at the TrustedGRUB docs I see the following information regarding the use of PCR 8 & 9 for the stage 2 hash. It says that PCR 9 is used in connection with a boot from an LBA device, which I assume can be a USB thumb drive. However, it also says that when PCR 9 is used that PCR 8 will be blank.

If PCR 8 is previously set as a reference, then does it get wiped when booting from the thumb drive? Could PCR 8 be set as reference for a Linux boot and PCR 9 set as a reference for a Windows boot -- both booting from /dev/hda?

Thanks!
John

From: Check, E. R <ec...@mi...> - 2011-08-24 19:46:59
Olga,

Thank you! Much appreciated. Am I correct in my assumption that the only way to have encryption work while also using a checkfile would be to use full disk encryption? Otherwise, the encrypted partition would not be accessible/decrypted until after the bootloader finishes, and files to be checked would be inaccessible, correct?

Thank you,
Eitan

From: Olga Chen [mailto:ol...@gm...]
Sent: Tuesday, August 23, 2011 10:39 AM
To: Check, Eitan R
Cc: tru...@li...
Subject: Re: [Trustedgrub-users] Using a Checkfile with Encrypted Volumes

The current version of TrustedGrub is based on Grub 0.97, which does not support logical volumes. If there is ever a version of TrustedGrub that is based on Grub 2, then it will have LVM support.

On Tue, Aug 23, 2011 at 10:21 AM, Check, Eitan R <ec...@mi...> wrote:

Hi Everyone,

I'm currently running a CentOS 6 box with tGRUB. I am using LVM, and I have the logical volumes encrypted. Is there any possible way I can have the checkfile check its hash values against files in an encrypted logical volume, or even against files in just a plain, unencrypted logical volume?

Any information would be greatly appreciated.

Thanks,
Eitan

From: Olga C. <ol...@gm...> - 2011-08-23 14:39:12
The current version of TrustedGrub is based on Grub 0.97, which does not support logical volumes. If there is ever a version of TrustedGrub that is based on Grub 2, then it will have LVM support.

On Tue, Aug 23, 2011 at 10:21 AM, Check, Eitan R <ec...@mi...> wrote:
> Hi Everyone,
>
> I'm currently running a CentOS 6 box with tGRUB. I am using LVM, and I have the logical volumes encrypted. Is there any possible way I can have the checkfile check its hash values against files in an encrypted logical volume, or even against files in just a plain, unencrypted logical volume?
>
> Any information would be greatly appreciated.
>
> Thanks,
> Eitan

From: Check, E. R <ec...@mi...> - 2011-08-23 14:21:09
Hi Everyone,

I'm currently running a CentOS 6 box with tGRUB. I am using LVM, and I have the logical volumes encrypted. Is there any possible way I can have the checkfile check its hash values against files in an encrypted logical volume, or even against files in just a plain, unencrypted logical volume?

Any information would be greatly appreciated.

Thanks,
Eitan

From: Yash J. <yas...@gm...> - 2011-08-17 15:18:17
Hello All,

I wanted to read PCRs through INT 1A in GRUB. I tried to understand the function update_pcr available in trusted GRUB's boot.c but I could not understand it completely.
I request help to read the PCR values from GRUB using INT 1A, command BB02, especially with the values to be updated in TCG_BUFFER_ADDRESS.
Any document/link will also be helpful.

Thanks and Regards,
Yeshpal.

From: Olga C. <ol...@gm...> - 2011-07-29 19:24:00
TrustedGRUB is comparing the hashes it calculates every time to the ones in check.file. So if you boot a different configuration, the comparison will fail. The idea is also to tie (or in TPM-speak "seal") something like an encryption key to the PCRs updated by TrustedGRUB, so that if something changes in your boot sequence, the "unseal" will not work - thus telling you that something was changed.

On Fri, Jul 29, 2011 at 8:32 AM, Yash Jain <yas...@gm...> wrote:
> Looping Forum...
>
> ---------- Forwarded message ----------
> From: Yash Jain <yas...@gm...>
> Date: Fri, Jul 29, 2011 at 5:58 PM
> Subject: Re: [Trustedgrub-users] Checkfile
> To: Marcel Selhorst <m.s...@si...>
>
> Thanks for the solution,
> I tried with the Linux sha1sum and it is working fine.
> I used checkfile to authenticate the kernel.
> I tried the following procedure,
> 1. Calculated the sha1 of kernel image.
> 2. Added the sha1 and the filename as recommended for checkfile.
> 3. Added the checkfile in my menu.lst file.
>
> /etc/check.file
> <HASH Value of kernel image> <kernel_path>
>
> /boot/menu.lst - added
> checkfile /etc/check.file.
>
> My understanding is, whenever anything is loaded by GRUB (including kernel, modules), the GRUB will calculate the sha1 of these images and compare with one stored in the TPM. If they match, GRUB will boot the OS, otherwise will halt the system, so that we have an integrity of kernel maintained.
> And also, if we add the kernel itself in checkfile, it is sure that my system is booted only with the authenticated kernel and whenever I need to upgrade the kernel I will change the TPM SHA1 by another authenticated module which would be loaded by GRUB so that the integrity and maintainability both are assured.
>
> After browsing the source, I have a couple of questions,
> 1. Why is SHA1 updated in TPM every time during boot, by doing this if I give a wrong kernel to grub still it will boot.
> 2. Where am I using the TPM's EK to store the SHA1. In other words, can we use the TPM's EK to update the SHA1 from trusted boot.
> 3. We are calculating the hash for grub_open, grub_read and grub_close, is this done to make sure that whatever is loaded is authenticated using SHA1, if so I could not get any hints on what if we load the wrong module/image. Or in other words, how are these functions (grub_open, grub_read and grub_close) different from the existing GRUB in terms of their functionality.
> 4. In file boot.c, when will the while loop while(curr_length < max_length) terminate, because I didn't get any hint on this in the source code.
>
> Please find the check_file.file that I have used, attached with this mail.
>
> Thanks in advance for your patience and time.
>
> Regards,
> Yeshpal Jain.

From: Yash J. <yas...@gm...> - 2011-07-29 12:32:52
Looping Forum...

---------- Forwarded message ----------
From: Yash Jain <yas...@gm...>
Date: Fri, Jul 29, 2011 at 5:58 PM
Subject: Re: [Trustedgrub-users] Checkfile
To: Marcel Selhorst <m.s...@si...>

Thanks for the solution,
I tried with the Linux sha1sum and it is working fine.
I used checkfile to authenticate the kernel.
I tried the following procedure,
1. Calculated the sha1 of kernel image.
2. Added the sha1 and the filename as recommended for checkfile.
3. Added the checkfile in my menu.lst file.

/etc/check.file
<HASH Value of kernel image> <kernel_path>

/boot/menu.lst - added
checkfile /etc/check.file.

My understanding is, whenever anything is loaded by GRUB (including kernel, modules), the GRUB will calculate the sha1 of these images and compare with one stored in the TPM. If they match, GRUB will boot the OS, otherwise will halt the system, so that we have an integrity of kernel maintained.
And also, if we add the kernel itself in checkfile, it is sure that my system is booted only with the authenticated kernel and whenever I need to upgrade the kernel I will change the TPM SHA1 by another authenticated module which would be loaded by GRUB so that the integrity and maintainability both are assured.

After browsing the source, I have a couple of questions,
1. Why is SHA1 updated in TPM every time during boot, by doing this if I give a wrong kernel to grub still it will boot.
2. Where am I using the TPM's EK to store the SHA1. In other words, can we use the TPM's EK to update the SHA1 from trusted boot.
3. We are calculating the hash for grub_open, grub_read and grub_close, is this done to make sure that whatever is loaded is authenticated using SHA1, if so I could not get any hints on what if we load the wrong module/image. Or in other words, how are these functions (grub_open, grub_read and grub_close) different from the existing GRUB in terms of their functionality.
4. In file boot.c, when will the while loop while(curr_length < max_length) terminate, because I didn't get any hint on this in the source code.

Please find the check_file.file that I have used, attached with this mail.

Thanks in advance for your patience and time.

Regards,
Yeshpal Jain.

On Thu, Jul 28, 2011 at 6:53 PM, Marcel Selhorst <m.s...@si...> wrote:
> Hi,
>
> I found the issue. The problem is, that you have a 64-bit machine, however the code requires to be compiled for 32-bit. If you compile with "-m32", it works.
>
> $ gcc -m32 create_sha1.c
>
> I will fix this in the installer script for the next release.
> Thanks for finding this issue.
>
> Thanks,
> Marcel

From: Marcel S. <m.s...@si...> - 2011-07-28 13:23:35
Hi,

I found the issue. The problem is, that you have a 64-bit machine, however the code requires to be compiled for 32-bit. If you compile with "-m32", it works.

$ gcc -m32 create_sha1.c

I will fix this in the installer script for the next release.
Thanks for finding this issue.

Thanks,
Marcel

On 28.07.2011 15:00, Olga Chen wrote:
> I am using TrustedGRUB 1.1.5, and I just checked my utils/create_sha1 and it gives me 40-byte output, so I am not sure why your version gives you 80 bytes.
> Actually, when I created my checkfile, I used sha1sum utility on Linux instead of utils/create_sha1. You might want to try that. In the meantime, maybe someone can shed the light onto why you are getting an 80-byte output.
>
> Olga

From: Olga C. <ol...@gm...> - 2011-07-28 13:00:52
I am using TrustedGRUB 1.1.5, and I just checked my utils/create_sha1 and it gives me 40-byte output, so I am not sure why your version gives you 80 bytes.
Actually, when I created my checkfile, I used sha1sum utility on Linux instead of utils/create_sha1. You might want to try that. In the meantime, maybe someone can shed the light onto why you are getting an 80-byte output.

Olga

On Thu, Jul 28, 2011 at 6:01 AM, Yash Jain <yas...@gm...> wrote:
> Hello All,
> I wanted to add a sha1 in a checkfile.
> I followed the procedure mentioned in the readme file of trusted grub,
> 1. executed the file ./utils/create_sha1 <myfile>
> It gave me 80 digit checksum with the filename, copied the same data into file but my system does not boot.
>
> I checked in the boot.c, it parses only first forty bytes from the file and expects ' '<space>, but I am not understanding then why create_sha1 is giving me 80 bytes of result.
>
> Please help.
>
> Thanks and Regards,
> Yeshpal Jain.

From: Yash J. <yas...@gm...> - 2011-07-28 10:01:18
Hello All,

I wanted to add a sha1 in a checkfile.
I followed the procedure mentioned in the readme file of trusted grub,
1. executed the file ./utils/create_sha1 <myfile>
It gave me 80 digit checksum with the filename, copied the same data into file but my system does not boot.

I checked in the boot.c, it parses only first forty bytes from the file and expects ' '<space>, but I am not understanding then why create_sha1 is giving me 80 bytes of result.

Please help.

Thanks and Regards,
Yeshpal Jain.

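The checkfile layout described in this thread (a 40-digit SHA-1 in hex, a space, then the file name), as an added example that is not part of the original posts or of TrustedGRUB: a Python check that flags digests of the wrong length, such as the 80-digit output reported above, and compares the remaining entries with the current file contents. File names and contents are constructed, and path syntax as GRUB resolves it is not modelled.

```python
import hashlib
import re

# Entry layout taken from the thread: SHA-1 as hex, one space, then the file name.
ENTRY_RE = re.compile(r"^([0-9A-Fa-f]+) (\S.*)$")
SHA1_HEX_LEN = 40  # a 20-byte digest written as hex


def parse_checkfile(text):
    """Split checkfile text into usable entries and per-line problems."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            problems.append((lineno, "not '<sha1-hex> <file>'"))
            continue
        digest, path = match.group(1).lower(), match.group(2)
        if len(digest) != SHA1_HEX_LEN:
            problems.append(
                (lineno, "digest has %d hex digits, expected %d"
                 % (len(digest), SHA1_HEX_LEN))
            )
            continue
        entries.append((digest, path))
    return entries, problems


def verify_entries(entries, read_file):
    """Hash each listed file now and compare with the recorded digest.

    read_file(path) returns bytes and raises OSError if the file is unreadable.
    """
    results = []
    for digest, path in entries:
        try:
            data = read_file(path)
        except OSError:
            results.append((path, "unreadable"))
            continue
        actual = hashlib.sha1(data).hexdigest()
        results.append((path, "ok" if actual == digest else "mismatch"))
    return results


def read_from_disk(path):
    """Reader to pass to verify_entries on a running system."""
    with open(path, "rb") as handle:
        return handle.read()


# --- constructed sample data, not taken from the thread ---
SAMPLE_FILES = {
    "/boot/vmlinuz-sample": b"constructed kernel image bytes",
    "/boot/initrd-sample": b"constructed initrd bytes",
}


def read_sample(path):
    """In-memory stand-in for read_from_disk so the sample runs offline."""
    try:
        return SAMPLE_FILES[path]
    except KeyError:
        raise FileNotFoundError(path)


def build_sample_checkfile():
    good = hashlib.sha1(SAMPLE_FILES["/boot/vmlinuz-sample"]).hexdigest()
    stale = hashlib.sha1(b"older initrd").hexdigest()
    return "\n".join([
        good + " /boot/vmlinuz-sample",         # matches current content
        stale + " /boot/initrd-sample",         # file changed since it was recorded
        good + good + " /boot/vmlinuz-sample",  # 80 digits, as in the report
        good + " /boot/missing-sample",         # listed but absent
    ]) + "\n"


def run_sample():
    entries, problems = parse_checkfile(build_sample_checkfile())
    return verify_entries(entries, read_sample), problems


if __name__ == "__main__":
    sample_results, sample_problems = run_sample()
    for path, status in sample_results:
        print("%-10s %s" % (status, path))
    for lineno, reason in sample_problems:
        print("line %d: %s" % (lineno, reason))
```
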
From: Yash J. <yas...@gm...> - 2011-06-17 13:09:02
Hello All,

I want to integrate the trusted grub to my x86 based embedded platform. I request you to let me know how the integrity measurement between the BIOS and kernel can be done.
Also on which version is the latest trusted grub developed.

Thanks in Advance.

Thanks and Regards,
Yeshpal Jain.

From: Andy Y. <kia...@gm...> - 2011-05-18 05:01:34
Dear All,

How could we achieve bootloader (tGRUB) PCR checking whereby if the checked PCRs are not as expected, the boot up process will fail and abort?
I need this to prevent DUPLICATION of the hard drive in a USABLE condition ONTO another motherboard/TPM-chipset.

I've used "checkfile" syntax in menu.lst successfully, however, when the TPM is unplugged from mainboard (my TPM chip is not built-in) and booting it, the boot process can still continue. I wish to see boot failure if the TPM/PCR verification failed.

Any help plssss.....

Regards,
Andy Yew

From: meng <qs...@12...> - 2011-04-07 03:09:45
Hi everyone,

I reinstalled my hp6515b computer with ubuntu 10.4. When I run tpm_takeownership contained in toolsuite tpm_tools, it reported "Tspi_TPM_TakeOwnership failed: 0x00001087 - layer=tddl, code=0087 (135), I/O error". The second time I run tpm_takeownership, it reported "Tspi_TPM_TakeOwnership failed: 0x00000008 - layer=tpm, code=0008 (8), The TPM target command has been disabled".

After google, first I run tpm_clear to disable, inactive, and unownered the tpm, and power off. Then power on, in BIOS I enable, active the tpm. I run tpm_takeownership, it still has the same report.

In short, how can I successfully run takeownership?

Your help will be greatly appreciated.

qsmeng

From: Marcel S. <m.s...@si...> - 2011-03-22 09:26:34
Hi Justin,

> However, it was mentioned that support for logical partitions will be
> integrated as a part of porting Trusted GRUB to GRUB 2.
> Do you have any idea when you will have Trusted GRUB ported to GRUB 2.

We don't have a release date for TrustedGRUB2, yet. I'm afraid that it might be more a matter of months than of weeks. But I'll see what I can do to speed up things ;)

Thanks,
Marcel

--
Sirrix AG security technologies -- http://www.sirrix.com
Dipl.-Ing. Marcel Selhorst eMail: m.s...@si...
Tel: +49 (234) 610071-126 Fax: +49 (234) 610071-526
Tel: +49 (681) 95986-126 Fax: +49 (681) 95986-526
Get my public key from keyserver, KeyId: 0x7C9821CC
Fingerprint 4138 E617 E62E 79D3 E663 BE5A 14E7 1CD8 7C98 21CC

Executive Board: Ammar Alkassar (Chair), Christian Stueble
Chairman of the Supervisory Board: Prof. Dr. Kai Rannenberg
Registered office: Homburg/Saar, HRB 3857 Amtsgericht Saarbruecken

From: Justin G. <jge...@sb...> - 2011-03-21 15:49:21
Hello All,

I have been using Trusted GRUB to verify the integrity of my Linux system. But recently I have been partitioning my drive with a logical partition that I would like to place and use check.file to access files on that partition. I was having difficulty in getting check.file to work on my logical partition. While trying to find my problem, I saw in the email archive that Trusted GRUB check.file does not work in logical partitions.

However, it was mentioned that support for logical partitions will be integrated as a part of porting Trusted GRUB to GRUB 2. Do you have any idea when you will have Trusted GRUB ported to GRUB 2?

Thanks,
Justin Gesquiere

From: Marcel S. <m.s...@si...> - 2011-03-11 14:29:06
Hi Sunny,

On 07.03.2011 17:40, Sansar Choinyambuu wrote:
> Hello
>
> When the Integrity measurement on Checkfile fails and if the Booting is still continued regardless of that (by pressing any other button than Esc when prompted) the PCR 13 is not extended and is filled with zeros.

TrustedGRUB extends each file, if the verification was correct. As soon as it detects a modified file, it will stop with an integrity error and not extend the file into PCR-13. If for instance file 3 is corrupt, file 1 and 2 are extended into PCR-13, file 3 is not.

> I was expecting that the PCR 13 will be extended with the new SHA1 hash of the altered CheckFile on this event. So that the booting would not be disturbed and by looking at the PCR 13 value after the boot, I can discover if the CheckFile was altered.

This depends on your security requirements. Our intention was to stop booting when an integrity error occurs, extend only the valid files and then inform the user. Nevertheless, it is also possible to change this behaviour with only minor modifications in the source code.

> Which was not the case to my surprise. Also, I was wondering whether there is a configuration or an option not to show the warning for the Integrity Measurement Error while booting, so that the booting goes on no matter of the Integrity Measurements. I would very much appreciate if someone could give me insight on this.

Nope, there is not. However, the attached patch should extend each file, regardless of its verification state. Please note, that I didn't test this code, but it should work ;-)

HTH,
Marcel

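The PCR-13 behaviour described in the reply above, as an added Python model that is not TrustedGRUB code and not the patch mentioned in the message. It uses the TPM 1.2 extend rule, new PCR = SHA1(old PCR || digest), and assumes that the value extended for each file is the SHA-1 of its content and that nothing after the first failing file is extended in the default mode; file names and contents are constructed.

```python
import hashlib

PCR_RESET = bytes(20)  # a TPM 1.2 PCR holds 20 bytes and starts as all zeros


def extend(pcr, digest):
    """TPM 1.2 extend operation: new PCR = SHA1(old PCR || digest)."""
    if len(pcr) != 20 or len(digest) != 20:
        raise ValueError("PCR and digest must both be 20 bytes")
    return hashlib.sha1(pcr + digest).digest()


def reference_pcr(expected_hex_digests):
    """PCR value a verifier expects when every file matches its entry."""
    pcr = PCR_RESET
    for hex_digest in expected_hex_digests:
        pcr = extend(pcr, bytes.fromhex(hex_digest))
    return pcr


def measure(entries, extend_failed_files=False):
    """Model PCR-13 while walking checkfile entries in order.

    entries: list of (name, expected_sha1_hex, current_content_bytes).
    extend_failed_files=False: stop at the first mismatch without extending it
        (the behaviour described in the reply; stopping the walk is an assumption).
    extend_failed_files=True: extend every file with its measured digest,
        whether or not it verified (the alternative described in the reply).
    Returns (pcr, extended_names, failed_names).
    """
    pcr = PCR_RESET
    extended, failed = [], []
    for name, expected_hex, content in entries:
        measured = hashlib.sha1(content).digest()
        if measured.hex() != expected_hex.lower():
            failed.append(name)
            if not extend_failed_files:
                break
        pcr = extend(pcr, measured)
        extended.append(name)
    return pcr, extended, failed


# --- constructed sample data, not taken from the thread ---
SAMPLE = [
    ("file1", b"constructed content of file 1"),
    ("file2", b"constructed content of file 2"),
    ("file3", b"constructed content of file 3"),
]


def sample_entries(tampered=None):
    """Checkfile digests come from the original content; one file may be altered."""
    entries = []
    for name, content in SAMPLE:
        expected = hashlib.sha1(content).hexdigest()
        current = content + b" (modified)" if name == tampered else content
        entries.append((name, expected, current))
    return entries


if __name__ == "__main__":
    good = reference_pcr([e[1] for e in sample_entries()])
    print("reference PCR-13 :", good.hex())
    for label, kwargs in (("stop on failure ", {}),
                          ("extend all files", {"extend_failed_files": True})):
        pcr, extended, failed = measure(sample_entries("file3"), **kwargs)
        print("%s : %s extended=%s failed=%s"
              % (label, pcr.hex(), extended, failed))
```

In both modes the final value differs from the reference, so a comparison against the known-good PCR-13 after boot reveals the change; the modes differ only in whether the altered file's digest is part of the recorded chain.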
From: Sansar C. <sun...@ya...> - 2011-03-07 16:40:56
|
Hello

When the Integrity measurement on Checkfile fails and if the Booting is still continued regardless of that (by pressing any other button than Esc when prompted) the PCR 13 is not extended and is filled with zeros. I was expecting that the PCR 13 will be extended with the new SHA1 hash of the altered CheckFile on this event. So that the booting would not be disturbed and by looking at the PCR 13 value after the boot, I can discover if the CheckFile was altered. Which was not the case to my surprise.

Also, I was wondering whether there is a configuration or an option not to show the warning for the Integrity Measurement Error while booting, so that the booting goes on no matter of the Integrity Measurements. I would very much appreciate if someone could give me insight on this.

Cheers
Sunny
From: Olga G. <ol...@gm...> - 2010-12-09 14:20:57
|
Great! Glad to hear that there is GRUB2 support in TrustedGRUB's future!

On Thu, Dec 9, 2010 at 4:28 AM, Marcel Selhorst <m.s...@si...> wrote:
> Hi,
>
> > Oh, I see! Are there any plans for logical volume support in the future?
>
> No, but afaik, GRUB2 has LVM support, so once we ported TrustedGRUB to
> GRUB2, we'll have that out of the box.
>
> > I guess for now, I will try installing at least the root partition as a
> > physical volume.
>
> yes, that's the best way.
>
> Thanks!
> Marcel
From: Marcel S. <m.s...@si...> - 2010-12-09 10:40:51
|
Hi,

> I have a question. If I install the Trusted Grub with Debian Live on
> flash drive and boot from it with the following configuration of the
> menu.lst and a checkfile to check the "filesystem.squashfs". Is it
> possible to inject another "filesystem.squashfs" after the verification
> and before the file system is loaded through the kernel in RAM, for
> example through a manipulated flash drive with a switch.

The scenario you describe for the checkfile case might be possible, since TrustedGRUB does not keep the files in RAM which have been loaded during the checkfile function. Therefore, you need to add additional measures (e.g., organisational) to prevent an on-the-fly exchange of files.

However, imho the USB stick / flash drive is a very challenging example. Easier would be a scenario where you want to remotely verify a file on e.g., a network server.

The verification of the kernel and the Initrd however is different. These are both first loaded, checked and then kept in RAM. When control is passed to the kernel, nothing (i.e. kernel and initrd) needs to be reloaded from the media, so one can be sure that the measured components are the ones stored in memory (unless an attacker has physical access to the memory chips and can tamper with them).

What you can do is to add an additional verification round inside the initrd to re-check the validity of filesystem.squashfs (even by re-using the reference values from within the checkfile itself).

Best regards,
Marcel
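A sketch of the additional verification round suggested in the reply above, as an added example (not part of the message and not TrustedGRUB code). The checkfile line layout `<SHA-1 hex> <GRUB path>`, the path `(hd0,0)/live/filesystem.squashfs` and the image contents are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checkfile(text):
    """Assumed layout: one '<40 hex SHA-1> <GRUB path>' entry per line."""
    refs = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 40:
            continue  # skip blank or malformed lines
        try:
            bytes.fromhex(parts[0])
        except ValueError:
            continue
        refs[parts[1].strip()] = parts[0].lower()
    return refs


def sha1_stream(path, chunk=1 << 20):
    """Hash a large image without loading it into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def recheck(checkfile_text, grub_path, local_path):
    """True only if local_path matches its reference; fails closed."""
    ref = parse_checkfile(checkfile_text).get(grub_path)
    if ref is None:
        return False  # no reference value: treat as unverified
    return hmac.compare_digest(sha1_stream(local_path), ref)


def demo():
    grub_path = "(hd0,0)/live/filesystem.squashfs"  # constructed entry
    original = b"constructed squashfs image"
    checkfile = hashlib.sha1(original).hexdigest() + " " + grub_path + "\n"
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "filesystem.squashfs")
        with open(img, "wb") as f:
            f.write(original)
        ok_before = recheck(checkfile, grub_path, img)
        with open(img, "wb") as f:  # image exchanged after the boot-time check
            f.write(b"swapped image")
        ok_after = recheck(checkfile, grub_path, img)
        missing = recheck(checkfile, "(hd0,0)/live/other.squashfs", img)
    return ok_before, ok_after, missing
```

The re-check only closes the gap if it hashes the copy that will actually be mounted (with `toram`, the copy in RAM) and if the reference values travel inside the measured initrd rather than being read from the flash drive again.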
From: Marcel S. <m.s...@si...> - 2010-12-09 09:26:20
|
Hi,

> Oh, I see! Are there any plans for logical volume support in the future?

No, but afaik, GRUB2 has LVM support, so once we ported TrustedGRUB to GRUB2, we'll have that out of the box.

> I guess for now, I will try installing at least the root partition as a
> physical volume.

yes, that's the best way.

Thanks!
Marcel
From: Dennis L. <d....@fh...> - 2010-12-08 11:04:19
|
Hi together,

I have a question. If I install the Trusted Grub with Debian Live on flash drive and boot from it with the following configuration of the menu.lst and a checkfile to check the "filesystem.squashfs". Is it possible to inject another "filesystem.squashfs" after the verification and before the file system is loaded through the kernel in RAM, for example through a manipulated flash drive with a switch.

thx and greetings
Dennis Löhr, M.Sc.

menu.lst---
timeout 10
title DaPriM USB
root (hd0,0)
kernel /live/vmlinuz boot=live vga=791 persistent union=aufs live-media-path=live keyb=de locale=de_DE.UTF-8 toram
initrd /live/initrd.img
checkfile (hd0,0)/boot/grub/check.file
boot
---

--
Fachbereich Elektrotechnik und Informatik
DaPriM / Labor für IT-Sicherheit
Stegerwaldstrasse 39
48565 Steinfurt
Germany
Tel.: +49 2551 962 702
Fax.: +49 2551 962 170
Mail: d....@fh...
Web : www.daprim.de
From: Olga G. <ol...@gm...> - 2010-12-06 14:37:20
|
Oh, I see! Are there any plans for logical volume support in the future? I guess for now, I will try installing at least the root partition as a physical volume.

Sincerely,
Olga

On Mon, Dec 6, 2010 at 9:32 AM, Marcel Selhorst <m.s...@si...> wrote:
> Hi,
>
> > I just tried it with Xen 4.0.1 and it looks like it's booting fine. the
>
> great!
>
> > /dev/sda1, then (hd0,1) would be /dev/sda2, but I can't figure out how
> > to access anything in the logical partitions above. Is that even
> > possible?
>
> That's not possible at all, right now.
>
> Cheers,
> Marcel
From: Marcel S. <m.s...@si...> - 2010-12-06 14:29:34
|
Hi,

> I just tried it with Xen 4.0.1 and it looks like it's booting fine. the

great!

> /dev/sda1, then (hd0,1) would be /dev/sda2, but I can't figure out how
> to access anything in the logical partitions above. Is that even
> possible?

That's not possible at all, right now.

Cheers,
Marcel