Re: [edk2-devel] [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option

["James Bottomley" <jejb@linux.ibm.com>]

On Fri, 2021-10-22 at 10:52 -0400, Stefan Berger wrote:
> On 10/22/21 10:17 AM, James Bottomley wrote:
> > On Fri, 2021-10-22 at 09:13 -0400, Stefan Berger wrote:
> > > On 10/22/21 8:40 AM, James Bottomley wrote:
> > > 
> > > > On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
> > > > > On 10/22/21 7:49 AM, James Bottomley wrote:
> > > > > > On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
> > > > > > [...]
> > > > > > > I see this also but when I get into Linux and run
> > > > > > > tpm2_pcrread I see the SHA1 bank active but not having
> > > > > > > received any PCR extensions from the firmware, which is
> > > > > > > not supposed to happen.
> > > > > >  
> > > > > > That's not entirely correct: the TCG firmware profile just
> > > > > > requires us to log through at least one bank; it doesn't
> > > > > > require that all active banks be logged.  I've got several
> > > > > > physical systems with three active banks but only one or
> > > > > > two measured through.
> > > > >    
> > > > > The problem with this is that you can then fake measured boot
> > > > > on that system using it's unused SHA1 bank and extend into it
> > > > > whatever you want and create a fake log along with it and the
> > > > > quote is going to look alright.
> > > > 
> > > > I don't think you can.  The measured boot PCRs in unused banks
> > > > should always be their default values and the measurement
> > > > software should check for this.  So on a system that only uses
> > > > the sha256 bank, the sha1 bank PCR0-7 should be all zeros ...
> > > > if they aren't this should be a measurement failure.
> > > > 
> > > > That means that if you try to replace the sha256 agile log with
> > > > one containing fake sha1 entries, the attestation still fails
> > > > because the sha256 bank doesn't have default entries.
> > >  
> > > You can still pretend that your system only has an active SHA1
> > > bank and serve the fake log.
> >  
> > Which "You" can fake a TPM quote?  The whole design of the TPM
> > system is supposed to be that what goes into the TPM can't be
> > erased, only updated and we can get definitive proof of the values
> > using a quote.
>  
> What I meant is the admin runs TPM2_PCR_Extend on PCRs 0-7 of the
> unused sha1 bank and extends it with known good values and has a log
> that goes with it and presents these to a validator

Yes, I got all that.

>  along with the quote on the  sha1 bank.

The validator shouldn't accept that quote ... it should require a quote
covering all banks.  This is the point: you can't fake the quote and
the quote should cover all banks to assure you that unextended banks
really are.

> > You can fake the log to be sha1 only but you can't make it match
> > the quote that includes the sha256 banks.
> 
> Yes, that's right. The client must insist that the sha256 bank, and
> any other possible bank, is quoted so that the system cannot just
> pretend that it only has a XYZ [sha1] bank (unlikely for TPM 2),

Impossible per the TPM spec.

>  and ABC banks [sha256] doesn't exist there, even though the SHA256
> matches the true log. A quote by itself doesn't quote all the banks.
> You have to select which banks to quote and the client needs to have
> some control over that it seems to for sure see what the true
> firmware did.

Hey, I'm not going to disagree that the TPM system leaves many ways for
people to shoot themselves in the foot.  The only point I'm making is
that if you use it correctly (which I fully accept is somewhat complex)
you quote all banks and thus can't be tricked into accepting a fake log
through a bank unextended by firmware.

James