rohde-schwarz / trustedgrub2 Goto Github PK
View Code? Open in Web Editor NEWDEPRECATED TPM enabled GRUB2 Bootloader
License: GNU General Public License v3.0
DEPRECATED TPM enabled GRUB2 Bootloader
License: GNU General Public License v3.0
Hi I have been playing with TrustedGRUB2 with TPM 1.2 device and it boots fine for me. It reports No TPM available when I swapped a TPM 2.0 chip in. I'm wondering if there are any supports with 2.0 or is there any plan for the support?
Thanks.
Hi, I am testing to make TrustedGRUB2 working with a UEFI booting machine. I have tested TG2 with an old machine of legacy BIOS booting option, it works correctly without any problem.
Then I turned off the 'legacy BIOS supporting' from the machine's setting. This time it cannot install into the device again. Here is the output error.
/root/TrustedGRUB2/sbin/grub-bios-setup: warning: this GPT partition label contains no BIOS Boot Partition; embedding won't be possible.
/root/TrustedGRUB2/sbin/grub-bios-setup: warning: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged..
/root/TrustedGRUB2/sbin/grub-bios-setup: error: will not proceed with blocklists.
My question is, does TG2 support UEFI boot mechanism? Or it only support the legacy BIOS booting option? If it support UEFI, how can I install it?
Thank you very much.
The multiboot
command measurement does not follow the new convention of measuring the same buffer that is loaded into memory. If someone needs this extra security feel free to send a pull request. See GH #9 for more details
Hello guys. I have successfully installed TrustedGrub2 and the machine boots fine.I have a LUKS encrypted partition (swap + root) and I want to be able to automatically boot if no changes have been done.
Could you provide some guides how to proceed from now on.
Thanks for spending your time.
Hi,
I've installed TrustedGRUB2 on an ubuntu 14.04 machine with a TPM v1.2. The installation was completed without errors, but when I reboot the PC this error while booting was show. What this error means? Thank you
Ernesto
I am using CentOS 7.5 64bit.
I have used these parameters: --target=x86_64 -with-platform=pc
All compile and installation completed without error. When I reboot the system, it does not show any boot menu. Just "grub>" prompt. I have to enter fallowing command to boot.
grub> insmod cryptodisk
grub> insmod luks
grub> set root=(hd0,5)
grub> linux /vmlinuz-3.10.0......x86_64 root=/dev/dm-0
grub> initrd /initramfs-3.10.0....img
grub> boot
Why boot menu does not came? Where did I make mistake?
Hi,
Not sure if this is right place to ask this question, but I couldn't find any mailing list, so asking here.
I see that the first transition from pre-OS code to post-OS code, i.e. first boot sector of the diskboot.img image is itself extended to PCR[8] which is actually meant for static OS ? What is the reasoning for the way PCRs index are being used ?
Thanks & Regards,
- Nayna
What is the list of TPM modules/IC compatible with the TrustedGRUB2? I successfully tested it with Infineon TPM IC (present in most of TPM modules). I would like to know if Nuvoton NPCT620A TPM IC also compatible with it?
I am thinking of using TrustedGRUB2 in a situation where the /boot partition is encrypted, with only TG2 itself being on a clear partition. I understand from the readme that the use of a sealed keyfile is supported for bootloader-stage decryption of /boot. So far so good.
However, in order to actually take the proper measurements and seal the keyfile, I would have to do so within the TG2 boot process itself, wouldn't I? Since doing it later would mean that PCR 10 will be in a different state due to loading the /boot contents.
Furthermore, I wonder how this interacts with PCR 11 and PCR 12.
Perhaps you can clarify what the proper process of using TG2 in such a scenario might be - I take it from the extension of the cryptomount command that this is an intended use case?
I am not sure, where to ask a question, so just put it in the issue section.. Sorry
Thanks for the great work. Is there any work going on in enabling UEFI support or any estimated time?
Hi,
I am implementing an embedded system on x86 and was looking to TrustedGRUB2 to perform unlock of a luksFormat partition. This partition is actually on a RAID array. I think I have all the correct modules loaded in grub. ls
shows the devices and if I use a pass-phrase I can open the encrypted partition.
However, when I use the -k
option it fails, either using unsealing or not (I change the key accordingly to one that is sealed or clear). I put some line numbers into grub-core/disk/luks.c
in the grub_fatal("luks_recover_key_failed")
lines to be able to identify where the function was failing but I am unclear to actually what is happening. My thoughts are the file is not being read. It would appear to drop through to the last fatal on line 601.
I tried on a disk that had both ms_dos
and gpt
layouts. For reference I build TrustedGRUB2 with the following options which is a derivation of what the buildroot team use for GURB2:
TRUSTEDGRUB2_TARGET = i386
TRUSTEDGRUB2_PLATFORM = pc
TRUSTEDGRUB2_CONF_OPTS = \
--prefix=$(HOST_DIR) \
--disable-nls \
--target=$(TRUSTEDGRUB2_TARGET) \
--with-platform=$(TRUSTEDGRUB2_PLATFORM) \
--disable-grub-mkfont \
--enable-efiemu=no \
--enable-liblzma=no \
--enable-device-mapper=no \
--enable-libzfs=no \
--disable-werror
If I try to unseal the key then I am faced with the following error:
Attempting to decrypt master key...
tcg_passThroughToTPM: asm_tcg_passThroughToTPM failed: 10000
Aborted. Press any key to exit.
