From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) by mx.groups.io with SMTP id smtpd.web12.9481.1634914335869686934 for ; Fri, 22 Oct 2021 07:52:15 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@ibm.com header.s=pp1 header.b=H6UEPpTL; spf=pass (domain: linux.ibm.com, ip: 148.163.156.1, mailfrom: stefanb@linux.ibm.com) Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 19MDnKmg000712; Fri, 22 Oct 2021 10:52:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=pp1; bh=o0XSS0L1iO3gR4hWH8McpPVIPWXoiTXye6tnBAB19fs=; b=H6UEPpTLi2FeDw2UeyblJWS+2knrrRte3opW0jzdLSTe/cqBKtbfoo5UNWEkCLYLYxxQ rNeQZ/VlgYNSaDVnVoUaZUZoWa+j6JQnNjETfoBPYTfFsTu6i8ErF7F4eDxfLGFinvwL J6jFWIoxIPe9M4iH5f8p+jsQKjoUOu08oDUwduoq3WTHcS4MIAexB4VjBPhavDzaLXCJ mKknk7r3u+UfQAe1B9Rx9MN307X5upOnNHCY43vIXoXjmXIya4ynNO1lwRBoMsRTLxds 9bTjhNU3PsQaa4N9OBzYY7DOc4EYeUdar29lXGz5bWGzpPOZ/nn3lxnCuHhBItvU7A6p 3A== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 3butyse22j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 22 Oct 2021 10:52:13 -0400 Received: from m0098409.ppops.net (m0098409.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 19MEUrJC012047; Fri, 22 Oct 2021 10:52:13 -0400 Received: from ppma03dal.us.ibm.com (b.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.11]) by mx0a-001b2d01.pphosted.com with ESMTP id 3butyse225-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 22 Oct 2021 10:52:12 -0400 Received: from pps.filterd (ppma03dal.us.ibm.com [127.0.0.1]) by ppma03dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 19MEheuo030600; Fri, 22 Oct 2021 14:52:11 GMT Received: from b03cxnp08026.gho.boulder.ibm.com (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18]) by ppma03dal.us.ibm.com with ESMTP id 3bqpcdu7ry-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 22 Oct 2021 14:52:11 +0000 Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 19MEqA4i35324402 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 22 Oct 2021 14:52:10 GMT Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1AC93C6057; Fri, 22 Oct 2021 14:52:10 +0000 (GMT) Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 023E9C607E; Fri, 22 Oct 2021 14:52:04 +0000 (GMT) Received: from [9.47.158.152] (unknown [9.47.158.152]) by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP; Fri, 22 Oct 2021 14:52:04 +0000 (GMT) Subject: Re: [edk2-devel] [PATCH 4/4] OvmfPkg: add TPM2_SHA1_ENABLE build option To: devel@edk2.groups.io, jejb@linux.ibm.com, Gerd Hoffmann Cc: Min Xu , Jordan Justen , Erdem Aktas , Ard Biesheuvel , =?UTF-8?Q?Marc-Andr=c3=a9_Lureau?= , Jiewen Yao , Tom Lendacky , Brijesh Singh References: <20211021122003.2008499-1-kraxel@redhat.com> <20211021122003.2008499-5-kraxel@redhat.com> <03a75199-000f-5575-8898-6d9b113f2bee@linux.ibm.com> <20211022063948.mratwrzgponwiulg@sirius.home.kraxel.org> <46963c6b6e0eea2bf0b3629031f6f04232ea7528.camel@linux.ibm.com> <84d94886-bc85-9b98-6c7e-59207e6ea741@linux.ibm.com> From: "Stefan Berger" Message-ID: Date: Fri, 22 Oct 2021 10:52:04 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: X-TM-AS-GCONF: 00 X-Proofpoint-GUID: KNuPWoyyPIVYX7VXKtcHsZPtGAtXOXbt X-Proofpoint-ORIG-GUID: 3rDKnEmo_CCYWI73G9hSiFZmc7R0MInD X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.182.1,Aquarius:18.0.790,Hydra:6.0.425,FMLib:17.0.607.475 definitions=2021-10-22_04,2021-10-22_01,2020-04-07_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 impostorscore=0 bulkscore=0 mlxscore=0 priorityscore=1501 malwarescore=0 spamscore=0 adultscore=0 mlxlogscore=999 lowpriorityscore=0 suspectscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109230001 definitions=main-2110220083 X-MIME-Autoconverted: from 8bit to quoted-printable by mx0a-001b2d01.pphosted.com id 19MDnKmg000712 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable On 10/22/21 10:17 AM, James Bottomley wrote: > On Fri, 2021-10-22 at 09:13 -0400, Stefan Berger wrote: >> On 10/22/21 8:40 AM, James Bottomley wrote: >> >>> On Fri, 2021-10-22 at 07:57 -0400, Stefan Berger wrote: >>>> On 10/22/21 7:49 AM, James Bottomley wrote: >>>>> On Fri, 2021-10-22 at 06:50 -0400, Stefan Berger wrote: >>>>> [...] >>>>>> I see this also but when I get into Linux and run >>>>>> tpm2_pcrread I see the SHA1 bank active but not having >>>>>> received any PCR extensions from the firmware, which is not >>>>>> supposed to happen. >>>>> That's not entirely correct: the TCG firmware profile just >>>>> requires us to log through at least one bank; it doesn't >>>>> require that all active banks be logged. I've got several >>>>> physical systems with three active banks but only one or two >>>>> measured through. >>>> =20 >>>> The problem with this is that you can then fake measured boot on >>>> that system using it's unused SHA1 bank and extend into it >>>> whatever you want and create a fake log along with it and the >>>> quote is going to look alright. >>> I don't think you can. The measured boot PCRs in unused banks >>> should always be their default values and the measurement software >>> should check for this. So on a system that only uses the sha256 >>> bank, the sha1 bank PCR0-7 should be all zeros ... if they aren't >>> this should be a measurement failure. >>> >>> That means that if you try to replace the sha256 agile log with one >>> containing fake sha1 entries, the attestation still fails because >>> the sha256 bank doesn't have default entries. >> You can still pretend that your system only has an active SHA1 bank >> and serve the fake log. > Which "You" can fake a TPM quote? The whole design of the TPM system > is supposed to be that what goes into the TPM can't be erased, only > updated and we can get definitive proof of the values using a quote. What I meant is the admin runs TPM2_PCR_Extend on PCRs 0-7 of the unused=20 sha1 bank and extends it with known good values and has a log that goes=20 with it and presents these to a validator along with the quote on the=20 sha1 bank. > You can fake the log to be sha1 only but you can't make it match the > quote that includes the sha256 banks. Yes, that's right. The client must insist that the sha256 bank, and any=20 other possible bank, is quoted so that the system cannot just pretend=20 that it only has a XYZ [sha1] bank (unlikely for TPM 2), and ABC banks=20 [sha256] doesn't exist there, even though the SHA256 matches the true=20 log. A quote by itself doesn't quote all the banks. You have to select=20 which banks to quote and the client needs to have some control over that=20 it seems to for sure see what the true firmware did. =C2=A0 Stefan