Re: [PATCH v3 0/9] kexec_file_load implementation for PowerPC

From: Thiago Jung Bauermann
Date: Thu Jun 23 2016 - 19:49:22 EST


On Friday, 24 June 2016, 08:33:24, Balbir Singh wrote:
> On 24/06/16 02:44, Thiago Jung Bauermann wrote:
> > Sorry, I still don't understand your concern. What kind of cheating?
> > Which values? If it's the values in the event log, there's no need to
> > trust the old kernel. The new kernel knows that the old kernel didn't
> > pass wrong measurement values in the event log because it can
> > recalculate the PCR extend operations recorded in the log and compare
> > the results of the replay with the current PCR values stored in the TPM
> > device. If they match, then the event log is guaranteed to be correct.
> > If they don't match, either the memory was corrupted somehow during the
> > kexec process, or the old kernel tried to pass a falsified event log.
>
> Yep, get it/got it. My concern was that anything using the passed-on
> values should compare the results with the current PCR values.
>
> BTW, what do we gain by passing the values if we are relying on the PCR
> registers anyway, can't we directly read them off from there? Aren't we
> going to read them anyway to compare, what does passing the values gain?

The PCR values themselves change for reasons that the application/user may
not care about. For example, just changing the order in which measurements
are made changes the final value of the PCR, even if none of the measurements
themselves change. And in current multi-processor machines this order
does change at each boot, so you can't rely on two boots of the same machine
with the same software to have the same PCR values.

Also, you may want to verify only the measurement of one of the components
and not care about the other components.

With an event log, you can verify the checksum of each measured component
individually, and the PCR value serves to confirm that the event log is
correct. With just the final PCR value and no event log, you don't
know which measurements were made.

> >> and
> >>
> >> How do we know the new kernel is safe to load - I guess via a signature
> >> that the new kernel is signed with (assuming it is present in the key
> >> ring).
> >
> > Correct. That goal is met by signature verification, not by integrity
> > assurance.
> >
> > I'll note that even with both of my patch series there's still code
> > missing for kernel signature verification in PowerPC. I believe there's
> > not a file format defined yet for how to store a signature in a PowerPC
> > kernel image.
> >
> > Integrity assurance doesn't depend on kernel signature verification
> > though. There's value in both my patch series even without kernel
> > signature verification support. They're complementary features.
>
> Thanks for clarifying

Thank you for your interest.

--
[]'s
Thiago Jung Bauermann
IBM Linux Technology Center
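
The replay check discussed in this thread, as an added example that is not code from the patch series or from the kernel: a simulated measured boot produces an event log and a set of PCR values, the "new kernel" replays the log and compares it with the PCRs, a falsified log is rejected, and the same software booted in a different measurement order yields a different PCR 8 while each component's digest stays individually verifiable from the log. The SHA-256 PCR bank, the simulated TPM, and the component byte strings are all constructed assumptions for the example.

```python
"""Replaying a TPM event log against PCR values (added example, not part of the patch series)."""
import hashlib
from typing import Dict, List, Tuple

# Assumption: a SHA-256 PCR bank. A SHA-1 bank works the same way with hashlib.sha1.
HASH = hashlib.sha256
PCR_SIZE = HASH().digest_size

# One log entry: (pcr_index, digest_of_measured_data, description).
LogEntry = Tuple[int, bytes, str]


def measure(data: bytes) -> bytes:
    """Digest of a measured component, i.e. the value recorded in the event log."""
    return HASH(data).digest()


def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest). The order of extends matters."""
    return HASH(pcr_value + digest).digest()


def simulated_boot(components: List[Tuple[int, str, bytes]]) -> Tuple[List[LogEntry], Dict[int, bytes]]:
    """Stand-in for a measured boot: hash each component, log it, extend the (simulated) TPM."""
    tpm: Dict[int, bytes] = {}
    log: List[LogEntry] = []
    for pcr_index, desc, data in components:
        digest = measure(data)
        log.append((pcr_index, digest, desc))
        tpm[pcr_index] = extend(tpm.get(pcr_index, bytes(PCR_SIZE)), digest)
    return log, tpm


def replay(log: List[LogEntry]) -> Dict[int, bytes]:
    """Recompute the PCRs from the log alone, starting each PCR at all zeros."""
    pcrs: Dict[int, bytes] = {}
    for pcr_index, digest, _ in log:
        pcrs[pcr_index] = extend(pcrs.get(pcr_index, bytes(PCR_SIZE)), digest)
    return pcrs


def log_is_consistent(log: List[LogEntry], tpm_pcrs: Dict[int, bytes]) -> bool:
    """The check the receiving kernel performs: trust the log only if its replay matches the TPM."""
    replayed = replay(log)
    return bool(replayed) and all(tpm_pcrs.get(i) == v for i, v in replayed.items())


def verify_component(log: List[LogEntry], tpm_pcrs: Dict[int, bytes],
                     description: str, expected_digest: bytes) -> bool:
    """Check one component's measurement without caring about the others.

    This is only meaningful when the PCRs vouch for the log, so that is checked first.
    """
    if not log_is_consistent(log, tpm_pcrs):
        return False
    return any(digest == expected_digest for _, digest, desc in log if desc == description)


# Constructed sample components; the bytes stand in for a kernel image, initramfs and command line.
KERNEL = b"vmlinux: constructed sample image bytes"
INITRD = b"initrd.img: constructed sample initramfs bytes"
CMDLINE = b"root=/dev/sda1 ro quiet"
BOOT_A = [(8, "kernel", KERNEL), (8, "initrd", INITRD), (9, "cmdline", CMDLINE)]
BOOT_B = [(8, "initrd", INITRD), (8, "kernel", KERNEL), (9, "cmdline", CMDLINE)]  # same software, other order


def tamper(log: List[LogEntry]) -> List[LogEntry]:
    """An old kernel handing over a falsified log: the kernel entry claims a different digest."""
    return [(i, measure(b"something else") if desc == "kernel" else d, desc) for i, d, desc in log]


if __name__ == "__main__":
    log_a, tpm_a = simulated_boot(BOOT_A)
    log_b, tpm_b = simulated_boot(BOOT_B)
    print("log A replays to TPM A:", log_is_consistent(log_a, tpm_a))
    print("falsified log A rejected:", not log_is_consistent(tamper(log_a), tpm_a))
    print("PCR 8 differs between boot orders:", tpm_a[8] != tpm_b[8])
    print("kernel verifiable in either boot:",
          verify_component(log_a, tpm_a, "kernel", measure(KERNEL))
          and verify_component(log_b, tpm_b, "kernel", measure(KERNEL)))
```

The replay starts every PCR from all zeros, which is the reset value of the PCRs a firmware or kernel extends during boot; a verifier should use the same initial value the platform uses for the PCRs it checks, and it must compare the replay with PCR values read from the TPM itself, never with values the previous kernel hands over.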