If I try to use the key in the clear I get:
Attempting to decrypt master key...
luks_recover_key failed
Aborted. Press any key to exit.
The grub config is I am using is:
set default="0"
set timeout="5"
menuentry "Bank 1" {
cryptomount md/0,gpt1 -k (hd0,gpt2)/keyfile -s
linux (hd0,gpt5)/boot/bzImage
}
If I change the keyfile name in grub so it is mismatched with the file on the disk I get the correct error that the file is not found, ie:
error: file `/keyfil' not found
But somewhere along the line the keyfile is not being pass through. Do you have any pointers for me as to where I am going wrong?
Thanks,
Al
When I execute the make
, I get the following error:
make[3]: Entering directory '/home/user/Downloads/TrustedGRUB2/grub-core'
gcc -DHAVE_CONFIG_H -I. -I.. -Wall -W -DGRUB_MACHINE_PCBIOS=1 -DGRUB_MACHINE=I386_PC -m32 -nostdinc -isystem /usr/lib/gcc/x86_64-linux-gnu/6/include -I../include -I../include -DGRUB_FILE=\"lib/disk.c\" -I. -I. -I.. -I.. -I../include -I../include -I../grub-core/lib/libgcrypt-grub/src/ -D_FILE_OFFSET_BITS=64 -Os -Wall -W -Wshadow -Wpointer-arith -Wundef -Wchar-subscripts -Wcomment -Wdeprecated-declarations -Wdisabled-optimization -Wdiv-by-zero -Wfloat-equal -Wformat-extra-args -Wformat-security -Wformat-y2k -Wimplicit -Wimplicit-function-declaration -Wimplicit-int -Wmain -Wmissing-braces -Wmissing-format-attribute -Wmultichar -Wparentheses -Wreturn-type -Wsequence-point -Wshadow -Wsign-compare -Wswitch -Wtrigraphs -Wunknown-pragmas -Wunused -Wunused-function -Wunused-label -Wunused-parameter -Wunused-value -Wunused-variable -Wwrite-strings -Wnested-externs -Wstrict-prototypes -g -Wredundant-decls -Wmissing-prototypes -Wmissing-declarations -Wextra -Wattributes -Wendif-labels -Winit-self -Wint-to-pointer-cast -Winvalid-pch -Wmissing-field-initializers -Wnonnull -Woverflow -Wvla -Wpointer-to-int-cast -Wstrict-aliasing -Wvariadic-macros -Wvolatile-register-var -Wpointer-sign -Wmissing-include-dirs -Wmissing-prototypes -Wmissing-declarations -Wformat=2 -march=i386 -m32 -mrtd -mregparm=3 -falign-jumps=1 -falign-loops=1 -falign-functions=1 -freg-struct-return -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow -msoft-float -fno-dwarf2-cfi-asm -fno-asynchronous-unwind-tables -Qn -fno-PIE -fno-stack-protector -Wtrampolines -Werror -ffreestanding -MT lib/disk_module-disk.o -MD -MP -MF lib/.deps-core/disk_module-disk.Tpo -c -o lib/disk_module-disk.o `test -f 'lib/disk.c' || echo './'`lib/disk.c
mv -f lib/.deps-core/disk_module-disk.Tpo lib/.deps-core/disk_module-disk.Po
gcc -Os -Wall -W -Wshadow -Wpointer-arith -Wundef -Wchar-subscripts -Wcomment -Wdeprecated-declarations -Wdisabled-optimization -Wdiv-by-zero -Wfloat-equal -Wformat-extra-args -Wformat-security -Wformat-y2k -Wimplicit -Wimplicit-function-declaration -Wimplicit-int -Wmain -Wmissing-braces -Wmissing-format-attribute -Wmultichar -Wparentheses -Wreturn-type -Wsequence-point -Wshadow -Wsign-compare -Wswitch -Wtrigraphs -Wunknown-pragmas -Wunused -Wunused-function -Wunused-label -Wunused-parameter -Wunused-value -Wunused-variable -Wwrite-strings -Wnested-externs -Wstrict-prototypes -g -Wredundant-decls -Wmissing-prototypes -Wmissing-declarations -Wextra -Wattributes -Wendif-labels -Winit-self -Wint-to-pointer-cast -Winvalid-pch -Wmissing-field-initializers -Wnonnull -Woverflow -Wvla -Wpointer-to-int-cast -Wstrict-aliasing -Wvariadic-macros -Wvolatile-register-var -Wpointer-sign -Wmissing-include-dirs -Wmissing-prototypes -Wmissing-declarations -Wformat=2 -march=i386 -m32 -mrtd -mregparm=3 -falign-jumps=1 -falign-loops=1 -falign-functions=1 -freg-struct-return -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow -msoft-float -fno-dwarf2-cfi-asm -fno-asynchronous-unwind-tables -Qn -fno-PIE -fno-stack-protector -Wtrampolines -Werror -ffreestanding -m32 -Wl,-melf_i386 -Wl,--build-id=none -nostdlib -Wl,-N -Wl,-r,-d -o disk.module lib/disk_module-disk.o
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status
Makefile:24266: recipe for target 'disk.module' failed
make[3]: *** [disk.module] Error 1
My gcc version:
gcc --version
gcc (Debian 6.3.0-6) 6.3.0 20170205
The error seems to be caused by the fact that GCC 6 is using by default the -pie
option. This can be fixed by appending LDFLAGS="-no-pie"
to ./configure'
:
./configure LDFLAGS="-no-pie"
Afterwards, make completes normally.
