Re: Add TPM measured boot support
Hi Matthew,

On Sat, Apr 07, 2018 at 01:36:28AM +0100, Matthew Garrett wrote:
> On Tue, Jan 23, 2018 at 12:45:14PM +0100, Daniel Kiper wrote:
>
> > Sadly yes. Sorry about that. However, this is still on my radar. I hope that
> > I come back to work on this in a few weeks.
>
> Hi Daniel,
>
> Any news on this front? Thanks!

Good news is that my plans have not changed. Bad news is that everything moves
much slower than I expected. However, this task is the second one on my TODO
list. Right now I have to post some Xen secure boot patches (this is also
delayed a few months) which depend on this work to some extent too. So, I
expect that I will take a stab at it in May or June. Anyway, sorry for delays.

Daniel
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Re: Add TPM measured boot support
On Tue, Jan 23, 2018 at 12:45:14PM +0100, Daniel Kiper wrote:
> Sadly yes. Sorry about that. However, this is still on my radar. I hope that
> I come back to work on this in a few weeks.

Hi Daniel,

Any news on this front? Thanks!

--
Matthew Garrett | mj...@srcf.ucam.org
Re: Add TPM measured boot support
On Fri, Jan 19, 2018 at 10:32:49AM +0100, Javier Martinez Canillas wrote:
> On 07/21/2017 04:32 PM, Daniel Kiper wrote:
> > On Thu, Jul 20, 2017 at 11:41:11PM +0100, Matthew Garrett wrote:
> >> On Wed, Jul 05, 2017 at 02:19:55PM -0700, Matthew Garrett wrote:
> >>> This patchset extends the verifier framework to support verifying commands
> >>> executed by Grub, and makes use of this to add support for measuring files
> >>> and commands executed by grub into the TPM on UEFI-based systems.
> >>
> >> Any feedback on this? Vladimir, are you planning on merging your
> >
> > Will take a look next week (well, I was going to do some review this
> > week but still recovering after Xen conference). Sorry for delays.
> >
> >> verifier branch?
> >
> > Yes, we are going to merge this. Though we are still discussing some
> > details.
> > Please be patient...
>
> Any update on this series? I see that even the verifier framework hasn't
> been merged yet.

Sadly yes. Sorry about that. However, this is still on my radar. I hope that
I come back to work on this in a few weeks.

Daniel
Re: Add TPM measured boot support
On 07/21/2017 04:32 PM, Daniel Kiper wrote:
> On Thu, Jul 20, 2017 at 11:41:11PM +0100, Matthew Garrett wrote:
>> On Wed, Jul 05, 2017 at 02:19:55PM -0700, Matthew Garrett wrote:
>>> This patchset extends the verifier framework to support verifying commands
>>> executed by Grub, and makes use of this to add support for measuring files
>>> and commands executed by grub into the TPM on UEFI-based systems.
>>
>> Any feedback on this? Vladimir, are you planning on merging your
>
> Will take a look next week (well, I was going to do some review this
> week but still recovering after Xen conference). Sorry for delays.
>
>> verifier branch?
>
> Yes, we are going to merge this. Though we are still discussing some details.
> Please be patient...
>

Any update on this series? I see that even the verifier framework hasn't been
merged yet.

> Daniel
>

Best regards,
--
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat
Re: Add TPM measured boot support
On Thu, Jul 20, 2017 at 11:41:11PM +0100, Matthew Garrett wrote:
> On Wed, Jul 05, 2017 at 02:19:55PM -0700, Matthew Garrett wrote:
> > This patchset extends the verifier framework to support verifying commands
> > executed by Grub, and makes use of this to add support for measuring files
> > and commands executed by grub into the TPM on UEFI-based systems.
>
> Any feedback on this? Vladimir, are you planning on merging your

Will take a look next week (well, I was going to do some review this
week but still recovering after Xen conference). Sorry for delays.

> verifier branch?

Yes, we are going to merge this. Though we are still discussing some details.
Please be patient...

Daniel
Re: Add TPM measured boot support
Hello Matthew,

On 07/21/2017 12:41 AM, Matthew Garrett wrote:
> On Wed, Jul 05, 2017 at 02:19:55PM -0700, Matthew Garrett wrote:
>> This patchset extends the verifier framework to support verifying commands
>> executed by Grub, and makes use of this to add support for measuring files
>> and commands executed by grub into the TPM on UEFI-based systems.
>
> Any feedback on this? Vladimir, are you planning on merging your
> verifier branch?
>

I've given a try to this new version of your patches and it worked correctly:

$ tpm2_listpcrs -L 0x4:8,9
Bank/Algorithm: TPM_ALG_SHA1(0x0004)
PCR_08: fb 91 4b bb 62 48 00 7f 5f 32 d0 58 24 23 92 a6 a8 39 7a c4
PCR_09: 78 cc c7 b8 4c 95 dc 21 8e bd a2 07 d9 94 0a 4c 95 e6 44 d2

Without your patches:

$ tpm2_listpcrs -L 0x4:8,9
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: aa 40 46 af 96 b1 62 d0 8e 9c 10 b2 1a 2f a8 5e ac 84 cd e4

I've also tested changing the linux image, modifying the kernel command line
parameters, inserting other grub modules and changing the grub commands. In
all cases I see that the PCR hashes changed.

Best regards,
--
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat
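The PCR behaviour reported in the message above, as an added example that is not part of the original thread or of the patchset: it parses the two quoted tpm2_listpcrs outputs, flags PCRs still at their reset value, and replays the SHA-1 extend operation to show why any change in measured content or order gives a different PCR. The function names and the command strings are assumptions; the thread does not show the exact bytes GRUB hashes.

```python
import hashlib
import re

# PCR values quoted in the message above (SHA-1 bank, PCRs 8 and 9).
WITH_PATCHES = """\
PCR_08: fb 91 4b bb 62 48 00 7f 5f 32 d0 58 24 23 92 a6 a8 39 7a c4
PCR_09: 78 cc c7 b8 4c 95 dc 21 8e bd a2 07 d9 94 0a 4c 95 e6 44 d2
"""
WITHOUT_PATCHES = """\
PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR_09: aa 40 46 af 96 b1 62 d0 8e 9c 10 b2 1a 2f a8 5e ac 84 cd e4
"""
RESET = bytes(20)  # PCRs 0-15 reset to all zeros at power-on
PCR_LINE = re.compile(r"PCR_(\d+):((?:\s*[0-9a-fA-F]{2}){20})")

def parse_pcrs(text):
    """Map PCR index -> 20-byte value from tpm2_listpcrs-style lines."""
    return {int(i): bytes.fromhex("".join(h.split()))
            for i, h in PCR_LINE.findall(text)}

def unmeasured(pcrs):
    """PCR indexes still at the reset value, i.e. nothing was extended."""
    return sorted(i for i, v in pcrs.items() if v == RESET)

def extend(pcr, data):
    """TPM extend: new PCR = SHA1(old PCR || SHA1(measured data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def replay(events):
    """Replay an ordered list of measured byte strings from reset."""
    pcr = RESET
    for event in events:
        pcr = extend(pcr, event)
    return pcr

# Constructed command list; the exact strings GRUB measures are assumed.
BOOT = [b"set root=(hd0,gpt2)",
        b"linux /vmlinuz root=/dev/sda2 ro quiet",
        b"initrd /initramfs.img"]
MODIFIED = [BOOT[0], BOOT[1] + b" debug", BOOT[2]]

if __name__ == "__main__":
    print("reset PCRs with patches:   ", unmeasured(parse_pcrs(WITH_PATCHES)))
    print("reset PCRs without patches:", unmeasured(parse_pcrs(WITHOUT_PATCHES)))
    print("expected :", replay(BOOT).hex())
    print("modified :", replay(MODIFIED).hex())
    print("reordered:", replay(BOOT[::-1]).hex())
```
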
Re: Add TPM measured boot support
On Wed, Jul 05, 2017 at 02:19:55PM -0700, Matthew Garrett wrote:
> This patchset extends the verifier framework to support verifying commands
> executed by Grub, and makes use of this to add support for measuring files
> and commands executed by grub into the TPM on UEFI-based systems.

Any feedback on this? Vladimir, are you planning on merging your
verifier branch?

--
Matthew Garrett | mj...@srcf.ucam.org