New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mitigations against event type manipulation in UEFI eventlog #816
Conversation
@kkaarreell the Fedora rawhide tests are currently failing. Is there something that we can fix them or can we just disable them until the issue in rawhide itself is solved? |
According to @sergio-correia same patches as in Re tests, do you mean disable them all or just on Rawhide? |
@kkaarreell: there was a bug open for it already [1], so I just added a comment there some days ago. The maintainer of |
@THS-on Would you mind adding a commit that replaces |
@kkaarreell done. The tests now pass. |
EvSeperatorTest and EvEfiActionTest are test for common constant values in the event log. OnceTest is a test that can be only run once successfully. This is useful for events that we only expect once in the log. It prohibits that this test can be reused to validate other entries by changing the event type. Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
Signed-off-by: Thore Sommer <mail@thson.de>
b3de10e
to
83c13ce
Compare
This looks good to me, but probably needs someone from @maugustosilva 's team to look it over since they did the initial implementation. |
@maugustosilva any chance you could take a look at these changes? |
Passes all my tests, let's merge |
This provides the initial hardening of the example policy against event type manipulation.
This not directly an issue with Keylime, because the UEFI eventlog does not include the metadata in the hash that is used to extend the PCR. The original issue can be found here: https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md
The most effective way to mitigate against that is to reduce the usage of
acceptAll
and limit how often they can be used.As discussed with @mpeters we will first update our example policy and then provide documentation on how to write custom policies.