On Wed, Jun 15, 2016 at 11:29:53AM +0200, Jan Schermer wrote:
> Hi,
> can someone please tell me from experience whether PCR-18 can be treated as
> non-changing between different servers or platforms when pcr_map=da is used
> and I use the same signing key?
>
> Can I safely assume that PCR-18 will be the same on different servers or
> different brands of servers even? Docs say the following and I'm not sure -
> especially the last point would be troubling but I don't think it changes
> when I use a different tboot binary (that should produce a different hash,
> right?).
>
> The following hashes are extended to PCR18 in the order given:
>
> - DIGEST of public key modulus used to verify SINIT signature.

I have no idea how to find this value. I don't see it in the tboot logs.
Should it always be the same for all SINITs? I think if you use the same
SINIT on all machines this will be constant though.

TBOOT: Event:
TBOOT: PCRIndex: 18
TBOOT: Type: 0x410
TBOOT: Digest: fe 48 79 5c e3 18 12 ff a8 14 99 7f 46 3e a0 ca 19 eb 33 2c
TBOOT: Data: 0 bytes

> - DIGEST of Processor S-CRTM status coded as DWORD – same value as extended
> to PCR17.

In my logs I'm pretty sure this is the one, is it always 0x00000001?

TBOOT: Event:
TBOOT: PCRIndex: 18
TBOOT: Type: 0x40b
TBOOT: Digest: 3c 58 56 04 e8 7f 85 59 73 73 1f ea 83 e2 1f ab 93 92 d2 fc
TBOOT: Data: 4 bytes
    01 00 00 00

Is there any relation to the values in
/sys/kernel/security/tpm0/ascii_bios_measurements? On my machine I have the
following but they don't seem related?

0 f7a80ec4d7794263e82b989d278c2fca84843f5e 07 [S-CRTM Contents]
0 16b06bd9b738835e2d134fe8d596e9ab0086a985 08 [S-CRTM Version]

> - DIGEST of Capability field of OsSinitData table, coded as DWORD – same
> value as extended to PCR17.

This I found in the tboot logs, for me it is

TBOOT: capabilities: 0x00000032

My value is the same as yours from your previous email so might be universal?

TBOOT: Event:
TBOOT: PCRIndex: 18
TBOOT: Type: 0x40f
TBOOT: Digest: b8 cb 6b 3d e8 66 f2 fd 1f 17 99 6f ee 01 ce c4 74 8a 03 e8
TBOOT: Data: 4 bytes
    32 00 00 00

> - DIGEST of PolicyControl field of used policy (platform supplier (PS) or
> platform owner (PO)) coded as DWORD – same value as extended to PCR17.

This and the one below are pretty trivially controlled by the policy.

>
> - DIGEST of LCP – DIGEST of concatenation of hashes of lists containing
> matching elements. If no policy, for 1.2 family, this digest is zero; for 2.0
> family, it is DIGEST(0x0)

Also it took me ages to find that the Type: 0x40x values are defined in
Appendix G TPM Event Log of the software dev guide.

As with the other mail though, I cannot figure out how to get the final pcr18
value either. Are there other events that I'm missing?

-- 
Jason
_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
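Replaying PCR-18 from the logged digests, as an added example (not code from the thread or from tboot): it extends the three event digests quoted in the mail, in order, starting from the all-zero value GETSEC[SENTER] leaves in the DRTM PCRs, and checks for each DWORD event whether the logged digest is just SHA-1 of the 4 data bytes. The PolicyControl and LCP events are not in the quoted log excerpt, so they have to be appended to the list to reach the final value; the event-to-spec-bullet mapping in the comments follows where the mail placed each entry and is an assumption.

```python
import hashlib

# Constructed sample: the three PCR-18 events quoted in the mail above, as
# (event type, logged digest, logged data). Types per Appendix G of the TXT
# Software Development Guide, as the mail notes.
SAMPLE_EVENTS = [
    # placed under "public key modulus used to verify SINIT signature"; no data logged
    (0x410, "fe48795ce31812ffa814997f463ea0ca19eb332c", b""),
    # placed under "Processor S-CRTM status coded as DWORD"
    (0x40b, "3c585604e87f855973731fea83e21fab9392d2fc", bytes.fromhex("01000000")),
    # placed under "Capability field of OsSinitData table" (capabilities: 0x00000032)
    (0x40f, "b8cb6b3de866f2fd1f17996fee01cec4748a03e8", bytes.fromhex("32000000")),
]

# GETSEC[SENTER] resets the DRTM PCRs (17-22) to all-zero before SINIT extends them.
SENTER_RESET = bytes(20)


def dword_digest(value):
    """SHA-1 of a little-endian DWORD: the spec's 'DIGEST of ... coded as DWORD'."""
    return hashlib.sha1(value.to_bytes(4, "little")).digest()


def extend(pcr, digest):
    """TPM 1.2 extend operation: PCR' = SHA-1(PCR || digest)."""
    assert len(pcr) == 20 and len(digest) == 20
    return hashlib.sha1(pcr + digest).digest()


def replay_pcr(events, start=SENTER_RESET):
    """Extend the logged digests in log order; returns the expected PCR value as hex."""
    pcr = start
    for _type, digest_hex, _data in events:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr.hex()


def check_logged_digests(events):
    """For events that carry data, report whether logged digest == SHA-1(data).
    Entries without data (here the type 0x410 one) cannot be checked this way."""
    return {t: hashlib.sha1(d).hexdigest() == dg for t, dg, d in events if d}


if __name__ == "__main__":
    print("digest == SHA1(data) per event type:", check_logged_digests(SAMPLE_EVENTS))
    # Compare this with the PCR-18 value the TPM reports after boot; a mismatch means
    # the log excerpt is missing events (e.g. PolicyControl, LCP) or the order differs.
    print("expected PCR-18 after these events:", replay_pcr(SAMPLE_EVENTS))
```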