Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WiP: introspection - replicate TPM PCRs measurements directly from measured content (TCPA/TPM Event log) #1568

Draft
wants to merge 7 commits into
base: master
Choose a base branch
from
Draft

WiP: introspection - replicate TPM PCRs measurements directly from measured content (TCPA/TPM Event log) #1568

wants to merge 7 commits into from

Conversation

tlaurion
Copy link
Collaborator

@tlaurion tlaurion commented Dec 31, 2023
edited

Documented in commits as of now, particularly 8701d14. Will progress after reviewing coreboot codebase and maybe even open issues since there is already discrepencies for FMAP extraction/measurements as of now. See commit for details.

This is to give practical context (vs theoritical content as comment+ linuxboot/heads-wiki#107 (comment)) on what is attempted to be done to address current RFC comments:

At term

  • tpmr helper script will have functional tpmr calc_pcr, useable externall through introspect functions to be able to replicate measured content outside of coreboot measured boot code:
    • Take cbmem accessible memory to extract FMAP and properly measure it the same way coreboot measures it in measured boot code
    • Use cbfs to access mapped CBFS filesystem to validate (instrospect) sealed TOTP/HOTP/TPM DUK parts, by being able to validate files integrity
  • Finaly attain Implement forward sealing of firmware upgrades #523. If we can validate current state, we will be able to eventually seal content of future calculated PCRs content from those introspection helpers, applied to ROM to be flashed instead of validating runtime accessible content.

Let's go back to the basics.

Coreboot measured boot does its thing, leading to TPM PCRs being extended by:

~ # cbmem -L
coreboot TPM log:

 PCR-2 5622416ea417186aa1ac32b32c527ac09009fb5e SHA1 [FMAP: FMAP]
 PCR-2 8bbaeca78eb7e169df69d3687258318b58c8671e SHA1 [CBFS: bootblock]
 PCR-2 73ccefadc0a1be8184be89800e69186a260ebe40 SHA1 [CBFS: fallback/romstage]
 PCR-2 d697f8c98ef6f1b4aca397821e176bb48a227212 SHA1 [CBFS: fallback/postcar]
 PCR-2 b88302e3a46fb7fb11b92730d05c41b5f1f11bcf SHA1 [CBFS: fallback/ramstage]
 PCR-2 b688d567b0dfe1e1c6e4584289619a525b85cbd6 SHA1 [CBFS: bootsplash.jpg]
 PCR-2 9130eeb4cfe031edeabc56e6b84812d49a5a6bda SHA1 [CBFS: fallback/payload]

Current code is coreboot+heads extend operations of PCRs, leading to sealing/unsealing of secrets.

NOTE: THIS IS NON-HOTP UNDER QEMU (qemu-coreboot-whiptail-tpm1 board) which has DEBUG/TRACE activated in board config by default

On boot in debug mode, one can see:

[    6.367615] DEBUG: Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)
[    6.397918] TRACE: Under init
[    6.568554] TRACE: Under /bin/tpmr
[    6.713454] TRACE: Under /bin/cbfs-init
[    6.871008] DEBUG: Extending TPM PCR 7 with /.gnupg/pubring.kbx
[    6.993091] TRACE: Under /bin/tpmr
[    7.068339] DEBUG: Direct translation from tpmr to tpm1 call
[    7.117974] DEBUG: exec tpm extend -ix 7 -if /tmp/cbfs.106
[    7.308879] DEBUG: Extending TPM PCR 7 with /.gnupg/trustdb.gpg
[    7.425651] TRACE: Under /bin/tpmr
[    7.508279] DEBUG: Direct translation from tpmr to tpm1 call
[    7.557995] DEBUG: exec tpm extend -ix 7 -if /tmp/cbfs.106

when sealing/resealing TOTP/HOTP:

[   20.436488]  !!! ERROR: Unable to unseal TOTP secret !!!
[   22.492932] DEBUG: CONFIG_TPM: y
[   22.543257] DEBUG: CONFIG_TPM2_TOOLS:
[   22.608812] DEBUG: Show PCRs
[   22.803776] DEBUG: PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   22.840741] PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   22.881815] PCR-02: 29 5B FA C8 71 8E DC 56 38 FF 41 AC 24 42 1B 05 71 15 E9 9A
[   22.918112] PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   22.954170] PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   22.992496] PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.026032] PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   23.059503] PCR-07: B8 85 CF DE 4E B8 CA 55 B4 05 2D 02 C2 F4 74 D4 21 00 3C 4C
[   36.867188] TRACE: Under /bin/gui-init:generate_totp_hotp
[   36.967579] TRACE: Under /bin/seal-totp
[   37.052311] DEBUG: Sealing TOTP with actual state of PCR0-3
[   37.171910] TRACE: Under /bin/tpmr
[   37.253669] TRACE: Under /bin/tpmr:tpm1_pcrread
[   37.305168] DEBUG: tpm pcrread -ix 0
[   37.443424] TRACE: Under /bin/tpmr
[   37.517793] TRACE: Under /bin/tpmr:tpm1_pcrread
[   37.566605] DEBUG: tpm pcrread -ix 1
[   37.693229] TRACE: Under /bin/tpmr
[   37.753872] TRACE: Under /bin/tpmr:tpm1_pcrread
[   37.810666] DEBUG: tpm pcrread -ix 2
[   37.952421] TRACE: Under /bin/tpmr
[   38.028588] TRACE: Under /bin/tpmr:tpm1_pcrread
[   38.077889] DEBUG: tpm pcrread -ix 3
[   38.168742] DEBUG: Sealing TOTP with boot state of PCR4 (Going to recovery shell extends PCR4)
[   38.269630] TRACE: Under /bin/tpmr
[   38.351576] TRACE: Under /bin/tpmr:replay_pcr
[   38.504755] DEBUG: Replayed cbmem -L clean boot state of PCR=4 ALG=sha1 : 0000000000000000000000000000000000000000
[   38.570688] DEBUG: Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)
[   38.618129] DEBUG: Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)
[   38.752815] TRACE: Under /bin/tpmr
[   38.829422] TRACE: Under /bin/tpmr:tpm1_pcrread
[   38.880416] DEBUG: tpm pcrread -ix 7
[   39.025969] TRACE: Under /bin/tpmr
[   39.091944] TRACE: Under /bin/tpmr:tpm1_seal
[   39.171009] DEBUG: tpm1_seal arguments: file=/tmp/secret/totp.key index=4d47 pcrl=0,1,2,3,4,7 pcrf=/tmp/secret/pcrf.bin sealed_size=312 pass=<empty> tpm_password=<empty>
[   39.467437] DEBUG: Running at_exit handlers
[   39.518427] TRACE: Under /bin/tpmr:cleanup_shred
[   40.948091] TRACE: Under /bin/gui-init:update_totp
[   41.071700] TRACE: Under /bin/unseal-totp
[   41.160445] TRACE: Under /bin/tpmr
[   41.233640] TRACE: Under /bin/tpmr:tpm1_unseal
[   41.339872] DEBUG: Running at_exit handlers
[   41.366528] TRACE: Under /bin/tpmr:cleanup_shred

