@ -84,9 +84,19 @@ Is is not supposed to think about the network communication.
\end{enumerate}
\chapter{Related Work}
There exist already many interesting projects and implementations which touch the field of trusted computing.
We will introduce some of these projects and discuss why these do not meet the purpose of this thesis.
Schear el.\,al.\@ developed a full featured trusted computing environment for cloud computing.
They show in their paper how a TPM of a hypervisor can be virtualized and used by the guest operating system.
This includes trusted bootstrapping, integrity monitoring, virtualization, compatibility with existing tools for fleet management and scalability\cite{keylime16}.
The concept of a well known virtual environment does, however, not apply to our contribution.
Furthermore, the the system should be self contained as good as possible and it should be possible to get information about the system via anonymous attestation.
%TODO what about the integrity measurements of keylime?
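Review bot: the Related Work paragraph still carries editing defects that should be cleaned up before this lands: "Schear el.\,al.\@" should read "Schear et al.\@", "the the system should be self contained as good as possible" has a doubled "the" and should be "the system should be as self-contained as possible", and the "%TODO what about the integrity measurements of keylime?" comment is an unresolved note in a chapter that otherwise reads as finished. Either answer the TODO in the text (the Keylime paper is cited here, so a sentence on why its integrity monitoring does not fit this thesis would close the gap) or drop the comment.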
@ -153,10 +153,85 @@ Since TCG published its documents, several IT security teams investigated concep
\end{figure}
\section{Trusted Boot}
A boot process of modern platforms consists of several steps until the Operating System is loaded and controls the platform.
First, the EFI firmware initializes the platform hardware and
A boot process of modern platforms consists of several steps until the Operating System taking over the platform.
During these early steps, the hardware components of the platform are initialized and some self tests are performed.
This is controlled by either the BIOS (for legacy platforms) or the UEFI firmware.
TCG introduced in 2004 their first standard for trusted computing.
As part in this standard, TCG defined a procedure, where every step in the early boot process is measured and saved in a \emph{Platform Configuration Register} (PCR).
The measuring part is a simple cryptographic extension function which works described in formula \ref{form:PCR-measurement}
The function of || represents a concatenation of two binary strings and the hash function is either SHA1 or SHA256.
In recent TPM-platforms, both hashing algorithms are performed by default in each measurement.
If there has to be measured more than one object in one PCR, the BIOS\,/\,UEFI has to perform the measurement in a deterministic way.
The function allows this feature since the current value of the PCR is also part of the hash for the value.
This feature is called \emph{hash chaining} and ensures with a deterministic measurement procedure, that the resulting values are always comparable as long as the measured components keep unchanged.
The procedure of measuring the boot process did not change over the years and is still vaild for the most recent TPM2.0 standard.
A TPM has at least 24 PCR registers in the PC platform.
Every PCR represents a different part of the platform.
When TCG introduced Trusted Boot in 2004, UEFI was not yet available for the ordinary PC platform.
Consequently, TCG standardized the roles of every PCR only for the BIOS platform.
Later, when UEFI became popular, the PCR descriptions got adopted for the new platform.
The most recent description of the registers, as defined in section 2.3.3 of the \emph{TCG PC Client Platform Firmware Profile}\cite{tcg-pc19}, is shown in table \ref{tab:PCR}.
\begin{table}[ht]
\centering
\begin{sffamily}
\caption{Usage of PCRs during an UEFI trusted boot process}\label{tab:PCR}
0 & SRTM, BIOS, Host Platform Extensions, Embedded Option ROMs and PI Drivers \\
1 & Host platform configuration\\
2 & UEFI driver and application code \\
3 & UEFI driver and application configuration and data \\
4 & UEFI Boot Manager Code and Boot Attempts \\
5 & Boot Manager Code Configuration and Data and GPT\,/\,Partition Table\\
6 & Host Platform Manufacturer specific \\
7 & Secure Boot Policy \\
8-15 & Defined for use by the static OS \\
16 & Debug \\
17-23 & Application\\
\bottomrule
\end{tabular}
\end{sffamily}
\end{table}
The standard furthermore defines which part of the platform or firmware has to perform the measurement.
Since the TPM itself is a purely passive element in the platform, the BIOS\,/\,UEFI firmware itself has to initiate the measurement beginning by the binary representation of the firmware itself.
This procedure is well defined in the TCG standard and the platform user has to \emph{trust} the manufacturer, that it is performed as expected.
It is called the \emph{Static Root of Trust for Measurement} (SRTM) and is described in section 2.2 of the TCG PC Client Platform Firmware Profile\cite{tcg-pc19}.
The SRTM is a small immutable piece of the firmware which is executed by default after the platform was reset.
It is the first software that is executed on the platform and measures itself into PCR[0].
It furthermore must measure all platform initialization code like embedded drivers, host platform firmware, etc.\@ as they are provided as part of the PC motherboard.
If these measurements cannot be performed, the chain of trust is broken and consequently the platform cannot be trusted.
One may see a zeroed PCR[0] or a value representing a hashed string of zeros as a strong indicator of a broken chain of trust.
As the manufacturer of the motherboards do not publish their firmware code, one may have to reverse engineer the firmware to prove correct implementation of the SRTM.
This is the point where the platform user has to trust the manufacturer as well as the manufacturer of the TPM.
The PCR[1-7] are then written by the motherboard firmware itself.
As last step, the bootloader is measured into PCR[4] and PCR[5] and then executed.
Consequently, the bootloader and the OS are then responsible for continuing the chain of trust for this platform.
%TODO reference to GRUB and unified kernel in the practical part.
\section{Integrity Measurements}
As described in the previous section, when the boot process is eventually finished, the OS is then responsible for extending the chain of trust.
Given a valid trusted boot procedure, the binary representation of the kernel is already measured.
Therefore the Kernel itself has the responsibility to keep track of everything happening on the platform from the OS point of view.
Soon after the first TPM standard was published, the \emph{Integrity Measurement Architecture} (IMA) for the Linux Kernel was introduced.
Since Kernel 3.7 it is possible to use all IMA features, when the compiler options of the Kernel are set correspondingly.
IMA
Extend the Chain of Trust beyond the boot process.
The Kernel can measure many different types of Resources.
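Review bot: the table environment in this hunk cannot compile as written: the rows for PCR 0 to 17-23 and the closing "\end{tabular}" appear, but there is no matching "\begin{tabular}{...}" after "\begin{sffamily}", no "\toprule", and no header row naming the PCR index and usage columns, so the "\bottomrule" / "\end{tabular}" pair is unbalanced. The opening of the Trusted Boot section is also duplicated: the sentence "A boot process of modern platforms consists of several steps until the Operating System is loaded and controls the platform." is followed by the dangling fragment "First, the EFI firmware initializes the platform hardware and" and then a second, ungrammatical copy of the first sentence ("until the Operating System taking over the platform"); keep one version and finish or remove the fragment. Smaller points: the sentence referencing "formula \ref{form:PCR-measurement}" lacks a full stop and the formula itself is not in this hunk, so check the label exists; "vaild" should be "valid"; the Integrity Measurements section ends in unfinished note lines ("IMA", "Extend the Chain of Trust beyond the boot process.", "The Kernel can measure many different types of Resources.") and a "%TODO reference to GRUB and unified kernel" comment remains above it.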
@ -13,7 +13,7 @@ Minimization also useful, because the logging gets shorter.
\autoref{tab:example} is an example of a table, in which the numbers are aligned at the comma, every second line is colored and the commands \texttt{\textbackslash toprule}, \texttt{\textbackslash midrule} and \texttt{\textbackslash bottomrule} are used \cite{arthur15}.
\begin{table}[ht]
\begin{table}[ht]
\centering
\caption{Example}\label{tab:example}
\rowcolors{2}{lightgray}{white}
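Review bot: "\begin{table}[ht]" is opened twice in a row here, which nests a table inside a table and will fail to compile (or at best produce a stray float); remove the duplicated line so that "\centering", "\caption{Example}\label{tab:example}" and "\rowcolors{2}{lightgray}{white}" sit directly inside a single table environment.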
@ -27,6 +27,6 @@ Minimization also useful, because the logging gets shorter.