linuxboot / heads-wiki

Documentation for the Heads firmware project

Update Keys.md #52

Closed tlaurion closed 3 years ago

tlaurion commented 4 years ago

Add PCRs output of Disk Unlock Key passphrase prompt when provided with a TPM NVRAM's wrong passphrase/firmware integrity changed.

Here, that TPM NVRAM region is unlocked only when provided with valid LUKS Header + Firmware measurements + user provided Disk Unlock Key passphrase.

tlaurion commented 4 years ago

@Thrilleratplay ? linked to https://github.com/osresearch/heads/pull/867#issuecomment-721277325 explanations. Might need more explanations?

Thrilleratplay commented 4 years ago

@tlaurion Reading the comment and looking at the image, I think this needs more context. Rewording the PR comment should be enough. Something like:

If the firmware integrity has changed or TPM NVRAM is provided the wrong Disk Unlock Key passphrase, the PCRs output will indicate failed authentication. The following is an example:

The emphasis on firmware integrity seems out of place though. It should be something that answers the question "As a user, how do I know if my device has been compromised?" and clearly states that if you see this A) your device may be compromised or B) you entered the wrong password/mistyped your password/have fat fingers.

Also, for consistency, maybe add the image as a file under images/ and link it like the others.

tlaurion commented 3 years ago

@Thrilleratplay the objective of putting it there is that it is the only place under Heads, as of right now, from gui-init path to OS boot, that pcrs is called and where the measurements are shown to screen.

If the passphrase provided for Disk Unlock Key release by TPM is good and the Disk Unlock Key cannot be released by TPM, this means that measurements of either LUKS header or firmware measurements are invalid.

This picture also shows which PCRs are actually filled by the current measuring scheme, which might be helpful for @Tonux599 on https://github.com/osresearch/heads/pull/867#issuecomment-721396427

Note that this feature is on by default unless deactivated in board configs for boards having TPM in code

@Thrilleratplay does this change your views on this PR?

Thrilleratplay commented 3 years ago

@tlaurion I understand what you are saying in the comments of the PR. The PR itself would be a title and an image, which personally I think is not enough for a user who is new to heads. If the goal is to highlight the filled PCRs in the image, maybe highlight them in the image or crop the image. The wiki page currently has

0: Nothing for the moment
1: Nothing for the moment
2: Boot block, ROM stage, RAM stage, Heads linux kernel and initrd
3: Nothing for the moment
4: Boot mode (0 during /init, then recovery or normal-boot)
5: Heads Linux kernel modules
6: Drive LUKS headers
7: Heads user-specific config files

Until your last comment, I did not associate those numbers with PCR-02, PCR-06 and PCR-07 in the image. What about adding the line:

Here you can see that "Boot block, ROM stage, RAM stage, Heads linux kernel and initrd", "Drive LUKS headers" and "Heads user-specific config files" have filled the registers PCR-02, PCR-06 and PCR-07 respectively.

I have no objection to the PR, if this is already clear enough for you and @Tonux599 then merge it.

Tonux599 commented 3 years ago

I feel like I have been brought into this discussion but I'm kind of unsure as to why. However if my feedback is being sought, in terms of the documentation I have no issue with a photograph displaying correct behaviour of heads (in almost any sense) in aiding new developers to make correct contributions.
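
The reasoning in the thread (a correct passphrase that still fails to release the Disk Unlock Key points to changed firmware or LUKS header measurements), as an added Python model that is not Heads code and not part of the original discussion. It assumes 20-byte SHA-1 PCRs as in TPM 1.2 and a saved known-good PCR listing; `replay`, `seal`, `unseal`, `changed_pcrs` and the sample boot data are hypothetical names and constructed values.

```python
import hashlib
import hmac

# PCR usage as listed on the wiki page quoted in the thread.
PCR_USAGE = {
    2: "Boot block, ROM stage, RAM stage, Heads linux kernel and initrd",
    4: "Boot mode",
    5: "Heads Linux kernel modules",
    6: "Drive LUKS headers",
    7: "Heads user-specific config files",
}

def replay(measurements):
    """Start from zeroed 20-byte PCRs and extend each (index, data) in boot order."""
    pcrs = {i: bytes(20) for i in range(8)}
    for index, data in measurements:
        digest = hashlib.sha1(data).digest()
        # Extend: new = SHA1(old || digest); a PCR can never be written directly.
        pcrs[index] = hashlib.sha1(pcrs[index] + digest).digest()
    return pcrs

def _composite(pcrs):
    """Single digest over all modelled PCR values (assumed selection: PCR 0-7)."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(pcrs))).digest()

def seal(pcrs, passphrase, secret):
    """Model of a sealed blob: the secret plus the PCR state and auth it is bound to."""
    auth = hashlib.sha1(passphrase).digest()
    return {"composite": _composite(pcrs), "auth": auth, "secret": secret}

def unseal(blob, pcrs, passphrase):
    """Release the secret only if both the passphrase and the current PCRs match."""
    auth_ok = hmac.compare_digest(hashlib.sha1(passphrase).digest(), blob["auth"])
    pcrs_ok = hmac.compare_digest(_composite(pcrs), blob["composite"])
    return blob["secret"] if auth_ok and pcrs_ok else None

def changed_pcrs(known_good, current):
    """Name what each differing PCR measures when comparing two PCR listings."""
    return [(i, PCR_USAGE.get(i, "Nothing for the moment"))
            for i in sorted(current) if current[i] != known_good[i]]

# Constructed sample boots: placeholder contents, not real firmware or LUKS headers.
GOOD_BOOT = [(2, b"firmware-v1"), (4, b"normal-boot"), (5, b"modules"),
             (6, b"luks-header-A"), (7, b"config")]
TAMPERED_BOOT = [(2, b"firmware-v1"), (4, b"normal-boot"), (5, b"modules"),
                 (6, b"luks-header-B"), (7, b"config")]
```

A real TPM only reports that unsealing failed, not which condition was unmet; identifying the register requires comparing the displayed PCR listing with one recorded on a known-good boot.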