When sealing/resealing TPM DUK:

[   41.445377] TRACE: Under /etc/functions:reseal_tpm_disk_decryption_key
[   41.475321] DEBUG: TPM Disk Unlock Key is allowed in board configs. Continuing
[   41.540213]  *** WARNING: TPM sealed Disk Unlock Key secret needs to be resealed alongside TOTP/HOTP secret ***
[   42.688732] TRACE: Under kexec-seal-key
[   42.759000] DEBUG: Devices defined for disk encryption: /dev/vda4
[   42.805561] DEBUG: No LVM volume group defined for activation
[   42.985001] DEBUG: PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.008100] PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.036384] PCR-02: 29 5B FA C8 71 8E DC 56 38 FF 41 AC 24 42 1B 05 71 15 E9 9A
[   43.072981] PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.100711] PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.129680] PCR-05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.158979] PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   43.196712] PCR-07: B8 85 CF DE 4E B8 CA 55 B4 05 2D 02 C2 F4 74 D4 21 00 3C 4C
[  143.067899] DEBUG: Checking number of slots used on /dev/vda4 LUKS header
[  143.251583] DEBUG: Number of slots used on /dev/vda4 LUKS header: 2
[  143.288628] DEBUG: Slot 1 is not the only existing slot on /dev/vda4 LUKS header.
[  143.318917] DEBUG: /dev/vda4 LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with TPM Disk Unlock Key passphrase
[  172.592929] TRACE: Under /bin/qubes-measure-luks
[  172.632252] DEBUG: Arguments passed to qubes-measure-luks: /dev/vda4
[  172.692086] DEBUG: Storing LUKS header for /dev/vda4 into /tmp/lukshdr-_dev_vda4
[  173.341529] DEBUG: Hashing LUKS headers into /tmp/luksDump.txt
[  174.149694] DEBUG: Removing /tmp/lukshdr-*
[  174.245129] DEBUG: Extending TPM PCR 6 with hash of LUKS headers from /tmp/luksDump.txt
[  174.353329] TRACE: Under /bin/tpmr
[  174.426883] DEBUG: Direct translation from tpmr to tpm1 call
[  174.473913] DEBUG: exec tpm extend -ix 6 -if /tmp/luksDump.txt
[  174.616760] TRACE: Under /bin/tpmr
[  174.678668] TRACE: Under /bin/tpmr:tpm1_pcrread
[  174.747086] DEBUG: tpm pcrread -ix 0
[  174.905885] TRACE: Under /bin/tpmr
[  174.967405] TRACE: Under /bin/tpmr:tpm1_pcrread
[  175.030457] DEBUG: tpm pcrread -ix 1
[  175.177769] TRACE: Under /bin/tpmr
[  175.259749] TRACE: Under /bin/tpmr:tpm1_pcrread
[  175.310981] DEBUG: tpm pcrread -ix 2
[  175.481466] TRACE: Under /bin/tpmr
[  175.561849] TRACE: Under /bin/tpmr:tpm1_pcrread
[  175.614064] DEBUG: tpm pcrread -ix 3
[  175.792765] TRACE: Under /bin/tpmr
[  175.882876] TRACE: Under /bin/tpmr:replay_pcr
[  176.040742] DEBUG: Replayed cbmem -L clean boot state of PCR=4 ALG=sha1 : 0000000000000000000000000000000000000000
[  176.103851] DEBUG: Sealing TPM Disk Unlock Key with PCR5=0 (NO additional kernel modules are loaded per board config)...
[  176.211233] TRACE: Under /bin/tpmr
[  176.292151] TRACE: Under /bin/tpmr:replay_pcr
[  176.440122] DEBUG: Replayed cbmem -L clean boot state of PCR=5 ALG=sha1 : 0000000000000000000000000000000000000000
[  176.523055] DEBUG: Precomputing TPM future value for PCR6 sealing/unsealing of TPM Disk Unlock Key...
[  176.659425] TRACE: Under /bin/tpmr
[  176.744122] TRACE: Under /bin/tpmr:replay_pcr
[  177.031080] DEBUG: Replayed cbmem -L clean boot state of PCR=6 ALG=sha1 : 01520898d3570c05f0d568c703ced659a86d07d0
[  177.154090] TRACE: Under /bin/tpmr
[  177.241526] TRACE: Under /bin/tpmr:tpm1_pcrread
[  177.299186] DEBUG: tpm pcrread -ix 7
[  177.413648] DEBUG: tpmr seal /tmp/secret/secret.key 3 0,1,2,3,4,5,6,7 /tmp/secret/pcrf.bin 312 <hidden>
[  177.556579] TRACE: Under /bin/tpmr
[  177.629027] TRACE: Under /bin/tpmr:tpm1_seal
[  177.708219] DEBUG: tpm1_seal arguments: file=/tmp/secret/secret.key index=3 pcrl=0,1,2,3,4,5,6,7 pcrf=/tmp/secret/pcrf.bin sealed_size=312 pass=<hidden> tpm_password=<empty>
[  178.059784] DEBUG: Running at_exit handlers
[  178.098162] TRACE: Under /bin/tpmr:cleanup_shred
[  178.205557] EXT4-fs (vda3): re-mounted. Opts: (null)
[  178.383950] EXT4-fs (vda3): re-mounted. Opts: (null)
[  178.457170]  *** WARNING: LUKS header hash changed under /boot/kexec_luks_hdr_hash.txt ***
[  179.534337] TRACE: Under /etc/functions:update_checksums
[  179.598859] EXT4-fs (vda3): re-mounted. Opts: (null)
[  179.697408] TRACE: Under /bin/kexec-sign-config
[  179.758587] TRACE: Under /etc/functions:assert_signable
[  179.945770] TRACE: Under /etc/ash_functions:confirm_gpg_card
[  190.293216] TRACE: Under /etc/ash_functions:enable_usb
[...]

