From openpts at bohme.org Thu Oct 1 21:51:16 2009
From: openpts at bohme.org (openpts at bohme.org)
Date: Thu, 01 Oct 2009 08:51:16 -0400
Subject: [Openpts-users] Question about stage measures in grub-ima
Message-ID: <4AC4A5C4.2010701@bohme.org>

Hi, I am working through setting up a Linux system using the TPM chip to
ensure integrity of the installed software. I have used the instructions
to build a grub 0.97 with the grub-ima-1.1.0 patch, and it is booting
and running. This is really difficult stuff, and I am very impressed at
the work done so far.

My question: What is measured at each stage of the boot? The
documentation says 'measures MBR' but what it really does is measure an
8-byte header plus the first 446 bytes of the MBR - not just the 512
bytes of the actual MBR.

The goal is to be able to figure out what each PCR value should be, so I
can use those values to seal data while installing software, or while
upgrading an existing system with new software. To do that, I need to
be able to hash the same set of values that the boot sequence is going
to measure, so I generate the same set of resulting PCR values. I can
do this during the software installation or upgrade, so I can measure
files on the disk just like GRUB will on the next reboot.

Here's what I see being measured into PCR-4:

  1. BIOS measures the hash of the first 446 bytes of the MBR
  2. GRUB stage1 measures 496 bytes of sector 1 of the HDD (stage1.5)
  3. GRUB measures the rest of stage1.5
  4. GRUB measures all of stage2

I know exactly what values are used for steps 1, 2 and 4. The question
is, what exact offsets and byte counts are being measured for step 3?
I'm guessing that it is being done in stage2/start.S but have no easy
way to see what values it is using.

Can anyone offer any information, or a pointer to where this is documented?

Much thanks!
From seiji.munetoh at gmail.com Fri Oct 2 07:53:29 2009
From: seiji.munetoh at gmail.com (Seiji Munetoh)
Date: Fri, 2 Oct 2009 07:53:29 +0900
Subject: [Openpts-users] Question about stage measures in grub-ima
In-Reply-To: <4AC4A5C4.2010701@bohme.org>
References: <4AC4A5C4.2010701@bohme.org>

On Thu, Oct 1, 2009 at 9:51 PM, wrote:
> Hi, I am working through setting up a Linux system using the TPM chip to
> ensure integrity of the installed software. Have used the instructions
> to build a grub 0.97 with the grub-ima-1.1.0 patch, and it is booting
> and running. This is really difficult stuff, and I am very impressed at
> the work done so far.

I agree.

> My question: What is measured at each stage of the boot? The
> documentation says 'measures MBR' but what it really does is measures an
> 8-byte header plus the first 446 bytes of the MBR - not just the 512
> bytes of the actual MBR.

The TCG spec says 446 bytes of the MBR (except the partition table),
but the real world depends on the BIOS implementation.

> The goal is to be able to figure out what each PCR value should be, so I
> can use those values to seal data while installing software, or while
> upgrading an existing system with new software. To do that, I need to
> be able to hash the same set of values that the boot sequence is going
> to measure, so I generate the same set of resulting PCR values. I can
> do this during the software installation or upgrade, so I can measure
> files on the disk just like GRUB will on the next reboot.

So you can successfully update the sealed data prior to the next boot.

> Here's what I see being measured into PCR-4:
>
>   1. BIOS measures hash first 446 bytes of the MBR
>   2. GRUB stage1 measures 496 bytes of sector 1 of HDD (stage1.5)
>   3. GRUB measures rest of stage1.5
>   4. GRUB measures all of stage2
>
>
> I know exactly what values are used for steps 1, 2 and 4. The question
> is, what exact offsets and byte counts are being measured for step 3?
> I'm guessing that it is being done in stage2/start.S but have no easy
> way to see what values it is using.

The "grub-install" process modifies the stage files and copies them to
your HDD from sector 0 to the size of stage1 (MBR) + stage1.5.

I had used the "dd" command to get the installed stage image, then
validated the measured digest. Probably you need raw HDD access to
calculate the next PCR value after grub-install.

> Can anyone offer any information, or a pointer to where this is documented?

I wrote a paper about this. Hope this helps.

http://www.trl.ibm.com/projects/watc/20061130d-WATC-Munetoh-Paper.pdf
http://www.trl.ibm.com/projects/watc/20061130d-WATC-Munetoh.pdf

The problem is we can't predict the measured value of a new BIOS image.
MS BitLocker supports several recovery/re-seal ways for this.

regards,
-- 
Seiji Munetoh

From openpts at bohme.org Fri Oct 2 08:44:25 2009
From: openpts at bohme.org (openpts at bohme.org)
Date: Thu, 01 Oct 2009 19:44:25 -0400
Subject: [Openpts-users] Question about stage measures in grub-ima
In-Reply-To: <4AC4A5C4.2010701@bohme.org>
References: <4AC4A5C4.2010701@bohme.org>
Message-ID: <4AC53ED9.8050806@bohme.org>

Seiji Munetoh wrote:
> On Thu, Oct 1, 2009 at 9:51 PM, wrote:
> (snip)
>> My question: What is measured at each stage of the boot? The
>> documentation says 'measures MBR' but what it really does is measures an
>> 8-byte header plus the first 446 bytes of the MBR - not just the 512
>> bytes of the actual MBR.
>>
>
> TCG spec said 446-Bytes of MBR.(except partition table)
> But the real world is depend on BIOS implementation.
>

The real world is like that. ;-) I am still reading the specs - there is
a lot to read. Since I am not building drivers most of it is not useful,
but I am finding information like this that I can use.

>
>> The goal is to be able to figure out what each PCR value should be, so I
>> can use those values to seal data while installing software, or while
>> upgrading an existing system with new software. To do that, I need to
>> be able to hash the same set of values that the boot sequence is going
>> to measure, so I generate the same set of resulting PCR values. I can
>> do this during the software installation or upgrade, so I can measure
>> files on the disk just like GRUB will on the next reboot.
>>
>
> So you can successfully update the sealed data prior to the next boot.
>

Exactly. What good is sealed data if you can't get to it again? Then
again, you could say it is the most *secure* data possible.. ;-)

>> Here's what I see being measured into PCR-4:
>>
>>   1. BIOS measures hash first 446 bytes of the MBR
>>   2. GRUB stage1 measures 496 bytes of sector 1 of HDD (stage1.5)
>>   3. GRUB measures rest of stage1.5
>>   4. GRUB measures all of stage2
>>
>>
>> I know exactly what values are used for steps 1, 2 and 4. The question
>> is, what exact offsets and byte counts are being measured for step 3?
>> I'm guessing that it is being done in stage2/start.S but have no easy
>> way to see what values it is using.
>>
>
> "grub-install" process modifies the stage files and copy them to
> your HDD from sector 0 to the size of stage1(MBR) + stage1.5.
>
> I had used "dd" command to get the installed stage image.
> then validate the measured digest. Probably you needs raw hdd access
> to calculate the next PCR value after grub-install.
>

I have been doing the same thing. I took a copy of the TPM log
(/sys/kernel/security/tpm0/ascii_bios_measurements) and am finding a way
to create each hash value using dd and sha1sum. This way I know I can
create a script later that will rebuild the entire sequence so I can get
the right PCR values to use to seal data.

So far I have the following:

  1. Checking the BIOS value of the MBR:
     dd if=/dev/hda bs=446 count=1 | sha1sum -

  2. Checking the first GRUB-generated value:
     dd if=/dev/hda bs=1 skip=512 count=496 | sha1sum -

  3. How to use dd to check the second GRUB-generated value? ima.h lists
     this as 'measurement of stage15fs' - how?

  4. Checking the third GRUB-generated value:
     sha1sum /boot/grub/stage2

  5. Checking GRUB-generated 'checking MBR':
     (echo 21 00 00 00 be 01 00 00 | xxd -r -p ; dd if=/dev/hda bs=1 count=446) | sha1sum -

You can see the values that I know how to generate, and which one I
don't know. Do you know how to use dd to generate #3 above? (It is
probably easy and I am missing something obvious...)

>
>> Can anyone offer any information, or a pointer to where this is documented?
>>
>
> I wrote paper about this. hope this help.
>
> http://www.trl.ibm.com/projects/watc/20061130d-WATC-Munetoh-Paper.pdf
> http://www.trl.ibm.com/projects/watc/20061130d-WATC-Munetoh.pdf
>

Thank you - I have downloaded them and will read them tonight or tomorrow.

> The problem is we can't predict the measured value of new BIOS image.
> MS BitLocker support several recovery/re-seal ways for this.
>

Yes, if the BIOS changes everything will be ruined. I will have to
manage BIOS upgrades carefully.

-P

From seiji.munetoh at gmail.com Fri Oct 2 21:00:57 2009
From: seiji.munetoh at gmail.com (Seiji Munetoh)
Date: Fri, 2 Oct 2009 21:00:57 +0900
Subject: [Openpts-users] Question about stage measures in grub-ima
In-Reply-To: <4AC53ED9.8050806@bohme.org>
References: <4AC4A5C4.2010701@bohme.org> <4AC53ED9.8050806@bohme.org>

On Fri, Oct 2, 2009 at 8:44 AM, wrote:
> You can see the values that I know how to generate, and which one I don't
> know. Do you know how to use dd to generate #3 above? (It is probably easy
> and I am missing something obvious...)

Not easy, so I made a simple Perl script to verify the BIOS and GRUB
measurements. Pull our openpts "tools" package from the git repo
and try the test/grub-verify.pl script, or you can browse the script here:
http://git.sourceforge.jp/view?p=openpts/tools.git;a=blob;f=test/grub-verify.pl

Enjoy:-)

-- 
Seiji Munetoh

From openpts at bohme.org Fri Oct 2 21:17:05 2009
From: openpts at bohme.org (openpts at bohme.org)
Date: Fri, 02 Oct 2009 08:17:05 -0400
Subject: [Openpts-users] Question about stage measures in grub-ima
In-Reply-To: <4AC53ED9.8050806@bohme.org>
References: <4AC4A5C4.2010701@bohme.org> <4AC53ED9.8050806@bohme.org>
Message-ID: <4AC5EF41.6020307@bohme.org>

Seiji Munetoh wrote:
> On Fri, Oct 2, 2009 at 8:44 AM, wrote:
>
>> You can see the values that I know how to generate, and which one I don't
>> know. Do you know how to use dd to generate #3 above? (It is probably easy
>> and I am missing something obvious...)
>>
>
> not easy, so i made simple Perl script to verify the BIOS and GRUB
> measurement. Pull our openpts's "tools" package from git repo
> and try test/grub-verify.pl script. or you can browse the script here:
> http://git.sourceforge.jp/view?p=openpts/tools.git;a=blob;f=test/grub-verify.pl
>
> Enjoy:-)
>

To boil it down to a 1-line script for the rest of stage 1.5 (for 25
blocks of stage1.5):

  dd if=/dev/hda bs=1 count=$((25*512-624)) skip=$((512+624)) | sha1sum -

That's exactly what I need, thank you very much!

-P
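A worked recomputation of the whole chain discussed in this thread, added here as an example and not code from the thread or from the openpts project: it applies the offsets and byte counts from the dd commands above to a constructed disk image and then replays the TPM 1.2 extend operation (PCR_new = SHA1(PCR_old || digest)) so the expected PCR value can be predicted before the reboot. The 25-block stage1.5 size, the all-zero starting PCR and the event order are assumptions taken from the poster's list; the thread does not say which PCR the 'checking MBR' event extends, so it is computed but left out of the replay.

```python
import hashlib

# Offsets and lengths exactly as given in the thread for grub 0.97 + grub-ima.
# STAGE15_BLOCKS = 25 is the poster's example and an assumption here.
SECTOR = 512
MBR_CODE_LEN = 446          # BIOS measures the MBR code, not the partition table
STAGE15_HEAD_LEN = 496      # stage1 measures 496 bytes starting at sector 1
STAGE15_REST_SKIP = 624     # rest of stage1.5 is measured from 624 bytes into sector 1
STAGE15_BLOCKS = 25
GRUB_MBR_HEADER = bytes.fromhex("21000000be010000")  # 8-byte prefix of the 'checking MBR' event


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def pcr_extend(pcr_hex, digest_hex):
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || digest), both 20 bytes."""
    return sha1_hex(bytes.fromhex(pcr_hex) + bytes.fromhex(digest_hex))


def grub_measurements(disk, stage2, stage15_blocks=STAGE15_BLOCKS):
    """Digests of the five events from the thread, sliced the way the dd commands do."""
    mbr_code = disk[:MBR_CODE_LEN]
    head = disk[SECTOR:SECTOR + STAGE15_HEAD_LEN]
    rest_off = SECTOR + STAGE15_REST_SKIP
    rest_len = stage15_blocks * SECTOR - STAGE15_REST_SKIP
    rest = disk[rest_off:rest_off + rest_len]
    return {
        "bios: MBR code": sha1_hex(mbr_code),
        "grub: stage1.5 head": sha1_hex(head),
        "grub: stage1.5 rest": sha1_hex(rest),
        "grub: stage2": sha1_hex(stage2),
        "grub: checking MBR": sha1_hex(GRUB_MBR_HEADER + mbr_code),  # target PCR not stated
    }


# Order in which the poster saw the four PCR-4 events in ascii_bios_measurements.
PCR4_ORDER = ["bios: MBR code", "grub: stage1.5 head", "grub: stage1.5 rest", "grub: stage2"]


def predict_pcr4(disk, stage2):
    """Replay the PCR-4 events from an all-zero PCR; extend order matters."""
    digests = grub_measurements(disk, stage2)
    pcr = "00" * 20
    for name in PCR4_ORDER:
        pcr = pcr_extend(pcr, digests[name])
    return pcr


if __name__ == "__main__":
    # Constructed stand-in for /dev/hda (26 sectors) and /boot/grub/stage2, not real images.
    disk = bytes(range(256)) * 52
    print(predict_pcr4(disk, b"constructed stage2 image"))
```

On a real system the disk bytes would come from the raw device, as in the dd commands above, and the result compared against the PCR-4 value the TPM reports after the next boot.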