Hi Luigi,

Thanks for the link. It's very interesting.

My case might be different from Chromium. I don't have control over the
firmware (uEFI + option ROMs + bootloader) on the board. The vendor did all
the hashes using CRTM as root of trust and stored them in the TPM PCRs.  So
that's my starting point assuming you trust all the hashes inside. I don't
have a requirement to do any verification post-firmware yet.

So my problem is how to securely verify those hash values against the
"known good ones".  The known good ones are those that are provided by the
board vendor before product shipping and I have to trust. I am trying to
detect any tampering of those in the field by using TPM.

Since I don't control the firmware, I have no way to store the known good
hashes (e.g. for the boot loader) inside a verified firmware. I can certainly
store them off board in a secure location. But I also heard you can store
them inside the TPM too.

David
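
The comparison David describes (reported PCRs versus the vendor's known-good hashes) can be done by replaying the extend operation over the known-good measurement list and checking the result against what the TPM reports. The script below is an added example, not code from the thread or from TrouSerS. It assumes TPM 1.2 semantics (20-byte SHA-1 PCRs, PCR_new = SHA1(PCR_old || measurement)), the Linux sysfs dump layout "PCR-NN: XX XX ..." for the reported values, and the TCG PC client convention that PCR 2 holds option ROM code and PCR 4 the boot loader; the reference digests and the dumps are constructed in-script rather than read from hardware.

```python
"""Added example (not from the thread): replay known-good measurements and
compare the result with the PCR values a TPM 1.2 reports.

Assumptions (all constructed for this example):
  * the "known good" list is the vendor's per-component SHA-1 digests,
    one list per PCR, in the order the firmware extends them;
  * PCR dumps use the Linux TPM 1.2 sysfs layout "PCR-NN: XX XX ... XX"
    (20 bytes, hex); the dumps below are generated in-script, not read
    from real hardware;
  * PCR 2 holds option ROM code and PCR 4 the boot loader, following the
    TCG PC client conventions.
"""
import hashlib
from typing import Dict, List

PCR_LEN = 20  # SHA-1 digest size; every TPM 1.2 PCR is 20 bytes


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend operation: PCR_new = SHA1(PCR_old || measurement)."""
    if len(current) != PCR_LEN or len(measurement) != PCR_LEN:
        raise ValueError("TPM 1.2 PCRs and measurements are 20-byte SHA-1 digests")
    return hashlib.sha1(current + measurement).digest()


def expected_pcr(measurements: List[bytes]) -> bytes:
    """Replay a known-good measurement list from the all-zero reset value."""
    pcr = bytes(PCR_LEN)
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr


def parse_pcr_dump(text: str) -> Dict[int, bytes]:
    """Parse lines of the form 'PCR-04: AB CD ...' into {index: 20 raw bytes}."""
    pcrs: Dict[int, bytes] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("PCR-"):
            continue
        label, hexpart = line.split(":", 1)
        value = bytes.fromhex(hexpart.replace(" ", ""))
        if len(value) != PCR_LEN:
            raise ValueError(f"malformed PCR line: {line!r}")
        pcrs[int(label[len("PCR-"):])] = value
    return pcrs


def verify_pcrs(dump_text: str, reference: Dict[int, List[bytes]]) -> Dict[int, bool]:
    """True per PCR when the reported value equals the replayed known-good value.

    A PCR missing from the dump counts as a failure, never as a pass.
    """
    reported = parse_pcr_dump(dump_text)
    return {idx: reported.get(idx) == expected_pcr(meas) for idx, meas in reference.items()}


# --- constructed "known good" data standing in for the vendor's list ---
GOOD_OPTION_ROM = hashlib.sha1(b"constructed: option ROM image v1").digest()
GOOD_BOOTLOADER = hashlib.sha1(b"constructed: vendor boot loader v1").digest()
REFERENCE: Dict[int, List[bytes]] = {2: [GOOD_OPTION_ROM], 4: [GOOD_BOOTLOADER]}


def format_pcr_dump(pcrs: Dict[int, bytes]) -> str:
    """Render PCRs in the sysfs text layout assumed above (for the constructed samples)."""
    lines = []
    for idx, value in sorted(pcrs.items()):
        lines.append(f"PCR-{idx:02d}: " + " ".join(f"{b:02X}" for b in value))
    return "\n".join(lines)


def constructed_dump(tampered_bootloader: bool) -> str:
    """Build a sample dump: healthy, or with PCR 4 reflecting a modified boot loader."""
    bootloader = GOOD_BOOTLOADER
    if tampered_bootloader:
        bootloader = hashlib.sha1(b"constructed: modified boot loader").digest()
    return format_pcr_dump({2: expected_pcr([GOOD_OPTION_ROM]),
                            4: expected_pcr([bootloader])})


if __name__ == "__main__":
    for tampered in (False, True):
        label = "tampered" if tampered else "clean"
        print(label, verify_pcrs(constructed_dump(tampered), REFERENCE))
```

Two caveats tie this back to the questions in the thread. A sysfs dump is an unsigned local read, so a compromised OS could feed the checker whatever it likes; the same comparison gains its value when the PCR values come out of a TPM_Quote whose signature is verified with the AIK public key by a party other than the measured host. And the reference list is only as trustworthy as its storage: whether it lives off-board or in TPM NV space, it needs write protection and an integrity check of its own, otherwise an attacker who can modify the boot loader can update the "known good" value to match.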

On Tue, Oct 21, 2014 at 10:51 AM, Luigi Semenzato <[email protected]>
wrote:

> If you haven't done it, take a look at how secure boot is done in
> Chrome OS.  I think it addresses all the right issues.
>
> http://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot
>
> It turns out the TPM isn't really used (other than peripherally as NV
> storage to protect against OS version rollback).  The important thing
> is to establish a "chain of trust" so that at any stage you can trust
> the software that's verifying the next stage.
>
> Luigi
> (Chrome OS Kernel Team)
>
>
>
> On Tue, Oct 21, 2014 at 10:36 AM, David Li <[email protected]> wrote:
> > My goal is to use TPM to perform system boot integrity checks. My server's
> > UEFI firmware can extend PCRs with hash values on the firmware modules along
> > the boot chain.
> > So this is what I have to base upon.
> >
> > As I am researching how to do this securely, I came upon some questions:
> >
> > 1. I understand that I will need to create an AIK (an RSA pair) to sign the
> > PCRs. Can I create a Privacy CA to issue a certificate on the AIK I created?
> > Do I also need the TPM manufacturer's EK certificate in this process?
> > Another question is how this signing process is accomplished. Is it
> > automatically done by the TPM, or does an external piece of software do it
> > once bootup is done?
> >
> > 2. In order to compare the real-time measured PCR values to "known good
> > ones", where do I store the "known good values" to start with? I can think
> > of two places: one is inside the TPM somewhere and the other is outside the
> > TPM in a remote secure location. What's the recommendation?
> >
> > 3. Can this check be accomplished by using commands in tpm_tools? Or will I
> > have to use Trousers C APIs to program?
> >
> > Thanks.
> >
> > _______________________________________________
> > TrouSerS-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/trousers-users
> >
>