On master, logic present trusts TCPA/TPM event log to be the "replay" base.

Current PR will try to add introspection required bases so that TCPA/TPM event log alone is not trusted, but validated. As explained in RFC under heeads-wiki, Heads packs other tools, including cbfs to read/write from/to cbfs (osresearch/flashtools built cbfs binary) and packs cbmem (coreboot) as of now which if used, would require more then FMAP+bootblock+++ compromise of coreboot base to be able to bypass Heads introspection.

I will point discussion to this so that we can now understand where we want to go instead of requestionning the base and goals of this attempt or focus more directly on what is missing, what we have and where we want to go for next steps.

@tlaurion tlaurion mentioned this pull request Dec 31, 2023
Open
@tlaurion tlaurion changed the title WiP: introspection - replicate pcr content from runtime WiP: introspection - replicate TPM PCRs measurements directly from measured content (TCPA/TPM Event log) Dec 31, 2023
@tlaurion
Copy link
Collaborator Author

Asked input of coreboot devels

DemiMarie
DemiMarie reviewed Dec 31, 2023
View reviewed changes
initrd/bin/tpmr
TRACE "Under /bin/tpmr:calc_pcr"
if [ -z "$2" ]; then
echo >&2 "No PCR number passed"
return
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will return a successful status to the caller. Should this be return 1 or even exit 1?

initrd/bin/tpmr
fi
if [ "$2" -ge 8 ]; then
echo >&2 "Illegal PCR number ($2)"
return
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here.

initrd/bin/tpmr
Comment on lines +249 to +300
# SHA-1 hashes are 40 chars
if [ "$alg" = "sha1" ]; then alg_digits=40; fi
# SHA-256 hashes are 64 chars
if [ "$alg" = "sha256" ]; then alg_digits=64; fi
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# SHA-1 hashes are 40 chars
if [ "$alg" = "sha1" ]; then alg_digits=40; fi
# SHA-256 hashes are 64 chars
if [ "$alg" = "sha256" ]; then alg_digits=64; fi
case $alg in
(sha1)
# SHA-1 hashes are 40 chars
alg_digits=40;;
(sha256)
# SHA-256 hashes are 64 chars
alg_digits=64;;
(*)
# Invalid
printf 'Invalid hash algorithm %s\n' "$alg" >&2
exit 1;;
esac

initrd/bin/tpmr Outdated
if [ "$alg" = "sha256" ]; then alg_digits=64; fi
shift 2
replayed_pcr=$(extend_pcr_state $alg $(printf "%.${alg_digits}d" 0) $@)
echo $replayed_pcr | hex2bin
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
echo $replayed_pcr | hex2bin
printf %s\\n "$replayed_pcr" | hex2bin

@tlaurion
Copy link
Collaborator Author

tlaurion commented Jan 3, 2024
edited

Edit: finally working PoC:

Execution of PoC:

sha1sum of cbmem filled up to next 512 boundary with ff:
5622416ea417186aa1ac32b32c527ac09009fb5e
TPM Event log for FMAP:
5622416ea417186aa1ac32b32c527ac09009fb5e

Content of PoC

# Create the directory for temporary files
mkdir -p /tmp/secret/

# Fetch the address of the FMAP in memory and write the raw FMAP data to a file
cbmem --rawdump $(cbmem -l | grep FMAP | awk -F " " {'print $3'}) > /tmp/secret/fmap.raw

# Fetch the size of the FMAP from the raw data (4 bytes at offset 8) and store it as a hexadecimal string
fmap_size_hex=$(hexdump -v -e '/1 "%02x"' -s 8 -n 4 /tmp/secret/fmap.raw)

