On Wed, 2022-04-20 at 10:16 +0200, Gerd Hoffmann wrote:
> Hi,
>
> > > Yes for validation (aka sanity-checking the fields, etc).
> > > But for measurement I don't see why the ordering matters.
> > > Whenever you do that before or after consuming the TdHob
> > > should not make a difference.
> >
> > [Jiewen] I disagree. The order matters from a security perspective.
> > If you use it, there is a risk that the buggy code will compromise
> > the system before you have a chance to measure it.
>
> Measurement will only record hashes for verification later on.
> It will not prevent running possibly buggy/compromised code.

This is true, but this is also the design of measured boot: it's for proof of correctness (or not) after the fact. Secure boot is more the technology that can prevent boot.

> So, no matter what the order is, you'll figure the system got
> compromised after the fact, when checking the hashes later, and in
> turn take actions like refusing to hand out secrets to the
> compromised system.

Not if the code falsifies the measurement both in the log and to the TPM. That's why the requirement of measured boot is that you start with a small ROM-based root of trust, which can't be updated because it's in ROM. It measures the next stage (usually PEI) before executing it, so that the measurement in the TPM would change if the next stage (which is often in flash) got compromised. Any tampering is therefore certain to be detected, and if the compromised code tries to falsify the log, the log now wouldn't match the TPM, so it can't evade detection.

The requirement from the TCG is that the trusted code measures the untrusted code through the TPM before executing it, to get this provable detection of tampering. The TCG allows you to be elastic about when you record the measurements in the log as long as you measure through the TPM at the correct points.

The above applies equally to TPM substitutes like the TDX MSRs.

James

View/Reply Online (#89139): https://edk2.groups.io/g/devel/message/89139
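The ordering argument above, as an added simulation that is not part of the thread and not edk2 code: a toy ROM root of trust extends a PCR with the hash of the next stage (PEI) and appends an event-log entry, then "runs" it. The stage images, the single PCR and the verifier-side `attest()` check are constructed for the example; the point it shows is that a compromised PEI can rewrite the software log after it runs, but cannot undo a PCR extend that happened before it ran, whereas measuring after execution lets it choose what gets measured.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM PCR extend: new = H(old || digest). One-way and order-sensitive,
    # so code that runs later cannot "unrecord" an earlier measurement.
    return sha256(pcr + digest)

def replay(log) -> bytes:
    # Verifier recomputes the PCR value the event log claims to describe.
    pcr = bytes(32)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr

# Constructed stand-ins for the PEI and DXE binaries (not real images).
CLEAN_PEI = b"clean PEI stage"
BAD_PEI = b"backdoored PEI stage"
DXE = b"DXE stage"

def boot(pei_image: bytes, measure_first: bool):
    """Simulate the ROM root of trust loading PEI, then PEI loading DXE."""
    pcr, log = bytes(32), []
    compromised = pei_image != CLEAN_PEI
    if measure_first:
        # TCG order: measure through the TPM, then execute.
        d = sha256(pei_image)
        pcr = extend(pcr, d)
        log.append(("PEI", d))
        if compromised:
            # Running malicious PEI can rewrite the software log to claim
            # the clean hash, but the PCR already holds the real one.
            log[-1] = ("PEI", sha256(CLEAN_PEI))
    else:
        # Wrong order: PEI runs before it is measured, so malicious PEI
        # controls what is measured and feeds the TPM the clean hash.
        d = sha256(CLEAN_PEI if compromised else pei_image)
        pcr = extend(pcr, d)
        log.append(("PEI", d))
    d = sha256(DXE)                       # PEI measures DXE before running it
    pcr = extend(pcr, d)
    log.append(("DXE", d))
    return pcr, log

def attest(pcr: bytes, log, golden_pcr: bytes) -> str:
    """Remote-verifier check: log must replay to the PCR, PCR must be golden."""
    if replay(log) != pcr:
        return "log does not match PCR: tampering detected"
    if pcr != golden_pcr:
        return "PCR differs from golden value: modified code detected"
    return "ok"

GOLDEN_PCR, _ = boot(CLEAN_PEI, measure_first=True)   # known-good reference
```

With `measure_first=True` the backdoored PEI is caught because its rewritten log no longer replays to the PCR; with `measure_first=False` the same backdoor produces a golden PCR and a consistent log, and attestation reports "ok".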