insomniacslk
commented
4 years ago CC @zaolin , don't we have something like that already?
Open xaionaro opened 4 years ago
insomniacslk
commented
4 years ago CC @zaolin , don't we have something like that already?
zaolin
commented
4 years ago It's already done by go-attestation attest tooling and my 9elements/tpmtool
xaionaro
commented
4 years ago @zaolin:
9elements/tpmtool is a very interesting tool, thank you for pointing this out. Could you please give an advice how to calculate a PCR0 value of a firmware binary? Sorry if I explained myself unclear above, but we need to predict/calculate a PCR0 value which would a firmware produce if it will boot on a real system.
zaolin
commented
4 years ago @xaionaro PCR0 is tricky because of technologies like Intel Boot Guard / TXT. The easiest way would be to write a FIT, Boot Guard Manifest and Key Manifest parser for the firmware image. We didn't implement it yet. If you are interested in consulting services let us know (9esec.io). Otherwise, feel free to look into the slimmbootloader repository in order to understand the Boot Guard and FIT data structures.
Keep in mind that it might be not enough. There is some effort of Matthew Garret but it's not ready yet. https://github.com/google/go-attestation/pull/108/files I hope that helps.
xaionaro
commented
4 years ago Otherwise, feel free to look into the slimmbootloader repository in order to understand the Boot Guard and FIT data structures.
We've managed to create a proof of concept, but still thank you -- it may be useful.
Hello.
I'm thinking about to try to implement two tools:
And it seems right to me to implement it as part of this project "fiano". I suppose these tools should be implemented as:
github.com/linuxboot/fiano/cmds/pcr0sumgithub.com/linuxboot/fiano/cmds/pcr0diffSo the question is: would you agree to merge such code into "fiano" (after codereview&fixes of course)? :)