Hi Paul Great news, I will check in the next week how it works and come back with feedback.
Thanks, Lukasz On Wed, 2019-11-20 at 23:05 +0000, Paul Moore (pmoore2) via tboot-devel wrote: > On Fri, 2019-10-18 at 13:27 +0000, Paul Moore (pmoore2) via tboot-devel > wrote: > > On Thu, 2019-09-19 at 15:39 +0000, Paul Moore (pmoore2) via > > tboot-devel wrote: > > > Hello, > > > > > > I've been working on adding PECOFF/kernel signature verification to > > > tboot ... > > Hello everyone, > > I just pushed another update to my git repository under the working- > txtsig branch: > > * > https://github.com/pcmoore/misc-tboot/tree/working-txtsig > > > This update is notable in that it adds the missing policy support; no > longer is the Fedora CA built into the tboot binary, verification > certificates should be included in the LCP and the tboot VLP specifies > which modules are subject to signature verification. While there is > still work to be done, I believe the code is now feature complete (or > very close to it). I would appreciate sanity checks on my approach, > especially when it comes to the policy changes. > > The commit descriptions have additional information, but in order to > include certificates in the LCP, you would do the following: > > # lcp2_crtpolelt --create \ > --type custom --uuid certificates test.der \ > --out test.elt > > ... in this case test.der is a DER encoded X509 certificate; multiple > certificates may be concatenated together into the file, tboot will load > each certificate. Once the policy ELT has been created, it can be > included in the LCP just as you would any other ELT module. > > Once you have created a certificate ELT, you need to tell the tboot VLP > to perform PECOFF signature verification on the kernel module; you can > do that with the following command(s): > > # tb_polgen --create --type nonfatal test.vlp > # tb_polgen --add --num 0 --pcr 20 --hash pecoff test.vlp > # tb_polgen --show test.vlp > policy: > version: 2 > policy_type: TB_POLTYPE_CONT_NON_FATAL > hash_alg: TB_HALG_SHA1 > policy_control: 00000001 (EXTEND_PCR17) > num_entries: 1 > policy entry[0]: > mod_num: 0 > pcr: 20 > hash_type: TB_HTYPE_PECOFF > num_hashes: 0 > > ... the pecoff/TB_HTYPE_PECOFF hash type instructs tboot to perform > PECOFF signature verification on the given module. When selected, the > digest of the trusted root for the signing authority will be extended > into the given PCR, which happens to be PCR 20 in the example above. As > a point of clarification, the "trusted root" is not necessarily the root > CA of the signature chain, but rather the "nearest" certificate that was > loaded from the LCP which is part of the signature chain. This should > provide for the most flexibility while preserving a signature root of > trust in the LCP/TPM. > > Comments and feedback on this approach are encouraged! > > -Paul > > > _______________________________________________ > tboot-devel mailing list > tboot-devel@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/tboot-devel > > _______________________________________________ tboot-devel mailing list tboot-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/tboot-devel