search

osresearch / safeboot

Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support
https://safeboot.dev/
GNU General Public License v2.0
270 stars 28 forks source link

tpm2-attest verify does not fail if PCR values are wrong #53

Closed osresearch closed 4 years ago

osresearch commented 4 years ago

If the good PCRs do not match, the verification should fail:

--- Wrong PCRs (should fail)
./tests/quote-t490.tgz: quote signature verified
PCR0: 3fbf10a9dd919cd821c71c71b203f3839233120537798917f53714f1eff7f036
PCR1: 6bad0d93219f5b1e3ba7031bab290eca4d973ae6468145847a49d44bcc0905bd
PCR2: 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
PCR4: d28f2726ba0a11b9fba161419ff95be3da6ca9addc286d5fa1e1e9ec0b79dc35
sha256:0,1,2,4: Valid
./tests/quote-t490.tgz: eventlog PCRs match golden values
./tests/quote-t490.tgz: ek.crt certificate chain valid
./tests/quote-t490.tgz: ek.pub matches ek.crt
./tests/quote-t490.tgz: all tests passed
wrong PCRs: attestion verification should have failed
osresearch commented 4 years ago

Fixed in https://github.com/osresearch/safeboot/commit/db1905ba3c2e45899bdd21fa9663cc05741fb15a