new pcrlock tool for generating signed PCR policies for PCR 0, 1, 4, … #28891
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
build-system
util-lib
tests
sd-boot/sd-stub/bootctl
meson
please-review
medhefgo
reviewed
Aug 18, 2023
|
Haven't had the time to fully review this yet; but I wanted to share the following link about avoiding footguns whilst verifying the event log. https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md We should really carefully review the code that makes trust decisions based on the event log contents. As multiple event logs can lead to the same PCR values and this allow a smart attacker to tamper with the event log without the user noticing. But from my initial reading of the code we're only using the event log to re-calculate the PCRs. Not actually trusting any of the other fields as trusted. So maybe this is not a concern at all. |
poettering
force-pushed
the
pcrlock
branch
2 times, most recently
from
552ff07
to
df63be0
Compare
so there's three cases where we do use the event log for more:
These three validate the event log and then generate policy for future boots from it by reusing the hashes listed in the event log. In case of lock-firmware-code + lock-firmware-config we'll do so blanket for PCRs 0-3, and up to the separator record for PCRs 4,5. The separator record is hard to fake though, since the hash is about a fixed string, and we validate that. People cannot just tag arbitrary records with EV_SEPARATOR, it must also have the right contents. For PCR 4 we also accept the EV_ACTION with "Calling EFI Application from Boot Option" as point where we stop copying records. This is optional however, as some systems appear not to generate it (in contradiction to the spec afaics). Situation is similar here though. In case of "lock-secureboot-authority" we'll generate policy records from all EV_VARIABLE_AUTHORITY records we find. Here too, the contents is protected by the hash. We do some further checks, such as ensuring the other mesaurements in PCR 7 are in order, i.e. PK, KEK, db are all measured, and in the right order, beofre the first EV_VARIABLE_AUTHORITY. We could go further on EV_VARIABLE_AUTHORITY (and I think Windows does), by ensuring the data in it is always a subset of the "db". But I think we are fairly well protected here so far. While you can corrupt the event log it should be hard to do so in meaningful ways. Also, note that this is not a remote attestation situation, but local only. Or in other words: we very much trust the source of the event log here, it's the kernel and firmware, i.e. stuff we have to rely on anyway. |
poettering
force-pushed
the
pcrlock
branch
2 times, most recently
from
ca750fd
to
4577cc9
Compare
This was referenced Aug 24, 2023
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
bluca
added
needs-rebase
ci-fails/needs-rework 🔥
github-actions
bot
added
please-review
(Contains various test additions added by @mrc0mmand)
|
All points addressed. |
bluca
added
good-to-merge/waiting-for-ci 👍
github-actions
bot
removed
the
good-to-merge/waiting-for-ci 👍
|
I posted an issue on fwupd, in the hope we can convince them to supply expected firmware PCR measurements as .pcrlock files to us: |
ssahani
pushed a commit
to ssahani/systemd
that referenced
this pull request
Nov 23, 2023
…files This is preparation for systemd#28891, which adds a bunch more helpers around "struct iovec", at which point this really deserves its own .c/.h file. The idea is that we sooner or later can consider "struct iovec" as an entirely generic mechanism to reference some binary blob, and is the go-to type for this purpose whenever we need one.
ssahani
pushed a commit
to ssahani/systemd
that referenced
this pull request
Nov 23, 2023
…".." If we use CHASE_PARENT on a path ending in ".." then things are a bit weird, because we the last path we look at is actually the *parent* and not the *child* of the preceeding path. Hence we cannot just return the 2nd to last fd we look at. We have to correct it, by going *two* levels up, to get to the actual parent, and make sure CHASE_PARENT does what it should. Example: for the path /a/b/c chase() with CHASE_PARENT will return /a/b/c as path, and the fd returned points to /a/b. All good. But now, for the path /a/b/c/.. chase() with CHASE_PARENT would previously return /a/b as path (which is OK) but the fd would point to /a/b/c, which is *not* the parent of /a/b, after all! To get to the actual parent of /a/b we have to go *two* levels up to get to /a. Very confusing. But that's what we here for, no? @mrc0mmand ran into this in systemd#28891 (comment)
Yamakuzure
pushed a commit
to elogind/elogind
that referenced
this pull request
Jan 29, 2024
…".." If we use CHASE_PARENT on a path ending in ".." then things are a bit weird, because we the last path we look at is actually the *parent* and not the *child* of the preceeding path. Hence we cannot just return the 2nd to last fd we look at. We have to correct it, by going *two* levels up, to get to the actual parent, and make sure CHASE_PARENT does what it should. Example: for the path /a/b/c chase() with CHASE_PARENT will return /a/b/c as path, and the fd returned points to /a/b. All good. But now, for the path /a/b/c/.. chase() with CHASE_PARENT would previously return /a/b as path (which is OK) but the fd would point to /a/b/c, which is *not* the parent of /a/b, after all! To get to the actual parent of /a/b we have to go *two* levels up to get to /a. Very confusing. But that's what we here for, no? @mrc0mmand ran into this in systemd/systemd#28891 (comment)
halstead
pushed a commit
to yoctoproject/poky
that referenced
this pull request
Feb 5, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 (From OE-Core rev: 30a018a567eb315ab4d5940dad175ec2222bb11e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to openembedded/openembedded-core
that referenced
this pull request
Feb 5, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this pull request
Feb 5, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 (From OE-Core rev: 30a018a567eb315ab4d5940dad175ec2222bb11e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this pull request
Feb 5, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 (From OE-Core rev: 30a018a567eb315ab4d5940dad175ec2222bb11e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this pull request
Feb 5, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 (From OE-Core rev: 30a018a567eb315ab4d5940dad175ec2222bb11e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this pull request
Feb 5, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 (From OE-Core rev: 30a018a567eb315ab4d5940dad175ec2222bb11e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this pull request
Feb 5, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 (From OE-Core rev: 30a018a567eb315ab4d5940dad175ec2222bb11e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this pull request
Feb 5, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 (From OE-Core rev: 30a018a567eb315ab4d5940dad175ec2222bb11e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
quaresmajose
added a commit
to quaresmajose/openembedded-core
that referenced
this pull request
Feb 6, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this pull request
Feb 6, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 (From OE-Core rev: 30a018a567eb315ab4d5940dad175ec2222bb11e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this pull request
Feb 6, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 (From OE-Core rev: 30a018a567eb315ab4d5940dad175ec2222bb11e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to yoctoproject/poky
that referenced
this pull request
Feb 6, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 (From OE-Core rev: 0ee7002d8f6bfca7b275c082d032936494dc7e8e) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
halstead
pushed a commit
to openembedded/openembedded-core
that referenced
this pull request
Feb 6, 2024
The new pcrlock tool systemd-pcrlock [1] is installed when the tpm2 and openssl package config is enabled and with them some pre-defined pcrlock files is installed on the target. [1] systemd/systemd#28891 Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We already support signed PCR policies based on UKIs, computed at UKI build time, based on PCR 11.
This adds a second mechanism for signed PCR policies, covering evreything local, i.e. the firmware, and boot PCRs. The idea is to analyze the event log, identify components of the boot, then use it to precalculate a set of expected PCRs. Then generate a signing key pair, store it in the TPM, lock it down with a signed PCR policy of itself against the PCRs. Whenever a PCR change is expected we can generate a new access policy for the next boot.
This is heavily WIP. Currently only event log analysis is implement and pre-calculating expected PCR measurements. On typical systems this covers 95-100% of the events measured.
Next step is to use this analyze to calculate all expected PCRs and then generate a PCR policy for this.
I am posting this mostly to get initial CI coverage. No ready for review, but it's already a lot of fun to play with the analysis so far.