The current implementation is TPM 1.2 based. Are there any plans to support TPM 2.0 in the future?
Hi,
I built trustedgrub2 and installed it, no error when installing it on /dev/sda.
TPM is enabled but when I reboot my server after installation (Lenovo X3650 M5), I get stuck at:
TrustedGRUB2 loading.
Welcome to TrustedGRUB2!
/boot partition in not encrypted.
No errors are thrown even after waiting several minutes.
Is there a way to troubleshoot this issue?
I have two raid : sda with raid 1 and sdb2 with raid 5 . I have modified tpm-luks.conf for /dev/sda2 and sdb1 with index 1 and 2 . However i reboot the Pc , the application asks me the password on the volumes ... I don't understand ... Best regard
Dear TrustedGRUB2 team,
What license is this software released under? I was unable to find any information clarifying attribution requirements or distribution requirements.
Thanks and Regards,
J
In version 1.3 with debug info, I can see that hash values of kernel and ramdisk are correct and have been written to PCR-10. However when I change kernel or ramdisk on purpose, the PCR-10 has been updated to a new value automatically and device still can boot successfully. I do not see the verification process to avoid the illegal change of kernel or ramdisk.
Am I wrong in somewhere?
What I'm trying to do is install TrustedGRUB2 on a Lenovo x3550 M5 server to boot into a CentOS installation on disk. Without any changes, TrustedGRUB2 will successfully measure core.img and diskboot.img. After that it will try to load the GRUB modules which fail by being stuck inside grub_bios_interrupt for TCG_HashLogExtendEvent. To clarify, this means that if I print a message before and after grub_bios_interrupt inside grub_TPM_int1A_hashLogExtendEvent the message after is not printed and GRUB does not abort. I can also provide a video of the console if that helps.
I noticed that for earlier measurements (which work) you use TCG_CompactHashLogExtendEvent. If I modified the source for grub_TPM_int1A_hashLogExtendEvent to use this interrupt instead everything suddenly starts to work. My suspicion is that there's a bug inside Lenovo's implementation of this interrupt, but I've pretty much hit a wall in trying to debug this further.
Have you ever run into any similar issues or have any ideas on how to proceed?
BIOS Information: UEFI 2.10 Build TBE124M
# tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.5.81
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: WEC
Vendor Specific data: 0000
TPM Version: 01010000
Manufacturer Info: 57454300
Some more information about my build:
I have installed trustedgrub2 successfully.
and now when i rebooted, it identifies the tpm, shows
Booting From Harddisk
Trustedgrub2 loading....
And then goes reboot to "booting from hard disk"... It is just looping over this and not proceeding.
What might be the issue ?
Where can i check issues ?
Hello again,
I've made some research and I am in the move to integrate trustedgrub2 with a modified vesion of tpm-luks (improvements + rhel7 support), you may find in my github repos.
My next questions are about how one shuold configure trustedgrub2 with tpm-luks.
For 1., it seems I'll need to seal with all PCR values, 8 to 12, but should I add other numbers (like 0 etc.) ? May is it possible to compute
I will also probably add a password to the sealed NVRAM, as TPM has a built-in security that locks the TPM to prevent brute force attacks.
For 2, in the original tpm-luks, there is a shell script which computes the permissions file to seal the NVRAM. This is basically a simple text file containing a list of "r ". Unfortunately this script was made for grub1, and I'll need to update it to deal with grub2 config files. May be you can help in identifying the elements I should compute the hash for, and I hope this is possible to do.
I'll be happy to share my experience on all this with you as it seems nobody has ever tried to do all this before :)
I want to be able to decrypt the rootfs from TrustedGRUB2 using keys from TPM that were not sealed (do not rely on a good state). Is that possible? Is there an example config I can use to achieve that?
Thanks!
Hello,
First of all, thank you for making this project!
I would like to know if building TrustedGRUB 2 from the same source archive would lead to the same output binaries each time and, in consequence, to the same measurements in the TPM.
Hello,
I'm installing my new PC on archlinux and I have an error when I try to compile TrustedGRUB2.
