Hi Tadd,
Actually I wanted to use TPM for secure boot feature.
I'm not able to understand how the lower PCRs can be used for the same if
they are not getting reset to their default values.
Here's what I have understood about how to use the PCRs for secure boot.
Please correct me if I'm wrong.
For example at the bootloader stage, I want to allow only trusted kernel
image to boot the system. These are the steps that can be followed (
Reference :
https://www.sec.in.tum.de/assets/Backup/Studentenworks/finished/lorenz2012.pdf
page 41-44) :-
*Initialization step :*
1. The hash of the kernel image is stored in memory - *hash(kernel_old)*.
2. A 20 byte random number - a *secret* is generated by the TPM and it's
stored in the NVRAM which is write and password protected.
3. *X = hash(hash(kernel_old) || secret) *is calculated
*.*
4. PCR 1 is extended with
* X.*
5. Now *X* is sealed with PCR1 and the sealed blob is stored in memory
*.*
*Verification step *(after system reboot at bootloader stage)
*:*
1. The *secret* is read from the NVRAM location by giving the password.
2. The hash of the kernel image to be loaded is generated -
*hash(kernel_new)* and as in step 3 of the initialization step, *X' =*
*hash(hash(kernel_new)||
secret)* is calculated
*.*
3. PCR 1 is extended with
* X'.*
3. If the PCR configurations match then only the sealed blob obtained in
step 5 of initialization step i.e *X* can be unsealed.
4. If unsealing is possible, then *X *is obtained.
5. If* X == X'*, then only the *kernel image is allowed to load*
*and boot else the boot process halts.*
Now my query is, if I've already extended PCR 1 during initialization step
and it fails to reset to it's default value on reboot, how can I use PCR1
for unseal operation in the verification stage?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
