On Mon, Jun 5, 2023 at 11:38 PM Adrian Vovk <adrianvovk@xxxxxxxxx> wrote:
> 2. The alternative approach involves pre-calculating PCR[7] on the
> client if we're updating DBX or Shim. Here's how I envision this
> going:
> - We read the TPM log (which we can trust because we're currently
> booted to system verified via the chain of trust) and extract
> everything read into PCR[7]
> - We clear PCR[16], then start replaying everything from the TPM log
> - When we reach the measurement of DBX, we pre-calculate the new value
> of DBX and measure that in instead. This would probably need
> collaboration w/ fwupd
> - When we reach the measurements made by Shim, we use the new values
> instead. See https://github.com/rhboot/shim/issues/555
> - PCR[16] now contains the future value for PCR[7]. We enroll (into a
> new keyslot) TPM decryption. We seal against 16+11+14, but then
> configure it to unseal against 7+11+14 (this is the one step I'm iffy
> about. Is this possible??)

You don't need to replay everything *into a real PCR* at all – the extend operation is just a regular hash operation SHA(pcr||value), you can recalculate everything in software, then seal the keyslot against your provided PCR values instead of the "live" ones.
I have an old hack proof of concept for that (written mostly because I didn't want to touch any of that SB signing even with a stick):
1. PCR[4] replay in userspace https://github.com/grawity/tpm_futurepcr
(code is ugly but it's really just calculating a hash chain, while "updating" certain TPM log events)
2. Creating systemd-compatible LUKS tpm2 tokens against arbitrary PCR values https://git.nullroute.lt/cgit/hacks/tpmreseal.git/
(systemd has extended its LUKS token format a little bit since then, but the basic format still works, at least I'm able to use it on my system)
I expected #1 to be superseded by `systemd-measure` (available in latest systemd); apparently it's not quite the same but it does focus on Secure Boot and signed PCRs, so maybe you can get `systemd-measure` to do exactly what you want? There's a GitHub RFE filed for #2 so it might show up in systemd-cryptenroll someday.
Mantas Mikulėnas
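
The software replay described in the reply above, as an added example (not code from tpm_futurepcr, tpmreseal or systemd): it recomputes the SHA-256 extend chain for one PCR from logged digests, swaps in a predicted measurement for one event, and refuses to predict if the unmodified log does not reproduce the live PCR. The event names, the tuple layout and the sample log are constructed assumptions; a real TCG log must be parsed first, and the digest of a variable event covers the whole variable structure rather than just its contents.

```python
import hashlib

def measured(data: bytes) -> bytes:
    """Digest that would be logged and extended for this data (SHA-256 bank)."""
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend done in software: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(events, pcr_index, overrides=None):
    """Recompute one PCR from (pcr_index, name, digest) events.

    overrides maps an event name to the bytes expected to be measured after
    the update; their digest replaces the logged one at that position.
    """
    overrides = overrides or {}
    pcr = bytes(32)  # PCR[7] starts as all zeroes at boot
    for index, name, digest in events:
        if index != pcr_index:
            continue  # events for other PCRs do not touch this chain
        if name in overrides:
            digest = measured(overrides[name])
        pcr = extend(pcr, digest)
    return pcr

def predict_pcr(events, pcr_index, live_pcr, overrides):
    """Predict the post-update PCR, but only if the log explains the live value."""
    if replay(events, pcr_index) != live_pcr:
        raise ValueError("event log does not reproduce the live PCR")
    return replay(events, pcr_index, overrides)

# Constructed sample log; names and contents are placeholders, not real firmware data.
SAMPLE_LOG = [
    (7, "SecureBoot", measured(b"\x01")),
    (7, "PK", measured(b"constructed-PK")),
    (7, "KEK", measured(b"constructed-KEK")),
    (7, "db", measured(b"constructed-db")),
    (7, "dbx", measured(b"constructed-dbx-v1")),
    (4, "loader", measured(b"constructed-loader")),
    (7, "separator", measured(b"\x00\x00\x00\x00")),
]

if __name__ == "__main__":
    live = replay(SAMPLE_LOG, 7)  # stands in for the value read from the TPM
    future = predict_pcr(SAMPLE_LOG, 7, live, {"dbx": b"constructed-dbx-v2"})
    print("current PCR[7]:", live.hex())
    print("future  PCR[7]:", future.hex())
```

The predicted value is what the new keyslot's policy would be built from in place of the live PCR[7] reading.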