I don't know if my problem is related with TrustedGrub so I post my issue here. But I'm sorry in advance if I'm wrong.
When I try to compile TrustedGRUB2, I have this error:
grub-core/osdep/unix/getroot.c: Dans la fonction « grub_util_biosdisk_is_floppy »:
grub-core/osdep/unix/getroot.c:751:13: erreur : In the GNU C Library, "major" is defined
by <sys/sysmacros.h>. For historical compatibility, it is
currently defined by <sys/types.h> as well, but we plan to
remove this soon. To use "major", include <sys/sysmacros.h>
directly. If you did not intend to use a system-defined macro
"major", you should undefine it after including <sys/types.h>. [-Werror]
if (major(st.st_rdev) == FLOPPY_MAJOR)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1 : tous les avertissements sont traités comme des erreurs
make[2]: *** [Makefile:5618: grub-core/osdep/unix/libgrubkern_a-getroot.o] Error 1
make[1]: *** [Makefile:10703: all-recursive] Error 1
make: *** [Makefile:3099: all] Error 2
Here is my version of gcc:
Utilisation des specs internes.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.1/lto-wrapper
Cible : x86_64-pc-linux-gnu
Configuré avec: /build/gcc-multilib/src/gcc/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-shared --enable-threads=posix --enable-libmpx --with-system-zlib --with-isl --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --enable-gnu-indirect-function --enable-multilib --disable-werror --enable-checking=release
Modèle de thread: posix
gcc version 6.3.1 20170306 (GCC)
I try to add "#include <sys/sysmacros.h>" but I have another similar error with "makedev".
Thank in advance for your help.
The TCG code added to grub-core/disk/luks.c
function luks_recover_key()
introduced out-of-bounds memory access in its handling of the variables secret
and secretSize
.
Specifically, on luks.c
line 389 (master), secret
is set to the contents of a disk file of arbitrary size while secretSize
is set to keysize
, a quantity unrelated to the length of the disk file. Further, on line 398, secret
is set to the unsealed contents of a disk file but secretSize
is not changed at all.
These circumstances result in the call to grub_crypto_pbkdf2()
on line 437 passing a byte array secret
with an incorrect length secretSize
. If the true length of secret
is less than the value keysize
, such as a disk file or sealed payload that is shorter than required, this will result in the GRUB crypto functions reading from the heap past the length of the secret
byte array. Since the functions are merely computing hashes and GRUB is running in real mode, this is unlikely to introduce a security vulnerability nor crash, but generally considered unsafe practice.
Moreover, in any case where the keyfile (or sealed key payload) is of a different size than the native key length in the LUKS header, this will result in incorrect hashing and decrypt failures. In particular, there is no requirement that the keyfile be exactly the size of the native key length in LUKS, due to the PBKDF2 hashing. I believe this to be the true cause of the problem in issue #5.
luks.c
lines 388 - 389 should be changed to:
secret = (char*) keyFileBuf;
secretSize = fileSize;
luks.c
line 398 should be changed to:
secret = (char*) unsealedKeyFile;
secretSize = resultSize;
I'm trying to complile TrustedGRUB2 on Debian stretch x64. make
returns
gcc -Os -Wall -W -Wshadow -Wpointer-arith -Wundef -Wchar-subscripts -Wcomment -Wdeprecated-declarations -Wdisabled-optimization -Wdiv-by-zero -Wfloat-equal -Wformat-extra-args -Wformat-security -Wformat-y2k -Wimplicit -Wimplicit-function-declaration -Wimplicit-int -Wmain -Wmissing-braces -Wmissing-format-attribute -Wmultichar -Wparentheses -Wreturn-type -Wsequence-point -Wshadow -Wsign-compare -Wswitch -Wtrigraphs -Wunknown-pragmas -Wunused -Wunused-function -Wunused-label -Wunused-parameter -Wunused-value -Wunused-variable -Wwrite-strings -Wnested-externs -Wstrict-prototypes -g -Wredundant-decls -Wmissing-prototypes -Wmissing-declarations -Wextra -Wattributes -Wendif-labels -Winit-self -Wint-to-pointer-cast -Winvalid-pch -Wmissing-field-initializers -Wnonnull -Woverflow -Wvla -Wpointer-to-int-cast -Wstrict-aliasing -Wvariadic-macros -Wvolatile-register-var -Wpointer-sign -Wmissing-include-dirs -Wmissing-prototypes -Wmissing-declarations -Wformat=2 -march=i386 -m32 -mrtd -mregparm=3 -falign-jumps=1 -falign-loops=1 -falign-functions=1 -freg-struct-return -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow -msoft-float -fno-dwarf2-cfi-asm -fno-asynchronous-unwind-tables -Qn -fno-PIE -fno-stack-protector -Wtrampolines -Werror -ffreestanding -m32 -Wl,-melf_i386 -Wl,--build-id=none -nostdlib -Wl,-N -Wl,-r,-d -o disk.module lib/disk_module-disk.o
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status
Makefile:24266: recipe for target 'disk.module' failed
make[3]: *** [disk.module] Error 1
gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/6/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 6.2.1-5' --with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-6 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc=auto --enable-multiarch --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 6.2.1 20161124 (Debian 6.2.1-5)
ld -version
GNU ld (GNU Binutils for Debian) 2.27.51.20161127
The most recent commits to master brought in Grub 2.02 and documented release 1.5.0 in the Changelog.md
. Should the current version of master be considered 1.5.0 and do you have plans to git tag a release of 1.5.0?
