Hi Paul

I went through all steps and I was able to create LCP with certificates,
VLP with TB_HTYPE_PECOFF and finally got platform booted with PCR 20
extended by certificate hash (to be honest I didn't check if it is
correct). So everything works, however I have a few notes :)

If VLP is present under its own index (for TPM 2.0 it is 0x01C10131),
tboot will not read LCP at all, so certificate will not be available. I
think that we should modify program flow, so even if VLP is present, LCP
should be read to check if LCP_CUSTOM_ELEMENT_CERTS_UUID element is
there.

Still I can't verify the signature of a custom-built kernel signed by my own
key, I am trying to figure out what is wrong, but without luck. One
thing that I found is a problem in the pkcs1_search_signer
function (pkcs1.c:101): it is comparing the certificate subject, but not
from the root of the certificate. I know that this is working fine with
Fedora's certificate, but I don't know if this is valid for every case.
With my simple certificate this was the first problem that I found. At
least, you should check that the pointer to the next element in the chain is not NULL.

Thanks,
Lukasz

On Wed, 2019-11-20 at 23:05 +0000, Paul Moore (pmoore2) via tboot-devel
wrote:
> On Fri, 2019-10-18 at 13:27 +0000, Paul Moore (pmoore2) via tboot-devel
> wrote:
> > On Thu, 2019-09-19 at 15:39 +0000, Paul Moore (pmoore2) via
> > tboot-devel wrote:
> > > Hello,
> > > 
> > > I've been working on adding PECOFF/kernel signature verification to
> > > tboot ...
> 
> Hello everyone,
> 
> I just pushed another update to my git repository under the working-
> txtsig branch:
> 
> * https://github.com/pcmoore/misc-tboot/tree/working-txtsig
> 
> 
> This update is notable in that it adds the missing policy support; no
> longer is the Fedora CA built into the tboot binary, verification
> certificates should be included in the LCP and the tboot VLP specifies
> which modules are subject to signature verification.  While there is
> still work to be done, I believe the code is now feature complete (or
> very close to it).  I would appreciate sanity checks on my approach,
> especially when it comes to the policy changes.
> 
> The commit descriptions have additional information, but in order to
> include certificates in the LCP, you would do the following:
> 
>  # lcp2_crtpolelt --create \
>      --type custom --uuid certificates test.der \
>      --out test.elt
> 
> ... in this case test.der is a DER encoded X509 certificate; multiple
> certificates may be concatenated together into the file, tboot will load
> each certificate.  Once the policy ELT has been created, it can be
> included in the LCP just as you would any other ELT module.
> 
> Once you have created a certificate ELT, you need to tell the tboot VLP
> to perform PECOFF signature verification on the kernel module; you can
> do that with the following command(s):
> 
>   # tb_polgen --create --type nonfatal test.vlp
>   # tb_polgen --add --num 0 --pcr 20 --hash pecoff test.vlp
>   # tb_polgen --show test.vlp
>   policy:
>          version: 2
>          policy_type: TB_POLTYPE_CONT_NON_FATAL
>          hash_alg: TB_HALG_SHA1
>          policy_control: 00000001 (EXTEND_PCR17)
>          num_entries: 1
>          policy entry[0]:
>                  mod_num: 0
>                  pcr: 20
>                  hash_type: TB_HTYPE_PECOFF
>                  num_hashes: 0
> 
> ... the pecoff/TB_HTYPE_PECOFF hash type instructs tboot to perform
> PECOFF signature verification on the given module.  When selected, the
> digest of the trusted root for the signing authority will be extended
> into the given PCR, which happens to be PCR 20 in the example above.  As
> a point of clarification, the "trusted root" is not necessarily the root
> CA of the signature chain, but rather the "nearest" certificate that was
> loaded from the LCP which is part of the signature chain.  This should
> provide for the most flexibility while preserving a signature root of
> trust in the LCP/TPM.
> 
> Comments and feedback on this approach are encouraged!
> 
> -Paul
> 
> 
> _______________________________________________
> tboot-devel mailing list
> tboot-devel@lists.sourceforge.net
> 
> https://lists.sourceforge.net/lists/listinfo/tboot-devel
> 
> 

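The "nearest LCP certificate" rule Paul describes above (the trusted root is the closest chain member that was loaded from the LCP, not necessarily the root CA) together with the NULL check Lukasz asks for, as an added illustration that is not tboot code or code from either author: a hypothetical chain walk in C over constructed placeholder certificates. The struct names, find_trusted_root and the sample data are all assumptions.

```c
#include <string.h>
/* Hypothetical, simplified model (not tboot's own types): a signature chain is a
 * singly linked list from the leaf signer towards the root CA, each certificate
 * carried as its DER encoding; issuer is NULL at the top of the chain. */
struct cert {
    const unsigned char *der;
    size_t der_len;
    const struct cert *issuer;
};
/* The certificates loaded from the LCP custom "certificates" element. */
struct lcp_certs {
    const struct cert *const *certs;
    size_t count;
};

/* Compare whole DER encodings, not only subject names: distinct certificates can
 * share a subject, so subject equality alone does not identify the LCP cert. */
static int same_cert(const struct cert *a, const struct cert *b)
{
    return a->der_len == b->der_len && memcmp(a->der, b->der, a->der_len) == 0;
}

/* Walk from the leaf towards the root and return the nearest chain member that was
 * loaded from the LCP; its digest is what would be extended into the PCR. Every
 * pointer is checked before use, so a chain that ends early, an empty LCP list or
 * a NULL entry yields NULL instead of a bad dereference. */
const struct cert *find_trusted_root(const struct cert *leaf, const struct lcp_certs *lcp)
{
    if (leaf == NULL || lcp == NULL || lcp->certs == NULL) return NULL;
    for (const struct cert *c = leaf; c != NULL; c = c->issuer)
        for (size_t i = 0; i < lcp->count; i++)
            if (lcp->certs[i] != NULL && same_cert(c, lcp->certs[i]))
                return lcp->certs[i];
    return NULL;
}

/* Constructed sample chain leaf -> intermediate -> root CA (placeholder DER bytes). */
static const unsigned char d_leaf[] = "leaf", d_mid[] = "intermediate", d_root[] = "root";
static const struct cert root_ca = { d_root, sizeof d_root - 1, NULL };
static const struct cert intermediate = { d_mid, sizeof d_mid - 1, &root_ca };
static const struct cert leaf_cert = { d_leaf, sizeof d_leaf - 1, &intermediate };
/* 0 = leaf, 1 = intermediate, 2 = root CA, -1 = no LCP certificate in the chain. */
int demo_trusted_root(int lcp_has_intermediate)
{
    const struct cert *only_root[] = { &root_ca };
    const struct cert *mid_and_root[] = { &intermediate, &root_ca };
    struct lcp_certs lcp = { lcp_has_intermediate ? mid_and_root : only_root, lcp_has_intermediate ? 2u : 1u };
    const struct cert *t = find_trusted_root(&leaf_cert, &lcp);
    return t == &leaf_cert ? 0 : t == &intermediate ? 1 : t == &root_ca ? 2 : -1;
}
```

With the intermediate in the LCP the intermediate wins even though the root CA is also present; with only the root CA loaded, the root CA is the trusted root.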