mjg59 | Filling in the holes in Linux boot chain measurement, and the TPM measurement log

When I wrote about TPM attestation via 2FA, I mentioned that you needed a bootloader that actually performed measurement. I've now written some patches for Shim and Grub that do so.

The Shim code does a couple of things. The obvious one is to measure the second-stage bootloader into PCR 9. The perhaps less expected one is to measure the contents of the MokList and MokSBState UEFI variables into PCR 14. This means that if you're happy simply running a system with your own set of signing keys and just want to ensure that your secure boot configuration hasn't been compromised, you can simply seal to PCR 7 (which will contain the UEFI Secure Boot state as defined by the UEFI spec) and PCR 14 (which will contain the additional state used by Shim) and ignore all the others.

The grub code is a little more complicated because there's more ways to get it to execute code. Right now I've gone for a fairly extreme implementation. On BIOS systems, the grub stage 1 and 2 will be measured into PCR 9[1]. That's the only BIOS-specific part of things. From then on, any grub modules that are loaded will also be measured into PCR 9. The full kernel image will be measured into PCR10, and the full initramfs will be measured into PCR11. The command line passed to the kernel is in PCR12. Finally, each command executed by grub (including those in the config file) is measured into PCR 13.

That's quite a lot of measurement, and there are probably fairly reasonable circumstances under which you won't want to pay attention to all of those PCRs. But you've probably also noticed that several different things may be measured into the same PCR, and that makes it more difficult to figure out what's going on. Thankfully, the spec designers have a solution to this in the form of the TPM measurement log.

Rather than merely extending a PCR with a new hash, software can extend the measurement log at the same time. This is stored outside the TPM and so isn't directly cryptographically protected. In the simplest form, it contains a hash and some form of description of the event associated with that hash. If you replay those hashes you should end up with the same value that's in the TPM, so for attestation purposes you can perform that verification and then merely check that specific log values you care about are correct. This makes it possible to have a system perform an attestation to a remote server that contains a full list of the grub commands that it ran and for that server to make its attestation decision based on a subset of those.

No promises as yet about PCR allocation being final or these patches ever going anywhere in their current form, but it seems reasonable to get them out there so people can play. Let me know if you end up using them!

[1] The code for this is derived from the old Trusted Grub patchset, by way of Sirrix AG's Trusted Grub 2 tree.

Flat | Top-Level Comments Only

From: (Anonymous)

i would be nice if it's available in the debian repo,
also when installing a fresh debian

Given the measurement log, why measure into so many different PCRs? For instance, why measure the kernel and the kernel command line into different PCRs?

From:

mjg59

The TPM itself can't parse the measurement log, so if you wanted some information that was sealed in such a way that changing the kernel would prevent access to it but changing the command line was fine, you need to use different PCRs.

That's part of what I meant. Under what circumstances would you want that? In particular, I would expect the kernel command line to form an essential part of the trust chain; if you can change the kernel command line, even if you can't change the kernel, that seems like enough to break security.

That's going to depend - the command line is also a way of passing various bits of metadata to userspace (such as the default keyboard layout or locale), and you might have a kernel that's sufficiently restricted such that the kernel options passed can't alter your security model.

root= and init= seem like obvious issues there.

If you're using IMA and measuring the executed commands you'd still be fine there.

Would it ever make sense to measure up to grub and its config, then have it verify kernel and initrd, as opposed to measure? (signing being simpler than resealing secrets, is the assumption)

Unfortunately signing initrds is difficult - they tend to be generated as machine-specific objects and regenerated if software updates alter the packages that they contain. You could ship static initrd images to avoid this, but measuring doesn't cause any harm. If you don't want kernel updates to break sealing state, you can just seal the secret against a set of PCRs that doesn't include the kernel or initrd.

flihp

Tested your patches on a 1.2 and a 2.0 system. 1.2 works as expected and verifying that it works is pretty easy, on the 1.2 platform at least: cat /sys/class/tpm/tpm0/device/pcrs after boot.

Some interesting bits on the TPM2 systems I tested: The NUC HSW exhibits the same capability struct packing behavior you encountered. The MSFT TrEE and TCG EFI protocol seem to disagree on this bit but the both use the same GUID which is a bit ugly.

Verifying measurements on a TPM2 system are a pain since AFAIK the kernel module doesn't have a PCR sysfs node to dump the PCRs yet. For the short term I hacked up a grub command to dump the event log.

I had hoped to be able to dump the event log after boot but the TCG ACPI spec for 2.0 doesn't include the event log like it did in 1.2 so the preboot events aren't visible to the Linux. I guess this leaves the bootloader and the kernel to sort things out for themselves?

The only work around thing I've been able to come up with requires a lot of coordination between the kernel and grub: basically passing the event log through a kernel setup_data structure. I haven't looked into more complicated scenarios like multiboot though. Have you given any thought to the "right way" to do this?

@flihp

Thanks! From talking to upstream, it seems that both TrEE and TCG should have an unpacked version of the capabilities structure even though the TCG spec claims it wants a packed one. The next version of the spec should clarify that and indicate that the caps structure is unpacked. It wouldn't entirely surprise me if some implementations are differently broken though, so in the worst case we have some awful heuristics involving the structure length field.

I haven't looked at the event log for TPM 2.0 devices yet. setup_data isn't the worst plan, but it's annoyingly x86 specific. We could always install a UEFI table with a pointer to it…

Thanks for the data w/r to the event log. I've not poked at UEFI till now so I've got some homework to do there.

Do you know if there is any solution for the boot measurement log for TPM 2.0 (on Ubuntu 16.10 it still doesn't have a PCR sysfs node like for TPM 1.2, so how could you verify (replay) the boot time measurements?

Patches should be turning up for that soon.

The patches are now part of CoreOS which I think makes it the very first complete Linux-based solution with measured boot for UEFI platforms, great job!

Any plan for pushing them upstream to Grub2?

Matthew Garrett

Filling in the holes in Linux boot chain measurement, and the TPM measurement log

Filling in the holes in Linux boot chain measurement, and the TPM measurement log

deb package

no subject

no subject

no subject

no subject

no subject

no subject

no subject

no subject

testing

Re: testing

Re: testing

Re: testing

Re: testing

Integration in mainline Grub2?

Profile

About Matthew

Page Summary

Expand Cut Tags