From: Marcel S. <m.s...@si...> - 2010-07-07 13:21:38

Hi Chloé,

> My BIOS is a Dell version A02, does somebody have the same problem as me ?

in the past, we had some issues with Dell Bioses, however I don't have a Dell machine here, so I cannot check that. Can you send me the measurement log? I'd be interested to see what they hash in their PCRs.

> I can see my measurement log but is there a function that verifies
> automatically that the integrity measure of the log is the same value as the
> PCR 10 ? (a function that will extend a pcr with all the measures in the
> measurement log)

none that I know of ;) But since the measurement log should provide the hash information of all steps, you can re-calculate the values yourself. The next release of TrustedGRUB will also write its values into the measurement log.

Best regards,
Marcel

--
Sirrix AG security technologies -- http://www.sirrix.com
Dipl.-Ing. Marcel Selhorst   eMail: m.s...@si...
Tel: +49 (234) 610071-126   Fax: +49 (234) 610071-526
Tel: +49 (681) 95986-126   Fax: +49 (681) 95986-526
Get my public key from keyserver, KeyId: 0x7C9821CC
Fingerprint 4138 E617 E62E 79D3 E663 BE5A 14E7 1CD8 7C98 21CC

Executive board: Ammar Alkassar (chair), Christian Stueble
Chairman of the supervisory board: Prof. Dr. Kai Rannenberg
Registered office: Homburg/Saar, HRB 3857, Saarbruecken district court

This message may contain confidential and/or privileged information.
If you are not the addressee, you must not use, copy, disclose or
take any action based on this message or any information herein.
If you have received this message in error, please advise the sender
immediately by reply e-mail and delete this message.

From: chloé F. <fou...@gm...> - 2010-07-07 12:45:32

My BIOS is a Dell version A02, does somebody have the same problem as me ?

I can see my measurement log but is there a function that verifies automatically that the integrity measure of the log is the same value as the PCR 10 ? (a function that will extend a pcr with all the measures in the measurement log)

Cheers,
Chloe

Yes

2010/7/7 Marcel Selhorst <m.s...@si...>

> Hi Chloé,
>
> > Is it normal that I have the same value for PCR 1,2,3,6 and 7 ? Is it not
>
> actually, no. I have a Lenovo laptop and all PCR values are different.
>
> > supposed to be the Option Rom code in PCR 2 and the Option ROM configuration
> > in PCR 3 for example ?
>
> correct.
>
> > Does it depend on the policy of the BIOS ?
>
> The BIOS implementation is responsible for hashing and extending all the
> option ROMs etc., so you might have to inform the BIOS vendor, that they
> are not compliant to the specification. Can you read out the TPM
> measurement log? Maybe, they added some info into that:
>
> # mount -n -t securityfs -o nodev,noexec,nosuid \
>         securityfs /sys/kernel/security
>
> # cat /sys/kernel/security/tpm0/ascii_bios_measurements
>
> > My PCR values with trusted grub are :
>
> Looks good, PCRs 4,5,8,9,12,13,14 are different ;)
> Now you can verify the values via "verify_pcr".
>
> Cheers,
> Marcel

From: Marcel S. <m.s...@si...> - 2010-07-07 11:07:25

Hi Chloé,

> Is it normal that I have the same value for PCR 1,2,3,6 and 7 ? Is it not

actually, no. I have a Lenovo laptop and all PCR values are different.

> supposed to be the Option Rom code in PCR 2 and the Option ROM configuration
> in PCR 3 for example ?

correct.

> Does it depend on the policy of the BIOS ?

The BIOS implementation is responsible for hashing and extending all the option ROMs etc., so you might have to inform the BIOS vendor, that they are not compliant to the specification. Can you read out the TPM measurement log? Maybe, they added some info into that:

    # mount -n -t securityfs -o nodev,noexec,nosuid \
            securityfs /sys/kernel/security

    # cat /sys/kernel/security/tpm0/ascii_bios_measurements

> My PCR values with trusted grub are :

Looks good, PCRs 4,5,8,9,12,13,14 are different ;)
Now you can verify the values via "verify_pcr".

Cheers,
Marcel

From: chloé F. <fou...@gm...> - 2010-07-07 10:37:06

Hi,

Is it normal that I have the same value for PCR 1,2,3,6 and 7 ? Is it not supposed to be the Option Rom code in PCR 2 and the Option ROM configuration in PCR 3 for example ?

Does it depend on the policy of the BIOS ?

My PCR values with trusted grub are :

    PCR-00: 19 20 C6 AF 11 78 A9 01 77 3F AE A8 3F 33 0D D5 A4 0C DA AF
    PCR-01: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
    PCR-02: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
    PCR-03: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
    PCR-04: E8 C0 53 73 B4 66 BD A8 42 59 1E EE 46 8F 14 E3 C4 92 E0 B8
    PCR-05: AA 7F F3 A1 21 7A D9 74 05 94 11 51 6A EE 1B B0 0A 8C 1D 8D
    PCR-06: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
    PCR-07: 5B 93 BB A0 A6 64 A7 10 52 59 4A 70 95 B2 07 75 77 03 45 0B
    PCR-08: 25 24 F5 2A D3 F8 AC 73 14 25 11 85 A9 AF 88 7F D0 FE 2F 80
    PCR-09: CA A4 47 E1 CD FD 90 A3 3A 12 41 3C E9 16 33 D4 0E 92 B6 A4
    PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-12: 65 C9 1D 67 C8 37 FE A1 45 7C 9A A6 64 A1 F2 4E A1 FF 76 71
    PCR-13: 0F DC 13 85 D6 CA 0E 7A CD 25 62 45 2F A9 68 97 65 3F 58 EA
    PCR-14: C6 77 C3 B4 3D F0 0B 26 26 8C A5 D0 05 8F 35 89 54 D3 BD 83
    PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Thanks
Chloé

From: Marcel S. <m.s...@si...> - 2010-07-06 13:04:10

Hi Joern,

> Great new release, with ext3 support!

thanks!

> I remember that stage 1.5 used to be usable with Trusted Grub.

actually, no, the stage 1.5 should always been removed, since there is no measurement extension added into that.

> NOTE: Please make sure, that no *1_5-files are in your
> /boot/grub-directory. The only valid files in there are stage1, stage2,
> default, menu.lst / grub.conf.

correct.

> Why is that? I could not find any announcement or note about this, but
> from the source code it looks like it has been specially disabled:

This was done on purpose. Once you install TrustedGRUB, it will store the address of stage2 into stage1. If you use stage1.5, stage2 will be loaded by its filename from the filesystem instead of the fixed address, which could ease to replace stage2.

> In start.S:
> #ifdef STAGE1_5
>         ljmp $0, $0x2200
> #else /* ! STAGE1_5 */

> But IF they worked, they would break the
> asserted boot because stage1.5 would specifically not measure stage2 (it
> is commented out).

exactly, that is why we explicitly state to delete all stage1.5-files, such that they are not even used at all.

Best regards,
Marcel

From: Marcel S. <m.s...@si...> - 2010-07-06 12:38:03

Hi Chloé,

it seems you are mixing up the two different Trusted Computing extensions for GRUB, one is TrustedGRUB and one is GRUB-IMA. The measure-command you want to use is from GRUB-IMA, but since this one is not available within TrustedGRUB, the according PCRs will not be modified.

However, the checkfile-command is indeed from TrustedGRUB, but the resulting PCR-value is not equal to the hash value. The value you see in the PCR register is the SHA1-value of the concatenation of the old value with the hash to be added:

    PCR_New = SHA1( PCR_Old | new_hash_to_be_added )

In your case, PCR-13 will be the only file hashed into PCR-13. The hash-chain therefore is:

    PCR_13_step0 = 0000000000000000000000000000000000000000
    PCR_13_step1 = SHA1 ( 0000000000000000000000000000000000000000d26efadb318ce4dbad4314746834adb37519a0f8 )

which should result in the value 0x0fdc1385..... as seen in your PCR-13.

I have written a small utility helping you to calculate, that your PCR value is correct. It is called "verify_pcr" and should be installed on your machine in /usr/local/bin or so. Simply execute:

    verify_pcr NULL /boot/chloe

(NULL means the initial value of the PCR followed by the files, that are hashed into PCR-13).

Best regards,
Marcel

On 28.06.2010 15:15, chloé Fouquet wrote:
> Hi,
> I have installed TrustedGrub on my computer and I'm not sure it does its job.
> My menu.lst is the following :
>
> title Linux test checkfile + measure
> root (hd0,1)
> kernel /boot/vmlinuz-2.6.28-15-generic root=/dev/mapper/systemvg-root
> initrd /boot/initrd.img-2.6.28-15-generic
> checkfile /boot/grub/checkfiles
> measure (hd0,1)/boot/chloe 8
> measure (hd0,1)/boot/vmlinuz-2.6.28-15-generic 17
>
> the file checkfiles is :
> d26efadb318ce4dbad4314746834adb37519a0f8 (hd0,1)/boot/chloe
>
> and after I have rebooted my machine, my PCR-13 value is
> PCR-13: 0F DC 13 85 D6 CA 0E 7A CD 25 62 45 2F A9 68 97 65 3F 58 EA
>
> Shouldn't it be the hash value contained in the file checkfiles ?
>
> Is the syntax correct for the function measure ? Because I have nothing in
> PCR 17 after rebooting...
>
> Thanks for looking
>
> Chloe

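Added example, not part of any message in this thread and not TrustedGRUB's verify_pcr: Python code for the check asked about above, replaying a measurement log with the rule PCR_New = SHA1( PCR_Old | new_hash_to_be_added ) and comparing the result with a PCR dump. The log line layout (PCR index, SHA-1, event type, event name) and all function names are assumptions; only the checkfile hash and the PCR-13 line are taken from the thread.

```python
"""Replay a TPM 1.2 measurement log and compare it with a PCR dump."""
import hashlib
import re

SHA1_LEN = 20
PCR_RESET = bytes(SHA1_LEN)  # assumed start value: 20 zero bytes

# Values quoted in the thread (checkfile entry for /boot/chloe, PCR-13 after boot).
THREAD_CHECKFILE_SHA1 = "d26efadb318ce4dbad4314746834adb37519a0f8"
THREAD_PCR13_LINE = "PCR-13: 0F DC 13 85 D6 CA 0E 7A CD 25 62 45 2F A9 68 97 65 3F 58 EA"

# Assumed layout of one ascii_bios_measurements line:
#   <pcr index> <40 hex digit SHA-1> <event type, hex> [<event name>]
LOG_LINE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{40})\s+([0-9a-fA-F]+)\b")
# Layout of one line of the pcrs file as pasted in the thread.
PCR_LINE = re.compile(r"^PCR-(\d+):\s*((?:[0-9A-Fa-f]{2}\s*){20})$")


def extend(pcr: bytes, digest: bytes) -> bytes:
    """One extend step: PCR_New = SHA1(PCR_Old | new_hash_to_be_added)."""
    if len(pcr) != SHA1_LEN or len(digest) != SHA1_LEN:
        raise ValueError("PCR value and measurement must both be 20 bytes")
    return hashlib.sha1(pcr + digest).digest()


def parse_measurement_log(text: str):
    """Return [(pcr_index, digest), ...] in log order; reject malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a measurement entry: {line!r}")
        events.append((int(m.group(1)), bytes.fromhex(m.group(2))))
    return events


def replay(events):
    """Extend every logged digest into its PCR, in order; order matters."""
    pcrs = {}
    for index, digest in events:
        pcrs[index] = extend(pcrs.get(index, PCR_RESET), digest)
    return pcrs


def parse_pcr_dump(text: str):
    """Return {pcr_index: value} from 'PCR-NN: xx xx ...' lines."""
    pcrs = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line.strip())
        if m:
            pcrs[int(m.group(1))] = bytes.fromhex(m.group(2))
    return pcrs


def verify(log_text: str, pcr_dump_text: str):
    """{pcr_index: bool} for each PCR the log touches: does the replay match?"""
    replayed = replay(parse_measurement_log(log_text))
    reported = parse_pcr_dump(pcr_dump_text)
    return {i: reported.get(i) == v for i, v in sorted(replayed.items())}


def unlogged(log_text: str, pcr_dump_text: str):
    """PCRs holding a value although the log has no entry for them.

    All-00 and all-FF registers are treated as never extended. A hit means the
    component that extended the PCR did not write to the log, so the log alone
    cannot confirm that register.
    """
    logged = {i for i, _ in parse_measurement_log(log_text)}
    idle = (bytes(SHA1_LEN), b"\xff" * SHA1_LEN)
    return sorted(i for i, v in parse_pcr_dump(pcr_dump_text).items()
                  if i not in logged and v not in idle)


if __name__ == "__main__":
    # Single-entry hash chain from the thread: one checkfile entry into PCR-13.
    computed = extend(PCR_RESET, bytes.fromhex(THREAD_CHECKFILE_SHA1))
    reported = parse_pcr_dump(THREAD_PCR13_LINE)[13]
    print("computed PCR-13:", computed.hex())
    print("reported PCR-13:", reported.hex())
    print("match:", computed == reported)
```

A PCR listed by unlogged() is not by itself a sign of tampering; its expected value has to be recomputed from the measured files or command lines instead of from the log.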
From: chloé F. <fou...@gm...> - 2010-06-28 13:15:28

Hi,

I have installed TrustedGrub on my computer and I'm not sure it does its job. My menu.lst is the following :

    title Linux test checkfile + measure
    root (hd0,1)
    kernel /boot/vmlinuz-2.6.28-15-generic root=/dev/mapper/systemvg-root
    initrd /boot/initrd.img-2.6.28-15-generic
    checkfile /boot/grub/checkfiles
    measure (hd0,1)/boot/chloe 8
    measure (hd0,1)/boot/vmlinuz-2.6.28-15-generic 17

the file checkfiles is :

    d26efadb318ce4dbad4314746834adb37519a0f8 (hd0,1)/boot/chloe

and after I have rebooted my machine, my PCR-13 value is

    PCR-13: 0F DC 13 85 D6 CA 0E 7A CD 25 62 45 2F A9 68 97 65 3F 58 EA

Shouldn't it be the hash value contained in the file checkfiles ?

Is the syntax correct for the function measure ? Because I have nothing in PCR 17 after rebooting...

Thanks for looking

Chloe

From: <joe...@gm...> - 2010-05-15 19:12:54

Hi!

Great new release, with ext3 support!

I remember that stage 1.5 used to be usable with Trusted Grub. Now in the README I find this:

    ...
    rm /boot/grub/*1_5
    ...
    NOTE: Please make sure, that no *1_5-files are in your
    /boot/grub-directory. The only valid files in there are stage1, stage2,
    default, menu.lst / grub.conf.
    ...

Why is that? I could not find any announcement or note about this, but from the source code it looks like it has been specially disabled:

In start.S:

    #ifdef STAGE1_5
            ljmp $0, $0x2200
    #else /* ! STAGE1_5 */
    /* Begin TCG extension */
    /* Hashes the rest of stage2 and writes the result into PCR9. For details see README file. */

So it looks to me that the different stage1.5 are compiled, but there are warnings about using them. But IF they worked, they would break the asserted boot because stage1.5 would specifically not measure stage2 (it is commented out).

It would be great to know the reason for this change or what problems existed with stage 1.5 that lead to these warnings in the README!

Thanks
Jörn

From: Marcel S. <m.s...@si...> - 2010-04-28 13:55:18

Hi Zach

> Now I get what u were tryin to say. When I modified menu.lst, I just
> removed the 'default = 0' line in the file; which wasn't what u told
> me. Sorry for the misunderstanding.

;) no problem

> PCR-12 now changes when I fiddled
> with the kernel-line.

great!

> I also succeed changing PCRs by replacing the 'stage1' and 'stage2' from
> /boot/grub. When I changed stage1, PCR-4 changes and when stage2 was
> replaced; PCR-8 and PCR-4 change. Is this the way it's supposed to
> behave?

yep!

> Thanks so much.

You're Welcome!

Marcel

From: boddah <amu...@gm...> - 2010-04-28 13:52:44

Thank you Marcel.

Now I get what u were tryin to say. When I modified menu.lst, I just removed the 'default = 0' line in the file; which wasn't what u told me. Sorry for the misunderstanding. PCR-12 now changes when I fiddled with the kernel-line.

I also succeed changing PCRs by replacing the 'stage1' and 'stage2' from /boot/grub. When I changed stage1, PCR-4 changes and when stage2 was replaced; PCR-8 and PCR-4 change. Is this the way it's supposed to behave?

Thanks so much.

Best,
zach

On Wed, Apr 28, 2010 at 9:11 PM, Marcel Selhorst <m.s...@si...> wrote:

> Hi,
>
> >> So in case you modify e.g., your kernel-line by adding or removing an
> >> option, PCR-12 will be different.*
> > I can't seem to point out what's not right. PCR-12 still doesnt show any
> > changes. Can u elaborate on ways to really simulate this?
>
> That's odd, how does the output of your PCR's look like? Can you paste
>
> # cat /sys/class/misc/tpm0/device/pcrs
>
> In my case, my PCRs look as follows:
>
> PCR-00: 6D D1 0D BB 4E F9 C0 8D 3D DD CC 16 19 B0 39 37 73 47 69 99
> PCR-01: 58 4F C0 5A 1A 07 C3 15 56 A3 08 36 94 E4 09 F5 33 20 3E E1
> PCR-02: 53 DE 58 4D CE F0 3F 6A 7D AC 1A 24 0A 83 58 93 89 6F 21 8D
> PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
> PCR-04: 26 C1 AE 4B 8E 3F 5A EC 62 BF E9 46 F9 7C 14 CD EB 78 1F 54
> PCR-05: 50 12 43 8E 34 D5 C3 86 24 4C 3D 73 18 5B CA B7 0F DC 02 5E
> PCR-06: 58 5E 57 9E 48 99 7F EE 8E FD 20 83 0C 6A 84 1E B3 53 C6 28
> PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
> PCR-08: 4F 9C 38 86 51 79 78 92 F7 4D EC 10 5E AC 85 53 49 3F 4F FF
> PCR-09: B5 A4 EE 0A E4 75 DD 4B B2 C4 B8 92 D8 BC E5 38 A9 8B A8 37
> PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> PCR-12: 01 07 62 AE E6 E0 2D 96 B8 47 EC 2E 15 1C 07 A9 B0 7D A4 CB
> PCR-13: 44 43 C4 A7 5A 82 82 AA 5D DF 8C DB 29 FF B1 A8 21 38 F6 F1
> PCR-14: 44 43 C4 A7 5A 82 82 AA 5D DF 8C DB 29 FF B1 A8 21 38 F6 F1
> PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>
> My menu.lst looks like this:
>
> title=Gentoo Linux 64-Bit 2.6.33
>
> checkfile=(hd0,0)/checkfile-2.6.33
>
> kernel=(hd0,0)/vmlinuz-2.6.33 acpi_sleep=s3_bios
> thinkpad_acpi.experimental=1 thinkpad_acpi.fan_control=1 memtest=1
>
> initrd=(hd0,0)/keyrona-2.6.33.initrd
>
>
> Now, as soon as I switch the flag memtest=1 to memtest=0, PCR-12 changes as
> follows:
>
> PCR-12: A7 93 68 2D D1 FC 87 8B 21 26 57 A1 52 B6 63 45 D2 F3 80 89
>
> If you send me our menu.lst and your PCR-output, maybe we can figure
> something out.
>
> Thanks!
> Marcel

--
Forever indebt to your priceless advice...

From: Marcel S. <m.s...@si...> - 2010-04-28 13:11:05

Hi,

>> So in case you modify e.g., your kernel-line by adding or removing an
>> option, PCR-12 will be different.*
> I can't seem to point out what's not right. PCR-12 still doesnt show any
> changes. Can u elaborate on ways to really simulate this?

That's odd, how does the output of your PCR's look like? Can you paste

    # cat /sys/class/misc/tpm0/device/pcrs

In my case, my PCRs look as follows:

    PCR-00: 6D D1 0D BB 4E F9 C0 8D 3D DD CC 16 19 B0 39 37 73 47 69 99
    PCR-01: 58 4F C0 5A 1A 07 C3 15 56 A3 08 36 94 E4 09 F5 33 20 3E E1
    PCR-02: 53 DE 58 4D CE F0 3F 6A 7D AC 1A 24 0A 83 58 93 89 6F 21 8D
    PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
    PCR-04: 26 C1 AE 4B 8E 3F 5A EC 62 BF E9 46 F9 7C 14 CD EB 78 1F 54
    PCR-05: 50 12 43 8E 34 D5 C3 86 24 4C 3D 73 18 5B CA B7 0F DC 02 5E
    PCR-06: 58 5E 57 9E 48 99 7F EE 8E FD 20 83 0C 6A 84 1E B3 53 C6 28
    PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
    PCR-08: 4F 9C 38 86 51 79 78 92 F7 4D EC 10 5E AC 85 53 49 3F 4F FF
    PCR-09: B5 A4 EE 0A E4 75 DD 4B B2 C4 B8 92 D8 BC E5 38 A9 8B A8 37
    PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-12: 01 07 62 AE E6 E0 2D 96 B8 47 EC 2E 15 1C 07 A9 B0 7D A4 CB
    PCR-13: 44 43 C4 A7 5A 82 82 AA 5D DF 8C DB 29 FF B1 A8 21 38 F6 F1
    PCR-14: 44 43 C4 A7 5A 82 82 AA 5D DF 8C DB 29 FF B1 A8 21 38 F6 F1
    PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

My menu.lst looks like this:

    title=Gentoo Linux 64-Bit 2.6.33
    checkfile=(hd0,0)/checkfile-2.6.33
    kernel=(hd0,0)/vmlinuz-2.6.33 acpi_sleep=s3_bios thinkpad_acpi.experimental=1 thinkpad_acpi.fan_control=1 memtest=1
    initrd=(hd0,0)/keyrona-2.6.33.initrd

Now, as soon as I switch the flag memtest=1 to memtest=0, PCR-12 changes as follows:

    PCR-12: A7 93 68 2D D1 FC 87 8B 21 26 57 A1 52 B6 63 45 D2 F3 80 89

If you send me our menu.lst and your PCR-output, maybe we can figure something out.

Thanks!
Marcel

From: boddah <amu...@gm...> - 2010-04-28 11:44:54

---------- Forwarded message ----------
From: boddah <amu...@gm...>
Date: Wed, Apr 28, 2010 at 3:06 PM
Subject: Re: [Trustedgrub-users] how to simulate tampering of grub config so that PCR values display change
To: Marcel Selhorst <m.s...@si...>

Marcel,

As you suggested:

*There are several ways how to do this. The easiest way is to modify PCR-12, since this one contains all hashes from the executed commandlines from grub.conf. So in case you modify e.g., your kernel-line by adding or removing an option, PCR-12 will be different.*

I can't seem to point out what's not right. PCR-12 still doesnt show any changes. Can u elaborate on ways to really simulate this?

On Tue, Mar 16, 2010 at 6:31 PM, Marcel Selhorst <m.s...@si...> wrote:

> Hi Zach,
>
> > I'm running tGRUB on Fedora 10 and have installed everything successfully.
>
> good :)
>
> > I'm trying to find ways to simulate a tampering that will display changes in
> > the PCR. I've tried modifying 'grub.conf' but the PCR displays no changes.
> > Can somebody share somethin on this?
>
> There are several ways how to do this. The easiest way is to modify PCR-12,
> since this one contains all hashes from the executed commandlines from
> grub.conf.
> So in case you modify e.g., your kernel-line by adding or removing an
> option, PCR-12 will be different.
>
> If you use a checkfile and add or remove an entry, PCR-13 will change.
>
> PCR-14 will only change, if you modify / load a different kernel or initrd.
>
> HTH,
> Marcel

--
Forever indebt to your priceless advice...

--
Forever indebt to your priceless advice...

From: bob.zhang2004 <bob...@gm...> - 2010-04-20 09:39:07

Hi all,

My hardware is HP's dl360G6 installed RHEL x86_64 5.4 version. I installed TrustedGrub as guide. After rebooting, it displays this:

    Trusted Grub now booting Redhat Enterprise Linux Server (2.6.18-164.e15)'
    Progress:
    Error 28: Selected item cannot fit into memory
    tRUB: ******************************************"
    tGRUB: * An error occured which might result in *
    tGRUB: * an unverifiable or insecure system *
    tGRUB: * state. !!! BOOTING WILL BE STOPPED !!! *
    tGRUB: ******************************************

thanks very much! any idea is welcome!

===============

My installing grub step is like this:

    #rm -rf /boot/grub/stage*
    #rm -rf /boot/grub/*1_5
    [root@localhost TrustedGRUB-1.1.4]# util/grub-install /dev/cciss/c0d0 --no-floppy
    Installation finished. No error reported.
    This is the contents of the device map /boot/grub/device.map.
    Check if this is correct or not. If any of the lines is incorrect,
    fix it and re-run the script `grub-install'.

    # this device map was generated by anaconda
    (hd0) /dev/cciss/c0d0

2010-04-20
bob.zhang2004

From: Marcel S. <m.s...@si...> - 2010-04-07 21:53:56

Hi Thomas,

first of all sorry for the delay in getting back to you. Thanks for the bug report and the workaround. I will take a look at the counter variable and your patch (however, it might take a couple of days until I get to it). Since I have some more patches to apply to TrustedGRUB, this will be included into version 1.1.5.

Thanks,
Marcel

On 07.04.2010 20:42, Thomas Brinker wrote:
> Hi,
>
> I did wonder how to precalculate the value of PCR9. Finally I am pretty sure
> that usage of variable "counter" in stage2/start.S is not correct and results
> in measuring 0 Bytes.
>
> See attached patch for a quick and dirty fix that works for me.
>
> Kind regards
> Thomas

From: Thomas B. <tho...@em...> - 2010-04-07 18:42:17

Hi,

I did wonder how to precalculate the value of PCR9. Finally I am pretty sure that usage of variable "counter" in stage2/start.S is not correct and results in measuring 0 Bytes.

See attached patch for a quick and dirty fix that works for me.

Kind regards
Thomas

--
Dipl.-Ing. Thomas Brinker, emlix GmbH, http://www.emlix.com
Fon +49 30 275911-00, Fax -33, Schützenstr. 18, 10117 Berlin, Germany
Registered office: Göttingen, Göttingen district court HR B 3160
Management: Dr. Uwe Kracke, VAT ID: DE 205 198 055

emlix - your embedded linux partner

From: Marcel S. <m.s...@si...> - 2010-03-16 10:45:54

Hi Zach,

> I'm running tGRUB on Fedora 10 and have installed everything successfully.

good :)

> I'm trying to find ways to simulate a tampering that will display changes in
> the PCR. I've tried modifying 'grub.conf' but the PCR displays no changes.
> Can somebody share somethin on this?

There are several ways how to do this. The easiest way is to modify PCR-12, since this one contains all hashes from the executed commandlines from grub.conf. So in case you modify e.g., your kernel-line by adding or removing an option, PCR-12 will be different.

If you use a checkfile and add or remove an entry, PCR-13 will change.

PCR-14 will only change, if you modify / load a different kernel or initrd.

HTH,
Marcel

From: boddah <amu...@gm...> - 2010-03-15 17:47:56
Hi,

I'm running tGRUB on Fedora 10 and have installed everything successfully. I'm trying to find ways to simulate a tampering that will display changes in the PCR. I've tried modifying 'grub.conf' but the PCR displays no changes. Can somebody share something on this?

Regards,
zach

--
Forever indebted to your priceless advice...

From: Marcel S. <m.s...@si...> - 2010-02-23 08:18:28
Hi Hardeep,

yes, TrustedGRUB treats Xen as a modified Linux, thus it is possible to boot and measure Xen (at least the kernel for Dom-0). All other domains are then booted via the Xen management tools from inside Dom-0.

HTH,
Marcel

On 22.02.2010 21:19, Hardeep Uppal wrote:
> Hi,
>
> I am using TPM to build a trusted software stack and my current
> implementation has TrustedGrub measuring the OS (Linux). I am trying to install
> Xen on my machine and I am not sure if TrustedGrub will be able to measure
> Xen instead of OS. Has anyone used Xen in their architecture to measure the
> software stack? Will TrustedGrub see Xen as a modified Linux and measure it
> or do I need to modify code in TrustedGrub?
>
> Thanks for any help.
>
> --Hardeep Uppal

From: Hardeep U. <har...@gm...> - 2010-02-22 20:20:03
Hi,

I am using TPM to build a trusted software stack and my current implementation has TrustedGrub measuring the OS (Linux). I am trying to install Xen on my machine and I am not sure if TrustedGrub will be able to measure Xen instead of OS. Has anyone used Xen in their architecture to measure the software stack? Will TrustedGrub see Xen as a modified Linux and measure it or do I need to modify code in TrustedGrub?

Thanks for any help.

--Hardeep Uppal

From: Marcel S. <m.s...@si...> - 2010-02-11 09:56:30
Hi Witold,

> Is there any effort to port TPM functionality
> of trusted grub to the grub-pc in the Grub 2?

Cautious yes... When the first version of GRUB2 was published, I took a glance at the code and due to the modular design, it was not easily possible to adapt the measurement functionality in all of the file system modules. However, I think it's possible, but we need to check the assembly part to verify how much space we have left in the MBR code. But currently I can't estimate when we will start with our work on TrustedGRUB2.

Best regards,
Marcel

From: Witold B. <ba...@sm...> - 2010-02-05 00:47:31
Hi,

Is there any effort to port TPM functionality of trusted grub to the grub-pc in the Grub 2? grub-pc is going to be the default bootloader in the next release of Debian (squeeze).

regards.

--
Witold Baryluk
JID: witold.baryluk // jabster.pl

From: Marcel S. <m.s...@si...> - 2010-02-02 11:16:05
Hi Achim,

> I built and installed the latest version of the trusted grub and it
> works.

great :)

> The only problem is that it does not show the splashimage
> I configured in the menu.lst file. Does anyone know this problem?

TrustedGRUB does not have splashimage support. I have a couple of patches here that may work; I'll test them and in case of success, I'll integrate them in the next version of TrustedGRUB.

Best regards,
Marcel

From: Kanert, A. <ac...@ms...> - 2010-02-02 10:46:52
Hi everybody,

I built and installed the latest version of the trusted grub and it works. The only problem is that it does not show the splashimage I configured in the menu.lst file. Does anyone know this problem?

Regards,

Achim Kanert
MSC Vertriebs GmbH
Design Center Aachen
Pascalstrasse 21
D-52076 Aachen
Tel.: +49 2408-709-233
Fax.: +49 2408-709-299
E-Mail: <<mailto:ac...@ms...>>
Internet: <<http://www.msc-ge.com>>

From: Marcel S. <m.s...@si...> - 2010-01-11 09:09:13
Hello Dieter,

> I have a problem with the measurements of TrustedGRUB. The PCRs are extended,
> but the measurements don't appear in the event log of the TPM in
> /sys/kernel/security/tpm0.

TrustedGRUB currently doesn't add the measurements in the measurement log. The main reason for this is that at the time when TrustedGRUB was developed, many BIOSes didn't implement the necessary "TPM_HashLogExtendEvent" correctly or not even at all. This should in the meantime have been fixed. Thanks for the reminder, I have now created a ticket for this:
https://projects.sirrix.com/trac/trustedgrub/ticket/7
So the next release of TrustedGRUB will be enhanced and changed to support this BIOS call.

Thanks,
Marcel

From: <Die...@gm...> - 2010-01-10 13:18:05
Hello,

I have a problem with the measurements of TrustedGRUB. The PCRs are extended, but the measurements don't appear in the event log of the TPM in /sys/kernel/security/tpm0.

Thanks,
Dieter