Missing .p7b files

[zerellaaa]

I have an external SSD drive which is encrypted and unfortunately has the following legacy PCR validation profile:

0, 2, 4, 11

I could not alter the PCR profile for this encrypted drive :(

Though this drive is not be eligible for the Bitpixie exploit, I am not actually even able to load the PE or Linux environments due to missing files, is this solely because of the PCR profiles? See below for my output running dnsmasq with WinPE BCD configurations.

GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
...
dnsmasq-dhcp: DHCP, IP range 192.168.1.90 -- 192.168.1.200, lease time 1h                                                                 
dnsmasq-dhcp: DHCP, sockets bound exclusively to interface wlp3s0                                                                         
dnsmasq-tftp: TFTP root is /home/user/bitpixie/pxe/tftp                                                                      
dnsmasq: reading /etc/resolv.conf                                    
dnsmasq: using nameserver 127.0.0.53#53                              
dnsmasq: read /etc/hosts - 8 names
...
Breakpoint 1, __libc_open64 (file=0x5555555ce850 "/home/user/bitpixie/pxe/tftp/bootmgfw.efi", oflag=0)                       
    at ../sysdeps/unix/sysv/linux/open64.c:30                                                                                             
warning: 30     ../sysdeps/unix/sysv/linux/open64.c: No such file or directory                                                            
--Type <RET> for more, q to quit, c to continue without paging--                                                                          
$1 = "Preparing stage 1"
...
dnsmasq-tftp: sent /home/user/bitpixie/pxe-server/bootmgfw.efi to 192.168.1.170
dnsmasq-tftp: sent /home/user/bitpixie/pxe-server/bootmgfw.efi to 192.168.1.170
dnsmasq-tftp: error 0 TFTP Aborted received from 192.168.1.170
dnsmasq-tftp: sent /home/user/bitpixie/pxe-server/Boot/BCD to 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/Policies/SbcpFlightToken.p7b not found for 192.168.1.170
dnsmasq-tftp: sent /home/user/bitpixie/pxe-server/Boot/BCD to 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SecureBootPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SkuSiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/WinSiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/ATPSiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SkuSiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/WinSiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/ATPSiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/SkuSiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/WinSiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/ATPSiPolicy.p7b not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/en-GB/BOOTMGFW.EFI.MUI not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/BOOTMGFW.EFI not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/Fonts/wgl4_boot.ttf not found for 192.168.1.170
dnsmasq-tftp: file /home/user/bitpixie/pxe-server/EFI/Microsoft/Boot/Fonts/wgl4_boot.ttf not found for 192.168.1.170

Is there anything else I can try here? Is there another known way to modify the PCR profile?

[martanne]

These files aren't required for a successful exploitation, i.e. you can ignore these messages from the PXE server, they are normal.

As you mentioned this being an external drive, does it use BitLocker To Go? According to my current understanding, the TPM (and hence the PCR profile) would not be involved, because the encryption of the portable drive is not bound to a particular machine.

More information about WinRE based BitLocker attack vectors (including the CVE you mentioned via email) was disclosed in a recent Blackhat presenation. I have no practical experience with it and I'm not aware of any public PoC. The whole security concept seems incredibly shaky to me.

[zerellaaa]

Doesn't use BitLocker To Go. Just a standard nVME SSD that was removed from a PC.

I'm still surprised we cannot modify the PCR profile for an already encrypted drive

[martanne]

When sealing the BitLocker key, a set of PCRs can be specified. The TPM will only release the key material, if the the selected PCRs have the same value as during this sealing process. The whole point of this procedure is to use the TPM to bind the key material to a particular machine. Therefore, the PCR profile is chosen when performing the encryption. Of course once you managed to recover the key material, you can re-seal it with a different set of PCRs.