Please keep in mind that tpm_sealdata() may need to take values of some PCRs from the actual registers and supply SHA1 codes for others.
----- Original Message -----
> From: "Kent Yoder" <[email protected]>
> To: "Dmitri Toubelis" <[email protected]>
> Cc: [email protected]
> Sent: Friday, February 1, 2013 6:06:57 PM
> Subject: Re: [TrouSerS-users] tpm_sealdata use case
>
> On Fri, Feb 1, 2013 at 3:45 PM, Dmitri Toubelis
> <[email protected]> wrote:
> > Hi,
> >
> > I'm designing a trusted platform for an embedded device and I hit a
> > roadblock with trusted OS updates. Here is an example:
> >
> > - our system consists of two components that may need an upgrade -
> >   operating system and system software.
> > - the system software is stored as an encrypted archive and the
> >   decryption key is sealed with values of several PCR registers.
> > - the system software is responsible for upgrading itself and the
> >   operating system.
> > - when a new OS image is downloaded and verified by system software, the
> >   encryption key needs to be re-sealed with "EXPECTED" PCR values
> >   after system reboots. Essentially the encryption key needs to be
> >   "unsealed" in the currently running environment and "sealed" with
> >   expected values of PCR registers that can be easily calculated at
> >   that time.
> >
> > So, would it be possible to add an option to tpm_sealdata in order
> > to seal data with arbitrary values of PCR registers? I think the
> > command line syntax may be extended to something like "{-p|--pcr}
> > NUMBER:SHA1_HEX_STRING", so if no ":SHA1_HEX_STRING" is provided
> > then the value of the register is used, otherwise use the provided
> > value.
> >
> > What do you guys think? Is this possible?
>
> It's possible. I'm not crazy about passing all that info on the
> command line though. The way I implemented this for tpm_nvdefine was
> to allow passing a file used to configure the PCRs. The format is:
>
> [r/w][PCR#][SHA1]
>
> so something like...
>
> r 12 aabbccddeeff001122...
> w 14 aabbccddeeff001122...
>
> would specify the area could be read when PCR 12 or written when PCR
> 14 had the set values. We could reuse the same format, ignoring the
> r/w, or leaving it out entirely.
>
> Kent
>
> > Regards,
> > -Dmitri
> >
> > _______________________________________________
> > TrouSerS-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/trousers-users
