Sherry Moore wrote:
>
> Scott Rotondo will be posting summary with regard to interaction
> between this project and PSARC 2008/195 "Validated Execution".

We need to worry about interactions with Validated Execution and with
the state of the Trusted Platform Module (TPM), even in the absence of
validation.

A hardware reset is the only way to set the TPM's Platform Configuration
Registers (PCRs) back to their initial value of 0. Because Fast Reboot
is a "warm start," the PCRs will continue to contain values that
reflect the sequence of code that was executed during the original
system boot.

Since the PCRs will not be reset to their starting value, it is
important for the reboot code *not* to extend code measurements into the
PCRs as it would during a normal boot. [1] If it did, the PCRs would
contain a different set of values every time the system was rebooted
without a hardware reset.

As others have suggested, it makes sense to treat the reboot as an
extension of the original boot and require the kernel to perform the
validation that would normally be done by the boot loader. The kernel
will still need to validate the initial manifest, and we want to
maintain the property that successful validation of the initial manifest
requires administrative action using the TPM Owner password.

Therefore, we probably want to seal the new initial manifest using the
current PCR contents (and the TPM Owner password) at the time that the
reboot is requested. Upon reboot, the kernel must recognize that it
should not extend PCR values for bootstrapping code, and it needs to
validate the code it loads using the appropriate new initial manifest.

The two project teams will need to work together on some details, but we
are convinced that Validated Execution and Fast Reboot are not incompatible.

Scott

[1] PCR values are never overwritten. They are "extended" by
concatenating the existing value and the new measurement and then
hashing the concatenation to produce the new value. This allows a single
fixed-size register to contain a value that is uniquely determined by an
arbitrarily long sequence of measurements.
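The PCR extend operation from footnote [1] and the warm-start argument above, as an added illustration that is not part of the thread or of either project's code. It assumes TPM 1.2 semantics (20-byte SHA-1 PCRs), models sealing as a plain PCR-comparison policy, and uses constructed stage images in place of real boot code.

```python
import hashlib
# Assumption: TPM 1.2 semantics, where a PCR is a 20-byte SHA-1 register.
PCR_INITIAL = bytes(20)

def pcr_extend(pcr, measurement):
    """One extend: PCR_new = SHA-1(PCR_old || SHA-1(measurement)).
    The register is never overwritten; its value is fixed by the whole
    ordered sequence of measurements folded into it."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def cold_boot(stages):
    """Hardware reset: the PCR starts at zero, then each stage is extended."""
    pcr = PCR_INITIAL
    for image in stages:
        pcr = pcr_extend(pcr, image)
    return pcr

def fast_reboot(pcr, stages, extend_again):
    """Warm start: the PCR keeps its value.  extend_again=True models the
    mistake the mail warns about, re-measuring as if after a hardware reset."""
    if extend_again:
        for image in stages:
            pcr = pcr_extend(pcr, image)
    return pcr

def unseal(sealed, pcr):
    """Model of TPM sealing as a policy check: sealed is (secret, PCR value
    at seal time) and it opens only when the current PCR matches."""
    secret, expected_pcr = sealed
    return secret if expected_pcr == pcr else None

# Constructed stage images; a real implementation hashes the loaded code.
STAGES = [b"boot loader", b"unix", b"boot_archive"]

def demo():
    """Seal the new initial manifest to the PCR when the reboot is requested,
    then compare a correct warm start with one that re-extends."""
    cold = cold_boot(STAGES)
    manifest = (b"new initial manifest", cold)
    warm_ok = fast_reboot(cold, STAGES, extend_again=False)
    warm_bad = fast_reboot(cold, STAGES, extend_again=True)
    warm_bad2 = fast_reboot(warm_bad, STAGES, extend_again=True)
    return {
        "warm_start_keeps_pcr": warm_ok == cold,
        "re_extend_changes_pcr": warm_bad != cold,
        "every_bad_reboot_differs": warm_bad2 != warm_bad,
        "manifest_opens_after_correct_reboot": unseal(manifest, warm_ok) is not None,
        "manifest_opens_after_bad_reboot": unseal(manifest, warm_bad) is not None,
    }
```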