multiboot: Do not measure multiboot modules
In the L4 case, this is left for bootstrap (the "kernel") to do. It knows better than grub which modules are important.
|3 months ago|
|asm-tests||2 years ago|
|build-aux||4 years ago|
|conf||3 years ago|
|docs||2 years ago|
|grub-core||3 months ago|
|include||2 years ago|
|m4||4 years ago|
|po||3 years ago|
|tests||2 years ago|
|themes/starfield||7 years ago|
|unicode||7 years ago|
|util||1 year ago|
|.gitignore||2 years ago|
|.travis.yml||2 years ago|
|ABOUT-NLS||8 years ago|
|AUTHORS||13 years ago|
|BUGS||8 years ago|
|COPYING||11 years ago|
|ChangeLog-2015||4 years ago|
|Changelog.md||1 year ago|
|INSTALL||2 years ago|
|Makefile.am||1 year ago|
|Makefile.util.def||2 years ago|
|NEWS||2 years ago|
|README||3 years ago|
|README.md||1 year ago|
|THANKS||9 years ago|
|TODO||3 years ago|
|acinclude.m4||2 years ago|
|autogen.sh||3 years ago|
|config.h.in||4 years ago|
|configure.ac||1 year ago|
|coreboot.cfg||5 years ago|
|geninit.sh||8 years ago|
|gentpl.py||3 years ago|
|linguas.sh||2 years ago|
|runSonarQubeAnalysis.sh||2 years ago|
|sonar-project.properties||2 years ago|
This file describes the extensions made to transform a standard GRUB2 into a version that offers TCG (TPM) support for granting the integrity of the boot process (trusted boot). This project was highly inspired by the former projects TrustedGrub1 and GRUB-IMA. However TrustedGRUB2 was completely written from scratch.
TrustedGRUB2 is measuring all critical components during the boot process, i.e. GRUB2 kernel, GRUB2 modules, the OS kernel or OS modules and so on, together with their parameters. Please note that the TrustedGRUB2 MBR bootcode has not to be checked here (it wouldn’t even be possible). The MBR bootcode has already been measured by the TPM itself. Since the TPM is passive, it has no direct ability to check if the integrity of bootloader (and the OS kernel/modules and so on) actually is correct. This can only be done indirectly by using the seal/unseal functions of the TPM (for details on this topic, you should have a look at the TCG specifications or on other documents describing TCG/TPM abilities).
cryptomountcommand. LUKS-header is measured before unsealing into PCR 12. Currently unsealing only supported with SRK and well known secret (20 zero bytes)
measure FILE PCRNUM
cryptomount -k KEYFILE
cryptomount -k KEYFILE -s
Kernel measurements are only implemented for diskboot so far (e.g. no cdboot or pxeboot measurement)
In order to use the TCG-enhanced TrustedGRUB2, you need a computer which has TCG enhancements according to TCG specs. v1.2, since SHA1-calculations are extended into PC-Registers of the TPM.
grub_mkimageto do step 1 and step 2 for us.
TGRUB_HP_WORKAROUND. For example like this:
grub-installotherwise you end up in a reboot loop.
If you find any other bugs, create an issue on github
PCR selection for module measurement, command measurement and loaded files measurement can be adjusted in tpm.h:
#define TPM_LOADER_MEASUREMENT_PCR 10 #define TPM_COMMAND_MEASUREMENT_PCR 11 #define TPM_LUKS_HEADER_MEASUREMENT_PCR 12 #define TPM_GRUB2_LOADED_FILES_MEASUREMENT_PCR 13
To enable some debug output define
TGRUB_DEBUG. For example like this
Required Packages for compiling:
To compile and install TrustedGRUB2, please run
./autogen.sh ./configure --prefix=INSTALLDIR --target=i386 -with-platform=pc make make install
Installing to device:
./INSTALLDIR/sbin/grub-install --directory=INSTALLDIR/lib/grub/i386-pc /dev/sda
[WARNING] if installing over an old GRUB2 install you probably have to adjust your grub.cfg
For usb-devices this command can be used (assuming /dev/sdb/ is your usb-device):
./INSTALLDIR/sbin/grub-install --directory=INSTALLDIR/lib/grub/i386-pc --root-directory=/mnt/sdb1 /dev/sdb
The goal of TrustedGRUB2 is to accomplish a chain of trust, i.e. every component measures the integrity of the succeeding component. Concretely, this looks like the following:
|TrustedGRUB2 MBR bootcode||BIOS|
|start of TrustedGRUB2 kernel (diskboot.img)||TrustedGRUB2 MBR bootcode|
|rest of TrustedGRUB2 kernel (core.img)||start of TrustedGRUB2 kernel|
|Grub modules + OS (kernel and so on)||TrustedGRUB2 kernel|
This chain of trust can be extended by using the newly added
measure command to measure the integrity of arbitrary files.
GRUB2 MBR bootcode is already measured by the TPM. The MBR bootcode has the task to load first sector of TrustedGRUB2 kernel (diskboot.img). Diskboot.img itself loads the rest of GRUB2 kernel. Therefore GRUB2 MBR code is extended to measure diskboot.img before jumping to it:
Due to the PC architecture, the size of the MBR (where TrustedGRUB2 boot.S is located) is limited to 512 bytes. But the original GRUB2 MBR bootcode is already very close to this limit, leaving very few space for the TCG extensions. Because of this, it was necessary (in the current version of TrustedGRUB2) to eliminate the CHS-code. This results in the problem that we support only LBA-discs now. FDD boot is not possible.
boot.S contains the code for loading the first sector of TrustedGRUB2 kernel (diskboot.img). Its only task is the load the rest of TrustedGRUB2 kernel. Therefore, the TCG extension now has to measure the rest of TrustedGRUB2 kernel The changes here are widely the same as in TrustedGRUB2 bootcode, with the differences that the entry point for the code which has to be checked is a address 0x8200 and that the result is written into PCR 9.
Grub2 has a modular structure. GRUB2 dynamically loads needed modules which are not contained in kernel. Modifications in boot.S and diskboot.S are only measuring GRUB2 kernel. Therefore the GRUB2 module loader was modified to measure modules to PCR 13 before they are loaded. Changes can be found in dl.c .
In order to make GRUB2 modules measurement possible, a SHA1-implementation had to be added to the kernel. GRUB2 already contains an SHA1-implementation in its crypto module, but this isn’t loaded at this stage.
All commands which are entered in shell or executed by scripts is measured to PCR 11. Therefore commands in grub.cfg are automatically measured. No need to measure grub.cfg separately.
One exception applies to this rule: The
[ ... ] commands are not measured because it makes precomputation of the PCR
value difficult and is unnecessary because each command within
submenu is anyway measured. For
[ ... ] it shouldn’t be possible to
write commands between the square brackets.
Display current value of the PCR (Platform Configuration Register) within TPM (Trusted Platform Module) at index,
Displays TCG event log entry at position,
LOGINDEX. Type in “0” for all entries.
measure FILE PCRNUM
Perform TCG measurement operation with the file
FILE and with PCR(
Sets Memory Overwrite Request (MOR) Bit.
DISABLEAUTODETECT specifies if BIOS should auto detect unscheduled reboots.
--nounzipto get measuremens of the compressed file
These commands are modified to measure before loading. PCR 10 is extended.
Additionally the following commands have been modified:
All modifications have been commented with
/* BEGIN TCG EXTENSION */ /* END TCG EXTENSION */
multibootcommand measurement does not follow the new convention of measuring the same buffer that is loaded into memory. If someone needs this extra security feel free to send a pull request. See GH #9 and GH #38 for more details.
The following list presents the files that have been added / modified to add TCG support to GRUB2.
TrustedGrub1 and GRUB-IMA have done a lot of preparatory work in the field and were used for code examples.