Post AZjIHCOLG4RYI6Hwtk by soleblaze@infosec.exchange
 (DIR) Post #AZiUMpc1rtsvfiBP8a by mjg59@nondeterministic.computer
       2023-09-13T06:52:16Z
       
       0 likes, 0 repeats
       
       Some TPM measurements take place before the firmware has been able to set up an event log (eg, Boot Guard measurements happen before the firmware is even executed, so), which means the firmware has to synthesise an event afterwards to mimic what was measured so you can replay the log correctly. And I've just found a machine that measures the Boot Guard event into PCR 7 rather than PCR 0, and appears to fuck up the event synthesis. Which means replay doesn't work.
       
 (DIR) Post #AZiUXIKPxSQDd1w0I4 by mjg59@nondeterministic.computer
       2023-09-13T06:53:52Z
       
       0 likes, 0 repeats
       
       This means that you can't trust the contents of the event log, which is a problem because the contents of the event log are the only thing that lets you prove whether or not secure boot was enabled, which is somewhat relevant in this specific use case.
       
 (DIR) Post #AZiUjfVFcXpEyjtzA8 by deetwenty@todon.nl
       2023-09-13T06:56:26Z
       
       0 likes, 0 repeats
       
       @mjg59 IIRC replaying the log is important for any form of attestation, or did I get that wrong?
       
 (DIR) Post #AZiVEPvjZPWNeox33o by mjg59@nondeterministic.computer
       2023-09-13T07:01:29Z
       
       0 likes, 0 repeats
       
       @deetwenty Depends on whether you care about the information in the log for that specific PCR, which in this case I do. (If PCR 0 were fucked I probably wouldn't care, as long as it was a known good value - but PCR 7 contains individual events that can be reasonably parsed rather than opaque blobs, so replay is important)
       
 (DIR) Post #AZipxrRa7UYj6VnJuy by penguin42@mastodon.org.uk
       2023-09-13T10:55:50Z
       
       0 likes, 0 repeats
       
       @mjg59 That feels odd - I thought you were never supposed to trust the contents of the event log?
       
 (DIR) Post #AZj4Hd8wOidptwOdbk by ignaloidas@not.acu.lt
       2023-09-13T13:36:18.132Z
       
       0 likes, 0 repeats
       
       @penguin42@mastodon.org.uk @mjg59@nondeterministic.computer it's hard for them to be fake if the attested state matches what the logs say it should be.
       
 (DIR) Post #AZjCUN8A2hipdYcOWG by mjg59@nondeterministic.computer
       2023-09-13T15:08:11Z
       
       0 likes, 0 repeats
       
       @penguin42 The event log isn't trustworthy in the absence of a corresponding quote
       
 (DIR) Post #AZjHPzc62KEnJQLqoy by seanfurey@mas.to
       2023-09-13T16:01:19Z
       
       0 likes, 0 repeats
       
       @mjg59 if you patch up the boot log to reference the correct PCR does it replay correctly? You'd have to really want the machine even if that worked...
       
 (DIR) Post #AZjIHCOLG4RYI6Hwtk by soleblaze@infosec.exchange
       2023-09-13T16:11:31Z
       
       0 likes, 0 repeats
       
       @mjg59 turtles all the way down, complete with phantom turtles and turtles created via the telephone game. I’m guessing PTT and fTPM have the same issues or even more?
       
 (DIR) Post #AZjSnbDbUGwS69M1OC by seanfurey@mas.to
       2023-09-13T16:12:20Z
       
       0 likes, 0 repeats
       
       @mjg59 ah, I've realised why that couldn't work, though I'm not sure I could describe it in a non-confusing manner.
       
 (DIR) Post #AZjSnby2hc5YQB56m0 by mjg59@nondeterministic.computer
       2023-09-13T18:09:22Z
       
       0 likes, 0 repeats
       
       @seanfurey if we know the expected value then we can fix things up, but finding that expected value is the hard part - dumping TPM traffic should provide the truth of what's being measured and with luck allow that to be done
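
Added example, not part of the thread and not any participant's code: a minimal SHA-256 event log replay showing how one wrongly synthesised event makes PCR 7 fail to match the quoted value, and how substituting the true digest repairs the replay. All event labels and digests are constructed, `QUOTED` stands in for PCR values taken from an already verified quote, and PCRs are assumed to start as all zeros.

```python
import hashlib

PCR_INIT = bytes(32)  # assumption: SHA-256 bank PCR starts as all zeros


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Replay (pcr_index, digest) log entries into per-PCR values."""
    pcrs = {}
    for index, digest in events:
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), digest)
    return pcrs


def mismatched_pcrs(events, quoted):
    """PCR indexes where the replayed log disagrees with the quoted values."""
    replayed = replay(events)
    return sorted(i for i, v in quoted.items() if replayed.get(i, PCR_INIT) != v)


def fix_up(events, position, true_digest):
    """Replace the digest of one log entry with an independently learned one."""
    fixed = list(events)
    fixed[position] = (fixed[position][0], true_digest)
    return fixed


def d(label: bytes) -> bytes:
    return hashlib.sha256(label).digest()


# Constructed sample data (not real measurements).
FIRMWARE = d(b"constructed: firmware blob")
EARLY = d(b"constructed: measurement made before the log existed")
SECURE_BOOT = d(b"constructed: SecureBoot variable event")

# What the TPM was actually asked to extend, i.e. what a quote covers.
TPM_TRUTH = [(0, FIRMWARE), (7, EARLY), (7, SECURE_BOOT)]
QUOTED = replay(TPM_TRUTH)

# The log as written: the synthesised early event carries the wrong digest.
BROKEN_LOG = [(0, FIRMWARE), (7, d(b"constructed: bad synthesis")), (7, SECURE_BOOT)]

if __name__ == "__main__":
    print("broken log mismatches:", mismatched_pcrs(BROKEN_LOG, QUOTED))
    print("after fix-up:", mismatched_pcrs(fix_up(BROKEN_LOG, 1, EARLY), QUOTED))
```

Until the replay matches, the parsed PCR 7 entries in the log cannot be tied to the quote, even though each of them may be individually correct.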