On Wed, May 18, 2016 at 01:00:10PM +0200, Jan Schermer wrote:
> Hi,
> I'd like to calculate PCR 18 before first reboot.
>
> I am using tboot with "pcr_map=da", signed policy and TB_POLCTL_EXTEND_PCR17
> disabled
>
> docs say:
> PCR 18 (Authorities):
>   It will be extended with the following values (in this order):
>   - The values as documented in the MLE Developers Manual
>   - SHA-1 hash of: tboot policy control value (4 bytes) |
>     SHA-1 hash of tboot policy (20 bytes)
>     : where the hash of the tboot policy will be 0s if
>       TB_POLCTL_EXTEND_PCR17 is clear
>
>
> There seems to be something missing here - is PCR 18 supposed to also contain
> hash of the signing key?
> I thought TB_POLCTL_EXTEND_PCR17 only affects the policy itself (hash of
> data), not the "Authority" (i.e. what's in NVRAM, key fingerprint...)

Did you manage to figure this out? I tried a whole ton of combinations for the
values in my logs but cannot reproduce PCR18 either.

> In txt-stat I see PCR 18 being extended several times(?):
>
> TBOOT: Event:
> TBOOT:     PCRIndex: 18
> TBOOT:         Type: 0x410
> TBOOT:       Digest: fe 48 79 5c e3 18 12 ff a8 14 99 7f 46 3e a0 ca 19 eb 33 2c
> TBOOT:         Data: 0 bytes
> TBOOT: Event:
> TBOOT:     PCRIndex: 18
> TBOOT:         Type: 0x40b
> TBOOT:       Digest: 90 69 ca 78 e7 45 0a 28 51 73 43 1b 3e 52 c5 c2 52 99 e4 73
> TBOOT:         Data: 4 bytes
> TBOOT:             00 00 00 00
> TBOOT: Event:
> TBOOT:     PCRIndex: 18
> TBOOT:         Type: 0x40f
> TBOOT:       Digest: b8 cb 6b 3d e8 66 f2 fd 1f 17 99 6f ee 01 ce c4 74 8a 03 e8
> TBOOT:         Data: 4 bytes
> TBOOT:             32 00 00 00
> TBOOT: Event:
> TBOOT:     PCRIndex: 18
> TBOOT:         Type: 0x40c
> TBOOT:       Digest: 90 69 ca 78 e7 45 0a 28 51 73 43 1b 3e 52 c5 c2 52 99 e4 73
> TBOOT:         Data: 4 bytes
> TBOOT:             00 00 00 00
> (note ^^ - did this revert back to previous value??)

No, 9069ca... is just the sha1 of "00000000", the digest there is the value that
is being extended into pcr18, not the value that is actually in pcr18.

-- Jason

> TBOOT: Event:
> TBOOT:     PCRIndex: 18
> TBOOT:         Type: 0x411
> TBOOT:       Digest: 35 f5 d3 8d 36 18 f1 26 6f 36 46 8b 5f 9f 31 ed 30 51 29 29
> TBOOT:         Data: 20 bytes
> TBOOT:             83 f0 f3 8f 97 7e 0d 49 6b ac f3 8e b3 29 4f 1d 8a db e0 13
>
> TBOOT: VL measurements:
> TBOOT:   PCR 18 (alg count 1):
> TBOOT:     alg 0004: d3 39 9b 72 62 fb 56 cb 9e d0 53 d6 8d b9 29 1c 41 08 39 c4
>
> TBOOT:     PCRIndex: 18
> TBOOT:         Type: 0x501
> TBOOT:       Digest: d3 39 9b 72 62 fb 56 cb 9e d0 53 d6 8d b9 29 1c 41 08 39 c4
> TBOOT:         Data: 0 bytes
>
>
> But the resulting value is different (not sure if that's expected)
> PCR-18: 05 C5 A7 47 22 19 71 90 2B 5D 17 29 C4 B8 F3 8E 8B EC C6 B0
>
> Can someone help me interpret this?
>
> Thanks
>
> Jan
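Jason's point above, that the Digest field of each event is the value fed into the extend and not the PCR's resulting contents, can be checked mechanically. The script below is an added example (not tboot's code): it parses the PCR 18 events quoted from txt-stat in this thread, checks for every event that carries Data whether the logged Digest is the SHA-1 of that Data (true for both 4-byte zero records, which hash to 9069ca...), and replays the TPM 1.2 extend rule PCR_new = SHA-1(PCR_old || Digest) over the events in order. The start value of the replay is an assumption: the docs excerpt says PCR 18 is first extended with the values from the MLE Developers Manual, which do not appear in the tboot event log, so replaying from all zeros is not expected to reproduce the final PCR-18 reading; the function takes the start value as a parameter so it can be supplied once known.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample input: the five PCR 18 events from the txt-stat output
# quoted in the thread, re-typed with the wrapped hex lines joined. This is
# example input for the parser below, not a guarantee of tboot's log format.
SAMPLE_TXT_STAT = """\
TBOOT: Event:
TBOOT:     PCRIndex: 18
TBOOT:         Type: 0x410
TBOOT:       Digest: fe 48 79 5c e3 18 12 ff a8 14 99 7f 46 3e a0 ca 19 eb 33 2c
TBOOT:         Data: 0 bytes
TBOOT: Event:
TBOOT:     PCRIndex: 18
TBOOT:         Type: 0x40b
TBOOT:       Digest: 90 69 ca 78 e7 45 0a 28 51 73 43 1b 3e 52 c5 c2 52 99 e4 73
TBOOT:         Data: 4 bytes
TBOOT:             00 00 00 00
TBOOT: Event:
TBOOT:     PCRIndex: 18
TBOOT:         Type: 0x40f
TBOOT:       Digest: b8 cb 6b 3d e8 66 f2 fd 1f 17 99 6f ee 01 ce c4 74 8a 03 e8
TBOOT:         Data: 4 bytes
TBOOT:             32 00 00 00
TBOOT: Event:
TBOOT:     PCRIndex: 18
TBOOT:         Type: 0x40c
TBOOT:       Digest: 90 69 ca 78 e7 45 0a 28 51 73 43 1b 3e 52 c5 c2 52 99 e4 73
TBOOT:         Data: 4 bytes
TBOOT:             00 00 00 00
TBOOT: Event:
TBOOT:     PCRIndex: 18
TBOOT:         Type: 0x411
TBOOT:       Digest: 35 f5 d3 8d 36 18 f1 26 6f 36 46 8b 5f 9f 31 ed 30 51 29 29
TBOOT:         Data: 20 bytes
TBOOT:             83 f0 f3 8f 97 7e 0d 49 6b ac f3 8e b3 29 4f 1d 8a db e0 13
"""


@dataclass
class Event:
    pcr: int
    type: int
    digest: bytes      # value that is extended into the PCR
    data: bytes = b""  # raw event data, if txt-stat printed any


def _hexbytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def parse_events(text: str) -> list[Event]:
    """Parse 'TBOOT: Event:' records; hex wrapped over several lines is joined."""
    events: list[Event] = []
    cur = None
    pending, remaining = None, 0  # which hex field is still being filled
    for raw in text.splitlines():
        line = raw.removeprefix("TBOOT:").strip()
        if line == "Event:":
            cur, pending, remaining = {"digest": b"", "data": b""}, None, 0
        elif cur is None:
            continue  # text outside an event record (e.g. VL measurements)
        elif line.startswith("PCRIndex:"):
            cur["pcr"] = int(line.split(":", 1)[1])
        elif line.startswith("Type:"):
            cur["type"] = int(line.split(":", 1)[1], 16)
        elif line.startswith("Digest:"):
            cur["digest"] = _hexbytes(line.split(":", 1)[1])
            pending, remaining = "digest", 20 - len(cur["digest"])
        elif line.startswith("Data:"):
            pending, remaining = "data", int(line.split(":", 1)[1].split()[0])
            if remaining == 0:
                events.append(Event(cur["pcr"], cur["type"], cur["digest"]))
                cur = None
        elif pending and remaining > 0:
            chunk = _hexbytes(line)
            cur[pending] += chunk
            remaining -= len(chunk)
            if pending == "data" and remaining == 0:
                events.append(Event(cur["pcr"], cur["type"], cur["digest"], cur["data"]))
                cur = None
    return events


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr_value + digest).digest()


def replay(events: list[Event], pcr: int, start: bytes = b"\x00" * 20) -> bytes:
    """Fold the logged digests for one PCR into a start value (an assumption;
    the real pre-tboot value of PCR 18 is not in this log)."""
    value = start
    for ev in events:
        if ev.pcr == pcr:
            value = extend(value, ev.digest)
    return value


def digest_matches_data(ev: Event):
    """True/False if the event has Data and its Digest is SHA-1(Data); None if no Data."""
    if not ev.data:
        return None
    return hashlib.sha1(ev.data).digest() == ev.digest


if __name__ == "__main__":
    evs = parse_events(SAMPLE_TXT_STAT)
    for ev in evs:
        print(f"type {ev.type:#06x} digest {ev.digest.hex()} "
              f"digest==sha1(data): {digest_matches_data(ev)}")
    print("replay of PCR 18 from all-zero start (assumed):",
          replay(evs, 18).hex())
```

Running it shows the two zero-data events (0x40b and 0x40c) logging the same digest because they hash the same 4 bytes, while the replayed value still changes at each step; a matching final PCR-18 value would additionally need the pre-tboot digests as the start value.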
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel