diff --git a/thesis/02_concept.tex b/thesis/02_concept.tex index 4295d79..20a7a76 100644 --- a/thesis/02_concept.tex +++ b/thesis/02_concept.tex @@ -1,3 +1,94 @@ +\chapter{Background}% +\label{cha:background} + +In this Chapter we describe three main concepts which contribute the fundamentals for this thesis. +\emph{Trusted Boot} and the \emph{Integrity Measurement Architecture} (IMA) are two approaches to generate trust on a system from the hardware level up to the Operating System. +The generated trust should then be provable by an external party---in our case the PIA---by using the protocol of \emph{Direct Anonymous Attestation} (DAA). +We describe the basic functionality of these three concepts in the following. +\section{Trusted Boot}% +\label{sec:trusted_boot} + +A boot process of modern platforms consists of several steps until the OS taking over the platform. +During these early steps, the hardware components of the platform are initialized and some self tests are performed. +This is controlled by either the BIOS (for legacy platforms) or the UEFI firmware. +In this common boot procedure exists no source of trust and hence no check for integrity or intended execution. + +The \emph{Trusted Computing Group} (TCG) introduced in 2004 their first standard for a new {Trusted Computing Module} (TPM). +As part in this standard, TCG defined a procedure, where every step in the early boot process is measured and saved in a \emph{Platform Configuration Register} (PCR). +\emph{Measuring} means in this context a simple cryptographic extension function which works described in formula \ref{form:PCR-measurement} +\begin{equation} + \text{new\_PCR} = hash(\text{old\_PCR}\,||\,\text{data}) + \label{form:PCR-measurement} +\end{equation} +The function of || represents a concatenation of two binary strings and the hash function is either SHA1 or SHA256 hash. +In recent TPM-platforms, both hashing algorithms can be performed for each measurement. +Consequently, both hash results are available for further computations. + +The formula shows in addition that a new PCR value holds the information of the preceeding value as well. +This \emph{hash chain} enables the user to add an arbitrary number of hash computations. +One can clearly see that the resulting hash will also change when the order of computations change. +Therefore, the BIOS\,/\,UEFI has to provide a deterministic way to compute the hash chain if there is more than one operation necessary. +The procedure of measurements is available since the first public standard of TPM, version 1.2. +For the recent TPM2.0 standard, the process was only extended with the support for the newer SHA256 standard. + +A PCR is now useful for a sequence of measurements with similar purpose. +When, for example, a new bootloader is installed on the main disk, we want to detect this with a separate PCR value. +The measured firmware BLOBs may be still the same. +So the TPM standard defines 24 PCRs for the PC platform. +The purpose of every PCR is well defined in Section 2.3.3 of the \emph{TCG PC Client Platform Firmware Profile}\cite{tcg-pc19} and shown in table \ref{tab:PCR}. + +\begin{table}[ht] + \centering + \begin{sffamily} + \caption{Usage of PCRs during an UEFI trusted boot process} \label{tab:PCR} + %\rowcolors{2}{lightgray}{white} + \begin{tabular}{rl} + \toprule + \multicolumn{1}{c}{\textit{PCR}} & \multicolumn{1}{p{5.8cm}}{\textit{Explanation}}\\ + \midrule + 0 & SRTM, BIOS, host platform extensions, embedded option ROMs and PI drivers \\ + 1 & Host platform configuration\\ + 2 & UEFI driver and application code \\ + 3 & UEFI driver and application configuration and data \\ + 4 & UEFI Boot Manager code and boot attempts \\ + 5 & Boot Manager code configuration and data and GPT\,/\,partition table\\ + 6 & Host platform manufacturer specific \\ + 7 & Secure Boot Policy \\ + 8-15 & Defined for use by the static OS \\ + 16 & Debug \\ + 17-23 & Application\\ + \bottomrule + \end{tabular} + \end{sffamily} +\end{table} + +When TCG introduced Trusted Boot in 2004, UEFI was not yet available for the ordinary PC platform. +Consequently, TCG standardized the roles of every PCR only for the BIOS platform. +Later, when UEFI became popular, the PCR descriptions got adopted for the new platform. + +The standard furthermore defines which part of the platform or firmware has to perform the measurement. +Since the TPM itself is a purely passive element, executing instructions provided by the CPU, the BIOS\,/\,UEFI firmware has to initiate the measurement beginning by the binary representation of the firmware itself. +This procedure is described in the TCG standard and the platform user has to \emph{trust} the manufacturer, that it is performed as expected. +It is called the \emph{Static Root of Trust for Measurement} (SRTM) and is defined in section 2.2 of the TCG PC Client Platform Firmware Profile\cite{tcg-pc19}. +As the manufacturer of the motherboards do not publish their firmware code, one may have to reverse engineer the firmware to prove correct implementation of the SRTM. + +The SRTM is a small immutable piece of the firmware which is executed by default after the platform was reset. +It is the first piece of software that is executed on the platform and measures itself into PCR[0]. +It furthermore must measure all platform initialization code like embedded drivers, host platform firmware, etc.\@ as they are provided as part of the PC motherboard. +If these measurements cannot be performed, the chain of trust is broken and consequently the platform cannot be trusted. +One may see a zeroed PCR[0] or a value representing a hashed string of zeros as a strong indicator of a broken chain of trust. + +The BIOS or UEFI performs then the next measurements until PCRs 1-7 are filled. +Before any further measurements are done, the control of the platform is handed over to the first part of the OS, which is usually the bootloader either in the Master Boot Record or provided as EFI BLOB in the EFI boot partition. +It is noteworthy that the bootloader itself and its configuration payload is measured in PCR 4 and 5 before the handover is done. +This guarantees that the chain of trust keeps intact when the bootloader takes control. + +The Bootloader has then to continue the chain of trust by measuring the Kernel and the corresponding command line parameters into the next PCRs. +The support and the way of how the measurements are done is not standardized. +GRUB, for example, measures all executed grub commands, the kernel command line and the module command line into PCR 8, whereas any file read by GRUB will be measured into PCR 9\cite{grub19}. + +\ToDo{Überleitung zu IMA und IMA beschreiben. Danach DAA theoretisch beschreiben, kopie aus dem Seminarpaper. Erwähnung, dass die PCR-Register nur bei neustart zurückgesetzt werden können} + \chapter{Concept} \label{cha:concept} The theoretical tool that should be formed to one whole system implementation in this thesis. @@ -200,73 +291,6 @@ Since TCG published its documents, several IT security teams investigated concep \end{figure} \section{Trusted Boot} -A boot process of modern platforms consists of several steps until the Operating System taking over the platform. -During these early steps, the hardware components of the platform are initialized and some self tests are performed. -This is controlled by either the BIOS (for legacy platforms) or the UEFI firmware. - -TCG introduced in 2004 their first standard for trusted computing. -As part in this standard, TCG defined a procedure, where every step in the early boot process is measured and saved in a \emph{Platform Configuration Register} (PCR). -The measuring part is a simple cryptographic extension function which works described in formula \ref{form:PCR-measurement} -\begin{equation} - \text{new\_PCR} = hash(\text{old\_PCR}\,||\,\text{data}) - \label{form:PCR-measurement} -\end{equation} -The function of || represents a concatenation of two binary strings and the hash function is either SHA1 or SHA256. -In recent TPM-platforms, both hashing algorithms are performed by default in each measurement. -If there has to be measured more than one object in one PCR, the BIOS\,/\,UEFI has to perform the measurement in a deterministic way. -The function allows this feature since the current value of the PCR is also part of the hash for the value. -This feature is called \emph{hash chaining} and ensures with a deterministic measurement procedure, that the resulting values are always comparable as long as the measured components keep unchanged. -The procedure of measuring the boot process did not change over the years and is still vaild for the most recent TPM2.0 standard. - -A TPM has at least 24 PCR registers in the PC platform. -Every PCR represents a different part of the platform. -When TCG introduced Trusted Boot in 2004, UEFI was not yet available for the ordinary PC platform. -Consequently, TCG standardized the roles of every PCR only for the BIOS platform. -Later, when UEFI became popular, the PCR descriptions got adopted for the new platform. -The most recent description of the registers, as defined in section 2.3.3 of the \emph{TCG PC Client Platform Firmware Profile}\cite{tcg-pc19}, is shown in table \ref{tab:PCR}. - -\begin{table}[ht] - \centering - \begin{sffamily} - \caption{Usage of PCRs during an UEFI trusted boot process} \label{tab:PCR} - %\rowcolors{2}{lightgray}{white} - \begin{tabular}{rl} - \toprule - \multicolumn{1}{c}{\textit{PCR}} & \multicolumn{1}{p{5.8cm}}{\textit{Explanation}}\\ - \midrule - 0 & SRTM, BIOS, host platform extensions, embedded option ROMs and PI drivers \\ - 1 & Host platform configuration\\ - 2 & UEFI driver and application code \\ - 3 & UEFI driver and application configuration and data \\ - 4 & UEFI Boot Manager code and boot attempts \\ - 5 & Boot Manager code configuration and data and GPT\,/\,partition table\\ - 6 & Host platform manufacturer specific \\ - 7 & Secure Boot Policy \\ - 8-15 & Defined for use by the static OS \\ - 16 & Debug \\ - 17-23 & Application\\ - \bottomrule - \end{tabular} - \end{sffamily} -\end{table} - -The standard furthermore defines which part of the platform or firmware has to perform the measurement. -Since the TPM itself is a purely passive element in the platform, the BIOS\,/\,UEFI firmware itself has to initiate the measurement beginning by the binary representation of the firmware itself. -This procedure is well defined in the TCG standard and the platform user has to \emph{trust} the manufacturer, that it is performed as expected. -It is called the \emph{Static Root of Trust for Measurement} (SRTM) and is described in section 2.2 of the TCG PC Client Platform Firmware Profile\cite{tcg-pc19}. - -The SRTM is a small immutable piece of the firmware which is executed by default after the platform was reset. -It is the first software that is executed on the platform and measures itself into PCR[0]. -It furthermore must measure all platform initialization code like embedded drivers, host platform firmware, etc.\@ as they are provided as part of the PC motherboard. -If these measurements cannot be performed, the chain of trust is broken and consequently the platform cannot be trusted. -One may see a zeroed PCR[0] or a value representing a hashed string of zeros as a strong indicator of a broken chain of trust. - -As the manufacturer of the motherboards do not publish their firmware code, one may have to reverse engineer the firmware to prove correct implementation of the SRTM. -This is the point where the platform user has to trust the manufacturer as well as the manufacturer of the TPM. -The PCR[1-7] are then written by the motherboard firmware itself. -As last step, the bootloader is measured into PCR[4] and PCR[5] and then executed. -Consequently, the bootloader and the OS are then responsible for continuing the chain of trust for this platform. -%TODO reference to GRUB and unified kernel in the practical part. \section{Integrity Measurements} As described in the previous section, when the boot process is eventually finished, the OS is then responsible for extending the chain of trust. diff --git a/thesis/MAIN.pdf b/thesis/MAIN.pdf index 3e187ff..d92a184 100644 Binary files a/thesis/MAIN.pdf and b/thesis/MAIN.pdf differ diff --git a/thesis/literature.bib b/thesis/literature.bib index 2cfc16b..d58682e 100644 --- a/thesis/literature.bib +++ b/thesis/literature.bib @@ -254,7 +254,7 @@ } @online{tcg-pc19, - author = {}, + author = {Trusted Computing Group}, year = {2019}, title = {TCG PC Client Platform Firmware Profile Specification Revision 1.04}, url = {https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientSpecPlat_TPM_2p0_1p04_pub.pdf}, @@ -262,7 +262,7 @@ } @online{ima-overview, - author = {}, + author = {Dmitry Kasatkin and Mimi Zohar}, year = {2020}, title = {Integrity Measurement Architecture (IMA)}, url = {https://sourceforge.net/p/linux-ima/wiki/Home/}, @@ -285,4 +285,10 @@ series = {ACSAC ’16} } - +@online{grub19, + author = {Free Software Foundation}, + year = {2019}, + title = {GRUB 2.04 User Manual: Measuring Boot Components}, + url = {https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html}, + urldate = {2021-03-29}, +}