Hi,
I'd like to calculate PCR 18 before first reboot.

I am using tboot with "pcr_map=da", signed policy and TB_POLCTL_EXTEND_PCR17 disabled

docs say:
PCR 18 (Authorities):
   It will be extended with the following values (in this order):
      -  The values as documented in the MLE Developers Manual
      -  SHA-1 hash of:  tboot policy control value (4 bytes) |
                         SHA-1 hash of tboot policy (20 bytes)
         : where the hash of the tboot policy will be 0s if
           TB_POLCTL_EXTEND_PCR17 is clear


There seems to be something missing here - is PCR 18 supposed to also contain the hash of the signing key?
I thought TB_POLCTL_EXTEND_PCR17 only affects the policy itself (hash of data), not the "Authority" (i.e. what's in NVRAM, key fingerprint...)

In txt-stat I see PCR 18 being extended several times(?):

TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x410
TBOOT:                         Digest: fe 48 79 5c e3 18 12 ff a8 14 99 7f 46 3e a0 ca 19 eb 33 2c
TBOOT:                           Data: 0 bytes
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x40b
TBOOT:                         Digest: 90 69 ca 78 e7 45 0a 28 51 73 43 1b 3e 52 c5 c2 52 99 e4 73
TBOOT:                           Data: 4 bytes
                                 00 00 00 00
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x40f
TBOOT:                         Digest: b8 cb 6b 3d e8 66 f2 fd 1f 17 99 6f ee 01 ce c4 74 8a 03 e8
TBOOT:                           Data: 4 bytes
                                 32 00 00 00
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x40c
TBOOT:                         Digest: 90 69 ca 78 e7 45 0a 28 51 73 43 1b 3e 52 c5 c2 52 99 e4 73
TBOOT:                           Data: 4 bytes
                                 00 00 00 00
(note ^^ - did this revert back to the previous value??)

TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x411
TBOOT:                         Digest: 35 f5 d3 8d 36 18 f1 26 6f 36 46 8b 5f 9f 31 ed 30 51 29 29
TBOOT:                           Data: 20 bytes
                                 83 f0 f3 8f 97 7e 0d 49 6b ac f3 8e b3 29 4f 1d 8a db e0 13

TBOOT:   VL measurements:
TBOOT:     PCR 18 (alg count 1):
TBOOT:             alg 0004: d3 39 9b 72 62 fb 56 cb 9e d0 53 d6 8d b9 29 1c 41 08 39 c4

TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x501
TBOOT:                         Digest: d3 39 9b 72 62 fb 56 cb 9e d0 53 d6 8d b9 29 1c 41 08 39 c4
TBOOT:                           Data: 0 bytes


But the resulting value is different (not sure if that's expected)
PCR-18: 05 C5 A7 47 22 19 71 90 2B 5D 17 29 C4 B8 F3 8E 8B EC C6 B0 

Can someone help me interpret this?

Thanks

Jan
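The script below is an added example for readers of this thread; it is not part of Jan's post and not tboot's own code. It parses the PCR 18 entries from the txt-stat output quoted above (embedded as a constructed copy, with the wrapped digest lines joined), replays them as TPM 1.2 SHA-1 PCR extends (new = SHA-1(old || digest), starting from 20 zero bytes) and compares the result with the reported PCR-18 value, once with all entries and once without the trailing 0x501 entry. It also applies the formula quoted from the docs, SHA-1(policy control (4 bytes) | policy hash (20 bytes)) with a zero policy hash since TB_POLCTL_EXTEND_PCR17 is clear, to every logged event that carries 4 bytes of data and reports whether it reproduces that event's digest. That those 4 logged bytes are the policy control value in the logged byte order is an assumption of this example, not something the post or the docs state. One point the replay makes concrete whatever the outcome: a PCR is the chained hash of every extend, so its final value is not expected to equal any single digest line, including the d3 39 ... one.

```python
import hashlib

# Constructed copy of the PCR 18 entries from the txt-stat output quoted in the
# post (wrapped digest/data lines joined); used here as offline sample input.
TXT_STAT_LOG = """\
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x410
TBOOT:                         Digest: fe 48 79 5c e3 18 12 ff a8 14 99 7f 46 3e a0 ca 19 eb 33 2c
TBOOT:                           Data: 0 bytes
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x40b
TBOOT:                         Digest: 90 69 ca 78 e7 45 0a 28 51 73 43 1b 3e 52 c5 c2 52 99 e4 73
TBOOT:                           Data: 4 bytes
                                 00 00 00 00
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x40f
TBOOT:                         Digest: b8 cb 6b 3d e8 66 f2 fd 1f 17 99 6f ee 01 ce c4 74 8a 03 e8
TBOOT:                           Data: 4 bytes
                                 32 00 00 00
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x40c
TBOOT:                         Digest: 90 69 ca 78 e7 45 0a 28 51 73 43 1b 3e 52 c5 c2 52 99 e4 73
TBOOT:                           Data: 4 bytes
                                 00 00 00 00
TBOOT:                   Event:
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x411
TBOOT:                         Digest: 35 f5 d3 8d 36 18 f1 26 6f 36 46 8b 5f 9f 31 ed 30 51 29 29
TBOOT:                           Data: 20 bytes
                                 83 f0 f3 8f 97 7e 0d 49 6b ac f3 8e b3 29 4f 1d 8a db e0 13
TBOOT:   VL measurements:
TBOOT:     PCR 18 (alg count 1):
TBOOT:             alg 0004: d3 39 9b 72 62 fb 56 cb 9e d0 53 d6 8d b9 29 1c 41 08 39 c4
TBOOT:                       PCRIndex: 18
TBOOT:                           Type: 0x501
TBOOT:                         Digest: d3 39 9b 72 62 fb 56 cb 9e d0 53 d6 8d b9 29 1c 41 08 39 c4
TBOOT:                           Data: 0 bytes
"""
# PCR-18 value reported in the post after the events above.
OBSERVED_PCR18 = "05c5a747221971902b5d1729c4b8f38e8becc6b0"

def parse_events(text):
    """Parse txt-stat event entries into dicts with pcr, type, digest, data."""
    events, cur, lines = [], None, text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("TBOOT:"):
            line = line[6:].strip()
        if line.startswith("PCRIndex:"):
            cur = {"pcr": int(line[9:]), "type": None, "digest": b"", "data": b""}
            events.append(cur)
        elif cur and line.startswith("Type:"):
            cur["type"] = int(line[5:], 16)
        elif cur and line.startswith("Digest:"):
            cur["digest"] = bytes.fromhex(line[7:])   # fromhex ignores the spaces
        elif cur and line.startswith("Data:"):
            n = int(line[5:].split()[0])
            if n:                                     # raw bytes follow on the next line
                i += 1
                cur["data"] = bytes.fromhex(lines[i].strip())
                if len(cur["data"]) != n:
                    raise ValueError("data length does not match the Data: header")
        i += 1
    return events

def pcr_extend(pcr, digest):
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def replay_pcr(events, pcr_index=18, skip_types=()):
    """Replay the logged extends into a PCR that starts at 20 zero bytes."""
    pcr = bytes(20)
    for ev in events:
        if ev["pcr"] == pcr_index and ev["type"] not in skip_types:
            pcr = pcr_extend(pcr, ev["digest"])
    return pcr

def policy_digest(polctl, policy_hash=bytes(20)):
    """Documented input: SHA-1(policy control (4 bytes) | policy hash (20 bytes)),
    policy hash all zeros when TB_POLCTL_EXTEND_PCR17 is clear."""
    return hashlib.sha1(polctl + policy_hash).digest()

def check_policy_digests(events):
    """For each event carrying 4 bytes of data, test whether the documented formula
    reproduces its digest (assumption: the 4 logged bytes are the control value)."""
    return [(ev["type"], ev["data"].hex(), policy_digest(ev["data"]) == ev["digest"])
            for ev in events if len(ev["data"]) == 4]

if __name__ == "__main__":
    evs = parse_events(TXT_STAT_LOG)
    observed = bytes.fromhex(OBSERVED_PCR18)
    for label, skip in (("all PCR 18 entries", ()), ("without the 0x501 entry", (0x501,))):
        val = replay_pcr(evs, 18, skip)
        print(f"replay {label}: {val.hex()}  equals reported PCR-18: {val == observed}")
    for etype, data, ok in check_policy_digests(evs):
        print(f"type {etype:#x} data {data}: documented formula matches digest: {ok}")
```

Run it as-is against the embedded copy, or feed your own txt-stat output through parse_events; if neither replay variant reproduces the reported value, the log you see is not the complete list of extends that went into PCR 18, which is the question the post raises.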

_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel