openp****@bohme*****
Fri Oct 2 08:44:25 JST 2009
Seiji Munetoh wrote:
> On Thu, Oct 1, 2009 at 9:51 PM, <openp****@bohme*****> wrote:
> (snip)
>> My question: What is measured at each stage of the boot? The
>> documentation says 'measures MBR' but what it really does is measure an
>> 8-byte header plus the first 446 bytes of the MBR - not just the 512
>> bytes of the actual MBR.
>>
>
> TCG spec says 446 bytes of MBR (except partition table).
> But the real world depends on BIOS implementation.
> The real world is like that. ;-)

I am still reading the specs - there is a lot to read. Since I am not building drivers most of it is not useful, but I am finding information like this that I can use.

>
>> The goal is to be able to figure out what each PCR value should be, so I
>> can use those values to seal data while installing software, or while
>> upgrading an existing system with new software. To do that, I need to
>> be able to hash the same set of values that the boot sequence is going
>> to measure, so I generate the same set of resulting PCR values. I can
>> do this during the software installation or upgrade, so I can measure
>> files on the disk just like GRUB will on the next reboot.
>>
>
> So you can successfully update the sealed data prior to the next boot.
>

Exactly. What good is sealed data if you can't get to it again? Then again, you could say it is the most *secure* data possible.. ;-)

>> Here's what I see being measured into PCR-4:
>>
>> 1. BIOS measures hash of first 446 bytes of the MBR
>> 2. GRUB stage1 measures 496 bytes of sector 1 of HDD (stage1.5)
>> 3. GRUB measures rest of stage1.5
>> 4. GRUB measures all of stage2
>>
>> I know exactly what values are used for steps 1, 2 and 4. The question
>> is, what exact offsets and byte counts are being measured for step 3?
>> I'm guessing that it is being done in stage2/start.S but have no easy
>> way to see what values it is using.
>>
>
> "grub-install" process modifies the stage files and copies them to
> your HDD from sector 0 to the size of stage1 (MBR) + stage1.5.
>
> I had used the "dd" command to get the installed stage image,
> then validate the measured digest. Probably you need raw HDD access
> to calculate the next PCR value after grub-install.
>

I have been doing the same thing. I took a copy of the TPM log (/sys/kernel/security/tpm0/ascii_bios_measurements) and am finding a way to create each hash value using dd and sha1sum. This way I know I can create a script later that will rebuild the entire sequence so I can get the right PCR values to use to seal data.

So far I have the following:

1. Checking the BIOS value of the MBR:
   dd if=/dev/hda bs=446 count=1 | sha1sum -

2. Checking the first GRUB-generated value:
   dd if=/dev/hda bs=1 skip=512 count=496 | sha1sum -

3. How to use dd to check the second GRUB-generated value? ima.h lists this as 'measurement of stage15fs' - how?

4. Checking the third GRUB-generated value:
   sha1sum /boot/grub/stage2

5. Checking GRUB-generated 'checking MBR':
   (echo 21 00 00 00 be 01 00 00 | xxd -r -p ; dd if=/dev/hda bs=1 count=446) | sha1sum -

You can see the values that I know how to generate, and which one I don't know. Do you know how to use dd to generate #3 above? (It is probably easy and I am missing something obvious...)

>
>> Can anyone offer any information, or a pointer to where this is documented?
>>
>
> I wrote a paper about this. Hope this helps.
>
> http://www.trl.ibm.com/projects/watc/20061130d-WATC-Munetoh-Paper.pdf
> http://www.trl.ibm.com/projects/watc/20061130d-WATC-Munetoh.pdf
>

Thank you - I have downloaded them and will read them tonight or tomorrow.

> The problem is we can't predict the measured value of a new BIOS image.
> MS BitLocker supports several recovery/re-seal ways for this.
>

Yes, if the BIOS changes everything will be ruined. I will have to manage BIOS upgrades carefully.

-P
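Added example, not code from this thread or from GRUB/OpenPTS: a Python replay of the PCR-4 extend chain the message above is trying to reproduce before sealing. It regenerates the four digests the dd | sha1sum commands produce from a constructed disk image, replays a constructed log in the ascii_bios_measurements format (assumed here to be '<pcr> <sha1-hex> <event-type> [<description>]'), and marks which logged entries can be regenerated; the stage15fs entry, whose offsets the thread does not settle, is left unmatched.

```python
import hashlib
PCR_RESET = b"\x00" * 20  # a TPM 1.2 PCR holds 20 zero bytes after reset

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || digest)."""
    return sha1(pcr + digest)

def parse_log(text: str, pcr_index: int) -> list:
    """Digests logged for one PCR (ascii_bios_measurements line format assumed)."""
    return [bytes.fromhex(p[1]) for p in (ln.split(None, 3) for ln in text.splitlines())
            if len(p) >= 3 and p[0].isdigit() and int(p[0]) == pcr_index]

def replay(digests: list) -> bytes:
    """Extend the logged digests in order, starting from the reset value."""
    pcr = PCR_RESET
    for d in digests:
        pcr = pcr_extend(pcr, d)
    return pcr

def known_digests(disk: bytes, stage2: bytes) -> dict:
    """Digests the thread regenerates with dd | sha1sum; 'rest of stage1.5' omitted."""
    mbr_code = disk[:446]                                    # dd bs=446 count=1
    return {
        "bios: mbr": sha1(mbr_code),
        "grub: stage1.5 sector": sha1(disk[512:512 + 496]),  # bs=1 skip=512 count=496
        "grub: stage2": sha1(stage2),                        # sha1sum /boot/grub/stage2
        "grub: checking mbr": sha1(bytes.fromhex("21000000be010000") + mbr_code),
    }

def explain_log(text: str, disk: bytes, stage2: bytes, pcr_index: int = 4):
    """Label each logged digest with the regenerated value it matches (None if none)
    and return the replayed PCR; once every entry is labelled, the same replay over
    the updated disk predicts the post-reboot PCR value to seal against."""
    by_digest = {d: name for name, d in known_digests(disk, stage2).items()}
    logged = parse_log(text, pcr_index)
    return [by_digest.get(d) for d in logged], replay(logged)

# Constructed stand-ins for /dev/hda (MBR + sector 1), stage2 and the TPM log.
DISK, STAGE2 = bytes(range(256)) * 4, b"constructed stage2 image " * 40
_k = known_digests(DISK, STAGE2)
SAMPLE_LOG = "\n".join([
    "4 " + _k["bios: mbr"].hex() + " 0d [IPL]",
    "4 " + _k["grub: stage1.5 sector"].hex() + " 0d [grub stage1]",
    "4 " + "ab" * 20 + " 0d [stage15fs: not regenerated here]",
    "4 " + _k["grub: stage2"].hex() + " 0d [grub stage2]",
    "4 " + _k["grub: checking mbr"].hex() + " 0d [checking MBR]",
])
```

Running explain_log(SAMPLE_LOG, DISK, STAGE2) labels every entry except the third, which is exactly the gap the message asks about; on a real machine the log text comes from the sysfs file and the disk bytes from the raw device.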