# Rearrange the bytes in the size to little-endian format
fmap_size_le=${fmap_size_hex:6:2}${fmap_size_hex:4:2}${fmap_size_hex:2:2}${fmap_size_hex:0:2}

# Convert the size from hexadecimal to decimal
fmap_size=$((16#$fmap_size_le))

# Calculate the next multiple of 512 that is greater than or equal to the size of the FMAP
next_multiple=$(( ($fmap_size + 511) / 512 * 512 ))

# Calculate the number of bytes needed to fill the fmap.raw file to the next multiple of 512
#fill_size=$(( $next_multiple - $fmap_size ))
fill_size=$(( $next_multiple - $(stat -c%s /tmp/secret/fmap.raw) ))

# Create a file named fill.ff filled with 'ff' of the required size
dd if=/dev/zero bs=1 count=$fill_size 2>/dev/null | tr '\0' '\377' > /tmp/secret/fill.ff

# Append the fill.ff file to the fmap.raw file, resulting in a file named fmap_filled.raw
cat /tmp/secret/fmap.raw /tmp/secret/fill.ff > /tmp/secret/fmap_filled.raw

# Calculate and print the sha1sum of the filled FMAP
echo "sha1sum of cbmem filled up to next 512 boundary with ff:"
sha1sum /tmp/secret/fmap_filled.raw | awk -F " " {'print $1'}

# Remove the /tmp/secret/ directory and all its contents
rm -rf /tmp/secret/

echo "TPM Event log for FMAP:"
cbmem -L | grep FMAP | awk -F " " {'print $2'}

@tlaurion tlaurion force-pushed the WiP_introspection-replicate_PCR_content_from_runtime branch from 8701d14 to 51231f3 Compare January 3, 2024 07:07
@tlaurion
Copy link
Collaborator Author

tlaurion commented Jan 3, 2024
edited

With 5574fb4 we can use dbmem to extract FMAP and pad it up to next 512 byte boundary with ff, and then use cbfs to extract all measured boot correboot stages.

PoC output looks like this from recovery shell on qemu-coreboot-whiptail-tpm1 (debug+trace activated):

~ # tpmr recalculate_firmware_pcr_from_cbfs #Replay coreboot TPM event log from 
CBFS
[   92.166420] TRACE: Under /bin/tpmr
[   92.231076] TRACE: Under /bin/tpmr:recalculate_firmware_pcr_from_cbfs
[   93.048080] DEBUG: calc_pcr sha1 2 5622416ea417186aa1ac32b32c527ac09009fb5e 4f2447281786fe209dbe350a07f31c579f7059c7 1f39b9bdf52c678785c885aaee2a9e6a6ee81381 5e70311bbbff493a813682a12174d3482acfb7ec f527597d31308054375f13329ee1f12d29a3f279 b688d567b0dfe1e1c6e4584289619a525b85cbd6 69d82307aafc1f9eefeac373aa21cdf2123d5c41
[   93.083696] TRACE: Under /bin/tpmr:calc_pcr
[   93.131434] TRACE: Under /bin/tpmr:extend_pcr_state
[   93.162074] DEBUG: Initial PCR state: 0000000000000000000000000000000000000000
[   93.197414] DEBUG: Extending PCR state with argument #1: 5622416ea417186aa1ac32b32c527ac09009fb5e
[   93.264496] DEBUG: Extending PCR state with passed argument #1 hash: 5622416ea417186aa1ac32b32c527ac09009fb5e
[   93.368362] DEBUG: Extending PCR state with argument #2: 4f2447281786fe209dbe350a07f31c579f7059c7
[   93.447132] DEBUG: Extending PCR state with passed argument #2 hash: 4f2447281786fe209dbe350a07f31c579f7059c7
[   93.537201] DEBUG: Extending PCR state with argument #3: 1f39b9bdf52c678785c885aaee2a9e6a6ee81381
[   93.604202] DEBUG: Extending PCR state with passed argument #3 hash: 1f39b9bdf52c678785c885aaee2a9e6a6ee81381
[   93.688703] DEBUG: Extending PCR state with argument #4: 5e70311bbbff493a813682a12174d3482acfb7ec
[   93.752334] DEBUG: Extending PCR state with passed argument #4 hash: 5e70311bbbff493a813682a12174d3482acfb7ec
[   93.846594] DEBUG: Extending PCR state with argument #5: f527597d31308054375f13329ee1f12d29a3f279
[   93.918457] DEBUG: Extending PCR state with passed argument #5 hash: f527597d31308054375f13329ee1f12d29a3f279
[   94.026392] DEBUG: Extending PCR state with argument #6: b688d567b0dfe1e1c6e4584289619a525b85cbd6
[   94.099127] DEBUG: Extending PCR state with passed argument #6 hash: b688d567b0dfe1e1c6e4584289619a525b85cbd6
[   94.204186] DEBUG: Extending PCR state with argument #7: 69d82307aafc1f9eefeac373aa21cdf2123d5c41
[   94.283342] DEBUG: Extending PCR state with passed argument #7 hash: 69d82307aafc1f9eefeac373aa21cdf2123d5c41
[   94.388297] DEBUG: Extended final PCR state: 9eab5af574049405f221292585b01c85cc53872a
[   94.443378] DEBUG: Replayed cbmem -L clean boot state of PCR=2 ALG=sha1 : 9eab5af574049405f221292585b01c85cc53872a
9eab5af574049405f221292585b01c85cc53872a
[   94.640554] DEBUG: Actual TPM PCR-02: 9E AB 5A F5 74 04 94 05 F2 21 29 25 85 B0 1C 85 CC 53 87 2A
[   94.708640] DEBUG: TPM event log reported by cbmem -L: coreboot TPM log:
[   94.748215] 
[   94.819908] PCR-2 5622416ea417186aa1ac32b32c527ac09009fb5e SHA1 [FMAP: FMAP]
[   94.861644] PCR-2 4f2447281786fe209dbe350a07f31c579f7059c7 SHA1 [CBFS: bootblock]
[   94.885169] PCR-2 1f39b9bdf52c678785c885aaee2a9e6a6ee81381 SHA1 [CBFS: fallback/romstage]
[   94.961600] PCR-2 5e70311bbbff493a813682a12174d3482acfb7ec SHA1 [CBFS: fallback/postcar]
[   94.994400] PCR-2 f527597d31308054375f13329ee1f12d29a3f279 SHA1 [CBFS: fallback/ramstage]
[   95.044307] PCR-2 b688d567b0dfe1e1c6e4584289619a525b85cbd6 SHA1 [CBFS: bootsplash.jpg]
[   95.082265] PCR-2 69d82307aafc1f9eefeac373aa21cdf2123d5c41 SHA1 [CBFS: fallback/payload]

