On Mon, Feb 17, 2020 at 04:09:57PM +0100, Julius Zint wrote:
I'm not really in a position to reflash my machine but I would still be
curious for details.
There is no need to reflash your firmware if the system has a integrated
and supported TPM 1.2 chip.
The prototype uses a Static Root of Trust for Measurment (SRTM) approach
where the Chain of Trust is extended from a small immutable firmware part
up to boot(8). Every component in the boot chain is responsible for measuring
the components, that it hands control over the system. Measuring just means
calculating the hash and sending it to the TPM. The following example is the
Chain of Trust from my test system Lenovo Thinkpad X240 with OpenBSD.
1: Core Static Root of Trust for Measurment (C-SRTM) (immutable part of the
2: Firmware (including OptionROMS)
3: MBR (mbr(8))
4: PBR (biosboot(8))
5: boot(8) (residing in the softraid(4) metadata when FDE is enabled)
I changed the mbr(8) and biosboot(8) to support measuring their next component.
Because there is very little available space left in the 440 byte of the mbr(8)
startprogram, you have to choose between CHS and measurement support at compile
boot(8) got support via a machine specific command to seal and unseal a secret
your choosing to any drive. Sealing and unsealing means encrypting/decrypting
data depending on the state of the Platform Control Registers (PCR). PCRs are in
the TPM NVRAM and store the measurements.
With the laptop being in a trusted state, you can seal a secret and store it on
usb drive. When you want to verify, that the software components are unchanged,
plug in the usb drive and unseal the secret. If the output shows the correct
and you were the only person knowing it, than there is a very high chance that
early boot components are unchanged.
Some feedback from the OpenBSD community on this would also be appreciated. Are
enought people interessted in a Trusted Boot with OpenBSD?
That's amazing if you can get it to work without reflashing. Are you
then sealing the disk encryption key?
Unfortunately I have to be a bit conservative with my laptop, but I
would be quite interested in testing this once it's