Hi Jimmy,

Thanks for your quick response. I double checked the data lengths and they
seem to be correct. I'm copying the Python code I'm using below.

I was able to use a slightly modified version of the function below to
validate the PCR 17 computed by Jonathan McCune's Perl script
(http://sourceforge.net/mailarchive/message.php?msg_id=23257129), so I'm
reasonably confident the basic code (unhexlify, update, etc.) is correct.

Thanks,
Sahil


import binascii
import hashlib


def computePcr17():
#    all_zeroes_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

    # Values copied from the tboot sinit_mle_data dump
    bios_acm_id_ascii = "80 00 00 00 20 12 05 09 00 00 1d 00 ff ff ff ff ff ff ff ff"
#    edx_senter_flags_ascii = "00 00 00 00"
    mseg_valid_ascii = "00 00 00 00 00 00 00 00"

    sinit_hash_ascii = "7e e6 40 51 b4 2b 49 18 4f fe 41 6d 60 09 46 3e e2 84 3d 04"
    mle_hash_ascii = "d0 29 d7 7e 2f 4f 32 4b a2 d4 23 53 db 06 79 b5 13 d8 33 34"
    stm_hash_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    lcp_policy_hash_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

    lcp_policy_control_ascii = "00 00 00 00"
    os_sinit_capabilities_ascii = "00 00 00 00"
    scrtm_status_ascii = "00 00 00 01"

    # Convert the space-separated hex strings to raw bytes
#    all_zeroes_hex = binascii.unhexlify(all_zeroes_ascii.replace(' ', ''))
    sinit_hash_hex = binascii.unhexlify(sinit_hash_ascii.replace(' ', ''))
#    edx_senter_flags_hex = binascii.unhexlify(edx_senter_flags_ascii.replace(' ', ''))

    bios_acm_id_hex = binascii.unhexlify(bios_acm_id_ascii.replace(' ', ''))
    mseg_valid_hex = binascii.unhexlify(mseg_valid_ascii.replace(' ', ''))
    stm_hash_hex = binascii.unhexlify(stm_hash_ascii.replace(' ', ''))
    lcp_policy_control_hex = binascii.unhexlify(lcp_policy_control_ascii.replace(' ', ''))
    lcp_policy_hash_hex = binascii.unhexlify(lcp_policy_hash_ascii.replace(' ', ''))
    os_sinit_capabilities_hex = binascii.unhexlify(os_sinit_capabilities_ascii.replace(' ', ''))
    scrtm_status_hex = binascii.unhexlify(scrtm_status_ascii.replace(' ', ''))

    # Inner hash: the data measured by the second extend
    sha1_pcr17_second = hashlib.sha1()
    sha1_pcr17_second.update(bios_acm_id_hex)
    sha1_pcr17_second.update(mseg_valid_hex)
    sha1_pcr17_second.update(stm_hash_hex)
    sha1_pcr17_second.update(lcp_policy_control_hex)
    sha1_pcr17_second.update(lcp_policy_hash_hex)
    sha1_pcr17_second.update(os_sinit_capabilities_hex)
    sha1_pcr17_second.update(scrtm_status_hex)

    # Outer hash: SinitHash extended with the inner digest
    pcr17 = hashlib.sha1()
    pcr17.update(sinit_hash_hex)
    pcr17.update(sha1_pcr17_second.digest())

    print("sha1_pcr17_second: " + sha1_pcr17_second.hexdigest())
    print("final pcr17: " + pcr17.hexdigest())


This is the output from tboot that I'm using to initialize the variables in
the function:

TBOOT: sinit_mle_data (@0xcf7311b8, 0x224):
TBOOT:  version: 8
TBOOT:  bios_acm_id:  80 00 00 00 20 12 05 09 00 00 1d 00 ff ff ff ff ff ff ff ff
TBOOT:  edx_senter_flags: 0x00000000
TBOOT:  mseg_valid: 0x0
TBOOT:  sinit_hash: 7e e6 40 51 b4 2b 49 18 4f fe 41 6d 60 09 46 3e e2 84 3d 04
TBOOT:  mle_hash: d0 29 d7 7e 2f 4f 32 4b a2 d4 23 53 db 06 79 b5 13 d8 33 34
TBOOT:  stm_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TBOOT:  lcp_policy_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TBOOT:  lcp_policy_control: 0x00000000
TBOOT:  rlp_wakeup_addr: 0xcf701220
TBOOT:  num_mdrs: 7
TBOOT:  mdrs_off: 0x9c
TBOOT:  num_vtd_dmars: 224
TBOOT:  vtd_dmars_off: 0x144
TBOOT:  sinit_mdrs:
TBOOT:  0000000000000000 - 00000000000a0000 (GOOD)
TBOOT:  0000000000100000 - 0000000001000000 (GOOD)
TBOOT:  0000000001000000 - 00000000cf800000 (GOOD)
TBOOT:  0000000100000000 - 0000000430000000 (GOOD)
TBOOT:  0000000000000000 - 0000000000000000 (GOOD)
TBOOT:  00000000cf800000 - 00000000d0000000 (SMRAM NON-OVERLAY)
TBOOT:  00000000e0000000 - 00000000e4000000 (PCIE EXTENDED CONFIG)
TBOOT:  proc_scrtm_status: 0x00000001


I expect that it should match the value of PCR 17 after SENTER (and before
it is extended by tboot):

TBOOT: PCRs before extending:
TBOOT:   PCR 17: a9 6f c9 dd 99 f7 5d 07 18 eb e5 3d 38 c7 eb 8f 14 9e 76 95
TBOOT:   PCR 18: a4 1b b3 ef 12 f6 d6 65 58 60 b9 05 4d 72 6f f0 ca 78 21 54
TBOOT:   PCR 19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00


On Wed, Jan 30, 2013 at 5:54 PM, Wei, Gang <gang....@intel.com> wrote:

> Sahil Rihan wrote on 2013-01-31:
> > Hi list,
> >
> > Like a few before me, I'm trying to calculate in software the value of PCR17
> > after SENTER. I'm taking the value of the first extend as a given (from
> > SinitMleData.SinitHash) and am trying to reconstruct the value at the end of
> > the second extend.
> >
> > I took Jonathan McCune's Perl script as a starting point and was able to
> > reproduce his result (which I'm assuming is for SinitMleData.Version 6, given
> > his computation of the first PCR17 extend in his Perl script) using a Python
> > script I wrote. I then modified my script to use the value from
> > SinitMleData.SinitHash directly (since my understanding is that it contains the
> > value of PCR17 after the first extend for SinitMleData.Version 8).
> >
> > So my computation is now identical to the one in the MLE Developer's Guide.
> >
> > SHA-1 ( SinitMleData.SinitHash  | SHA-1 ( SinitMleData.BiosAcm.ID |
> > SinitMleData.MsegValid | SinitMleData.StmHash |
> > SinitMleData.PolicyControl | SinitMleData.LcpPolicyHash |
> > (OsSinitData.Capabilities, 0) | SinitMleData.ProcessorSCRTMStatus) )
> >
> > Unfortunately, I'm not able to get to the value for PCR 17 that tboot dumps,
> > before it performs its own extend to PCR17.
> >
> > If anyone has successfully computed PCR 17 or has thoughts on what I might be
> > doing wrong, I'd appreciate your input.
>
> Please make sure the data length you used for PCR17 value calculation is
> right:
>
> SinitMleData.MsegValid             8 bytes
> SinitMleData.PolicyControl         4 bytes
> (OsSinitData.Capabilities, 0)      4 bytes
> SinitMleData.ProcessorSCRTMStatus  4 bytes
>
> And (OsSinitData.Capabilities,0) means:
>
> if SinitMleData.PolicyControl.bit2 is 1, use value of OsSinitData.Capabilities
> if SinitMleData.PolicyControl.bit2 is 0, use a 4-byte 0s.
>
> Wish those will help.
>
> Jimmy
>
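
An added example, not part of the original thread or of tboot: it parses the logged fields, applies the field lengths and the (OsSinitData.Capabilities, 0) rule from the quoted reply, and evaluates the quoted formula. The thread does not state how the integer fields are serialized, so both byte orders are computed for comparison with the logged PCR 17; "big" reproduces the encoding used in the posted function. The function names are hypothetical, and bit 2 is assumed to be zero-based (mask 0x4).

```python
import hashlib
import re

# Widths in bytes of the integer fields, from the reply quoted in the thread.
INT_WIDTHS = {"mseg_valid": 8, "lcp_policy_control": 4, "proc_scrtm_status": 4}
HASH_FIELDS = ("bios_acm_id", "sinit_hash", "stm_hash", "lcp_policy_hash")

# Sample input: field values copied from the tboot dump in the message above.
SAMPLE_LOG = """\
TBOOT:  bios_acm_id:  80 00 00 00 20 12 05 09 00 00 1d 00 ff ff ff ff ff ff ff ff
TBOOT:  mseg_valid: 0x0
TBOOT:  sinit_hash: 7e e6 40 51 b4 2b 49 18 4f fe 41 6d 60 09 46 3e e2 84 3d 04
TBOOT:  stm_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TBOOT:  lcp_policy_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TBOOT:  lcp_policy_control: 0x00000000
TBOOT:  proc_scrtm_status: 0x00000001
"""

def parse_fields(log):
    """Extract the fields used by the PCR 17 formula from tboot log text."""
    fields = {}
    for name, value in re.findall(r"TBOOT:\s+(\w+):\s+(.+)", log):
        if name in HASH_FIELDS:
            fields[name] = bytes.fromhex(value)
            if len(fields[name]) != 20:
                raise ValueError(f"{name}: expected 20 bytes, got {len(fields[name])}")
        elif name in INT_WIDTHS:
            fields[name] = int(value, 16)
    return fields

def pcr17_after_senter(f, os_sinit_caps=0, byteorder="little"):
    """SHA-1(SinitHash | SHA-1(...)) with the operands quoted in the thread."""
    enc = lambda name: f[name].to_bytes(INT_WIDTHS[name], byteorder)
    # (OsSinitData.Capabilities, 0): zero unless PolicyControl bit 2 is set
    # (bit numbering assumed zero-based, i.e. mask 0x4).
    caps = os_sinit_caps if f["lcp_policy_control"] & 0x4 else 0
    inner = (f["bios_acm_id"] + enc("mseg_valid") + f["stm_hash"]
             + enc("lcp_policy_control") + f["lcp_policy_hash"]
             + caps.to_bytes(4, byteorder) + enc("proc_scrtm_status"))
    if len(inner) != 80:  # 20 + 8 + 20 + 4 + 20 + 4 + 4
        raise ValueError("second-extend input must be 80 bytes")
    return hashlib.sha1(f["sinit_hash"] + hashlib.sha1(inner).digest()).hexdigest()

def candidates(log, os_sinit_caps=0):
    """PCR 17 candidates for both serializations of the integer fields."""
    f = parse_fields(log)
    return {bo: pcr17_after_senter(f, os_sinit_caps, bo) for bo in ("little", "big")}

if __name__ == "__main__":
    for order, digest in candidates(SAMPLE_LOG).items():
        print(order, digest)
```
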