9elements / converged-security-suite

Converged Security Suite for Intel & AMD platform security features
https://www.9esec.io
BSD 3-Clause "New" or "Revised" License

[pcr0tool] Detect TXT-disabled cases correctly #231

Closed xaionaro closed 3 years ago

xaionaro commented 3 years ago

I split the PR into 6 commits for easier review. The end goal is to correctly detect when TXT is disabled in pcr0tool sum. It is a part of the work on implementing a tool to validate measured boot.

Test Plan

xaionaro@void:~/go/src/github.com/9elements/converged-security-suite$ go build -o /tmp/pcr0tool ./cmd/pcr0tool/ && sudo /tmp/pcr0tool sum -registers /dev ~/firmware/Y3DLD11.bin | grep 'Event\|warnings'
  "warnings": "errors: unable to collect measurement 'pcdFirmwareVendor_measured_data': unable to find the source of firmware vendor version"
Event 'PCR0_DATA': 3a0000000000000001005a76c66425f0dbf6ff16... (len: 798) (*sha1.digest)
Event 'pcdFirmwareVendor_measured_data': 1efb6b540c1d5540a4ad4ef4bf17b83a (*sha1.digest)
Event 'DXE': 000000000000000000000000000000007ac07354... (len: 11206656) (*sha1.digest)
Event 'separator': 00000000 (*sha1.digest)

(CBnT)

xaionaro@void:~/firmware$ ~/bin/fwtest setup InvalidBPMSignature Y3DLD11.bin Y3DLD11.bin-invalidBPMSignature
The modified image is written to 'Y3DLD11.bin-invalidBPMSignature'.
It is required to flash the firmware to the system and reboot it.
After that execute "'/home/xaionaro/bin/fwtest' validate '/home/xaionaro/firmware/Y3DLD11.bin-invalidBPMSignature'" to get the test result.

xaionaro@void:~/go/src/github.com/9elements/converged-security-suite$ go build -o /tmp/pcr0tool ./cmd/pcr0tool/ && sudo /tmp/pcr0tool sum -registers /dev ~/firmware/Y3DLD11.bin-invalidBPMSignature | grep 'Event\|warnings'
  "warnings": "errors: unable to collect measurement 'pcdFirmwareVendor_measured_data': unable to find the source of firmware vendor version; TXT disabled: validator pcr.ValidateManifests failed: unable to confirm KM signature: verification failed: signature does not correspond to the pub key: crypto/rsa: verification error"
Event 'pcdFirmwareVendor_measured_data': 1efb6b540c1d5540a4ad4ef4bf17b83a (*sha1.digest)
Event 'DXE': 000000000000000000000000000000007ac07354... (len: 11206656) (*sha1.digest)
Event 'separator': 00000000 (*sha1.digest)

(invalid BPM signature -> TXT-disabled)
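
Why the missing 'PCR0_DATA' event in the second run changes the result a verifier must expect, as an added example that is not part of this PR or of pcr0tool's code. It assumes a SHA-1 bank, an all-zero initial register and the standard TPM extend rule; `Event`, `ReplayPCR0` and `ExpectedEvents` are hypothetical names, and every payload except the four zero bytes of the separator is constructed.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Event is one measurement, in the order the tool output lists them.
type Event struct {
	Name string
	Data []byte // constructed sample bytes, not real firmware ranges
}

// ReplayPCR0 folds events into a SHA-1 PCR with the TPM extend rule:
// PCR = SHA1(PCR || SHA1(data)). Assumption: the register starts all-zero.
func ReplayPCR0(events []Event) [sha1.Size]byte {
	var pcr [sha1.Size]byte
	for _, ev := range events {
		digest := sha1.Sum(ev.Data)
		pcr = sha1.Sum(append(pcr[:], digest[:]...))
	}
	return pcr
}

// ExpectedEvents mirrors the two event lists in the test plan above:
// with TXT disabled the 'PCR0_DATA' event is absent from the chain.
func ExpectedEvents(txtEnabled bool) []Event {
	events := []Event{
		{"pcdFirmwareVendor_measured_data", []byte("constructed-vendor-version")},
		{"DXE", []byte("constructed-dxe-volume")},
		{"separator", []byte{0, 0, 0, 0}},
	}
	if txtEnabled {
		first := Event{"PCR0_DATA", []byte("constructed-pcr0-data")}
		events = append([]Event{first}, events...)
	}
	return events
}

func main() {
	on := ReplayPCR0(ExpectedEvents(true))
	off := ReplayPCR0(ExpectedEvents(false))
	// A verifier that assumes the wrong TXT state compares against the wrong value.
	fmt.Println("TXT enabled :", hex.EncodeToString(on[:]))
	fmt.Println("TXT disabled:", hex.EncodeToString(off[:]))
}
```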

xaionaro commented 3 years ago

There was a conflict. Solved it. But it reset the approvals :(

Could you restamp please? @rihter007 @ChriMarMe