-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The event data of EV_EFI_VARIABLE_AUTHORITY may not cover the whole EFI variable #9
Comments
When verifying the TPM2_EFI_VARIABLE_AUTHORITY event, the event data may not cover the whole EFI variable. For example, edk2 only measures the x509 certificate in "db" that verifies the EFI image, not the whole "db" variable. Instead of rehashing the EFI variable, just check if the raw event data is from the given EFI variable. (_GNU_SOURCE is introduced to support memem().) Fixes: okirch#9 Signed-off-by: Gary Lin <glin@suse.com>
When verifying the TPM2_EFI_VARIABLE_AUTHORITY event, the event data may not cover the whole EFI variable. For example, edk2 only measures the x509 certificate in "db" that verifies the EFI image, not the whole "db" variable. Instead of rehashing the EFI variable, just check if the raw event data is from the given EFI variable. (_GNU_SOURCE is introduced to support memem().) Fixes: okirch#9 Signed-off-by: Gary Lin <glin@suse.com>
When verifying the TPM2_EFI_VARIABLE_AUTHORITY event, the event data may not cover the whole EFI variable. For example, edk2 only measures the x509 certificate in "db" that verifies the EFI image, not the whole "db" variable. Instead of rehashing the EFI variable, just check if the raw event data is from the given EFI variable. (_GNU_SOURCE is introduced to support memem().) Fixes: okirch#9 Signed-off-by: Gary Lin <glin@suse.com>
Can you attach the -ddd output for one such example event here, please? I'd like to understand what exactly is in this hash. The problem with just re-hashing the existing data we find in the event log is that it will fail when a new shim is installed with a new signer's certificate, or a new grub with a new SUSE certificate. I think we could address this case very much like the "Shim" variable event. We can inspect the shim to extract the x509 certificate of the signer, and build the EFI_SIGNATURE_DATA for it. We would have to consult the db to find the signature owner. |
There are 3 affected EFI_VARIABLE_AUTHORITY events.
|
Thank you. I have some code, but it's not fully working yet. I pushed some new code to the main branch that should help me with lifting data from users' systems as test cases. Can you please give this a spin: ./pcr-oracle --from eventlog all --verify current -d --create-testcase /tmp/pcr-oracle.test Then please create a tarball from /tmp/pcr-oracle.test and send it to me. Thank you! |
Hi!
None of this is tested properly, because I'm currently not testing on openSUSE. Please give it a spin (and don't forget to send me a testcase as described above). |
It's clever to read the CA file directly so that we don't have to fiddle with the shim binary. So far, the "db" and "Shim" events are handled properly in my laptop. The "MokList" event for my kernel is tricky since the kernel file is not in ESP, so there is no BSA event for the kernel path :-\ |
Who generates the MokList event for the kernel? It looks like it's not the shim, because shim loads grub in your log file. Anyway, this issue is getting rather longish. I'll open another one and close this one. |
Let's continue this investigation in issue #14. |
Per TCG Trusted Boot Chain in EDK II:
So the EV_EFI_VARIABLE_AUTHORITY events for db or MokList only cover
EFI_SIGNATURE_DATA
, i.e. the x509 certificate used to verify the EFI image, not the whole variable. In such case, we have to check if the event data is really in the EFI variable and rehash the event data.The text was updated successfully, but these errors were encountered: