tpm2-attest: validate AK parameters and PCR list

osresearch / safeboot

Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support

https://safeboot.dev/

GNU General Public License v2.0

270 stars 28 forks source link

tpm2-attest: validate AK parameters and PCR list #36

Closed osresearch closed 4 years ago

osresearch commented 4 years ago

The tpm2-attest validate currently doesn't check the AK parameters to ensure that it came from a real TPM, and the client could include a different set of PCRs that desired.

osresearch commented 4 years ago

AK attribute validation: https://github.com/osresearch/safeboot/commit/5ff8672f68edb8ff86d68fe9a31966dd70396726

osresearch commented 4 years ago

PCR validation is possible as of https://github.com/osresearch/safeboot/commit/5088570c78bd0f3859659a624f99fd6ea2a35f6d

osresearch commented 4 years ago

PCR validation done in https://github.com/osresearch/safeboot/commit/4db01683cc34387c4fdbb2d44125d64e1037fb99