On 10/22/21 10:17 AM, James Bottomley wrote:
> On Fri, 2021-10-22 at 09:13 -0400, Stefan Berger wrote:
>> On 10/22/21 8:40 AM, James Bottomley wrote:
>>> On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
>>>> On 10/22/21 7:49 AM, James Bottomley wrote:
>>>>> On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
>>>>> [...]
>>>>>> I see this also but when I get into Linux and run
>>>>>> tpm2_pcrread I see the SHA1 bank active but not having
>>>>>> received any PCR extensions from the firmware, which is not
>>>>>> supposed to happen.
>>>>> That's not entirely correct: the TCG firmware profile just
>>>>> requires us to log through at least one bank; it doesn't
>>>>> require that all active banks be logged.  I've got several
>>>>> physical systems with three active banks but only one or two
>>>>> measured through.
>>>> The problem with this is that you can then fake measured boot on
>>>> that system using its unused SHA1 bank and extend into it
>>>> whatever you want and create a fake log along with it and the
>>>> quote is going to look alright.
>>> I don't think you can.  The measured boot PCRs in unused banks
>>> should always be their default values and the measurement software
>>> should check for this.  So on a system that only uses the sha256
>>> bank, the sha1 bank PCR0-7 should be all zeros ... if they aren't
>>> this should be a measurement failure.
>>>
>>> That means that if you try to replace the sha256 agile log with one
>>> containing fake sha1 entries, the attestation still fails because
>>> the sha256 bank doesn't have default entries.
>> You can still pretend that your system only has an active SHA1 bank
>> and serve the fake log.
> Which "You" can fake a TPM quote?  The whole design of the TPM system
> is supposed to be that what goes into the TPM can't be erased, only
> updated and we can get definitive proof of the values using a quote.

What I meant is the admin runs TPM2_PCR_Extend on PCRs 0-7 of the unused sha1 bank and extends it with known good values and has a log that goes with it and presents these to a validator along with the quote on the sha1 bank.

> You can fake the log to be sha1 only but you can't make it match the
> quote that includes the sha256 banks.

Yes, that's right. The client must insist that the sha256 bank, and any other possible bank, is quoted so that the system cannot just pretend that it only has an XYZ [sha1] bank (unlikely for TPM 2) and that ABC banks [sha256] don't exist there, even though the SHA256 matches the true log. A quote by itself doesn't quote all the banks. You have to select which banks to quote, and the client needs to have some control over that, it seems, to see for sure what the true firmware did.

  Stefan
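
A verifier-side check for the point the thread ends on, as an added example that is not from this thread or from edk2: the verifier fixes which banks must be quoted, and a bank the event log never touches must still hold its default value (assumed all zeros for PCR0-7). `check_quote`, the log layout and all sample data are constructed for illustration; validation of the quote signature and PCR digest is assumed to have happened already.

```python
import hashlib

BOOT_PCRS = range(8)  # PCR0-7, the firmware PCRs discussed in the thread
HASH = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

def replay(log, bank):
    """Replay an event log for one bank: new PCR = H(old PCR || event digest)."""
    pcrs = {i: bytes(HASH[bank]().digest_size) for i in BOOT_PCRS}  # default: zeros
    for pcr, digests in log:
        if bank in digests:
            pcrs[pcr] = HASH[bank](pcrs[pcr] + digests[bank]).digest()
    return pcrs

def check_quote(required_banks, quoted, log):
    """Return policy failures (empty list = accept).

    required_banks: chosen by the verifier, never taken from the attester.
    quoted: {bank: {pcr: value}} from a quote that was already verified.
    """
    failures = []
    for bank in required_banks:
        if bank not in quoted:
            failures.append(f"{bank}: not covered by quote")
            continue
        logged = any(bank in digests for _, digests in log)
        expected = replay(log, bank)  # all zeros when the log never uses this bank
        for i in BOOT_PCRS:
            if quoted[bank].get(i) != expected[i]:
                reason = "log mismatch" if logged else "unlogged bank not at default"
                failures.append(f"{bank}: PCR{i} {reason}")
    return failures

# Constructed sample data: firmware measured two events through sha256 only.
EVENTS = [(0, b"constructed firmware blob"), (4, b"constructed boot loader")]
TRUE_LOG = [(p, {"sha256": hashlib.sha256(d).digest()}) for p, d in EVENTS]
SHA1_LOG = [(p, {"sha1": hashlib.sha1(d).digest()}) for p, d in EVENTS]
# TPM state after the sha1 bank was also extended from the running OS.
TPM = {"sha256": replay(TRUE_LOG, "sha256"), "sha1": replay(SHA1_LOG, "sha1")}

def demo():
    both = ["sha1", "sha256"]
    return {
        "sha1_only_policy": check_quote(["sha1"], {"sha1": TPM["sha1"]}, SHA1_LOG),
        "sha1_only_quote": check_quote(both, {"sha1": TPM["sha1"]}, SHA1_LOG),
        "all_banks_sha1_log": check_quote(both, TPM, SHA1_LOG),
        "all_banks_true_log": check_quote(both, TPM, TRUE_LOG),
    }
```

Only the first case in `demo()`, where the verifier accepts a sha1-only selection, returns no failures; once both banks are required, the sha1-only quote, the sha1 log and even the true log against the tampered sha1 bank are all rejected.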