Currently PCR 10 is used for grub2-modules, Linux-kernel, initrd, ntldr, etc.
I wan't to have grub2 measurements seperated from other usecase specific measurements.
The goal is to use PCR 10 for grub2-modules, fonts, locales etc. and some other PCR for initrd, kernel etc.
I am currently using TrustedGrub2.
As I expected the PCR 8 (diskboot.S), PCR 9 (boot.S) , PCR10 and PCR11 are filled by the TrustedGrub2. I can see the value under my fedora 21 with the tpm_readpcr command.
In parallel, I used openpts for generation an attestation.
Openpts attestation is based on TPM eventlog.
So when I try to look at the TPM event log, no event are reported for PCR8,PCR9,PCR10,PCR11.
I check it out by typing the command "iml2text". (trace below).
Is it normal ?
If yes is it planned to add this feature to TrustedGrub2 ?
Trace of iml2text.
[root@localhost TrustedGRUB2]# iml2text
0 0 0x00000008 c42fedad268200cb1d15f97841c344e79dae3320 [BIOS:EV_S_CRTM_VERSION]
1 0 0x00000001 5553ddf5f17dbc8609fdce6a14ffc5be9faf2084 [BIOS:EV_POST_CODE(EV_CODE_NOCERT)]
2 0 0x80000009 a50db81c18bf95bb16d5f375043818a926da8a0a [BIOS:EV_EFI_HANDOFF_TABLE,num=0x1,GUID=11d8ac35-fb8a-44d1-8d-09-0b-56-06-d3-21-b9]
3 0 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
4 1 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
5 2 0x80000005 b8d3f0963299c8f016382bba508e56d260cbabb3 [BIOS:EV_EFI_RUNTIME_SERVICES_DRIVER,base=0xdc76e018,len=0x2e40,len=0x180000000,len=0x0]
6 2 0x00000006 ab125862bd8dc852f1d2b5fad7eb8f2847f3943b [BIOS:EV_EVENT_TAG(EV_PLATFORM_SPECIFIC)]
7 2 0x00000006 7d6f11c82dab57d0ed1b0c0d8a87954899b2b220 [BIOS:EV_EVENT_TAG(EV_PLATFORM_SPECIFIC)]
8 2 0x00000006 868a1e48243629c8ba950faac0fdf0898d4405d5 [BIOS:EV_EVENT_TAG(EV_PLATFORM_SPECIFIC)]
9 2 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
10 3 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
11 4 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
12 4 0x00000005 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f [BIOS:EV_ACTION, Calling INT 19h]
13 4 0x00000005 38f30a0a967fcf2bfee1e3b2971de540115048c8 [BIOS:EV_ACTION, Returned INT 19h]
14 4 0x00000005 410ec39247963e52793f7047bf2ac5f1eee25574 [BIOS:EV_ACTION, Booting Bcv Device P4: GLS85LS1032A CS 32GBN A101]
15 4 0x0000000d 275d29c63c9b9a95f22be7284939a7990ead49ca [BIOS:EV_IPL]
16 5 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
17 5 0x0000000e 33b2488503f7e1a56bda3a47b607e4d5ec30a51d [BIOS:EV_IPL_PARTITION_DATA]
18 6 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
19 7 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
20 10 0x00000000 b9e131be993a209f6a97f25559eb1c833bcd21fc [IMA:(TBD)]
Hi,
The normal grub2 is installing and running properly, but when I try to install TrustedGRUB2 I receive:
sudo /opt/trustedgrub2/sbin/grub-install --directory=/opt/trustedgrub2/lib/grub/i386-pc/ /dev/sda
Installing for i386-pc platform.
/opt/trustedgrub2/sbin/grub-install: warning: cannot open directory `/opt/trustedgrub2/share/locale': No such file or directory.
/opt/trustedgrub2/sbin/grub-install: error: disk `lvm/sda1_crypt' not found.
sda1_crypt is the alias for the decrypted /dev/sda1 which is my boot partition.
I guess it is because of the /boot encryption, as /opt/trustedgrub2/sbin/grub-mkconfig is throwing the same error. My idea is to enter the luks password once, to decrypt the /boot partition, and then use TrustedGRUB2 with TPM to decrypt the other partitions. Is that possible at the moment?
The HP workaround makes it necessary to append --no-rs-codes
to grub-install
. Otherwise the system will end in a reboot loop.
People will forget this easily. So only activate the workaround explicitly.
#14
Hello i compiled the grub source from here and tried loading on my HP Z440 desktop.