It looks like we could add helpers in Makefile to manipulate, post rom assembly per coreboot, an additional forward sealing file containing the expected PCR value for PCR2 for next steps.

Here, the question is what we would want to do with that

  • Validate sealed PCR2 values of firmware prior of calling totp unseal?
  • Flash new firmware and then do the forward resealing of TPM DUK?

DemiMarie
DemiMarie suggested changes Jan 3, 2024
View reviewed changes
initrd/bin/tpmr Outdated
# Create the directory for temporary files
mkdir -p /tmp/secret/
# Fetch the address of the FMAP in memory and write the raw FMAP data to a file
cbmem --rawdump $(cbmem -l | grep FMAP | awk -F " " {'print $3'}) >/tmp/secret/fmap.raw
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
cbmem --rawdump $(cbmem -l | grep FMAP | awk -F " " {'print $3'}) >/tmp/secret/fmap.raw
arg=$(cbmem -l | grep FMAP | awk -F " " {'print $3'})
cbmem --rawdump "$arg" >/tmp/secret/fmap.raw

Hopefully shellcheck catches this.

initrd/bin/tpmr Outdated
Comment on lines 330 to 336
$(read_and_pad_FMAP_from_cbmem) \
$(cbfs --read bootblock | sha1sum | awk -F " " {'print $1'}) \
$(cbfs --read fallback/romstage | sha1sum | awk -F " " {'print $1'}) \
$(cbfs --read fallback/postcar | sha1sum | awk -F " " {'print $1'}) \
$(cbfs --read fallback/ramstage | sha1sum | awk -F " " {'print $1'}) \
$(cbfs --read bootsplash.jpg | sha1sum | awk -F " " {'print $1'}) \
$(cbfs --read fallback/payload | sha1sum | awk -F " " {'print $1'})
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Command substitutions should not be used in command arguments, as failure of the command is ignored. Instead, they should be assigned to a temporary variable.

@tlaurion
Copy link
Collaborator Author

tlaurion commented Jan 3, 2024

With 5bd19f4 on qemu-coreboot-whiptail-tpm2 (with DEBUG/TRACE activated per board config):

~ # tpmr recalculate_firmware_pcr_from_cbfs #Replay coreboot TPM event log from 
CBFS
[   30.736989] TRACE: Under /bin/tpmr
[   30.800904] TRACE: Under /bin/tpmr:recalculate_firmware_pcr_from_cbfs
[   31.497773] DEBUG: calc_pcr sha256 2 02778dad5303b911adc8828cf5101a251a9b2a5a2b711a44159fb89a5a0b5198 f42df98aeda999e2d9e5e5208668a78e1b7bdda5d02600cf4947591f35c67121 3e371b3ffe51f7ee1d483026ca004f0e0d4432de8103c4c1de31011a94fb1612 1b4f09549008ae961072514b397f2e391aa4d9e6c48a673e87c8a12c17be113a 284e7103b372e7ab1ccf3077ba49a754c06d976f33ad74da1bdb7467fa319c19 bc172d6c3551a44fbd6beef7ebbb2d4fa1452c46fcfdeebef1c519f13d668f1b 829573af425b78fa1bb7cb9cfcb61f520d5063f3c3ba2f93d806dedb3af79ac5
[   31.535528] TRACE: Under /bin/tpmr:calc_pcr
[   31.584183] TRACE: Under /bin/tpmr:extend_pcr_state
[   31.622667] DEBUG: Initial PCR state: 0000000000000000000000000000000000000000000000000000000000000000
[   31.693083] DEBUG: Extending PCR state with passed argument #1 hash: 02778dad5303b911adc8828cf5101a251a9b2a5a2b711a44159fb89a5a0b5198
[   31.806253] DEBUG: Extending PCR state with passed argument #2 hash: f42df98aeda999e2d9e5e5208668a78e1b7bdda5d02600cf4947591f35c67121
[   31.911070] DEBUG: Extending PCR state with passed argument #3 hash: 3e371b3ffe51f7ee1d483026ca004f0e0d4432de8103c4c1de31011a94fb1612
[   32.017774] DEBUG: Extending PCR state with passed argument #4 hash: 1b4f09549008ae961072514b397f2e391aa4d9e6c48a673e87c8a12c17be113a
[   32.151362] DEBUG: Extending PCR state with passed argument #5 hash: 284e7103b372e7ab1ccf3077ba49a754c06d976f33ad74da1bdb7467fa319c19
[   32.281688] DEBUG: Extending PCR state with passed argument #6 hash: bc172d6c3551a44fbd6beef7ebbb2d4fa1452c46fcfdeebef1c519f13d668f1b
[   32.416306] DEBUG: Extending PCR state with passed argument #7 hash: 829573af425b78fa1bb7cb9cfcb61f520d5063f3c3ba2f93d806dedb3af79ac5
[   32.522296] DEBUG: Extended final PCR state: ed1bbd19fceca6f7028e4eb97e6854e6ec24bc084e501b049cec0d19e0de82cd
[   32.580794] DEBUG: Replayed cbmem -L clean boot state of PCR=2 ALG=sha256 : ed1bbd19fceca6f7028e4eb97e6854e6ec24bc084e501b049cec0d19e0de82cd
ed1bbd19fceca6f7028e4eb97e6854e6ec24bc084e501b049cec0d19e0de82cd
[   32.754666] DEBUG: Actual TPM     2 : 0xED1BBD19FCECA6F7028E4EB97E6854E6EC24BC084E501B049CEC0D19E0DE82CD
[   32.846124] DEBUG: TPM event log reported by cbmem -L: coreboot TPM log:
[   32.902556] 
[   32.950721] PCR-2 02778dad5303b911adc8828cf5101a251a9b2a5a2b711a44159fb89a5a0b5198 SHA256 [FMAP: FMAP]
[   32.976485] PCR-2 f42df98aeda999e2d9e5e5208668a78e1b7bdda5d02600cf4947591f35c67121 SHA256 [CBFS: bootblock]
[   33.048439] PCR-2 3e371b3ffe51f7ee1d483026ca004f0e0d4432de8103c4c1de31011a94fb1612 SHA256 [CBFS: fallback/romstage]
[   33.093232] PCR-2 1b4f09549008ae961072514b397f2e391aa4d9e6c48a673e87c8a12c17be113a SHA256 [CBFS: fallback/postcar]
[   33.140986] PCR-2 284e7103b372e7ab1ccf3077ba49a754c06d976f33ad74da1bdb7467fa319c19 SHA256 [CBFS: fallback/ramstage]
[   33.178227] PCR-2 bc172d6c3551a44fbd6beef7ebbb2d4fa1452c46fcfdeebef1c519f13d668f1b SHA256 [CBFS: bootsplash.jpg]
[   33.240108] PCR-2 829573af425b78fa1bb7cb9cfcb61f520d5063f3c3ba2f93d806dedb3af79ac5 SHA256 [CBFS: fallback/payload]

@tlaurion tlaurion force-pushed the WiP_introspection-replicate_PCR_content_from_runtime branch from 5bd19f4 to ad79a93 Compare January 3, 2024 18:40
@tlaurion
- Addition of nvmutil (nvm) from osboot project to play with gbe (Tha…
7007d18 
…nks @githubisnonfree!)

- Addition of ifdtool from coreboot project to extract gbe
  - As of now, its implemented in a hacky way:
    - ifdtool dir is copied over ifdtool_cross at coreboot's module configure step
    - then initrd packing step checks for CONFIG_NVMUTIL and builds and pack ifdtool_cross/ifdtool
    - As a result, what is build under build/coreboot/$BOARD is coreboot's real, where build/coreboot/ content follows Makefile rules
- CONFIG_NVMUTIL in board config adds both ifdtool_cross/ifdtool and nvmutil into initrd
- Added CONFIG_NVMUTIL to all hotp-maximized boards (to test for
 size changes)

Manually tested (working!):
- backup rom from: `flashrom -p internal -r /tmp/backup.rom`
- go to that dir: `cd /tmp`
- extract gbe from ifdtool on backup.rom: `ifdtool -x backup.rom`
- source shell functions: `. /etc/functions`
- show current PHY mac address: `nvm showmac flashregion_3_gbe.bin`
- generate mac address from sourced shell functions: `newmac=$(generate_random_mac_address)`
- show new mac: `echo $newmac`
- change mac from nvmtool on extracted gbe: `nvm flashregion_3_gbe.bin setmac $newmac`
- insert modified gbe into backup.rom.new with ifdtool: `ifdtool -i gbe:flashregion_3_gbe.bin backup.rom`
- flash back modified gbe only through flashrom: `flashrom -p internal --ifd -i gbe -w backup.rom.new`

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion
WiP : Add ifdtool and cbfstool to experiment from Heads with cbmem/cb…
5bcd6cd 
…fstool/ifdtool to get same cbmem -L/TPM eventlog/introspection of PRC content equivalence

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion
WiP tpmr: add calc_pcr to simulate PCR content from reset state, meas…
07e3bf7 
…uring files/strings to arrive to same cbmem -L (TCPA/Event log content from real measured stuff)

Traces:

When looking at TCPA log/TPM Event log:

~ # cbmem -L
coreboot TPM log:

 PCR-2 5622416ea417186aa1ac32b32c527ac09009fb5e SHA1 [FMAP: FMAP]
 PCR-2 8bbaeca78eb7e169df69d3687258318b58c8671e SHA1 [CBFS: bootblock]
 PCR-2 73ccefadc0a1be8184be89800e69186a260ebe40 SHA1 [CBFS: fallback/romstage]
 PCR-2 d697f8c98ef6f1b4aca397821e176bb48a227212 SHA1 [CBFS: fallback/postcar]
 PCR-2 b88302e3a46fb7fb11b92730d05c41b5f1f11bcf SHA1 [CBFS: fallback/ramstage]
 PCR-2 b688d567b0dfe1e1c6e4584289619a525b85cbd6 SHA1 [CBFS: bootsplash.jpg]
 PCR-2 9130eeb4cfe031edeabc56e6b84812d49a5a6bda SHA1 [CBFS: fallback/payload]

