From Fedora Project Wiki

Line 87: Line 87:
== TPM PCRs ==
== TPM PCRs ==


* PCR 0 - CRTM, BIOS, and Host Platform Extensions
* PCR 0 - CRTM, BIOS, and Host Platform Extensions
* PCR 1 - Host Platform Configuration (BIOS Data)
* PCR 1 - Host Platform Configuration (BIOS Data)
* PCR 2 - Option ROM Code
* PCR 2 - Option ROM Code
* PCR 3 - Option ROM Configuration and Data
* PCR 3 - Option ROM Configuration and Data
* PCR 4 - IPL Code (usually the MBR)
* PCR 4 - IPL Code (usually the MBR)
* PCR 5 - IPL Code Configuration and Data (Partition Table?)
* PCR 5 - IPL Code Configuration and Data (Partition Table?)
* PCR 6 - State Transition and Wake Events
* PCR 6 - State Transition and Wake Events
* PCR 7 - Host Platform Manufactuer Control
* PCR 7 - Host Platform Manufactuer Control
* PCR 10 - IMA Measurement List
* PCR 17 - TXT Stuff ?!?!
* PCR 18 - SHA-1 Hash of MLE (Kernel and initrd)


== Notes ==
== Notes ==


We may need to modprobe tpm --force=1
We may need to modprobe tpm --force=1

Revision as of 14:29, 22 June 2012

Introduction

Trusted Boot is a technique...

Prerequisites

   yum install tboot
   yum install openssl

Installation

The following will provide a trusted boot setup with checksums on the initramd and kernel.

Step 1

Take ownership of the TPM

   tpm_takeownership -z

Download the proper tboot.gz file for your architecture. Place it in /boot/tboot.gz

Step 2

In order to create a VLP we need the path to the initial ram disk and kernel, as well as the kernel line in grub.conf.

Create a new verified launch policy.

   tb_polgen --create --type nonfatal vl.pol

Add the kernel hash / grub command to our VLP

   tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "$grub_cmdline" --image $kernel_file vl.pol

Add the initramd to VLP

   tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "" --image $initramd_file vl.pol

Hash tboot.gz

   lcp_mlehash -c "logging=vga,serial,memory" /boot/tboot.gz > mle_hash
   lcp_crtpolelt --create --type mle --ctrl 0x00 --minver 17 --out mle.elt mle_hash

Find your system's pcr values. They may alternatively be in /sys/bus/pnp/devices/00:0a/pcrs

   cat /sys/devices/platform/tpm_tis/pcrs | grep -e PCR-00 -e PCR-01 > pcrs

Create the Launch Policy

   lcp_crtpolelt --create --type pconf --out pconf.elt pcrs

Note: the following command uses a default uuid. You may want to replace tboot with your systems uuid.

   lcp_crtpolelt --create --type custom --out custom.elt --uuid tboot vl.pol
   lcp_crtpollist --create --out list_unsig.lst mle.elt pconf.elt
   openssl genrsa -out privkey.pem 2048
   openssl rsa -pubout -in privkey.pem -out pubkey.pem
   cp list_unsig.lst list_sig.lst
   lcp_crtpollist --sign --pub pubkey.pem --priv privkey.pem --out list_sig.lst
   lcp_crtpol2 --create --type list --pol list.pol --data list.data list_{unsig,sig}.lst
   tcsd

Step 3

Load the Launch policy into nvram.

   lcp_writepol -z -i owner -f list.pol
   lcp_writepol -z -i 0x20000001 -f vl.pol

Step 4

Create a new grub.conf.

LCP

Add more in depth information about launch control policy here.

TPM PCRs

  • PCR 0 - CRTM, BIOS, and Host Platform Extensions
  • PCR 1 - Host Platform Configuration (BIOS Data)
  • PCR 2 - Option ROM Code
  • PCR 3 - Option ROM Configuration and Data
  • PCR 4 - IPL Code (usually the MBR)
  • PCR 5 - IPL Code Configuration and Data (Partition Table?)
  • PCR 6 - State Transition and Wake Events
  • PCR 7 - Host Platform Manufactuer Control
  • PCR 10 - IMA Measurement List
  • PCR 17 - TXT Stuff ?!?!
  • PCR 18 - SHA-1 Hash of MLE (Kernel and initrd)

Notes

We may need to modprobe tpm --force=1