I have enabled the TPM security knob in my BIOS but i am seeing this error and my system refuses to Boot
+++++++++++++++++++++++++
rustedGRUB2 loading
Welcome to TrustedGRUB2!
TCG_HasgLogExtendEvent failed : 0x2
Aborted. Press any key to exit
+++++++++++++++++++++=
Any ideas what am i doing wrong here.
I looked the TCG PC spec the error number 0x2 seems to indicate that i got TCG_PC_LOGOVERFLOW
it means insufficient memory to create log entry. What am i missing here
my dmesg output when i boot without trusted grub shows this
tpm_tis 00:09: 1.2 TPM (device-id 0x1A, rev-id 16)
This was tested using TrustedGRUB2 1.2.1 in debug mode on Arch Linux using the standard (latest) kernel and initramfs.
There is a bug in the SHA-1 implementation of TrustedGRUB2. If a hash is calculated over an initramfs file, the resulting SHA-1 hash is incorrect. If a hash is calculated over a file with the same size as the initramfs file but filled with random data, the SHA-1 hash is calculated correctly.
Expected behavior:
SHA-1 hashes calculated by TrustedGRUB2 based on any file should be equal to the output of other SHA-1 implementations.
Actual behavior:
SHA-1 hashes calculated by TrustedGRUB2 can differ compared to the output of other SHA-1 implementations.
To test this:
You will need to have TrustedGRUB2 installed with the debug option for TPM operations enabled.
In binaryfiles.zip are two files. ramdisk.bin is an initramfs file. random.bin is a file filled with semi-random data (source: /dev/urandom) of the same size.
Copy these two files to your /boot partition. Add the following lines at the bottom of your Linux boot entry in /boot/grub/grub.cfg:
measure /ramdisk.bin 13
measure /random.bin 14
sleep 120
With debug enabled, you will see the SHA-1 hashes for two minutes. Look for the hashes calculated to extend PCRs 13 and 14. The SHA-1 hashes as calculated by TrustedGRUB2:
ramdisk.bin: e08917009ede788e93e54f3d4d921276980e995e
random.bin: 3485431bf315767c9010857a40dd5b01f0b22c7f
For reference, these are the SHA-1 values as calculated by GNU Core Utilities' sha1sum
:
$ sha1sum /boot/ramdisk.bin
1778d21a9c7b5f6d432494941ebde5de02303d2c /boot/ramdisk.bin
$ sha1sum -b /boot/ramdisk.bin
1778d21a9c7b5f6d432494941ebde5de02303d2c */boot/ramdisk.bin
$ sha1sum /boot/random.bin
3485431bf315767c9010857a40dd5b01f0b22c7f /boot/random.bin
$ sha1sum -b /boot/random.bin
3485431bf315767c9010857a40dd5b01f0b22c7f */boot/random.bin
The same SHA-1 function used by Microsoft's implementation, indicating that sha1sum
is correct (since if the implementation of sha1sum
would be flawed, it would be unlikely that Microsoft's implementation would contain the same flaw):
C:\>fciv -sha1 ramdisk.bin
//
// File Checksum Integrity Verifier version 2.05.
//
1778d21a9c7b5f6d432494941ebde5de02303d2c ramdisk.bin
C:\>fciv -sha1 random.bin
//
// File Checksum Integrity Verifier version 2.05.
//
3485431bf315767c9010857a40dd5b01f0b22c7f random.bin
The use of the measure
command in TrustedGRUB2 in the above example is for clarity. The same wrong hash is also calculated by the initrd
command. Due to this, values of PCR-10 are wrong starting from the measurement of the initramfs. Note that hashes for kernel files are calculated correctly.
I also tried it with a newly generated initramfs file with some changed files inside and a newly generated random file. Again, the SHA-1 hash value calculated for the new initramfs was incorrect, whereas this value for the random data file was correctly calculated.
Correct calculation of SHA-1 hash values of startup files is vital when sealing new startup files to PCRs before a reboot and unsealing the same data after a reboot. (Re)sealing relies on two SHA-1 implementations:
sha1sum
, which is correct).Hello, thank's a lot for your contribution, as we are trying to use tpm-luks on rhel7.
I was curious if we could get rid of tp-luks and use cryptomount -k KEYFILE -s.
For what I understand, -K KEYFILE specifies the file to use by LUKS, so no more nead to use a password, and -s mean unsealing the file (decrypt ?) using the unseal command of the TPM.
If this is all true, I haven't yet found a way to seal the file, is there something special to do for this ? Is it using PCR or something else ?
Or maybe I am totaly wrong and this has nothing to do with luks.
FYI: i finnaly get my rhel7 working with grub2 + tpm-luks + recompiled(trousers,tpm-tools) and it automatically open luks using NVRAM secured with PCR without password.
I am using tpm-luks
to store keys in the TPM NVRAM and the initramfs has a module (provided by tpm-luks) which retrieves the key from TPM and mounts the LUKS partition using that key. These keys can also be sealed using the TPM and are only retrievable if the TPM is in the correct state.
The issue is that when I upgrade the kernel etc., the PCR states will change on next boot and I won't be able to unseal the data. So my question is, what specific things does TrustedGRUB2 measure that I can measure using tpm-luks
kernel update hook so that the key can be reasealed using the correct PCR states?
In particular, from the question here: #2, I gather:
dd if=/dev/sdX bs=512 skip=1 count=1 | sha1sum
and then PCR8 = sha1sum( 0000000000000000000000000000000000000000 || SHA1 from command above )
.menuentry
string itself? This assumption is from reading the TrustedGRUB2 code so I am not 100% sure - would appreciate if you could confirm!And of course I can easily verify this on the machine to make sure that tpm-luks
and TrustedGRUB2
are making the same measurements.
Thanks a lot for being so helpful! 😄
Hi Daniel Neus,
I am not sure, it is a good place to ask this question..
You have done the PCR read & write with trusted GRUB, just wondering, is it possible to extend that feature to retrieve keys from TPM as well (does TPM offers that API)?
I know with trousers, we can do it after boot but not sure we can do that during BIOS/Boot loader stage.
Thanks
But still keep a compile time flag to activate a "works with TPM only mode"
#14
Hi guys,
as I'm new to TrustedGRUB 2 , I'm not sure that the situation that have happened to me is really an issue.
Let me summarize.
I'm trying to make the TPM unlock the LUKS encrypted partition without user intervention.
Please provide your guidance ,as I expected that TrusedGRUB 2 should still boot the system and LUKS to ask for password.
grub-core/loader/i386/linux.c appears to read the kernel from disk into a series of buffers for later execution, and then reads the kernel again to perform a measurement. A sufficiently malicious storage device might provide a backdoored kernel on the first read attempt, followed by the correct kernel on the second read attempt. The measurement would then appear correct.
Hi,
When I was using grub-0.97 (I know... long time ago) there were some very useful options for embedded systems to avoid a lot of files in the physical support, facilitating the update process for instance. With this version I only have three files: stage1, e2fs_stage1_5 and stage2. That's perfect for rigid environments :)
Now I need some TPM support and I need to update my boot process. I'm missing two options and I would like to ask how difficult could be implementing them.
Thanks!
What I am doing is build TrustedGrub2 on Ubuntu 16.04 in Broadwell DE / Xeon platform (AMI BIOS:core version 5.0.11 0.20 x64).
Nonetheless, after using the tpm-tool to seal data with PCRS 8 & 9, the TrustedGrub2 was unable to unseal the with the key.
Is there any specific mismatch in seal/unseal procedure or detail information about the return error code (TCG_PassThroughFail: 0xc0000)
Thank you!
Kernels loaded using the multiboot
command don't seem to be measured. E.g. a typical Xen menuentry looks like this:
menuentry 'Xen with Linux 3.2 ...' {
...
multiboot /xen.gz placeholder ${xen_rm_opts}
module /vmlinuz-3.2 placeholder root=/dev/sda1 ...
module --nounzip /initramfs-3.2.img
...
}
In this case, the files xen.gz
, vliminux-3.2
, initramfs-3.2.img
need to be measured but aren't. The command functions are defined in grub-core/loader/i386/xen.c
.
The change seems simple enough if I don't follow the new convention of measuring the same buffer that is loaded into memory. Would you be able to pick this up or would you rather I work on it?
It's me again...
You might be interested in the xtra/TructedGRUB2.spec file I've made to build the rpm.
OK, this is probably a very bad spec file, I learned about building RPM only 3 days ago, and my only objective was to have a very simple RPM to deploy on servers without having to manually build localy.
I found the spec file of grub2 2.0.2 on the web, but it seems much to complex for my poor little experience.
Also, I didn't understand the difference between grub and efi (on my hardware grub.cfg files are in /boot/efi/... instead of only /boot, I still haven't understood why. Should we build something special to have EFI support ? or should I just forget about it, and if so, what should I do with the 2 partitions /boot and /boot/efi ?
My comprehension was that EFI needed to be signed, so maybe TrustedGRUB2 cannot work in EFI mode.
Thank's a lot!
Out of idle curiosity, I'm putting together a luks system with a keyfile for unlocking the system at boot. According to the readme, TrustedGRUB2 is supposed to support the -k argument to specify a keyfile, but it doesn't appear to be working. The system is a clean install of slackware, with TrustedGRUB2 built from source; the vanilla GRUB2 package has never touched the disk.
It seems as TrustedGRUB2 is constantly rebooting if there are more than five submenu entries in grub.cfg. The grub.cfg that triggers the rebooting is https://gist.github.com/anonymous/07fe464370636e3b4b69 . Could anyone maybe confirm that issue? And, in case it is reproducible, how could it be fixed?
Update: It seems as the number of submenu entries that TrustedGRUB2 is working with depends on the path length of the linux, initrd, systemConfig or init entries.
The general idea of this test case is the following: We will seal a piece of data using TPM and try to unlock it from TrustedGrub2. Every time I try to unseal the key I get a TCG_PassThroughFail: 0xc0000 error.
The test is as follows:
Download VirtualBox or VMWare
Download Ubuntu 16.04 (http://releases.ubuntu.com/16.04/ubuntu-16.04.2-desktop-amd64.iso)
Install the OS
sudo apt-get update
sudo apt-get install build-essential automake autopoint libtool libtspi-dev bison flex git
wget https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2/archive/1.4.0.tar.gz
tar xzf 1.4.0.tar.gz
cd TrustedGRUB2-1.4.0/
export INSTALL_DIR=/path/to/install_dir
./autogen.sh
./configure --prefix=$INSTALL_DIR --target=i386 -with-platform=pc
make CPPFLAGS=-DTGRUB_DEBUG && make install
If everything goes well we should have a file called grub-install under $INSTALL_DIR/sbin/
I installed TrustedGrub2 into a USB stick using the following command:
sudo $INSTALL_DIR/sbin/grub-install --directory=$INSTALL_DIR/lib/grub/i386-pc /dev/sdb ; # device name may be different in your case
Build tpm-tools and tpm ownership
I used Ubuntu 16.04 running on a machine that we want to seal/unseal a key.
Clear and enable TPM (from BIOS)
Boot the OS
sudo apt-get update
sudo apt-get install git
git clone https://github.com/shpedoikal/tpm-tools.git
git checkout tpm-sealdata-raw (# checking out this branch is very important because it adds the -r option to tpm_sealdata).
sudo apt-get install automake autoconf libtool gettext trousers trousers-devel libtspi-dev autopoint (link to instructions https://github.com/shpedoikal/tpm-tools)
sh ./bootstrap.sh
export TPM_DIR=/path/to/tpm_build_dir
./configure --prefix=$TPM_DIR
make && make install
$TPM_DIR/sbin/tpm_takeownership -y -z
$TPM_DIR/sbin/tpm_setenabled --enable -z
$TPM_DIR/sbin/tpm_setactive -z
Create a key
echo “TPM UNSEAL FROM GRUB” > /tmp/key
#seal the key now that we own the TPM using PCRs 8 and 9
$TPM_DIR/bin/tpm_sealdata -p 8 -p 9 -z -r -i /tmp/key -o /tmp/key.enc
If everything goes well we should have a sealed key named ‘/tmp/key.enc’.
We should now copy the sealed key to a place that we can access from TrustedGrub2. I copied /tmp/key.enc to the root of the USB drive that we installed TrustedGrub2.
Reboot the system and boot it using the newly created image. Press ‘c’ in the TrustedGrub2 menu. Execute the following command from the grub menu:
grub> unseal /root/key.enc
I always get an error after this step
TCG_PassThroughFail: 0xc0000
I'd like to use TrustedGRUB2 to seal a key that I can then use to decrypt the root partition automatically. However, in order to properly seal the data, I need to be able to compute the expected PCRs (See Issue #2 for a similar approach), because if I update the kernel, I'll need to be able to seal the data to the expected values of the PCRs so that it will unseal at boot. Because the kernel changes, PCR10 will certainly change, and PCR11 will likely change because the name of the kernel in the command line will change.
When I attempt to calculate PCR10, I follow along with the debugging output and I do the following:
PCR10=00000000000000000000
PCR10=sha1sum($PCR10 || sha1sum(/boot/vmlinuz...))
PCR10=sha1sum($PCR10 || sha1sum(/boot/initrd...))
My hashes match what I see in the debug output, but the actual value in PCR10 differs when I get to a command prompt. Is there anything else that is measured after loading the initrd image?
As for PCR11, is there a way to invoke the GRUB command line from the shell in a way that will evaluate the conditionals and print out the commands that would be executed? Alternatively, is there a way to log all of the commands that were executed at the last boot? I could probably use that log and pair things up with the current grub.cfg file to determine what commands will be executed on the next bootup.
My current setup is using a minimal CentOS 7.2 image with stock trousers and a custom tpm-tools (solution from https://bugzilla.redhat.com/show_bug.cgi?id=1126097), and TrustedGRUB2 1.3.0 compiled in debug mode (-DTGRUB_DEBUG).
Thanks for your help and amazing software!
I'm working on an Advantech board with Infineon TPM and AMI BIOS where the PCR 10 measurement value is different after each boot, with the same bootloader, kernel and initramfs (no changes made at all between reboots). PCRs 0-9 and 11 remain intact. This is causing all sorts of problems with OS level measurements based on PCR 10. Is there a known or typical cause for this behavior, or a recommended workaround?
Additional information: enabling TGRUB_DEBUG
shows that the kernel SHA1 is correct, but no debug message is printed for the initrd. The last message printed is "Loading initial ramdisk ...". Debug messages placed inside grub_cmd_initrd()
are not displayed, so I can't confirm if the initrd is being correctly hashed.
Precomputation of the command measurement is uncomfortable at the moment. Logging the measurements of the last boot is quite easy and should help a lot.
#39
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.