I posted a message to the users list yesterday regarding tpm-luks-init.

I am using the latest tpm-tools 1.3.9, trousers 0.3.10, cryptsetup 1.6.2 and 
TrustedGRUB 1.1.5

I have a related question. This morning I used tpm_nvrelease to get rid of my 
tpm NVRAM index 9 key, changed my /etc/tpm-luks.conf to use index 2 instead of 
9. Then redid my /dev/sda2 - randomized it. I started everything from scratch, 
starting with cryptsetup to luksFormat my /dev/sda2

My menu.lst has a checkfile command. This of course should affect PCR 13. My 
tpm-luks script left out the checkfile command line measurement 
(inadvertently). I know this is a TrustedGRUB stage2 built-in command, so 
TrustedGRUB would extend the checkfile command into the hash.

The problem is that tpm_nvdefine allowed the NV Permsfile (with the -f flag) to 
be used in the composite object regardless. Here is a block of code in the 
function parseNVPermsFile:

                if (rw == 'r') {
                        if (*hPcrsRead == NULL_HPCRS)
                                if (contextCreateObject(*hContext, TSS_OBJECT_TYPE_PCRS,
                                                        TSS_PCRS_STRUCT_INFO_SHORT,
                                                        hPcrsRead) != TSS_SUCCESS)
                                        goto out;

                        if (pcrcompositeSetPcrValue(*hPcrsRead, pcr, pcrSize, (BYTE *)hash_bin)
                                        != TSS_SUCCESS)
                                goto out;
                } else {
                        if (*hPcrsWrite == NULL_HPCRS)
                                if (contextCreateObject(*hContext, TSS_OBJECT_TYPE_PCRS,
                                                        TSS_PCRS_STRUCT_INFO_SHORT,
                                                        hPcrsWrite) != TSS_SUCCESS)
                                        goto out;

                        if (pcrcompositeSetPcrValue(*hPcrsWrite, pcr, pcrSize, (BYTE *)hash_bin)
                                        != TSS_SUCCESS)
                                goto out;
                }
        }

Before the block of code above I expect a call to a function that will a) get 
the existing PCR value for the current index (the pcr variable) by calling 
tpmPcrRead() and b) verify that the hash from the perms list matches the hash 
read out of the PCR before allowing this if...else to continue, returning an 
error in case of no match.


Am I right or wrong? 
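The check described above, as an added example that is not tpm-tools code: it compares each PCR digest listed in a perms file against the live PCR values (read here from a constructed TPM 1.2 sysfs-style 'pcrs' listing rather than through tpmPcrRead()) and reports every binding that would not match the platform as it stands. The perms-file line layout '<r|w> <pcr> <sha1-hex>' and the sample digests are assumptions, not the exact tpm-tools syntax or real measurements.

```python
import re

# Constructed sample of a TPM 1.2 PCR listing in the Linux sysfs 'pcrs' format.
PCR_DUMP = """\
PCR-00: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-13: 5B 71 2C 0F 1C 69 D7 13 35 18 9F 93 9C 93 DB 07 66 2D 30 2C
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Constructed perms file (assumed layout '<r|w> <pcr> <sha1-hex>', not the
# exact tpm-tools syntax). PCR 0 matches the platform; the PCR 13 value was
# computed without the checkfile measurement, so it is stale.
PERMS_FILE = """\
# read/write bindings for the NV index
r 0 3a3f780f11a4b49969fcaa80cd6e3957c33b2275
r 13 d7cbd8f6a0f2e8b1c3a4d5e6f7081920a1b2c3d4
w 13 d7cbd8f6a0f2e8b1c3a4d5e6f7081920a1b2c3d4
"""

PCR_LINE = re.compile(r"^PCR-(\d+):\s*((?:[0-9A-Fa-f]{2}\s*)+)$", re.M)

def parse_pcr_dump(text):
    """Map PCR index -> lowercase SHA-1 hex of its current value."""
    return {int(m.group(1)): re.sub(r"\s+", "", m.group(2)).lower()
            for m in PCR_LINE.finditer(text)}

def parse_perms(text):
    """Yield (rw, pcr_index, sha1_hex) for each binding line in the perms file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rw, pcr, digest = line.split()
        if rw not in ("r", "w") or len(digest) != 40:
            raise ValueError("malformed perms line: %r" % raw)
        yield rw, int(pcr), digest.lower()

def check_perms(perms_text, pcr_text):
    """Return the bindings whose digest differs from the live PCR, as
    (rw, pcr, expected, actual) tuples; actual is None if the PCR is absent.
    An empty list means the composite would match the platform right now."""
    live = parse_pcr_dump(pcr_text)
    return [(rw, pcr, want, live.get(pcr))
            for rw, pcr, want in parse_perms(perms_text)
            if live.get(pcr) != want]

if __name__ == "__main__":
    for rw, pcr, want, got in check_perms(PERMS_FILE, PCR_DUMP):
        print("PCR %d (%s): perms file has %s, platform has %s" % (pcr, rw, want, got))
```

Run against the constructed input it flags both PCR 13 bindings, which is the condition that would have caused the NV index to be defined against a composite the running platform can never satisfy.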
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
