Re: [edk2-devel] [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option

["Stefan Berger" <stefanb@linux.ibm.com>]

On 10/22/21 10:17 AM, James Bottomley wrote:
> On Fri, 2021-10-22 at 09:13 -0400, Stefan Berger wrote:
>> On 10/22/21 8:40 AM, James Bottomley wrote:
>>
>>> On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote:
>>>> On 10/22/21 7:49 AM, James Bottomley wrote:
>>>>> On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote:
>>>>> [...]
>>>>>> I see this also but when I get into Linux and run
>>>>>> tpm2_pcrread I see the SHA1 bank active but not having
>>>>>> received any PCR extensions from the firmware, which is not
>>>>>> supposed to happen.
>>>>> That's not entirely correct: the TCG firmware profile just
>>>>> requires us to log through at least one bank; it doesn't
>>>>> require that all active banks be logged.  I've got several
>>>>> physical systems with three active banks but only one or two
>>>>> measured through.
>>>>    
>>>> The problem with this is that you can then fake measured boot on
>>>> that system using it's unused SHA1 bank and extend into it
>>>> whatever you want and create a fake log along with it and the
>>>> quote is going to look alright.
>>> I don't think you can.  The measured boot PCRs in unused banks
>>> should always be their default values and the measurement software
>>> should check for this.  So on a system that only uses the sha256
>>> bank, the sha1 bank PCR0-7 should be all zeros ... if they aren't
>>> this should be a measurement failure.
>>>
>>> That means that if you try to replace the sha256 agile log with one
>>> containing fake sha1 entries, the attestation still fails because
>>> the sha256 bank doesn't have default entries.
>> You can still pretend that your system only has an active SHA1 bank
>> and serve the fake log.
> Which "You" can fake a TPM quote?  The whole design of the TPM system
> is supposed to be that what goes into the TPM can't be erased, only
> updated and we can get definitive proof of the values using a quote.
What I meant is the admin runs TPM2_PCR_Extend on PCRs 0-7 of the unused 
sha1 bank and extends it with known good values and has a log that goes 
with it and presents these to a validator along with the quote on the 
sha1 bank.
> You can fake the log to be sha1 only but you can't make it match the
> quote that includes the sha256 banks.

Yes, that's right. The client must insist that the sha256 bank, and any 
other possible bank, is quoted so that the system cannot just pretend 
that it only has a XYZ [sha1] bank (unlikely for TPM 2), and ABC banks 
[sha256] doesn't exist there, even though the SHA256 matches the true 
log. A quote by itself doesn't quote all the banks. You have to select 
which banks to quote and the client needs to have some control over that 
it seems to for sure see what the true firmware did.

   Stefan