We see that PCR2 is extended from reset state (40*0) with:
FMAP (only one not under cbfs), bootblock, fallback/romstage, fallback/postcar, fallback/ramstage, bootsplash.jpg, fallback/payload

cbmem permits to extract FMAP from cbmem:
~ # cbmem --rawdump $(cbmem -l | grep FMAP | awk -F " " {'print $3'}) | xxd
00000000: 5f5f 464d 4150 5f5f 0101 0000 60ff 0000  __FMAP__....`...
00000010: 0000 0000 a000 464c 4153 4800 0000 0000  ......FLASH.....
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0300 0000 0800 0000 9800  ................
00000040: 4249 4f53 0000 0000 0000 0000 0000 0000  BIOS............
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0800 0002 0000 464d 4150 0000  ..........FMAP..
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0002 0800  ................
00000090: 00fe 9700 434f 5245 424f 4f54 0000 0000  ....COREBOOT....
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000                           ......

~ # xxd -r cbmem.txt  | sha1sum
6ecd73787c001bbc1215bd8787361e1a63b580cb  -

This sha1sum doesn't match reported TCPA/Event log for FMAP entry:
6ecd73787c001bbc1215bd8787361e1a63b580cb != 5622416ea417186aa1ac32b32c527ac09009fb5e

FMAP extracted from cbfsutil externally from ROM image is padded with ff up to 512 bytes (this is dynamic and cannot be hardcoded magic):

user@heads-tests-deb12:~/heads$ sudo cbfstool ~/heads/build/x86/qemu-coreboot-whiptail-tpm1/heads-qemu-coreboot-whiptail-tpm1-v0.2.0-1955-gfff99df-dirty.rom read -r FMAP -f xxx.bin
user@heads-tests-deb12:~/heads$ xxd xxx.bin > hex.txt
user@heads-tests-deb12:~/heads$ cat hex.txt
00000000: 5f5f 464d 4150 5f5f 0101 0000 60ff 0000  __FMAP__....`...
00000010: 0000 0000 a000 464c 4153 4800 0000 0000  ......FLASH.....
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0300 0000 0800 0000 9800  ................
00000040: 4249 4f53 0000 0000 0000 0000 0000 0000  BIOS............
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0800 0002 0000 464d 4150 0000  ..........FMAP..
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0002 0800  ................
00000090: 00fe 9700 434f 5245 424f 4f54 0000 0000  ....COREBOOT....
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 ffff ffff ffff ffff ffff  ................
000000c0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000d0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000e0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000000f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000100: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000110: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000120: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000130: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000140: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000150: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000160: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000170: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000180: ffff ffff ffff ffff ffff ffff ffff ffff  ................
00000190: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001a0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001b0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001c0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001d0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001e0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
000001f0: ffff ffff ffff ffff ffff ffff ffff ffff  ................
user@heads-tests-deb12:~/heads$ xxd -r hex.txt | sha1sum
5622416ea417186aa1ac32b32c527ac09009fb5e  -

This matches FMAP region measured in TCPA/TPM event log for FMAP trace above:
6ecd73787c001bbc1215bd8787361e1a63b580cb = 6ecd73787c001bbc1215bd8787361e1a63b580cb

It seems that coreboot measured boot code does the same as cbfstool (padding prior of measuring) instead of taking only the raw output we could replicate with cbfs....

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion
Makefile modules/coreboot modules/nvmutil: remove unneeded ifdutil/cb…
6f69f89 
…fsutil/nvmutil for this task.

cbmem+cbfs is enough

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion
bin/tpmr .ash_history: add needed functions to be able to call tpmr r…
2e29463 
…ecalculate_firmware_pcr_from_cbfs

.ash_history: add tpmr recalculate_firmware_pcr_from_cbfs but remove unneeded deprecated ways of doing things

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion
bin/tpmr:recalculate_firmware_pcr_from_cbfs Add basic TPM2 suppport
223b545 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion
WiP tpmr: unify simulated PCR output with raw/TPM event log output fo…
bf7677c 
…r comparison

