Line 87: | Line 87: | ||
== TPM PCRs == | == TPM PCRs == | ||
* PCR 0 - CRTM, BIOS, and Host Platform Extensions | * PCR 0 - CRTM, BIOS, and Host Platform Extensions | ||
* PCR 1 - Host Platform Configuration (BIOS Data) | * PCR 1 - Host Platform Configuration (BIOS Data) | ||
* PCR 2 - Option ROM Code | * PCR 2 - Option ROM Code | ||
* PCR 3 - Option ROM Configuration and Data | * PCR 3 - Option ROM Configuration and Data | ||
* PCR 4 - IPL Code (usually the MBR) | * PCR 4 - IPL Code (usually the MBR) | ||
* PCR 5 - IPL Code Configuration and Data (Partition Table?) | * PCR 5 - IPL Code Configuration and Data (Partition Table?) | ||
* PCR 6 - State Transition and Wake Events | * PCR 6 - State Transition and Wake Events | ||
* PCR 7 - Host Platform Manufactuer Control | * PCR 7 - Host Platform Manufactuer Control | ||
* PCR 10 - IMA Measurement List | |||
* PCR 17 - TXT Stuff ?!?! | |||
* PCR 18 - SHA-1 Hash of MLE (Kernel and initrd) | |||
== Notes == | == Notes == | ||
We may need to modprobe tpm --force=1 | We may need to modprobe tpm --force=1 |
Revision as of 14:29, 22 June 2012
Introduction
Trusted Boot is a technique...
Prerequisites
yum install tboot
yum install openssl
Installation
The following will provide a trusted boot setup with checksums on the initramd and kernel.
Step 1
Take ownership of the TPM
tpm_takeownership -z
Download the proper tboot.gz file for your architecture. Place it in /boot/tboot.gz
Step 2
In order to create a VLP we need the path to the initial ram disk and kernel, as well as the kernel line in grub.conf.
Create a new verified launch policy.
tb_polgen --create --type nonfatal vl.pol
Add the kernel hash / grub command to our VLP
tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "$grub_cmdline" --image $kernel_file vl.pol
Add the initramd to VLP
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image $initramd_file vl.pol
Hash tboot.gz
lcp_mlehash -c "logging=vga,serial,memory" /boot/tboot.gz > mle_hash
lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt mle_hash
Find your system's pcr values. They may alternatively be in /sys/bus/pnp/devices/00:0a/pcrs
cat /sys/devices/platform/tpm_tis/pcrs | grep -e PCR-00 -e PCR-01 > pcrs
Create the Launch Policy
lcp_crtpolelt --create --type pconf --out pconf.elt pcrs
Note: the following command uses a default uuid. You may want to replace tboot with your systems uuid.
lcp_crtpolelt --create --type custom --out custom.elt --uuid tboot vl.pol
lcp_crtpollist --create --out list_unsig.lst mle.elt pconf.elt
openssl genrsa -out privkey.pem 2048
openssl rsa -pubout -in privkey.pem -out pubkey.pem
cp list_unsig.lst list_sig.lst
lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst
lcp_crtpol2 --create --type list --pol list.pol --data list.data list_{unsig,sig}.lst
tcsd
Step 3
Load the Launch policy into nvram.
lcp_writepol -z -i owner -f list.pol
lcp_writepol -z -i 0x20000001 -f vl.pol
Step 4
Create a new grub.conf.
LCP
Add more in depth information about launch control policy here.
TPM PCRs
- PCR 0 - CRTM, BIOS, and Host Platform Extensions
- PCR 1 - Host Platform Configuration (BIOS Data)
- PCR 2 - Option ROM Code
- PCR 3 - Option ROM Configuration and Data
- PCR 4 - IPL Code (usually the MBR)
- PCR 5 - IPL Code Configuration and Data (Partition Table?)
- PCR 6 - State Transition and Wake Events
- PCR 7 - Host Platform Manufactuer Control
- PCR 10 - IMA Measurement List
- PCR 17 - TXT Stuff ?!?!
- PCR 18 - SHA-1 Hash of MLE (Kernel and initrd)
Notes
We may need to modprobe tpm --force=1