RFE: Make it possible to 'predict' PCR[7] upon shim update #555
Comments
I think it is probably desirable to NOT use a standalone file, as it introduces the problem of having to find the metadata file that matches the binary you are interested in. I think it would be preferable to be able to extract the info from the shim.efi binary directly, avoiding the need to locate a corresponding metadata file. This could potentially just be a case of adding a specially named PE file section to shim, which contains the hash info in some particular format - it could still be JSON/YAML, just embedded in the PE binary. |
|
Just to be sure I understand, the scenario is that the system is installed, and you've got a new shim binary being installed as part of an update, as well as the tpm log from the current boot, and you want to examine the new binary (and/or just a corresponding metadata file) to tell which log entries it is replacing? |
|
I'd say there are two main scenarios
|
|
Yeah, okay I think that makes plenty of sense, and building it in as a PE section makes sense as well (though I suspect we'll want to emit a separate artifact for convenience as well). That said, I do have a couple of (minor) concerns - the biggest concern is that we probably do need some kind of entry for the system variables, because when you don't have the log, you still need to know the order the extends happen in even if we don't know the value. My other (even more minor) thought is that my go-to for simplicity here is probably CSV rather than JSON or whatnot, though since we're merely embedding it it's less big a deal than if we have to consume it. So, to me this basically looks like we should add a ".tpm" PE section that has something like: ... and so forth, in the order the extends would happen and containing the hashes for those we're aware of. Does this seem more or less right to y'all? |
I'm not so fussed about the ordering of extends, as I feel like that isn't likely to change, and in any case it is just one small part of the much bigger global ordering problem for the whole boot sequence. IOW, I've been pretty much accepting that ordering of PCR extends is something that's going to end up as code, rather than data driven. Or at least if it were data driven, that ordering might be expressed in a data file that describes the inputs for full OS boot sequence. As an example, I've got a PoC python program that demonstrates one possible way to do PCR prediction. It uses two data files that describe the inputs for the guest image and the host(hypervisor) firmware https://gitlab.com/berrange/tpm-prevision/-/blob/master/examples/image.yaml While the ordering of specific extends is still defined by the code, the shim part of it is https://gitlab.com/berrange/tpm-prevision/-/blob/master/tpm/prevision/precog.py#L251 could be interesting to think about how to make the ordering of PCRs be metadata driven across the whole OS boot sequence, but hadn't got as far as considering that.
A CSV with just the hashes would work from a functional POV. I wonder though if it is worth having a format with both the hashes and corresponding actual content. Debugging mis-matched PCR extends is incredibly difficult at the best of times, so if we exposed the source data as well the hashes, it might make life less painful. That might push direct something a bit more expressive than a CSV ? |
|
Assuming we can do both PE section and a standalone artifact, these can be in different formats. I.e. PE section uses CSV for simplicity and the standalone file is a full fledged YAML with not only the resulting hashes but the actual content. |
|
Shim only measures SbatLevel and the CAs used for authenticating things it loads to PCR7, and it's already largely possible to predict these values from a particular shim binary using the information available in the There are still some gaps where it can be tricky - eg, sometimes fixes land that make subtle changes to measurements and it's not possible to identify these externally today. Eg, e3325f8 made a subtle change to the format of authentication measurements in some circumstances. |
Ah, I missed that there were already separate PE sections for this data, thanks for pointing that out.
Yep, I think the raw data is more important than the hashes anyway, since the hashes are easily calculated once you have the raw data.
I think those kind of cases could be handled by exposing a list of string "feature flags". eg that example could have a "authority-with-sig-owner" flag. If there were a PE section ".flags" that could expose a list of named feature flags. Any time the code does something that alters the measurements, add another flag. Apps that need to predict shim PCRs can look for the flags and alter their logic accordingly |
Indeed, I missed as it is only in shim-15.7 but both Fedora and RHEL I've checked ship 15.6. I'll close this for now as it seems we already have the information available. |
Shim extends PCR7 with certain builtin objects, e.g. vendor_db, MokList, vendor_cert, shim_cert, SBAT and these objects may change if shim gets updated. In case there are some objects (e.g. credentials) in the system, TPM sealed against PCR7 (or a set of PCRs including PCR7), these objects require re-sealing against the expected post-reboot PCR state. It is, however, quite hard to extract the required information from shim binary.
The suggestion is to produce the list of hashes from built-in shim objects during shim package build and publish them in an easy to consume form, e.g. standalone JSON or YAML file. Distributions may package this new file significantly simplifying PCR prediction procedure upon shim package update.
Note, this is orthogonal to the system objects which get measured in PCR7, e.g. system DB, DBX,... as these objects are not known during shim package build. Re-sealing procedure may treat this objects as immutable and get the required hashes from TPM event log.
The text was updated successfully, but these errors were encountered: