
Comments (4)

neusdan avatar neusdan commented on May 27, 2024

First of all, thanks for this detailed bug report. Thanks to this I could very quickly reproduce this bug. I'll look into it.

from trustedgrub2.

Zepmann avatar Zepmann commented on May 27, 2024

I found the culprit. The grub_TPM_measureFile function in tpm_kern.c uses GRUB's grub_file_open function (from file.c), which pre-processes compressed files (such as initramfs files) by decompressing them into memory before returning them. Therefore, grub_TPM_measureFile (used by GRUB commands measure, initrd, etc.) does not measure the file on the disk (as would be expected), but the decompressed data in memory. This does not affect non-compressed files, since they are not modified by GRUB when they are loaded into memory.

The attached patch has one possible solution. It adds a grub_file_open_nofilter function to file.c, which is called by grub_TPM_measureFile in tpm_kern.c (instead of grub_file_open). grub_file_open_nofilter is a copy of grub_file_open with the filter code removed. Therefore, it opens a file 'raw' into the memory. The result is as expected: the correct SHA-1 hash is now calculated over compressed (and other) files.

tgrub-1.2.1-nofilefilter.patch.zip

To apply the patch (assuming that TrustedGRUB2 is already installed):
First make sure that the debug option for TPM operations is enabled in tpm.h, so the calculated SHA-1 hashes are visible during boot. Start from the TrustedGRUB2 source code directory.

Apply and install the patch:

patch -p1 < tgrub-1.2.1-nofilefilter.patch
make clean
make
make install

Install the patched TrustedGRUB2 to the MBR. Make sure that the device (/dev/sda in the example below) is correct.

grub-install --recheck --target=i386-pc --directory=/usr/lib/grub/i386-pc --no-rs-codes /dev/sda

Reboot, and you will see that SHA-1 checksums for initramfs and other compressed files are now correctly calculated.

from trustedgrub2.
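The mismatch described in the comment above can be checked offline. The following is an added example, not part of the thread or of the TrustedGRUB2 code: given the bytes of a file and a SHA-1 value read from the boot-time debug output, it reports whether that value covers the on-disk bytes or the decompressed data. The function names are hypothetical, the sample image is constructed, and handling gzip and xz is an assumption (the thread only speaks of "compressed files").

```python
import gzip
import hashlib
import lzma

# Magic bytes of two compressed formats; which formats a given GRUB build
# filters is an assumption here, the thread only says "compressed files".
GZIP_MAGIC = b"\x1f\x8b"
XZ_MAGIC = b"\xfd7zXZ\x00"


def decompress_like_filter(raw: bytes) -> bytes:
    """Return the payload a transparent decompression layer would hand back."""
    if raw.startswith(GZIP_MAGIC):
        return gzip.decompress(raw)
    if raw.startswith(XZ_MAGIC):
        return lzma.decompress(raw)
    return raw  # not compressed: bytes in memory equal bytes on disk


def candidate_digests(raw: bytes) -> dict:
    """SHA-1 over the on-disk bytes and over the decompressed bytes."""
    return {
        "on-disk": hashlib.sha1(raw).hexdigest(),
        "decompressed": hashlib.sha1(decompress_like_filter(raw)).hexdigest(),
    }


def classify_measurement(raw: bytes, observed_hex: str) -> str:
    """Say which view of the file an observed boot-time SHA-1 corresponds to."""
    digests = candidate_digests(raw)
    observed = observed_hex.strip().lower()
    if digests["on-disk"] == digests["decompressed"] == observed:
        return "uncompressed file (both views agree)"
    for view, digest in digests.items():
        if digest == observed:
            return view
    return "no match"


if __name__ == "__main__":
    # Constructed sample standing in for an initramfs image.
    payload = b"constructed cpio payload\n" * 64
    image = gzip.compress(payload)
    in_memory = hashlib.sha1(payload).hexdigest()  # digest of decompressed data
    on_disk = hashlib.sha1(image).hexdigest()      # digest sha1sum gives on disk
    print(classify_measurement(image, in_memory))    # decompressed
    print(classify_measurement(image, on_disk))      # on-disk
    print(classify_measurement(payload, in_memory))  # uncompressed file (both views agree)
```

A result of "decompressed" for an initramfs means the reference value for that file cannot be reproduced by hashing the file as stored on disk.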

neusdan avatar neusdan commented on May 27, 2024

Thanks a lot for reporting and fixing this!

I would like to see more such well written issue reports on GitHub 👍

from trustedgrub2.

neusdan avatar neusdan commented on May 27, 2024

found a simpler solution to fix this

from trustedgrub2.