Buggy as of now, will reverify next week

~ # tpmr verify_coreboot_measured_boot_tpm_event_log_vs_content_measured #Valida
te coreboot TPM event log against cbmem FMAP+cbfs content
[  293.267413] TRACE: Under /bin/tpmr
[  293.390454] TRACE: Under /bin/tpmr
[  293.441752] TRACE: Under /bin/tpmr:replay_pcr
[  293.551759] TRACE: Under /bin/tpmr:extend_pcr_state
[  293.574966] DEBUG: Initial PCR state: 0000000000000000000000000000000000000000000000000000000000000000
[  293.639890] DEBUG: Extending PCR state with passed argument #1 hash: 02778dad5303b911adc8828cf5101a251a9b2a5a2b711a44159fb89a5a0b5198
[  293.761500] DEBUG: Extending PCR state with passed argument #2 hash: 5444dba991b48df882ed1e2b85f0c90f947f6c7f8ed3dd6c91dc70dd661b66cb
[  293.899682] DEBUG: Extending PCR state with passed argument #3 hash: 13d3cacde02deff3d5e1ae2b52e5647c67046fb359b58d3899365a87a7161090
[  294.028814] DEBUG: Extending PCR state with passed argument #4 hash: cea785e25dfdc94b8296a0a2bcc75d2f44f93543d0eb4236a0efa5add87fc97a
[  294.137824] DEBUG: Extending PCR state with passed argument #5 hash: bb2ff5833f90c09916fb972f49963653cf207cc65033276d458e00ce31d4b3d7
[  294.259655] DEBUG: Extending PCR state with passed argument #6 hash: bc172d6c3551a44fbd6beef7ebbb2d4fa1452c46fcfdeebef1c519f13d668f1b
[  294.400277] DEBUG: Extending PCR state with passed argument linuxboot#7 hash: bf037ed20105da5af9affb40353a4bccc9c8e69f2b03b81260573821ccbfa6d8
[  294.514983] DEBUG: Extended final PCR state: ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
[  294.561181] DEBUG: Replayed cbmem -L clean boot state of PCR=2 ALG=sha256 : ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
[  294.699187] TRACE: Under /bin/tpmr
[  294.765450] TRACE: Under /bin/tpmr:recalculate_firmware_pcr_from_cbfs
[  294.812153] TRACE: Under /bin/tpmr:read_and_pad_FMAP_from_cbmem
[  295.853558] TRACE: Under /bin/tpmr:calc_pcr
[  295.909978] TRACE: Under /bin/tpmr:extend_pcr_state
[  295.955343] DEBUG: Initial PCR state: 0000000000000000000000000000000000000000000000000000000000000000
[  296.036572] DEBUG: Extending PCR state with passed argument #1 hash: 02778dad5303b911adc8828cf5101a251a9b2a5a2b711a44159fb89a5a0b5198
[  296.196037] DEBUG: Extending PCR state with passed argument #2 hash: 5444dba991b48df882ed1e2b85f0c90f947f6c7f8ed3dd6c91dc70dd661b66cb
[  296.364665] DEBUG: Extending PCR state with passed argument #3 hash: 13d3cacde02deff3d5e1ae2b52e5647c67046fb359b58d3899365a87a7161090
[  296.528953] DEBUG: Extending PCR state with passed argument #4 hash: cea785e25dfdc94b8296a0a2bcc75d2f44f93543d0eb4236a0efa5add87fc97a
[  296.683826] DEBUG: Extending PCR state with passed argument #5 hash: bb2ff5833f90c09916fb972f49963653cf207cc65033276d458e00ce31d4b3d7
[  296.843403] DEBUG: Extending PCR state with passed argument #6 hash: bc172d6c3551a44fbd6beef7ebbb2d4fa1452c46fcfdeebef1c519f13d668f1b
[  297.011405] DEBUG: Extending PCR state with passed argument linuxboot#7 hash: bf037ed20105da5af9affb40353a4bccc9c8e69f2b03b81260573821ccbfa6d8
[  297.142107] DEBUG: Extended final PCR state: ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
[  297.200198] DEBUG: Replayed cbmem -L clean boot state of PCR=2 ALG=sha256 : ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
[  297.375755] DEBUG: Original TPM PCR2 value:     2 : 0xAB50D5ACD93870448844392A2582099650614E0C75F3B6C3F3A5F7A811AB3BCA
[  297.438635] DEBUG: TPM event log reported by cbmem -L: coreboot TPM log:
[  297.472275]
[  297.514744] PCR-2 02778dad5303b911adc8828cf5101a251a9b2a5a2b711a44159fb89a5a0b5198 SHA256 [FMAP: FMAP]
[  297.559260] PCR-2 5444dba991b48df882ed1e2b85f0c90f947f6c7f8ed3dd6c91dc70dd661b66cb SHA256 [CBFS: bootblock]
[  297.594767] PCR-2 13d3cacde02deff3d5e1ae2b52e5647c67046fb359b58d3899365a87a7161090 SHA256 [CBFS: fallback/romstage]
[  297.632653] PCR-2 cea785e25dfdc94b8296a0a2bcc75d2f44f93543d0eb4236a0efa5add87fc97a SHA256 [CBFS: fallback/postcar]
[  297.688218] PCR-2 bb2ff5833f90c09916fb972f49963653cf207cc65033276d458e00ce31d4b3d7 SHA256 [CBFS: fallback/ramstage]
[  297.723743] PCR-2 bc172d6c3551a44fbd6beef7ebbb2d4fa1452c46fcfdeebef1c519f13d668f1b SHA256 [CBFS: bootsplash.jpg]
[  297.760327] PCR-2 bf037ed20105da5af9affb40353a4bccc9c8e69f2b03b81260573821ccbfa6d8 SHA256 [CBFS: fallback/payload]
[  297.823487] DEBUG: Calculated TPM PCR2 value from files: ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
[  297.872171] DEBUG: Measured boot from TPM event log: ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab
[  297.905953] 3bca
[  297.955757] DEBUG: Measured boot from content measured by coreboot: ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
Failed: TPM event log does not match content measured by coreboot
[  298.008151]  !!! ERROR: TPM event log does not match content measured by coreboot !!!

the 3cba on second line is weird. Close but not good enough

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion tlaurion force-pushed the WiP_introspection-replicate_PCR_content_from_runtime branch from ad79a93 to bf7677c Compare January 5, 2024 17:50
@tlaurion tlaurion marked this pull request as draft January 25, 2024 20:07
@tlaurion tlaurion mentioned this pull request Feb 22, 2024
Open
@tlaurion
Copy link
Collaborator Author

Interesting helpers at TrenchBoot/qubes-antievilmaid#11

@tlaurion tlaurion mentioned this pull request May 24, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DemiMarie DemiMarie DemiMarie requested changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@tlaurion @DemiMarie