Jonathan McCune <jonmccune <at> cmu.edu> writes:

> Hi list,
>
> I'm having a tough time recomputing the values that I find in PCR 17
> following SENTER. I'm using i5_i7_DUAL_SINIT_18.BIN (I believe this
> to be the latest available), which produces a version 7
> sinit_to_mle_data.
>
> Looking at Section 1.9.1 in the spec, it's quite unclear to me exactly
> what it's trying to tell me will be in PCR 17.
>
> From the spec:
>
> If SinitMleData.Version = 7, PCR 17’s final value will be:
>
> SHA-1 ( SinitMleData.SinitHash | SHA-1 ( SinitMleData.BiosAcm.ID |
> SinitMleData.MsegValid | SinitMleData.StmHash | SinitMleData.PolicyControl |
> SinitMleData.LcpPolicyHash | (OsSinitData.Capabilities, 0) ) )
>
> There are at least three problems with this. (1) There is no mention
> of a PCR Extend (contrast with the clear explanation for version 6
> sinit_to_mle_data which I have used successfully in the past), and (2)
> This expression is inconsistent with the paragraph at the start of
> Section 1.9.1 which mentions the use of SHA-256 to hash the "SINIT
> ACM". I don't see SHA-256 in that expression anywhere. (3) It is not
> mentioned whether the 4-byte EdxSenterFlags is also input to SHA-256
> or not.
>
> I'd rather not try to map out all the different possibilities and
> figure this out experimentally.
>
> Things don't look much better for version 8 but I don't have the
> hardware to test that.
>
> Thanks!
> -Jon
These are the steps I took to repro PCR-17. Hope it helps.

#!/bin/bash
###############################################################################
# PCR17 Calculation (SinitMleData_Version=7)
###############################################################################
# The helpers used below (binaryfi, fmt_bytestr, mimic_extend.sh) were not
# included in the original post; the definitions here are assumed stand-ins:
# binaryfi converts a hex string to raw bytes, fmt_bytestr pretty-prints a
# hex digest, and mimic_extend reproduces a TPM 1.2 PCR extend, i.e.
# SHA-1(old || new) over the raw bytes.
binaryfi() { xxd -r -p; }
fmt_bytestr() { echo "$1" | sed 's/../& /g'; }
mimic_extend() { printf '%s' "$1$2" | binaryfi | sha1sum | awk '{ print $1 }'; }

SinitMleData_SinitHash=$( txt-stat | grep sinit_hash -A1 | tail -n1 | awk '{gsub(/ /,"");print $1}')
SinitMleData_BiosAcmID=$( txt-stat | grep bios_acm_id -A1 | tail -n1 | awk '{gsub(/ /,"");print $1}')
SinitMleData_MsegValid="0000000000000000"
SinitMleData_StmHash="0000000000000000000000000000000000000000"
SinitMleData_PolicyControl="00000000"   # will be non-zero if an LCP is defined
SinitMleData_LcpPolicyHash=$( txt-stat | grep lcp_policy_hash -A1 | tail -n1 | awk '{gsub(/ /,"");print $1}')
OsSinitData_Capabilities="00000000"     # as defined in Sec 1.9.1 (pp.14) of "Intel TXT Software Dev Guide, MLE Dev Guide, March 2011"

# Inner hash input: BiosAcm.ID | MsegValid | StmHash | PolicyControl | LcpPolicyHash | Capabilities
PCR17_PARTB1="$SinitMleData_BiosAcmID$SinitMleData_MsegValid$SinitMleData_StmHash$SinitMleData_PolicyControl$SinitMleData_LcpPolicyHash$OsSinitData_Capabilities"
PCR17_STEP1=$(printf '%s' "$PCR17_PARTB1" | binaryfi | sha1sum | awk '{ print $1 }')
echo "value extending PCR17 (i.e. sinit_hash) = $(fmt_bytestr $PCR17_STEP1)"

# Outer hash: SHA-1 ( SinitHash | inner hash ), i.e. PCR17 as SINIT leaves it
PCR17_PRE_VL=$(printf '%s' "$SinitMleData_SinitHash$PCR17_STEP1" | binaryfi | sha1sum | awk '{ print $1 }')

POLICY_HASH=$( txt-stat | grep " pol_hash:" | awk -F 'pol_hash:' '{ gsub(/ /,""); print $2}')
# Using policy_control from `txt-stat | grep " policy_control:" | head -n 1`
# Remember endianness! (policy_control = 1 is written as 01000000)
POLICY_CONTROL="01000000"
PCR17_VL_MEAS=$(printf '%s' "$POLICY_CONTROL$POLICY_HASH" | binaryfi | sha1sum | awk '{ print $1 }')
echo "PENULTIMATE_PCR17= $(fmt_bytestr $PCR17_PRE_VL)"
echo "PCR17_VL_MEAS= $(fmt_bytestr $PCR17_VL_MEAS)"
# first argument is the old PCR value, second is the new measurement
PCR17_FINAL=$(mimic_extend "$PCR17_PRE_VL" "$PCR17_VL_MEAS")
echo "PCR17_FINAL= $(fmt_bytestr $PCR17_FINAL)"

-JP

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel
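The same PCR 17 computation carried out in Python, as an added example that is not code from this thread or from tboot. It follows the Version = 7 formula quoted from Section 1.9.1 and then performs the extend with SHA-1(policy_control || pol_hash) exactly as the shell steps above do; every field value in it is a constructed placeholder standing in for txt-stat output, and the field widths are assumed from the zero-filled strings in the script (8-byte BiosAcm.ID and MsegValid, 20-byte hashes, 4-byte PolicyControl and Capabilities).

```python
"""Recompute PCR 17 for a SinitMleData.Version == 7 launch, following the
formula quoted from Section 1.9.1 and the extend step in the shell script.

Every field value in this file is a constructed placeholder; substitute
the hex strings txt-stat prints on the machine being checked.
"""
import hashlib
import struct

SHA1_LEN = 20


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def hex_field(hexstr: str, nbytes: int) -> bytes:
    """Parse a hex string as txt-stat prints it (spaces tolerated) and
    reject it unless it is exactly as wide as the structure field."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    if len(raw) != nbytes:
        raise ValueError(f"expected {nbytes} bytes, got {len(raw)}")
    return raw


def pcr_extend(old: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 PCR extend: new = SHA-1(old || measurement).
    Order matters, so extending A then B differs from B then A."""
    if len(old) != SHA1_LEN or len(measurement) != SHA1_LEN:
        raise ValueError("extend operands must be 20-byte SHA-1 digests")
    return sha1(old + measurement)


# Assumed widths of the Version 7 SinitMleData members used by the formula
# (the widths the shell script's zero-filled strings encode).
V7_WIDTHS = {
    "sinit_hash": 20, "bios_acm_id": 8, "mseg_valid": 8, "stm_hash": 20,
    "policy_control": 4, "lcp_policy_hash": 20, "capabilities": 4,
}


def pcr17_after_senter_v7(f: dict) -> bytes:
    """PCR 17 as SINIT leaves it for Version = 7:
    SHA-1(SinitHash | SHA-1(BiosAcm.ID | MsegValid | StmHash |
                            PolicyControl | LcpPolicyHash | Capabilities)).
    The outer hash is SHA-1 over two 20-byte values, which is exactly the
    shape of a PCR extend with SinitHash in the role of the prior value."""
    for name, width in V7_WIDTHS.items():
        if len(f[name]) != width:
            raise ValueError(f"{name} must be {width} bytes")
    inner = sha1(f["bios_acm_id"] + f["mseg_valid"] + f["stm_hash"]
                 + f["policy_control"] + f["lcp_policy_hash"]
                 + f["capabilities"])
    return sha1(f["sinit_hash"] + inner)


def vl_policy_measurement(policy_control: int, pol_hash: bytes) -> bytes:
    """Verified-launch policy measurement extended into PCR 17 after SENTER:
    SHA-1(policy_control || pol_hash). policy_control is a 32-bit field
    serialised little-endian, so a value of 1 hashes as 01 00 00 00 (the
    "remember endianness" point in the script)."""
    if len(pol_hash) != SHA1_LEN:
        raise ValueError("pol_hash must be a 20-byte SHA-1 digest")
    return sha1(struct.pack("<I", policy_control) + pol_hash)


def pcr17_final(f: dict, policy_control: int, pol_hash: bytes) -> bytes:
    pre_vl = pcr17_after_senter_v7(f)
    return pcr_extend(pre_vl, vl_policy_measurement(policy_control, pol_hash))


# Constructed sample values standing in for txt-stat output. No LCP is
# defined, so MsegValid, StmHash, PolicyControl, LcpPolicyHash and
# Capabilities are all zero, as in the script.
SAMPLE_FIELDS = {
    "sinit_hash": hex_field("00112233445566778899aabbccddeeff00112233", 20),
    "bios_acm_id": hex_field("0102030405060708", 8),
    "mseg_valid": bytes(8),
    "stm_hash": bytes(20),
    "policy_control": bytes(4),
    "lcp_policy_hash": bytes(20),
    "capabilities": bytes(4),
}
SAMPLE_POL_HASH = hex_field("deadbeef" * 5, 20)  # constructed pol_hash


def example_pcr17(policy_control: int = 1) -> bytes:
    """Run the full computation on the constructed sample and return the
    20-byte PCR 17 value to compare against what the TPM reports."""
    return pcr17_final(SAMPLE_FIELDS, policy_control, SAMPLE_POL_HASH)


if __name__ == "__main__":
    print("PENULTIMATE_PCR17 =", pcr17_after_senter_v7(SAMPLE_FIELDS).hex())
    print("PCR17_FINAL       =", example_pcr17().hex())
```

Feeding it real values means replacing the `SAMPLE_*` constants with the `sinit_hash`, `bios_acm_id`, `lcp_policy_hash` and `pol_hash` lines from txt-stat; a mismatch against the TPM's PCR 17 then isolates to one of three inputs: a wrong field width, the wrong byte order in `policy_control`, or a different measurement being extended after SENTER.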