I'm using the value from SinitMleData.SinitHash directly. I'm assuming that
this is the value of PCR 17 after the first extend based on the following:
"If the SINIT To MLE Data Table (section C.4) version is 7 or greater, the
hash of the SINIT ACM is performed using SHA-256, otherwise it uses
SHA-1. If a SHA-256 hash was used, the SinitMleData.SinitHash field will
contain the value of PCR 17 after the initial extend operation (see below
for more details)."
Also, just to clarify, SHA-256 is only used for hashing SINIT; the
rest of the hashes are performed using SHA-1. Is that correct?
On Thu, Jan 31, 2013 at 10:49 AM, Jonathan McCune <jonmcc...@gmail.com> wrote:
> In MLE dev guide sec 1.9.1: "If the SINIT To MLE Data Table (section
> C.4) version is 7 or greater, the hash of the SINIT ACM is performed
> using SHA-256, otherwise it uses SHA-1."
>
> Are you using SHA-2 where appropriate?
>
> -Jon
>
>
> On Thu, Jan 31, 2013 at 10:41 AM, Sahil Rihan <sa...@privatecore.com> wrote:
> > Hi Jimmy,
> >
> > Thanks for your quick response. I double checked the data lengths and they
> > seem to be correct. I'm copying the Python code I'm using below.
> >
> > I was able to use a slightly modified version of the function below to
> > validate the PCR 17 computed by Jonathan McCune's Perl script
> > (http://sourceforge.net/mailarchive/message.php?msg_id=23257129), so I'm
> > reasonably confident the basic code (unhexlify, update, etc.) is correct.
> >
> > Thanks,
> > Sahil
> >
> >
> > import binascii
> > import hashlib
> >
> > def computePcr17():
> >     # Field values copied from the tboot sinit_mle_data dump below.
> >     # all_zeroes_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
> >
> >     bios_acm_id_ascii = "80 00 00 00 20 12 05 09 00 00 1d 00 ff ff ff ff ff ff ff ff"
> >     # edx_senter_flags_ascii = "00 00 00 00"
> >     mseg_valid_ascii = "00 00 00 00 00 00 00 00"
> >
> >     sinit_hash_ascii = "7e e6 40 51 b4 2b 49 18 4f fe 41 6d 60 09 46 3e e2 84 3d 04"
> >     mle_hash_ascii = "d0 29 d7 7e 2f 4f 32 4b a2 d4 23 53 db 06 79 b5 13 d8 33 34"
> >     stm_hash_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
> >     lcp_policy_hash_ascii = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
> >
> >     lcp_policy_control_ascii = "00 00 00 00"
> >     os_sinit_capabilities_ascii = "00 00 00 00"
> >     scrtm_status_ascii = "00 00 00 01"
> >
> >     # Convert the space-separated hex strings to raw bytes.
> >     # all_zeroes_hex = binascii.unhexlify(all_zeroes_ascii.replace(' ', ''))
> >     sinit_hash_hex = binascii.unhexlify(sinit_hash_ascii.replace(' ', ''))
> >     # edx_senter_flags_hex = binascii.unhexlify(edx_senter_flags_ascii.replace(' ', ''))
> >
> >     bios_acm_id_hex = binascii.unhexlify(bios_acm_id_ascii.replace(' ', ''))
> >     mseg_valid_hex = binascii.unhexlify(mseg_valid_ascii.replace(' ', ''))
> >     stm_hash_hex = binascii.unhexlify(stm_hash_ascii.replace(' ', ''))
> >     lcp_policy_control_hex = binascii.unhexlify(lcp_policy_control_ascii.replace(' ', ''))
> >     lcp_policy_hash_hex = binascii.unhexlify(lcp_policy_hash_ascii.replace(' ', ''))
> >     os_sinit_capabilities_hex = binascii.unhexlify(os_sinit_capabilities_ascii.replace(' ', ''))
> >     scrtm_status_hex = binascii.unhexlify(scrtm_status_ascii.replace(' ', ''))
> >
> >     # Inner SHA-1 over the concatenated fields of the second extend.
> >     sha1_pcr17_second = hashlib.sha1()
> >     sha1_pcr17_second.update(bios_acm_id_hex)
> >     sha1_pcr17_second.update(mseg_valid_hex)
> >     sha1_pcr17_second.update(stm_hash_hex)
> >     sha1_pcr17_second.update(lcp_policy_control_hex)
> >     sha1_pcr17_second.update(lcp_policy_hash_hex)
> >     sha1_pcr17_second.update(os_sinit_capabilities_hex)
> >     sha1_pcr17_second.update(scrtm_status_hex)
> >
> >     # Outer SHA-1: SinitHash (PCR 17 after the first extend) | inner digest.
> >     pcr17 = hashlib.sha1()
> >     pcr17.update(sinit_hash_hex)
> >     pcr17.update(sha1_pcr17_second.digest())
> >
> >     print("sha1_pcr17_second: " + sha1_pcr17_second.hexdigest())
> >     print("final pcr17: " + pcr17.hexdigest())
> >
> >
> > This is the output from tboot that I'm using to initialize the variables in
> > the function:
> >
> > TBOOT: sinit_mle_data (@0xcf7311b8, 0x224):
> > TBOOT: version: 8
> > TBOOT: bios_acm_id: 80 00 00 00 20 12 05 09 00 00 1d 00 ff ff ff ff ff ff ff ff
> > TBOOT: edx_senter_flags: 0x00000000
> > TBOOT: mseg_valid: 0x0
> > TBOOT: sinit_hash: 7e e6 40 51 b4 2b 49 18 4f fe 41 6d 60 09 46 3e e2 84 3d 04
> > TBOOT: mle_hash: d0 29 d7 7e 2f 4f 32 4b a2 d4 23 53 db 06 79 b5 13 d8 33 34
> > TBOOT: stm_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > TBOOT: lcp_policy_hash: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > TBOOT: lcp_policy_control: 0x00000000
> > TBOOT: rlp_wakeup_addr: 0xcf701220
> > TBOOT: num_mdrs: 7
> > TBOOT: mdrs_off: 0x9c
> > TBOOT: num_vtd_dmars: 224
> > TBOOT: vtd_dmars_off: 0x144
> > TBOOT: sinit_mdrs:
> > TBOOT: 0000000000000000 - 00000000000a0000 (GOOD)
> > TBOOT: 0000000000100000 - 0000000001000000 (GOOD)
> > TBOOT: 0000000001000000 - 00000000cf800000 (GOOD)
> > TBOOT: 0000000100000000 - 0000000430000000 (GOOD)
> > TBOOT: 0000000000000000 - 0000000000000000 (GOOD)
> > TBOOT: 00000000cf800000 - 00000000d0000000 (SMRAM NON-OVERLAY)
> > TBOOT: 00000000e0000000 - 00000000e4000000 (PCIE EXTENDED CONFIG)
> > TBOOT: proc_scrtm_status: 0x00000001
> >
> >
> > I expect that it should match the value of PCR 17 after SENTER (and before
> > it is extended by tboot):
> >
> > TBOOT: PCRs before extending:
> > TBOOT: PCR 17: a9 6f c9 dd 99 f7 5d 07 18 eb e5 3d 38 c7 eb 8f 14 9e 76 95
> > TBOOT: PCR 18: a4 1b b3 ef 12 f6 d6 65 58 60 b9 05 4d 72 6f f0 ca 78 21 54
> > TBOOT: PCR 19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >
> >
> > On Wed, Jan 30, 2013 at 5:54 PM, Wei, Gang <gang....@intel.com> wrote:
> >>
> >> Sahil Rihan wrote on 2013-01-31:
> >> > Hi list,
> >> >
> >> > Like a few before me, I'm trying to calculate in software the value of
> >> > PCR17 after SENTER. I'm taking the value of the first extend as a given
> >> > (from SinitMleData.SinitHash) and am trying to reconstruct the value at
> >> > the end of the second extend.
> >> >
> >> > I took Jonathan McCune's Perl script as a starting point and was able to
> >> > reproduce his result (which I'm assuming is for SinitMleData.Version 6,
> >> > given his computation of the first PCR17 extend in his Perl script) using
> >> > a Python script I wrote. I then modified my script to use the value from
> >> > SinitMleData.SinitHash directly, since my understanding is that it
> >> > contains the value of PCR17 after the first extend for
> >> > SinitMleData.Version 8.
> >> >
> >> > So my computation is now identical to the one in the MLE Developer's
> >> > Guide.
> >> >
> >> > SHA-1 ( SinitMleData.SinitHash | SHA-1 ( SinitMleData.BiosAcm.ID |
> >> > SinitMleData.MsegValid | SinitMleData.StmHash |
> >> > SinitMleData.PolicyControl | SinitMleData.LcpPolicyHash |
> >> > (OsSinitData.Capabilities, 0) | SinitMleData.ProcessorSCRTMStatus) )
> >> >
> >> > Unfortunately, I'm not able to get to the value for PCR 17 that tboot
> >> > dumps, before it performs its own extend to PCR17.
> >> >
> >> > If anyone has successfully computed PCR 17 or has thoughts on what I
> >> > might be doing wrong, I'd appreciate your input.
> >>
> >> Please make sure the data length you used for the PCR17 value calculation
> >> is right:
> >>
> >> SinitMleData.MsegValid 8 bytes
> >> SinitMleData.PolicyControl 4 bytes
> >> (OsSinitData.Capabilities, 0) 4 bytes
> >> SinitMleData.ProcessorSCRTMStatus 4 bytes
> >>
> >> And (OsSinitData.Capabilities,0) means:
> >>
> >> if SinitMleData.PolicyControl.bit2 is 1, use the value of
> >> OsSinitData.Capabilities
> >> if SinitMleData.PolicyControl.bit2 is 0, use 4 bytes of 0s.
> >>
> >> Hope this helps.
> >>
> >> Jimmy
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Everyone hates slow websites. So do we.
> > Make your web apps faster with AppDynamics
> > Download AppDynamics Lite for free today:
> > http://p.sf.net/sfu/appdyn_d2d_jan
> > _______________________________________________
> > tboot-devel mailing list
> > tboot-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/tboot-devel
> >
>
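
The second-extend formula quoted in this thread, together with the field lengths and the `(OsSinitData.Capabilities, 0)` rule from the earlier reply, as an added example that is not code from the thread or from tboot. Assumptions: the function names are hypothetical, the fields tboot prints as `0x...` integers are hashed in little-endian in-memory byte order, and "bit2" is zero-based (mask `0x4`).

```python
import hashlib
import struct

def unhex(spaced):
    """Turn tboot's 'aa bb cc' dump format into bytes."""
    return bytes.fromhex(spaced.replace(" ", ""))

def second_extend_input(bios_acm_id, mseg_valid, stm_hash, policy_control,
                        lcp_policy_hash, os_sinit_caps, scrtm_status):
    """Concatenate the inner SHA-1 input, enforcing the field lengths."""
    # (OsSinitData.Capabilities, 0): real value only if PolicyControl bit 2
    # is set (assumed zero-based, mask 0x4); otherwise four zero bytes.
    caps = os_sinit_caps if policy_control & 0x4 else 0
    fields = [
        # Integers packed little-endian, as x86 holds them in memory (assumption).
        ("BiosAcm.ID", bios_acm_id, 20),
        ("MsegValid", struct.pack("<Q", mseg_valid), 8),
        ("StmHash", stm_hash, 20),
        ("PolicyControl", struct.pack("<I", policy_control), 4),
        ("LcpPolicyHash", lcp_policy_hash, 20),
        ("Capabilities", struct.pack("<I", caps), 4),
        ("ProcessorSCRTMStatus", struct.pack("<I", scrtm_status), 4),
    ]
    for name, data, want in fields:
        if len(data) != want:
            raise ValueError("%s: %d bytes, expected %d" % (name, len(data), want))
    return b"".join(data for _, data, _ in fields)

def pcr17_after_senter(sinit_hash, inner_input):
    """SHA-1(first-extend value | SHA-1(inner_input)), as in the formula."""
    if len(sinit_hash) != 20:
        raise ValueError("SinitHash must be a 20-byte SHA-1 value")
    return hashlib.sha1(sinit_hash + hashlib.sha1(inner_input).digest()).digest()

# Values copied from the tboot dump in the thread.
BIOS_ACM_ID = unhex("80 00 00 00 20 12 05 09 00 00 1d 00 ff ff ff ff ff ff ff ff")
SINIT_HASH = unhex("7e e6 40 51 b4 2b 49 18 4f fe 41 6d 60 09 46 3e e2 84 3d 04")
DUMPED_PCR17 = unhex("a9 6f c9 dd 99 f7 5d 07 18 eb e5 3d 38 c7 eb 8f 14 9e 76 95")
ZERO_HASH = bytes(20)

def from_thread_dump(policy_control=0, os_sinit_caps=0):
    inner = second_extend_input(BIOS_ACM_ID, 0, ZERO_HASH, policy_control,
                                ZERO_HASH, os_sinit_caps, 0x00000001)
    return pcr17_after_senter(SINIT_HASH, inner)

if __name__ == "__main__":
    pcr = from_thread_dump()
    print("computed PCR 17:", pcr.hex())
    print("matches tboot dump:", pcr == DUMPED_PCR17)
```

Run as a script, it prints the computed value next to a comparison with the PCR 17 line from the dump; the comparison is reported, not assumed.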