dev...@ar... wrote:
>> PCRs content -> provides evidence of system state
>
> Is it correct that checking PCR contents can be used to detect if a system is corrupted (e.g. hijacked, a bot, ...)?
If the chain of trust is not broken, the stored measurement log (SML) plus a
signed quote of the current PCRs is evidence of what software chain was run.
However, that alone does not give you any information on whether one of the
packages in the chain contains e.g. a buffer overflow, which is/was used
to silently take complete control of the system.
If you know that a certain piece of software is vulnerable, you can examine the chain
from the start onwards and, if the specific version is in there, you must
assume all later measurements are not the truth (because malicious software
can only manipulate measurements done after taking control, due to the one-way
nature of hashes).
> Further, is it correct that this check can only be used if the systems already know each other?
If you want to check for certain software hashes in the SML, of course
you would have to know the "good" (and probably "bad") values for
comparison.
Martin
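The two points in the reply above, replaying the SML to check it against the quoted PCR values and then scanning the log for a known-vulnerable measurement after which later entries can no longer be trusted, as an added example that is not part of the original thread or of any TPM software. It models only the SHA-256 extend operation and assumes the quote's signature has already been verified out of band; the log entries and digests are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# One SML entry: (pcr index, description, hex SHA-256 digest of the measured object).
Entry = Tuple[int, str, str]

# Constructed sample event log (not from any real firmware or bootloader).
# The third entry stands in for a build that is later learned to be vulnerable.
SAMPLE_SML: List[Entry] = [
    (0, "firmware-core", hashlib.sha256(b"firmware v1.0").hexdigest()),
    (4, "bootloader", hashlib.sha256(b"bootloader v2.3").hexdigest()),
    (4, "kernel", hashlib.sha256(b"kernel build with known hole").hexdigest()),
    (4, "initrd", hashlib.sha256(b"initrd").hexdigest()),
]

PCR_COUNT = 8
INITIAL_PCR = b"\x00" * 32  # SHA-256 PCRs start as all zeroes


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new_value = H(old_value || digest). One-way, order-dependent."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay_sml(sml: List[Entry]) -> Dict[int, bytes]:
    """Recompute the PCR values that a given log would produce if replayed from reset."""
    pcrs = {i: INITIAL_PCR for i in range(PCR_COUNT)}
    for idx, _desc, hexdigest in sml:
        pcrs[idx] = extend(pcrs[idx], bytes.fromhex(hexdigest))
    return pcrs


def quote_matches(sml: List[Entry], quoted_pcrs: Dict[int, bytes]) -> bool:
    """True if the log, replayed, reproduces every PCR value reported in the (verified) quote.
    A mismatch means the log has been edited or truncated, or entries are missing."""
    expected = replay_sml(sml)
    return all(expected[i] == v for i, v in quoted_pcrs.items())


def first_untrusted_entry(sml: List[Entry], known_bad: Set[str]) -> Optional[int]:
    """Index of the first entry whose digest is a known-vulnerable version, or None.
    Entries before it were measured by code that was still trustworthy; from that entry
    on, the measured component may already have been under an attacker's control."""
    for pos, (_idx, _desc, hexdigest) in enumerate(sml):
        if hexdigest in known_bad:
            return pos
    return None


def assess(sml: List[Entry], quoted_pcrs: Dict[int, bytes], known_bad: Set[str]) -> List[Tuple[str, str]]:
    """Per-entry verdict: 'trusted' up to the first known-bad component, 'untrusted' after.
    If the quote does not match the log at all, nothing in the log is trusted."""
    if not quote_matches(sml, quoted_pcrs):
        return [(desc, "untrusted") for _i, desc, _d in sml]
    cut = first_untrusted_entry(sml, known_bad)
    return [(desc, "trusted" if cut is None or pos < cut else "untrusted")
            for pos, (_i, desc, _d) in enumerate(sml)]


def tamper(sml: List[Entry], pos: int) -> List[Entry]:
    """Helper for the demo: replace one entry's digest, as an edited log would."""
    copy = list(sml)
    idx, desc, _ = copy[pos]
    copy[pos] = (idx, desc, "00" * 32)
    return copy


if __name__ == "__main__":
    quote = {i: v for i, v in replay_sml(SAMPLE_SML).items() if i in (0, 4)}
    bad = {SAMPLE_SML[2][2]}  # the kernel build is now known to be vulnerable
    for desc, verdict in assess(SAMPLE_SML, quote, bad):
        print(f"{desc:15s} {verdict}")
    print("tampered log matches quote:", quote_matches(tamper(SAMPLE_SML, 1), quote))
```

Note the asymmetry the reply describes: a matching quote proves the log is the one that was actually extended, but it says nothing about whether the measured components are sound; that judgement needs the set of known-good or known-bad digests, which is why the verifier must already know the software it expects to see.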