How to reset TPM PCRs?

2

I am working on an ATMEL TPM device on an embedded platform. While experimenting with the PCR extend operation, I extended PCR 0 with a 20-byte string. As mentioned in the TPM specification, PCRs 0-15 are resettable on reboot. On reboot, PCR 0 was not reset and PCRs 1-15 were also modified. Here is the flow of operations I performed and the corresponding output.

# cat /sys/class/misc/tpm0/device/pcrs

PCR-00: FD 89 A2 DE 1A 91 D7 A2 2B D1 78 7A A7 C2 77 9D E0 99 F7 C0
PCR-01: 49 20 44 4B 1E AF B2 AA 4A C1 2B D1 44 2B 82 1F 52 EC E7 4B
PCR-02: 38 53 A8 EF 61 83 59 ED 7F 7F 2E CC 7B C8 D2 F3 87 EB 7C 55
PCR-03: 2C 2F B4 2A 15 36 B2 28 C6 01 40 D8 64 D7 30 7F AA 6D 91 54
PCR-04: 2E CF 07 F9 C7 30 B4 4C EE 19 7B 0D 36 4E EE 6C F1 36 57 F6
PCR-05: 38 70 21 67 DB 54 96 54 A1 4F 45 5F 6A 32 42 EF EC 51 21 F5
PCR-06: 17 74 56 21 A9 45 7A 43 5C AD 2E 9E 96 4C EE 6B 6C EC FA 25
PCR-07: E3 0D 10 07 E5 38 19 5D 25 1E 8E 49 6E DE BF 8F AE 38 20 21
PCR-08: B9 1D 40 71 B0 AB AF 01 BD 14 1D 2B 7C 5B AF 66 9A B7 2C 00
PCR-09: D3 D4 51 B9 CA 9D FE 28 DC 5E AD 02 9A 84 44 67 49 48 0A 87
PCR-10: 6A 30 46 F0 4E DC D3 A8 A5 4F 4C 26 0F 64 63 0C 83 83 C7 3A
PCR-11: 42 5D 51 0A 0B 91 4C A3 1F 76 26 98 A8 97 8C 32 46 A0 92 6F
PCR-12: BD 7D 9D 93 C7 B2 17 80 38 E3 55 E9 45 19 3B 55 0A 3F EF 06
PCR-13: 39 0B 31 0A 42 EC 07 07 A2 02 E5 A6 D3 CB 8E BB 33 FD 7C 0D
PCR-14: 98 BB 81 70 A6 F3 7B 3A 4B 79 45 C0 15 2F DC EE 5F A1 1F 3B
PCR-15: 06 86 9D E0 B9 0E 0E D6 12 37 5C 9C 68 74 67 D2 7E 47 7B D4
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

# ./tpm_extendpcr -i pcr.txt -p 0
# cat /sys/class/misc/tpm0/device/pcrs

PCR-00: 9A D9 2D 86 9D 81 BD 58 08 7C F7 8E C6 31 CB BF 0C 9D 0D 28
PCR-01: 49 20 44 4B 1E AF B2 AA 4A C1 2B D1 44 2B 82 1F 52 EC E7 4B
PCR-02: 38 53 A8 EF 61 83 59 ED 7F 7F 2E CC 7B C8 D2 F3 87 EB 7C 55
PCR-03: 2C 2F B4 2A 15 36 B2 28 C6 01 40 D8 64 D7 30 7F AA 6D 91 54
PCR-04: 2E CF 07 F9 C7 30 B4 4C EE 19 7B 0D 36 4E EE 6C F1 36 57 F6
PCR-05: 38 70 21 67 DB 54 96 54 A1 4F 45 5F 6A 32 42 EF EC 51 21 F5
PCR-06: 17 74 56 21 A9 45 7A 43 5C AD 2E 9E 96 4C EE 6B 6C EC FA 25
PCR-07: E3 0D 10 07 E5 38 19 5D 25 1E 8E 49 6E DE BF 8F AE 38 20 21
PCR-08: B9 1D 40 71 B0 AB AF 01 BD 14 1D 2B 7C 5B AF 66 9A B7 2C 00
PCR-09: D3 D4 51 B9 CA 9D FE 28 DC 5E AD 02 9A 84 44 67 49 48 0A 87
PCR-10: 6A 30 46 F0 4E DC D3 A8 A5 4F 4C 26 0F 64 63 0C 83 83 C7 3A
PCR-11: 42 5D 51 0A 0B 91 4C A3 1F 76 26 98 A8 97 8C 32 46 A0 92 6F
PCR-12: BD 7D 9D 93 C7 B2 17 80 38 E3 55 E9 45 19 3B 55 0A 3F EF 06
PCR-13: 39 0B 31 0A 42 EC 07 07 A2 02 E5 A6 D3 CB 8E BB 33 FD 7C 0D
PCR-14: 98 BB 81 70 A6 F3 7B 3A 4B 79 45 C0 15 2F DC EE 5F A1 1F 3B
PCR-15: 06 86 9D E0 B9 0E 0E D6 12 37 5C 9C 68 74 67 D2 7E 47 7B D4
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

# reboot
# cat /sys/class/misc/tpm0/device/pcrs

PCR-00: 9A D9 2D 86 9D 81 BD 58 08 7C F7 8E C6 31 CB BF 0C 9D 0D 28
PCR-01: 2E 0D 03 0E 76 63 BE 09 DC 86 E8 1F 54 C2 3E 7C C7 C6 AD 9D
PCR-02: 4A A6 1A 10 8B 42 18 05 C9 61 E7 CD 1C BD 6A E9 02 F3 CC E0
PCR-03: 3A E2 33 E3 2D 76 3C A6 0D 40 BB 50 AC 28 20 CC A4 57 63 43
PCR-04: 60 19 D2 55 90 F7 D4 69 01 F2 18 1A AD 54 5A 77 11 CE 28 9E
PCR-05: 03 24 C9 EE A6 AE 65 65 51 1A 5B F2 68 2B C0 0F 56 48 80 31
PCR-06: 17 74 56 21 A9 45 7A 43 5C AD 2E 9E 96 4C EE 6B 6C EC FA 25
PCR-07: E3 0D 10 07 E5 38 19 5D 25 1E 8E 49 6E DE BF 8F AE 38 20 21
PCR-08: B9 1D 40 71 B0 AB AF 01 BD 14 1D 2B 7C 5B AF 66 9A B7 2C 00
PCR-09: D3 D4 51 B9 CA 9D FE 28 DC 5E AD 02 9A 84 44 67 49 48 0A 87
PCR-10: 6A 30 46 F0 4E DC D3 A8 A5 4F 4C 26 0F 64 63 0C 83 83 C7 3A
PCR-11: 42 5D 51 0A 0B 91 4C A3 1F 76 26 98 A8 97 8C 32 46 A0 92 6F
PCR-12: BD 7D 9D 93 C7 B2 17 80 38 E3 55 E9 45 19 3B 55 0A 3F EF 06
PCR-13: 39 0B 31 0A 42 EC 07 07 A2 02 E5 A6 D3 CB 8E BB 33 FD 7C 0D
PCR-14: 98 BB 81 70 A6 F3 7B 3A 4B 79 45 C0 15 2F DC EE 5F A1 1F 3B
PCR-15: 06 86 9D E0 B9 0E 0E D6 12 37 5C 9C 68 74 67 D2 7E 47 7B D4
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

How can I reset PCR0? I am unable to understand why the values of PCRs 1-15 have also been modified. I also tried extending PCR16 and it was not reset on reboot.

    
asked by Pritha Ganguly 03.03.2017 - 05:26

1 answer

-1

The only way to add data to a PCR is with TPM Extend.
- Current value of a PCR is X. (Say, 0x0000....0000.)
- We extend the PCR with some data Y.
  - Y must be a 160-bit (20-byte) value.
  - 20 bytes = SHA1 hash, allowing longer data.
- TPM calculates hash(Y,X)=Z; changes value in PCR to Z.
- We can update further:
  - Extend with A: value is hash(A,Z)=hash(A, hash(Y,X))
  - Extend with B: PCR value is hash(B, hash(A,Z))
  - ...etc.
- Verifiers who know the values extended into the PCRs can easily verify.
  - Perform the same hash chain themselves.
- Computationally infeasible to forge (must break SHA-1).
  - Given PCR state N and desired state M, adversary would need to find X such that hash(X,N)=M; violates one-way assumption.

Some (but not all) PCRs are resettable. This means they can be reset to a known state by executing the TPM PCR Reset command.
- Whether a given PCR is resettable or not is defined in platform spec.
  - All PC client TPMs have the same settings.
  - Server or virtual TPMs could differ; specs do not exist yet.
- Reset requires appropriate permissions.
  - Usually based on locality, which we'll discuss next.
- Sets PCR value back to default, erasing all data currently present.
  - Either 0x000...000 or 0xFFF...FFF, depending on PCR & machine state.

SOURCE

    
answered 03.03.2017 - 16:37
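The hash chain described in the answer, as an added example that is not part of the original post: it replays an event log the way a verifier would and compares the result with a PCR value parsed from a dump in the sysfs format shown in the question. It assumes the TPM 1.2 extend rule, new PCR = SHA-1(old PCR || 20-byte value); the event log and the dump are constructed sample data, and the function names are illustrative.

```python
import hashlib
import hmac

PCR_SIZE = 20                      # TPM 1.2 PCRs hold one SHA-1 digest
RESET_ZEROS = bytes(PCR_SIZE)      # default value 0x00...00
RESET_ONES = b"\xff" * PCR_SIZE    # default value 0xFF...FF

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend (assumed rule): new PCR = SHA-1(old PCR || 20-byte value)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and extended value must both be 20 bytes")
    return hashlib.sha1(pcr + digest).digest()

def replay(digests, start=RESET_ZEROS) -> bytes:
    """Recompute the PCR a verifier expects from an ordered event log."""
    pcr = start
    for d in digests:
        pcr = extend(pcr, d)
    return pcr

def parse_pcrs(dump: str) -> dict:
    """Parse 'PCR-00: FD 89 ...' lines (the sysfs format shown in the question)."""
    pcrs = {}
    for line in dump.splitlines():
        name, sep, hexbytes = line.partition(":")
        if sep and name.strip().startswith("PCR-"):
            value = bytes.fromhex(hexbytes.replace(" ", ""))
            if len(value) != PCR_SIZE:
                raise ValueError(f"{name.strip()}: expected {PCR_SIZE} bytes")
            pcrs[int(name.strip()[4:])] = value
    return pcrs

def verify(dump: str, index: int, digests, start=RESET_ZEROS) -> bool:
    """True if the reported PCR equals the replayed hash chain."""
    return hmac.compare_digest(parse_pcrs(dump)[index], replay(digests, start))

# Constructed sample: three measured components and the dump a TPM would report.
LOG = [hashlib.sha1(c).digest() for c in (b"bootloader", b"kernel", b"initrd")]
DUMP = "PCR-00: " + replay(LOG).hex(" ").upper() + "\nPCR-16: " + "00 " * 19 + "00"

if __name__ == "__main__":
    print(DUMP)
    print("log matches PCR-00:", verify(DUMP, 0, LOG))
    print("reordered log matches:", verify(DUMP, 0, LOG[::-1]))
```

Because each step hashes the previous PCR value, the same events in a different order, or starting from a different reset value, produce a different final PCR.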
