Hi, On Fri, Aug 12, 2022 at 3:55 AM Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote: > On Thu, Aug 11, 2022 at 07:25:58PM +0930, Brendan Trotter wrote: > > On Thu, Aug 11, 2022 at 3:16 AM Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote: > > > The kernel has no way to know this - *any* code you've run before > > > performing a measurement could tamper with the kernel such that it > > > believes it's fine. This is just as true in DRTM as it is in SRTM. But > > > you know what the expected measurements should be, so you're able to > > > either seal secrets to those PCR values or rely on remote attestation. > > > > In this scenario the kernel has no idea what the measurement should > > be, it only knows the measurement that a potentially malicious boot > > loader felt like giving the kernel previously (e.g. when the kernel > > was installed). > > Even if the kernel has an idea of what the measurement should be, it has > no way to verify that what it believes to be true is true - any > malicious code could simply have modified the kernel to believe that > anything it asks the TPM returns the "correct" answer. Right. To achieve the best possible security; you'd need Secure Boot to ensure that the kernel itself wasn't modified, and then the kernel establishes a dynamic root of trust itself. Anything involving a boot loader (e.g. Secure Boot ensure's boot loader wasn't modified, then boot loader ensure's kernel wasn't modified, then ....) increases the attack surface for no benefit. > > > Measurements are not opaque objects. If you're not able to reconstruct > > > the expected measurement then you're doing it wrong. > > > > OK; so to detect if boot loader has always given kernel a bad/forged > > measurement; the kernel repeats all of the steps involved in creating > > the measurement itself exactly the same as the boot loader should have > > (but might not have) so that kernel can compare a "known > > good/trustworthy" measurement with the useless measurement that the > > boot loader created for no sane reason whatsoever? > > No, some external agent does. Code running on the local machine can > never determine whether the machine is trustworthy. This part of the conversation evolved from "there's no way for kernel to detect a MiTM boot loader (that provides a bad/forged measurement)". I'm not convinced an external agent can detect "bad/forged measurement" either. E.g. if a MiTM boot loader always provided a bad/forged measurement the external agent won't detect it (as the measurement always matches the expected measurement), and then if the MiTM boot loader is replaced by a good/honest boot loader the external agent will decide that the good/honest boot loader is malicious because its measurement doesn't match the expected bad/forged measurement. - Brendan
