Dasharo / dasharo-issues

The Dasharo issue tracker
https://dasharo.com/

Measured Boot: TPM2 event log does not match actual value of PCR-2 #455

Open frederictobiasc opened 1 year ago

frederictobiasc commented 1 year ago

Dasharo version

v1.0.19 - shipped with the device

Dasharo variant

protectli VP4650

Affected component(s) or functionality

TPM2 event log (exposed in Linux at /sys/kernel/security/tpm0/binary_bios_measurements)

Brief summary

The PCR-2 value deduced from the TPM2 event log (exposed on Linux at /sys/kernel/security/tpm0/binary_bios_measurements) does not match the actual value of PCR-2.

How reproducible

1

How to reproduce

Steps to reproduce the behavior:

  1. Boot Linux-based OS (eg. Ubuntu 22.04.2 LTS) with tpm2-tools installed
  2. Get current value of PCR-2:256: sudo tpm2_pcrread sha256:2
  3. Calculate expected PCR values according to the event log: tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
  4. Note that the values do not match.

Expected behavior

The current value of PCR-2 matches with the value of PCR-2 deduced from the event log.

Actual behavior

The current value of PCR-2 differs from the value of PCR-2 deduced from the event log.

Additional context

binary_bios_measurements.log pcrread.log cbmem-tcpa-log.log
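The reproduction steps above compare a live PCR with the value the event log implies. The script below is an added example (not the reporter's attachments and not Dasharo or coreboot code) that does that comparison in one place: it parses a TCG 2.0 event log in the layout exposed at /sys/kernel/security/tpm0/binary_bios_measurements (a SHA1-format Spec ID header followed by TCG_PCR_EVENT2 records), replays the extends from all-zero PCRs, and reports which (PCR, bank) pairs differ from what tpm2_pcrread returned. The `build_log` helper and the event data it is fed are constructed test input. It assumes tpm2_pcrread prints a `bankname:` line followed by `  N : 0x<hex>` lines, and that the PCRs of interest start at zero (PCRs 17-22 start at all-ones in some localities and are not handled).

```python
"""Replay a TCG 2.0 TPM event log and diff it against live PCR values."""
import hashlib
import re
import struct

# TPM_ALG_ID (TPM 2.0 Part 2) -> hashlib name, for the banks seen in PC logs.
TPM_ALG = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}
EV_NO_ACTION = 0x03


def parse_log(data: bytes):
    """Return [(pcr, event_type, {bank: digest}), ...] for every event after
    the Spec ID header. The first record uses the TPM 1.2 (SHA1-only) layout;
    all later records are TCG_PCR_EVENT2 with one digest per active bank."""
    off = 0
    pcr, etype = struct.unpack_from("<II", data, off)
    off += 8 + 20                                   # skip the 20-byte SHA1 digest
    (size,) = struct.unpack_from("<I", data, off)
    off += 4
    spec = data[off:off + size]
    off += size
    if etype != EV_NO_ACTION or not spec.startswith(b"Spec ID Event03"):
        raise ValueError("not a TCG 2.0 event log (missing Spec ID Event03)")
    events = []
    while off + 12 <= len(data):
        pcr, etype, ndig = struct.unpack_from("<III", data, off)
        off += 12
        digests = {}
        for _ in range(ndig):
            (alg,) = struct.unpack_from("<H", data, off)
            off += 2
            if alg not in TPM_ALG:
                raise ValueError(f"unknown TPM_ALG_ID 0x{alg:04x} at offset {off - 2}")
            name = TPM_ALG[alg]
            dlen = hashlib.new(name).digest_size
            digests[name] = data[off:off + dlen]
            off += dlen
        (size,) = struct.unpack_from("<I", data, off)
        off += 4 + size                             # event payload is not needed for replay
        events.append((pcr, etype, digests))
    return events


def replay(events):
    """PCR_new = H(PCR_old || digest), starting from all-zero PCRs.
    EV_NO_ACTION records are informational and are never extended."""
    pcrs = {}
    for pcr, etype, digests in events:
        if etype == EV_NO_ACTION:
            continue
        for name, digest in digests.items():
            old = pcrs.get((pcr, name), b"\0" * len(digest))
            pcrs[(pcr, name)] = hashlib.new(name, old + digest).digest()
    return pcrs


def build_log(events, algs=("sha256",)):
    """Serialise (pcr, event_type, event_bytes) tuples as a TCG 2.0 log.
    Constructed test data only; digests are the hash of the event bytes."""
    alg_ids = {v: k for k, v in TPM_ALG.items()}
    spec = b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, len(algs))
    for a in algs:
        spec += struct.pack("<HH", alg_ids[a], hashlib.new(a).digest_size)
    spec += b"\0"                                   # vendorInfoSize = 0
    out = struct.pack("<II", 0, EV_NO_ACTION) + b"\0" * 20 + struct.pack("<I", len(spec)) + spec
    for pcr, etype, payload in events:
        out += struct.pack("<III", pcr, etype, len(algs))
        for a in algs:
            out += struct.pack("<H", alg_ids[a]) + hashlib.new(a, payload).digest()
        out += struct.pack("<I", len(payload)) + payload
    return out


def parse_pcrread(text: str):
    """Parse tpm2_pcrread output (assumed layout: 'sha256:' then '  2 : 0x..')
    into {(pcr, bank): digest}."""
    out, bank = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z0-9_]+):\s*$", line)
        if m:
            bank = m.group(1)
            continue
        m = re.match(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)", line)
        if m and bank:
            out[(int(m.group(1)), bank)] = bytes.fromhex(m.group(2))
    return out


def mismatches(replayed, live):
    """(pcr, bank) pairs whose live value is not what the log replays to."""
    return sorted(k for k in live if replayed.get(k) != live[k])


if __name__ == "__main__":
    import subprocess
    with open("/sys/kernel/security/tpm0/binary_bios_measurements", "rb") as f:
        replayed = replay(parse_log(f.read()))
    live = parse_pcrread(subprocess.run(["tpm2_pcrread"], capture_output=True,
                                        text=True, check=True).stdout)
    for pcr, bank in mismatches(replayed, live):
        print(f"PCR{pcr} {bank}: log replays to "
              f"{(replayed.get((pcr, bank)) or b'').hex() or '<no events>'}, "
              f"TPM holds {live[(pcr, bank)].hex()}")
```

Run as root (both the event log and the TPM device need it). A log that omits the earliest extends, which is what this issue describes for coreboot's measurements, replays to a different PCR value than the TPM holds even if every later record is correct, because the extend chain is order-dependent from the zero state.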

miczyg1 commented 1 year ago

That's true. Currently the event log exposed to the OS contains only the UEFIPayload measurement events. coreboot events are stored separately and can be accessed with the cbmem utility. That affects all Dasharo boards. Thank you for submitting the issue.

pietrushnic commented 1 year ago

@frederictobiasc @miczyg1 I think this is a serious issue. We have to fix this, at least for upcoming MSI hardware. In the case of customers platforms, we have to ask if they want such support.

@macpijan @BeataZdunczyk cc

miczyg1 commented 1 year ago

Yes it is, I recall working on it a few years ago (back when I was playing with UEFI Payload on OptiPlex even before Dasharo) to record the coreboot measurements in TCG format in TcgPei module, however, given that we have improved the event logging in coreboot to use TCG formats, it will be much simpler to do today...

miczyg1 commented 1 year ago

In the current scenario coreboot uses its own event log format. This header shows how the current TPM event log looks in coreboot: https://github.com/coreboot/coreboot/blob/master/src/commonlib/include/commonlib/tpm_log_serialized.h It is stored in cbmem under the ID of

#define CBMEM_ID_TPM_CB_LOG 0x54435041 /* TPM log in coreboot-specific format */

One has to modify EDK2 SecurityPkg/Tcg/Tcg2Pei and SecurityPkg/Tcg/TcgPei to parse these entries and create the event log entries for those measurements. There is one caveat though. Each TCG compliant log should start with a SpecID event with the CRTM version. In our case we have no such event. The very first measurements are typically the VBOOT boot mode in PCR0 and the GBB HWID in PCR1. We would like to use the GBB HWID for the SpecID event, but the SpecID event PCR should be PCR0. coreboot also has a function that initializes the CRTM which could be an ideal SpecID event. We just have to make sure the tspi_init_crtm function in coreboot is called before the first measurements done in src/security/vboot/vboot_logic.c (so before extend_pcrs is called). That way we will have a nice SpecID event candidate, although we would have to change TPM_CRTM_PCR to be 0. This scenario requires the most work and probably shouldn't be pursued, because the patches with the TCG standard log are already merged (see the second scenario below).

Second scenario is that coreboot uses the TCG standard log introduced in patches: https://review.coreboot.org/q/topic:%22tpm-std-logs%22

In that case, the logs stored under cbmem IDs:

#define CBMEM_ID_TCPA_TCG_LOG 0x54445041 /* TPM log per TPM 1.2 specification */
#define CBMEM_ID_TPM2_TCG_LOG 0x54504d32 /* TPM log per TPM 2.0 specification */

should be simply copied over in EDK2 SecurityPkg/Tcg/Tcg2Pei and SecurityPkg/Tcg/TcgPei before any new events are measured and gEfiSecurityPkgTokenSpaceGuid.PcdTpm2ScrtmPolicy and gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy should be set to zero.

The code must detect which log is used and act accordingly.

krystian-hebel commented 1 year ago

How about making TCG format the default one if EDK2 is used as a payload?

miczyg1 commented 1 year ago

How about making TCG format the default one if EDK2 is used as a payload?

Yes, it has been on my mind as well

SergiiDmytruk commented 2 months ago

The following PRs should resolve this issue: