[systemd-devel] Usage of PCR[7]

Andrei Borzenkov arvidjaar at gmail.com
Tue Jun 6 06:33:32 UTC 2023


On Tue, Jun 6, 2023 at 8:20 AM Mantas Mikulėnas <grawity at gmail.com> wrote:
>
> On Mon, Jun 5, 2023 at 11:38 PM Adrian Vovk <adrianvovk at gmail.com> wrote:
>>
>>
>> 2. The alternative approach involves pre-calculating PCR[7] on the
>> client if we're updating DBX or Shim. Here's how I envision this
>> going:
>> - We read the TPM log (which we can trust because we're currently
>> booted to system verified via the chain of trust) and extract
>> everything read into PCR[7]
>> - We clear PCR[16], then start replaying everything from the TPM log
>> - When we reach the measurement of DBX, we pre-calculate the new value
>> of DBX and measure that in instead. This would probably need
>> collaboration w/ fwupd
>> - When we reach the measurements made by Shim, we use the new values
>> instead. See https://github.com/rhboot/shim/issues/555
>> - PCR[16] now contains the future value for PCR[7]. We enroll (into a
>> new keyslot) TPM decryption. We seal against 16+11+14, but then
>> configure it to unseal against 7+11+14 (this is the one step I'm iffy
>> about. Is this possible??)
>
>
> You don't need to replay everything *into a real PCR* at all – the extend operation is just a regular hash operation SHA(pcr||value), you can recalculate everything in software, then seal the keyslot against your provided PCR values instead of the "live" ones.
>
> I have an old hack proof of concept for that (written mostly because I didn't want to touch any of that SB signing even with a stick):
>
> 1. PCR[4] replay in userspace https://github.com/grawity/tpm_futurepcr
> (code is ugly but it's really just calculating a hash chain, while "updating" certain TPM log events)
>

There is also https://github.com/okirch/pcr-oracle which can
automatically measure updated binaries (it is grub2-oriented in the
sense that it knows how to find the binaries accessed by grub2 at boot time).
The idea is the same.

> 2. Creating systemd-compatible LUKS tpm2 tokens against arbitrary PCR values https://git.nullroute.lt/cgit/hacks/tpmreseal.git/
> (systemd has extended its LUKS token format a little bit since then, but the basic format still works, at least I'm able to use it on my system)
>
> I expected #1 to be superseded by `systemd-measure` (available in latest systemd); apparently it's not quite the same but it does focus on Secure Boot and signed PCRs, so maybe you can get `systemd-measure` to do exactly what you want? There's a github RFE filed for #2 so it might show up in systemd-cryptenroll someday.
>
> --
> Mantas Mikulėnas
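The hash-chain replay described above, as an added example that is not part of this thread nor of tpm_futurepcr or pcr-oracle: a TPM PCR is only the running value of `new = H(old || digest)` over the event log, so a future PCR[7] can be predicted in userspace by replaying the log and swapping in the digest of the event that will change (here the dbx measurement). The event log, the labels and the `predict_pcr7_after_dbx_update` helper are all constructed for this example; a real TCG event log carries the digests for each event, so only the substituted events need recomputing.

```python
import hashlib

PCR_ALG = "sha256"

def _d(s: str) -> bytes:
    """Digest of a constructed event payload (stands in for the log's digest field)."""
    return hashlib.new(PCR_ALG, s.encode()).digest()

# Constructed sample event log (not captured from a real machine).
# Each entry: (pcr_index, label, digest). Labels mimic TCG event types so the
# substitution table below can address a specific measurement.
SAMPLE_LOG = [
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG:SecureBoot", _d("SecureBoot=1")),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG:PK", _d("PK-cert-v1")),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG:KEK", _d("KEK-cert-v1")),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG:db", _d("db-contents-v1")),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG:dbx", _d("dbx-contents-2022")),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION:shim", _d("shim-binary-15.6")),  # PCR 4, ignored for PCR 7
    (7, "EV_EFI_VARIABLE_AUTHORITY:db-cert-for-shim", _d("db-cert-v1")),
    (7, "EV_EFI_VARIABLE_AUTHORITY:shim-vendor-cert", _d("vendor-cert-v1")),
]

def pcr_extend(pcr: bytes, digest: bytes, alg: str = PCR_ALG) -> bytes:
    """TPM2 PCR_Extend semantics: new_value = H(old_value || digest)."""
    return hashlib.new(alg, pcr + digest).digest()

def replay_pcr(log, pcr_index: int, substitutions=None, alg: str = PCR_ALG) -> bytes:
    """Replay every log event for one PCR in software, starting from the
    all-zero reset value. substitutions maps an event label to the digest
    that should be extended instead of the one recorded in the log."""
    pcr = bytes(hashlib.new(alg).digest_size)  # PCRs 0-16 reset to all zeros
    substitutions = substitutions or {}
    for idx, label, digest in log:
        if idx != pcr_index:
            continue
        pcr = pcr_extend(pcr, substitutions.get(label, digest), alg)
    return pcr

def predict_pcr7_after_dbx_update(log, new_dbx_contents: bytes) -> bytes:
    """Hypothetical helper: predicted PCR[7] once dbx holds new_dbx_contents.
    The digest of the new variable data replaces the recorded dbx event."""
    new_digest = hashlib.new(PCR_ALG, new_dbx_contents).digest()
    return replay_pcr(log, 7, {"EV_EFI_VARIABLE_DRIVER_CONFIG:dbx": new_digest})

if __name__ == "__main__":
    current = replay_pcr(SAMPLE_LOG, 7)
    future = predict_pcr7_after_dbx_update(SAMPLE_LOG, b"dbx-contents-2023")
    print("replayed current PCR7:", current.hex())
    print("predicted future PCR7:", future.hex())
```

Before sealing against a predicted value, compare the unmodified replay (`replay_pcr(SAMPLE_LOG, 7)` here) with the live PCR[7] read from the TPM; if they differ, the log is incomplete or not the one the firmware actually measured, and the prediction cannot be trusted either.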

