diff --git a/references/EFI-Protocol-Specification-rev13-160330final.pdf b/references/EFI-Protocol-Specification-rev13-160330final.pdf new file mode 100644 index 0000000..8de1de0 Binary files /dev/null and b/references/EFI-Protocol-Specification-rev13-160330final.pdf differ diff --git a/references/TCG_PCClientSpecPlat_TPM_2p0_1p04_pub.pdf b/references/TCG_PCClientSpecPlat_TPM_2p0_1p04_pub.pdf new file mode 100644 index 0000000..624eace Binary files /dev/null and b/references/TCG_PCClientSpecPlat_TPM_2p0_1p04_pub.pdf differ diff --git a/thesis/01_introduction.tex b/thesis/01_introduction.tex index 190742e..49eb079 100644 --- a/thesis/01_introduction.tex +++ b/thesis/01_introduction.tex @@ -84,9 +84,19 @@ Is is not supposed to think about the network communication. \end{enumerate} \chapter{Related Work} +There exist already many interesting projects and implementations which touch the field of trusted computing. +We will introduce some of these projects and discuss why these do not meet the purpose of this thesis. + +Schear el.\,al.\@ developed a full featured trusted computing environment for cloud computing. +They show in their paper how a TPM of a hypervisor can be virtualized and used by the guest operating system. +This includes trusted bootstrapping, integrity monitoring, virtualization, compatibility with existing tools for fleet management and scalability\cite{keylime16}. +The concept of a well known virtual environment does, however, not apply to our contribution. +Furthermore, the the system should be self contained as good as possible and it should be possible to get information about the system via anonymous attestation. +%TODO what about the integrity measurements of keylime? + \begin{itemize} \item What exists in the field? - \item Keylime + \item Keylime - DONE \item Xaptum ECDAA \item FIDO 2 ECDAA \item Strongswan Attestation diff --git a/thesis/02_concept.tex b/thesis/02_concept.tex index 3cded3d..61f4111 100644 --- a/thesis/02_concept.tex 
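Review bot: `Schear el.\,al.\@ developed` in the new Related Work paragraph misspells the abbreviation, and the citation that closes the third sentence is glued to the preceding word; write `Schear et~al.\@ developed` and `scalability~\cite{keylime16}` (a textual citation command such as `\citet`, if the bibliography setup provides one, would also let the name and the cite key stay together). `Furthermore, the the system should be self contained as good as possible` doubles "the" and reads more naturally as `Furthermore, the system should be as self-contained as possible`. The `- DONE` appended to the Keylime item is a progress marker that will be typeset in the thesis; moving it into a `%` comment like the TODO line above keeps it out of the output.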
+++ b/thesis/02_concept.tex 
@@ -153,10 +153,85 @@ Since TCG published its documents, several IT security teams investigated concep \end{figure} \section{Trusted Boot} -A boot process of modern platforms consists of several steps until the Operating System is loaded and controls the platform. -First, the EFI firmware initializes the platform hardware and +A boot process of modern platforms consists of several steps until the Operating System taking over the platform. +During these early steps, the hardware components of the platform are initialized and some self tests are performed. +This is controlled by either the BIOS (for legacy platforms) or the UEFI firmware. + +TCG introduced in 2004 their first standard for trusted computing. +As part in this standard, TCG defined a procedure, where every step in the early boot process is measured and saved in a \emph{Platform Configuration Register} (PCR). +The measuring part is a simple cryptographic extension function which works described in formula \ref{form:PCR-measurement} +\begin{equation} + \text{new\_PCR} = hash(\text{old\_PCR}\,||\,\text{data}) + \label{form:PCR-measurement} +\end{equation} +The function of || represents a concatenation of two binary strings and the hash function is either SHA1 or SHA256. +In recent TPM-platforms, both hashing algorithms are performed by default in each measurement. +If there has to be measured more than one object in one PCR, the BIOS\,/\,UEFI has to perform the measurement in a deterministic way. +The function allows this feature since the current value of the PCR is also part of the hash for the value. +This feature is called \emph{hash chaining} and ensures with a deterministic measurement procedure, that the resulting values are always comparable as long as the measured components keep unchanged. +The procedure of measuring the boot process did not change over the years and is still vaild for the most recent TPM2.0 standard. + +A TPM has at least 24 PCR registers in the PC platform. 
+Every PCR represents a different part of the platform.
+When TCG introduced Trusted Boot in 2004, UEFI was not yet available for the ordinary PC platform.
+Consequently, TCG standardized the roles of every PCR only for the BIOS platform.
+Later, when UEFI became popular, the PCR descriptions got adopted for the new platform.
+The most recent description of the registers, as defined in section 2.3.3 of the \emph{TCG PC Client Platform Firmware Profile}\cite{tcg-pc19}, is shown in table \ref{tab:PCR}.
+
+\begin{table}[ht]
+ \centering
+ \begin{sffamily}
+ \caption{Usage of PCRs during an UEFI trusted boot process} \label{tab:PCR}
+ %\rowcolors{2}{lightgray}{white}
+ \begin{tabular}{rl}
+ \toprule
+ \multicolumn{1}{c}{\textit{PCR}} & \multicolumn{1}{p{6cm}}{\textit{Explanation}}\\
+ \midrule
+ 0 & SRTM, BIOS, Host Platform Extensions, Embedded Option ROMs and PI Drivers \\
+ 1 & Host platform configuration\\
+ 2 & UEFI driver and application code \\
+ 3 & UEFI driver and application configuration and data \\
+ 4 & UEFI Boot Manager Code and Boot Attempts \\
+ 5 & Boot Manager Code Configuration and Data and GPT\,/\,Partition Table\\
+ 6 & Host Platform Manufacturer specific \\
+ 7 & Secure Boot Policy \\
+ 8-15 & Defined for use by the static OS \\
+ 16 & Debug \\
+ 17-23 & Application\\
+ \bottomrule
+ \end{tabular}
+ \end{sffamily}
+\end{table}
+
+The standard furthermore defines which part of the platform or firmware has to perform the measurement.
+Since the TPM itself is a purely passive element in the platform, the BIOS\,/\,UEFI firmware itself has to initiate the measurement beginning by the binary representation of the firmware itself.
+This procedure is well defined in the TCG standard and the platform user has to \emph{trust} the manufacturer, that it is performed as expected.
+It is called the \emph{Static Root of Trust for Measurement} (SRTM) and is described in section 2.2 of the TCG PC Client Platform Firmware Profile\cite{tcg-pc19}.
+ +The SRTM is a small immutable piece of the firmware which is executed by default after the platform was reset. +It is the first software that is executed on the platform and measures itself into PCR[0]. +It furthermore must measure all platform initialization code like embedded drivers, host platform firmware, etc.\@ as they are provided as part of the PC motherboard. +If these measurements cannot be performed, the chain of trust is broken and consequently the platform cannot be trusted. +One may see a zeroed PCR[0] or a value representing a hashed string of zeros as a strong indicator of a broken chain of trust. + +As the manufacturer of the motherboards do not publish their firmware code, one may have to reverse engineer the firmware to prove correct implementation of the SRTM. +This is the point where the platform user has to trust the manufacturer as well as the manufacturer of the TPM. +The PCR[1-7] are then written by the motherboard firmware itself. +As last step, the bootloader is measured into PCR[4] and PCR[5] and then executed. +Consequently, the bootloader and the OS are then responsible for continuing the chain of trust for this platform. +%TODO reference to GRUB and unified kernel in the practical part. \section{Integrity Measurements} +As described in the previous section, when the boot process is eventually finished, the OS is then responsible for extending the chain of trust. +Given a valid trusted boot procedure, the binary representation of the kernel is already measured. +Therefore the Kernel itself has the responsibility to keep track of everything happening on the platform from the OS point of view. + +Soon after the first TPM standard was published, the \emph{Integrity Measurement Architecture} (IMA) for the Linux Kernel was introduced. +Since Kernel 3.7 it is possible to use all IMA features, when the compiler options of the Kernel are set correspondingly. + +IMA + + Extend the Chain of Trust beyond the boot process. 
The Kernel can measure many different types of Resources. What is a useful set of measurements diff --git a/thesis/04_outlook.tex b/thesis/04_outlook.tex index 665bddc..6d98d52 100644 --- a/thesis/04_outlook.tex +++ b/thesis/04_outlook.tex @@ -13,7 +13,7 @@ Minimization also useful, because the logging gets shorter. \autoref{tab:example} is an example of a table, in which the numbers are aligned at the comma, every second line is colored and the commands \texttt{\textbackslash toprule}, \texttt{\textbackslash midrule} and \texttt{\textbackslash bottomrule} are used \cite{arthur15}. - \begin{table}[ht] +\begin{table}[ht] \centering \caption{Example} \label{tab:example} \rowcolors{2}{lightgray}{white} @@ -27,6 +27,6 @@ Minimization also useful, because the logging gets shorter. 23.3 & 333.2 & 32.4 \\ \bottomrule \end{tabular} - \end{table} +\end{table} diff --git a/thesis/MAIN.pdf b/thesis/MAIN.pdf index 1583c75..72e20f8 100644 Binary files a/thesis/MAIN.pdf and b/thesis/MAIN.pdf differ diff --git a/thesis/literature.bib b/thesis/literature.bib index de1a652..7df8f14 100644 --- a/thesis/literature.bib +++ b/thesis/literature.bib 
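Review bot: In the new PCR equation, `hash(\text{old\_PCR}\,||\,\text{data})` typesets `hash` as four italic variables and `||` as two bare bars; since `\text` (amsmath) is already in use, write `\text{new\_PCR} = \operatorname{hash}(\text{old\_PCR} \mathbin{\Vert} \text{data})` and refer to it as `Formula~\eqref{form:PCR-measurement}` instead of `formula \ref{...}`, which lacks both the parentheses and the non-breaking space. In the PCR table, `8-15` and `17-23` should be `8--15` and `17--23`, and `\begin{sffamily}` wraps a font switch as an environment; a plain `\sffamily` after `\centering` (scoped by the float) is the conventional form. The statement that the hash `is either SHA1 or SHA256` understates TPM 2.0, where which PCR banks are active is a platform configuration choice, so a hedge such as `commonly SHA-1 and/or SHA-256` keeps the claim accurate without changing the argument. Typos: `vaild` → `valid`, `Operating System taking over` → `Operating System takes over`; both the Trusted Boot and the Integrity Measurements text continue beyond the hunk.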
@@ -253,3 +253,45 @@ url = {https://trustedcomputinggroup.org/resource/tpm-library-specification/}, urldate = {2020-05-16} } + +@online{tcg-efi16, + author = {}, + year = {2016}, + title = {TCG EFI Protocol Specification}, + url = {https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/}, + urldate = {2020-08-01} +} + +@online{tcg-pc19, + author = {}, + year = {2019}, + title = {TCG PC Client Platform Firmware Profile Specification Revision 1.04}, + url = {https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientSpecPlat_TPM_2p0_1p04_pub.pdf}, + urldate = {2020-08-01} +} + +@online{ima-overview, + author = {}, + year = {2020}, + title = {Integrity Measurement Architecture (IMA)}, + url = {https://sourceforge.net/p/linux-ima/wiki/Home/}, + urldate = {2020-08-01} +} + +@inproceedings{keylime16, + author = {Schear, Nabil and Cable, Patrick T. and Moyer, Thomas M. and Richard, Bryan and Rudd, Robert}, + title = {Bootstrapping and Maintaining Trust in the Cloud}, + year = {2016}, + isbn = {9781450347716}, + publisher = {Association for Computing Machinery}, + address = {New York, NY, USA}, + url = {https://doi.org/10.1145/2991079.2991104}, + doi = {10.1145/2991079.2991104}, + booktitle = {Proceedings of the 32nd Annual Conference on Computer Security Applications}, + pages = {65–77}, + numpages = {13}, + location = {Los Angeles, California, USA}, + series = {ACSAC ’16} +} + +
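Review bot: The three new `@online` entries (`tcg-efi16`, `tcg-pc19`, `ima-overview`) carry `author = {}`, which produces an empty or placeholder author in the bibliography and a warning from the bibliography tool; give the corporate author explicitly, e.g. `author = {{Trusted Computing Group}},` for the two TCG documents (double braces keep the name from being split into given/family parts) and, for the IMA wiki, the project or organisation it names as maintainer. The `keylime16` entry contains a Unicode en dash in `pages = {65–77}` and a curly apostrophe in `series = {ACSAC ’16}`, which classic bibtex under pdfLaTeX may render incorrectly; `pages = {65--77}` and `series = {ACSAC '16}` are the portable forms. The two TCG entries are also inconsistent in what they link: `tcg-pc19` points at the PDF while `tcg-efi16` points at the landing page, and since this commit adds both PDFs under `references/`, the same convention should be used for both.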