On Wed, Jun 15, 2016 at 11:29:53AM +0200, Jan Schermer wrote:
> Hi,
> can someone please tell me from experience whether PCR-18 can be treated as 
> non-changing between different servers or platforms when pcr_map=da is used 
> and I use the same signing key?
> 
> Can I safely assume that PCR-18 will be the same on different servers or 
> different brands of servers even? Docs say the following and I'm not sure - 
> especially the last point would be troubling but I don't think it changes 
> when I use a different tboot binary (that should produce a different hash, 
> right?). 
> 
> The following hashes are extended to PCR18 in the order given:
> 
> - DIGEST of public key modulus used to verify SINIT signature.
I have no idea how to find this value. I don't see it in the tboot logs. Should
it always be the same for all SINITs? I think if you use the same SINIT on all
machines this will be constant though.
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x410
TBOOT:                         Digest: fe 48 79 5c e3 18 12 ff a8 14 99 7f 46 
3e a0 ca 19 eb 33 2c 
TBOOT:                           Data: 0 bytes

> - DIGEST of Processor S-CRTM status coded as DWORD – same value as extended 
> to PCR17.
In my logs I'm pretty sure this is the one; is it always 0x00000001?
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x40b
TBOOT:                         Digest: 3c 58 56 04 e8 7f 85 59 73 73 1f ea 83 
e2 1f ab 93 92 d2 fc 
TBOOT:                           Data: 4 bytes
                                 01 00 00 00 
Is there any relation to the values in 
/sys/kernel/security/tpm0/ascii_bios_measurements?
On my machine I have the following but they don't seem related?
 0 f7a80ec4d7794263e82b989d278c2fca84843f5e 07 [S-CRTM Contents]
 0 16b06bd9b738835e2d134fe8d596e9ab0086a985 08 [S-CRTM Version]

> - DIGEST of Capability field of OsSinitData table, coded as DWORD – same 
> value as extended to PCR17.
This I found in the tboot logs, for me it is TBOOT:   capabilities: 0x00000032
My value is the same as yours from your previous email, so it might be universal?
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x40f
TBOOT:                         Digest: b8 cb 6b 3d e8 66 f2 fd 1f 17 99 6f ee 
01 ce c4 74 8a 03 e8 
TBOOT:                           Data: 4 bytes
                                 32 00 00 00 

> - DIGEST of PolicyControl field of used policy (platform supplier (PS) or 
> platform owner (PO)) coded as DWORD – same value as extended to PCR17.
This and the one below are pretty trivially controlled by the policy.
> 
> - DIGEST of LCP – DIGEST of concatenation of hashes of lists containing 
> matching elements. If no policy, for 1.2 family, this digest is zero; for 2.0 
> family, it is DIGEST(0x0)

Also it took me ages to find that the Type: 0x40x values are defined in
Appendix G TPM Event Log of the software dev guide.

As with the other mail though, I cannot figure out how to get the final pcr18
value either. Are there other events that I'm missing?

-- Jason

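An added example, written for this thread and not code from tboot or from either poster: it parses the `Event:` blocks quoted above (the 0x40b and 0x40f PCR-18 entries, embedded here as constructed sample input), replays the extend chain the way a TPM 1.2 would to obtain the PCR-18 value the log implies, and reports whether each event's digest is exactly SHA-1 of the logged data bytes. Whether those two real digests match their data is what `data_hashes_to_digest` computes, not something the script assumes.

```python
import hashlib
# Constructed sample input: two of the PCR-18 events quoted in the thread, in
# tboot's log layout (a run of hex bytes may wrap onto a continuation line).
SAMPLE_LOG = """\
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x40b
TBOOT:                         Digest: 3c 58 56 04 e8 7f 85 59 73 73 1f ea 83
e2 1f ab 93 92 d2 fc
TBOOT:                           Data: 4 bytes
                                 01 00 00 00
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x40f
TBOOT:                         Digest: b8 cb 6b 3d e8 66 f2 fd 1f 17 99 6f ee
01 ce c4 74 8a 03 e8
TBOOT:                           Data: 4 bytes
                                 32 00 00 00
"""

def parse_events(log):
    """Parse tboot 'Event:' blocks into dicts with keys pcr, type, digest, data."""
    events, field = [], None
    for line in log.splitlines():
        line = line.replace("TBOOT:", "", 1).strip()
        if ":" in line:                          # a "Key: value" line
            key, val = (s.strip() for s in line.split(":", 1))
            if key == "Event":
                events.append({"digest": b"", "data": b""})
            elif key == "PCRIndex":
                events[-1]["pcr"] = int(val)
            elif key == "Type":
                events[-1]["type"] = int(val, 16)
            elif key in ("Digest", "Data"):      # Data's bytes come on the next line
                field = key.lower()
                events[-1][field] += bytes.fromhex(val if key == "Digest" else "")
        elif field and line:                     # continuation of a hex byte run
            events[-1][field] += bytes.fromhex(line)
    return events

def extend(pcr, digest):  # TPM 1.2 extend: new PCR = SHA-1(old PCR || digest)
    return hashlib.sha1(pcr + digest).digest()

def replay_pcr(events, index=18):  # replay the log from the reset value (all zeros)
    pcr = bytes(20)
    for ev in events:
        if ev["pcr"] == index:
            pcr = extend(pcr, ev["digest"])
    return pcr

def data_hashes_to_digest(ev):  # is the logged digest exactly SHA-1(logged data)?
    return bool(ev["data"]) and hashlib.sha1(ev["data"]).digest() == ev["digest"]
```

Feed the full `TBOOT:` log instead of the sample and compare `replay_pcr(...)` with the PCR-18 reading from the TPM; a mismatch means an event is missing from the log or the log order differs from the extend order.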

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
