
trustedgrub2's Introduction

TrustedGRUB2

No Maintenance Intended

This project is no longer supported.

1. General Information

1.1 Introduction

This file describes the extensions made to transform a standard GRUB2 into a version that offers TCG (TPM) support for ensuring the integrity of the boot process (trusted boot). This project was highly inspired by the former projects TrustedGrub1 and GRUB-IMA. However, TrustedGRUB2 was written completely from scratch.

TrustedGRUB2 measures all critical components during the boot process, i.e. the GRUB2 kernel, GRUB2 modules, the OS kernel or OS modules and so on, together with their parameters. Please note that the TrustedGRUB2 MBR bootcode does not have to be measured here (it wouldn't even be possible): the MBR bootcode has already been measured by the TPM itself. Since the TPM is passive, it has no direct ability to check whether the integrity of the bootloader (and the OS kernel/modules and so on) is actually intact. This can only be done indirectly by using the seal/unseal functions of the TPM (for details on this topic, have a look at the TCG specifications or other documents describing TCG/TPM abilities).

1.2 Features

  • Based on GRUB 2.02
  • TPM Support with TPM detection (only legacy/mbr mode, UEFI is not supported at the moment)
  • Measurement of GRUB2 kernel
  • Measurement of all loaded GRUB2 modules
  • Measurement of all commands and their parameters entered in shell and scripts
  • New SHA1-implementation in GRUB2 kernel (necessary for doing the GRUB2 modules measurement as the crypto module isn't loaded at this stage)
  • Added LUKS keyfile support with the additional parameter -k KEYFILE for the cryptomount command
  • Added support for unsealing a LUKS keyfile with the additional -s parameter for the cryptomount command. The LUKS header is measured into PCR 12 before unsealing. Currently unsealing is only supported with the SRK and the well-known secret (20 zero bytes)
  • New commands:
    • readpcr PCRNUM
    • tcglog LOGINDEX
    • measure FILE PCRNUM
    • setmor DISABLEAUTODETECT
  • Loader measurements:
    • linux / linux16
    • initrd / initrd16
    • chainloader
    • ntldr
    • multiboot
    • module
  • New cryptomount parameters:
    • cryptomount -k KEYFILE
    • cryptomount -k KEYFILE -s
  • Functionality added without own command:
    • TPM_Unseal
    • TPM_GetRandom
    • TPM_OIAP
    • TPM_OSAP

1.3 Measurements (in short)

  • PCR 0-7 Measured by BIOS
  • PCR 8 First sector of TrustedGRUB2 kernel (diskboot.img)
  • PCR 9 TrustedGRUB2 kernel (core.img)
  • PCR 10 Loader measurements - currently linux-kernel, initrd, ntldr, chainloader, multiboot, module
  • PCR 11 Contains all commandline arguments from scripts (e.g. grub.cfg) and those entered in the shell
  • PCR 12 LUKS-header
  • PCR 13 Parts of GRUB2 that are loaded from disk like GRUB2-modules // TODO: fonts, themes, locales

Kernel measurements are only implemented for diskboot so far (e.g. no cdboot or pxeboot measurement)

1.4 Requirements

In order to use the TCG-enhanced TrustedGRUB2, you need a computer which has TCG enhancements according to the TCG specification v1.2, since SHA-1 digests are extended into the PCRs (Platform Configuration Registers) of the TPM.

1.5 Known Bugs / Limitations

  • On some HP notebooks and workstations, TrustedGRUB2 (in default mode) is not able to do the kernel measurements due to a buggy BIOS. This means PCR 9 can contain bogus values. HP desktop/laptop BIOS seems to be unable to handle blocks ending on 512 byte boundaries when measuring data.
    • Fortunately we've found a workaround:
      • The workaround works as follows: we increase the number of bytes to read by 1 and also the number of sectors to read, which ensures that all bytes of core.img are read. For this to work correctly the loaded core.img must be padded with zeroes.
      • In summary:
        1. pad core.img with zeroes to 512 byte blocks.
        2. append 1 extra zero byte to core.img.
      • This doesn't have to be done manually. We've patched grub_mkimage to do step 1 and step 2 for us.
      • This workaround has to be enabled explicitly. To do so: define TGRUB_HP_WORKAROUND. For example like this: make CPPFLAGS=-DTGRUB_HP_WORKAROUND
      • IMPORTANT: you have to append --no-rs-codes to grub-install otherwise you end up in a reboot loop.

If you find any other bugs, create an issue on GitHub.

1.6 Configuring TrustedGRUB2 before installation

1.6.1 PCR selection

PCR selection for module measurement, command measurement and loaded files measurement can be adjusted in tpm.h:

#define TPM_LOADER_MEASUREMENT_PCR 10
#define TPM_COMMAND_MEASUREMENT_PCR 11
#define TPM_LUKS_HEADER_MEASUREMENT_PCR 12
#define TPM_GRUB2_LOADED_FILES_MEASUREMENT_PCR 13

1.6.2 Debug output

To enable some debug output, define TGRUB_DEBUG. For example like this: make CPPFLAGS=-DTGRUB_DEBUG

1.7 Installation of TrustedGRUB2

Required Packages for compiling:

  • autogen
  • autoconf
  • automake
  • gcc
  • bison
  • flex

To compile and install TrustedGRUB2, please run

./autogen.sh
./configure --prefix=INSTALLDIR --target=i386 --with-platform=pc
make
make install

Installing to device:

./INSTALLDIR/sbin/grub-install --directory=INSTALLDIR/lib/grub/i386-pc /dev/sda 

[WARNING] if installing over an old GRUB2 install you probably have to adjust your grub.cfg

For USB devices this command can be used (assuming /dev/sdb is your USB device):

./INSTALLDIR/sbin/grub-install --directory=INSTALLDIR/lib/grub/i386-pc --root-directory=/mnt/sdb1 /dev/sdb

2. Technical Details

2.1 General view on how TrustedGRUB2 works

The goal of TrustedGRUB2 is to accomplish a chain of trust, i.e. every component measures the integrity of the succeeding component. Concretely, this looks like the following:

| Component | measured by |
| --- | --- |
| BIOS | CRTM |
| TrustedGRUB2 MBR bootcode | BIOS |
| start of TrustedGRUB2 kernel (diskboot.img) | TrustedGRUB2 MBR bootcode |
| rest of TrustedGRUB2 kernel (core.img) | start of TrustedGRUB2 kernel |
| Grub modules + OS (kernel and so on) | TrustedGRUB2 kernel |

This chain of trust can be extended by using the newly added measure command to measure the integrity of arbitrary files.

2.2 Measurement of GRUB2 kernel

2.2.1 Modifications in boot.S (MBR bootcode)

The GRUB2 MBR bootcode is already measured by the TPM. The task of the MBR bootcode is to load the first sector of the TrustedGRUB2 kernel (diskboot.img). Diskboot.img itself loads the rest of the GRUB2 kernel. Therefore the GRUB2 MBR code is extended to measure diskboot.img before jumping to it:

  1. Diskboot.img is hashed with a SHA-1 algorithm. Diskboot.img is loaded at address 0x8000, its length is 512 bytes.
  2. The resulting hash value is written to PCR (Platform Configuration Register) 8. More precisely, the former content of this register (which actually is 0) is concatenated to the new value, then hashed with SHA1 and finally written again to PCR 8
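
The extend operation from step 2, as an added example in Python (not TrustedGRUB2 code; the function names and the sample buffers are constructed for illustration). It computes the PCR 8 value a known-good diskboot.img should produce, replays several measurements in order, and reports the first PCR that deviates from a reference set.

```python
import hashlib

PCR_SIZE = 20                 # a TPM 1.2 PCR holds one SHA-1 digest
PCR_RESET = bytes(PCR_SIZE)   # "former content ... which actually is 0"
SECTOR = 512                  # diskboot.img is one 512-byte sector


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR value and digest must both be 20 bytes")
    return hashlib.sha1(pcr + digest).digest()


def measure(pcr: bytes, data: bytes) -> bytes:
    """Hash a buffer with SHA-1, then extend the digest into the PCR."""
    return extend(pcr, hashlib.sha1(data).digest())


def expected_pcr8(diskboot: bytes) -> bytes:
    """PCR 8 after boot.S has measured the 512-byte diskboot.img."""
    if len(diskboot) != SECTOR:
        raise ValueError("diskboot.img must be exactly 512 bytes")
    return measure(PCR_RESET, diskboot)


def replay(buffers) -> bytes:
    """PCR value after measuring several buffers in the given order."""
    pcr = PCR_RESET
    for data in buffers:
        pcr = measure(pcr, data)
    return pcr


def first_mismatch(expected: dict, observed: dict):
    """Lowest PCR index whose hex value differs from the reference, or None.

    Both arguments map a PCR index to a hex string, e.g. values noted down
    from readpcr on a known-good boot and on the boot under inspection.
    """
    for index in sorted(expected):
        if expected[index].lower() != observed.get(index, "").lower():
            return index
    return None


# Constructed sample buffers standing in for real boot components.
DISKBOOT = bytes(range(256)) * 2
KERNEL = b"constructed kernel image"
INITRD = b"constructed initrd image"

if __name__ == "__main__":
    print("PCR 8 :", expected_pcr8(DISKBOOT).hex())
    print("PCR 10:", replay([KERNEL, INITRD]).hex())
```

Because every extend hashes the previous value, a PCR encodes both the content and the order of everything measured into it, so a reference value is only valid for one exact boot sequence.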

Due to the PC architecture, the size of the MBR (where the TrustedGRUB2 boot.S is located) is limited to 512 bytes. The original GRUB2 MBR bootcode is already very close to this limit, leaving very little space for the TCG extensions. Because of this, it was necessary (in the current version of TrustedGRUB2) to eliminate the CHS code. As a result, only LBA discs are supported now. FDD boot is not possible.

2.2.2 Modifications in diskboot.S

boot.S contains the code for loading the first sector of the TrustedGRUB2 kernel (diskboot.img). The only task of diskboot.img is to load the rest of the TrustedGRUB2 kernel. Therefore, the TCG extension now has to measure the rest of the TrustedGRUB2 kernel. The changes here are largely the same as in the TrustedGRUB2 bootcode, with the differences that the entry point for the code which has to be checked is at address 0x8200 and that the result is written into PCR 9.

2.3 Measurement of GRUB2 modules

GRUB2 has a modular structure. It dynamically loads needed modules which are not contained in the kernel. The modifications in boot.S and diskboot.S only measure the GRUB2 kernel. Therefore the GRUB2 module loader was modified to measure modules into PCR 13 before they are loaded. The changes can be found in dl.c.

2.4 New SHA1-implementation in GRUB2 kernel

In order to make GRUB2 modules measurement possible, a SHA1-implementation had to be added to the kernel. GRUB2 already contains an SHA1-implementation in its crypto module, but this isn't loaded at this stage.

2.5 Measurement of all commands and their parameters entered in shell and scripts

All commands which are entered in the shell or executed by scripts are measured into PCR 11. Therefore commands in grub.cfg are automatically measured, and there is no need to measure grub.cfg separately. One exception applies to this rule: the menuentry, submenu and [ ... ] commands are not measured, because measuring them makes precomputation of the PCR value difficult and is unnecessary, since each command within a menuentry or submenu is measured anyway. For [ ... ] it shouldn't be possible to write commands between the square brackets.
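
A sketch of precomputing PCR 11 from the commands a boot path executes, applying the exception rule above (an added Python example, not TrustedGRUB2 code; the function names and command lines are constructed). The exact byte string hashed per command is not specified in this document, so the encoding used here is an assumption to be checked against readpcr 11 on the target.

```python
import hashlib

PCR_RESET = bytes(20)                       # PCR 11 before the first extend
UNMEASURED = {"menuentry", "submenu", "["}  # exceptions named in section 2.5


def is_measured(command_line: str) -> bool:
    """True if the command name is not one of the documented exceptions."""
    tokens = command_line.split()
    return bool(tokens) and tokens[0] not in UNMEASURED


def expected_pcr11(executed):
    """Replay executed command lines into a simulated PCR 11.

    Returns (pcr_value, measured_lines) so that the measured set can be
    compared entry by entry with the TCG event log on the target.
    """
    pcr = PCR_RESET
    measured = []
    for line in executed:
        if not is_measured(line):
            continue
        # ASSUMPTION: command and arguments joined by single spaces,
        # UTF-8 encoded, no terminator. Confirm on the real system.
        text = " ".join(line.split())
        digest = hashlib.sha1(text.encode("utf-8")).digest()
        pcr = hashlib.sha1(pcr + digest).digest()   # TPM 1.2 extend
        measured.append(text)
    return pcr, measured


# Constructed command sequence for one boot path.
BOOT = [
    "set timeout=5",
    "[ -f /boot/grub/custom.cfg ]",
    "menuentry 'Linux' {",
    "linux /vmlinuz root=/dev/sda2 ro",
    "initrd /initrd.img",
]

if __name__ == "__main__":
    value, lines = expected_pcr11(BOOT)
    print(value.hex())
    for entry in lines:
        print("measured:", entry)
```

Renaming a menu entry leaves the value unchanged, while any change to a measured command or one of its arguments produces a different PCR 11, which is what a key sealed to that PCR relies on.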

2.6 TrustedGRUB2 commands

2.6.1 new commands

readpcr PCRNUM

Displays the current value of the PCR (Platform Configuration Register) within the TPM (Trusted Platform Module) at index PCRNUM.



tcglog LOGINDEX

Displays the TCG event log entry at position LOGINDEX. Type in "0" for all entries.



measure FILE PCRNUM

Performs a TCG measurement operation on the file FILE with PCR PCRNUM.



setmor DISABLEAUTODETECT

Sets Memory Overwrite Request (MOR) Bit. DISABLEAUTODETECT specifies if BIOS should auto detect unscheduled reboots.



2.6.2 Modified existing GRUB2 commands

  • linux / linux16
  • initrd / initrd16
  • chainloader
  • ntldr
  • multiboot
  • module
    • append --nounzip to get measurements of the compressed file

These commands are modified to measure before loading. PCR 10 is extended.

Additionally the following commands have been modified:

  • cryptomount

2.7 Other modifications

All modifications have been commented with

/* BEGIN TCG EXTENSION */

/* END TCG EXTENSION */

2.8 Security considerations

  • The multiboot command measurement does not follow the new convention of measuring the same buffer that is loaded into memory. If someone needs this extra security feel free to send a pull request. See GH #9 and GH #38 for more details.
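
Why that convention matters, as an added example in Python (a simulation, not TrustedGRUB2 code; UnstableDisk and both loader functions are hypothetical names). If a loader reads a file once to load it and a second time to measure it, the digest extended into the PCR need not describe the bytes that will actually run; hashing the loaded buffer removes that gap.

```python
import hashlib


class UnstableDisk:
    """Constructed stand-in for storage whose reads are not repeatable."""

    def __init__(self, *versions: bytes):
        self._versions = list(versions)
        self.reads = 0

    def read(self, path: str) -> bytes:
        # Serve the next version; keep serving the last one afterwards.
        data = self._versions[min(self.reads, len(self._versions) - 1)]
        self.reads += 1
        return data


def load_then_reread_to_measure(disk, path):
    """Older pattern: one read fills memory, a second read is hashed."""
    loaded = disk.read(path)
    digest = hashlib.sha1(disk.read(path)).digest()
    return loaded, digest


def load_and_measure_same_buffer(disk, path):
    """Convention described above: hash exactly the buffer that was loaded."""
    loaded = disk.read(path)
    return loaded, hashlib.sha1(loaded).digest()


def measurement_describes(loaded: bytes, digest: bytes) -> bool:
    """True if the recorded digest is the SHA-1 of the bytes in memory."""
    return hashlib.sha1(loaded).digest() == digest


if __name__ == "__main__":
    for loader in (load_then_reread_to_measure, load_and_measure_same_buffer):
        disk = UnstableDisk(b"content of read 1", b"content of read 2")
        loaded, digest = loader(disk, "/xen.gz")
        print(loader.__name__, disk.reads, measurement_describes(loaded, digest))
```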

2.9 File list

The following list presents the files that have been added / modified to add TCG support to GRUB2.

  • README.md
  • Changelog.md
  • grub-core/Makefile.am
  • grub-core/Makefile.core.def
  • grub-core/boot/i386/pc/boot.S
  • grub-core/boot/i386/pc/diskboot.S
  • grub-core/kern/tpm.c
  • grub-core/kern/dl.c
  • grub-core/kern/i386/pc/tpm/tpm_kern.c
  • grub-core/kern/sha1.c
  • grub-core/disk/cryptodisk.c
  • grub-core/disk/luks.c
  • grub-core/loader/multiboot.c
  • grub-core/loader/linux.c
  • grub-core/loader/i386/linux.c
  • grub-core/loader/i386/pc/chainloader.c
  • grub-core/loader/i386/pc/linux.c
  • grub-core/loader/i386/pc/ntldr.c
  • grub-core/normal/main.c
  • grub-core/script/execute.c
  • grub-core/tpm/i386/pc/tpm.c
  • include/grub/i386/pc/boot.h
  • include/grub/i386/pc/tpm.h
  • include/grub/tpm.h
  • include/grub/sha1.h
  • util/mkimage.c

3. Thanks

TrustedGrub1 and GRUB-IMA have done a lot of preparatory work in the field and were used for code examples.


trustedgrub2's Issues

Error build TrustedGrub2

Hello,

I'm installing my new PC on archlinux and I have an error when I try to compile TrustedGRUB2.
I don't know if my problem is related with TrustedGrub so I post my issue here. But I'm sorry in advance if I'm wrong.

When I try to compile TrustedGRUB2, I have this error:

grub-core/osdep/unix/getroot.c: Dans la fonction « grub_util_biosdisk_is_floppy »:
grub-core/osdep/unix/getroot.c:751:13: erreur : In the GNU C Library, "major" is defined
 by <sys/sysmacros.h>. For historical compatibility, it is
 currently defined by <sys/types.h> as well, but we plan to
 remove this soon. To use "major", include <sys/sysmacros.h>
 directly. If you did not intend to use a system-defined macro
 "major", you should undefine it after including <sys/types.h>. [-Werror]
   if (major(st.st_rdev) == FLOPPY_MAJOR)
             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1 : tous les avertissements sont traités comme des erreurs
make[2]: *** [Makefile:5618: grub-core/osdep/unix/libgrubkern_a-getroot.o] Error 1
make[1]: *** [Makefile:10703: all-recursive] Error 1
make: *** [Makefile:3099: all] Error 2

Here is my version of gcc:

Utilisation des specs internes.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.1/lto-wrapper
Cible : x86_64-pc-linux-gnu
Configuré avec: /build/gcc-multilib/src/gcc/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-shared --enable-threads=posix --enable-libmpx --with-system-zlib --with-isl --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --enable-gnu-indirect-function --enable-multilib --disable-werror --enable-checking=release
Modèle de thread: posix
gcc version 6.3.1 20170306 (GCC) 

I try to add "#include <sys/sysmacros.h>" but I have another similar error with "makedev".

Thanks in advance for your help.

No license information found

Dear TrustedGRUB2 team,
What license is this software released under? I was unable to find any information clarifying attribution requirements or distribution requirements.
Thanks and Regards,
J

Is there some documentation that I can use ?

Hello guys. I have successfully installed TrustedGrub2 and the machine boots fine. I have a LUKS encrypted partition (swap + root) and I want to be able to automatically boot if no changes have been done.
Could you provide some guides how to proceed from now on.
Thanks for spending your time.

Loader measurement changing between boots

I'm working on an Advantech board with Infineon TPM and AMI BIOS where the PCR 10 measurement value is different after each boot, with the same bootloader, kernel and initramfs (no changes made at all between reboots). PCRs 0-9 and 11 remain intact. This is causing all sorts of problems with OS level measurements based on PCR 10. Is there a known or typical cause for this behavior, or a recommended workaround?

Additional information: enabling TGRUB_DEBUG shows that the kernel SHA1 is correct, but no debug message is printed for the initrd. The last message printed is "Loading initial ramdisk ...". Debug messages placed inside grub_cmd_initrd() are not displayed, so I can't confirm if the initrd is being correctly hashed.

make: "/usr/bin/ld: -r and -pie may not be used together"

When I execute the make, I get the following error:

make[3]: Entering directory '/home/user/Downloads/TrustedGRUB2/grub-core'
gcc -DHAVE_CONFIG_H -I. -I..  -Wall -W  -DGRUB_MACHINE_PCBIOS=1 -DGRUB_MACHINE=I386_PC -m32 -nostdinc -isystem /usr/lib/gcc/x86_64-linux-gnu/6/include -I../include -I../include -DGRUB_FILE=\"lib/disk.c\" -I. -I. -I.. -I.. -I../include -I../include -I../grub-core/lib/libgcrypt-grub/src/    -D_FILE_OFFSET_BITS=64 -Os -Wall -W -Wshadow -Wpointer-arith -Wundef -Wchar-subscripts -Wcomment -Wdeprecated-declarations -Wdisabled-optimization -Wdiv-by-zero -Wfloat-equal -Wformat-extra-args -Wformat-security -Wformat-y2k -Wimplicit -Wimplicit-function-declaration -Wimplicit-int -Wmain -Wmissing-braces -Wmissing-format-attribute -Wmultichar -Wparentheses -Wreturn-type -Wsequence-point -Wshadow -Wsign-compare -Wswitch -Wtrigraphs -Wunknown-pragmas -Wunused -Wunused-function -Wunused-label -Wunused-parameter -Wunused-value  -Wunused-variable -Wwrite-strings -Wnested-externs -Wstrict-prototypes -g -Wredundant-decls -Wmissing-prototypes -Wmissing-declarations  -Wextra -Wattributes -Wendif-labels -Winit-self -Wint-to-pointer-cast -Winvalid-pch -Wmissing-field-initializers -Wnonnull -Woverflow -Wvla -Wpointer-to-int-cast -Wstrict-aliasing -Wvariadic-macros -Wvolatile-register-var -Wpointer-sign -Wmissing-include-dirs -Wmissing-prototypes -Wmissing-declarations -Wformat=2 -march=i386 -m32 -mrtd -mregparm=3 -falign-jumps=1 -falign-loops=1 -falign-functions=1 -freg-struct-return -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow -msoft-float -fno-dwarf2-cfi-asm -fno-asynchronous-unwind-tables -Qn -fno-PIE -fno-stack-protector -Wtrampolines -Werror   -ffreestanding   -MT lib/disk_module-disk.o -MD -MP -MF lib/.deps-core/disk_module-disk.Tpo -c -o lib/disk_module-disk.o `test -f 'lib/disk.c' || echo './'`lib/disk.c
mv -f lib/.deps-core/disk_module-disk.Tpo lib/.deps-core/disk_module-disk.Po
gcc -Os -Wall -W -Wshadow -Wpointer-arith -Wundef -Wchar-subscripts -Wcomment -Wdeprecated-declarations -Wdisabled-optimization -Wdiv-by-zero -Wfloat-equal -Wformat-extra-args -Wformat-security -Wformat-y2k -Wimplicit -Wimplicit-function-declaration -Wimplicit-int -Wmain -Wmissing-braces -Wmissing-format-attribute -Wmultichar -Wparentheses -Wreturn-type -Wsequence-point -Wshadow -Wsign-compare -Wswitch -Wtrigraphs -Wunknown-pragmas -Wunused -Wunused-function -Wunused-label -Wunused-parameter -Wunused-value  -Wunused-variable -Wwrite-strings -Wnested-externs -Wstrict-prototypes -g -Wredundant-decls -Wmissing-prototypes -Wmissing-declarations  -Wextra -Wattributes -Wendif-labels -Winit-self -Wint-to-pointer-cast -Winvalid-pch -Wmissing-field-initializers -Wnonnull -Woverflow -Wvla -Wpointer-to-int-cast -Wstrict-aliasing -Wvariadic-macros -Wvolatile-register-var -Wpointer-sign -Wmissing-include-dirs -Wmissing-prototypes -Wmissing-declarations -Wformat=2 -march=i386 -m32 -mrtd -mregparm=3 -falign-jumps=1 -falign-loops=1 -falign-functions=1 -freg-struct-return -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow -msoft-float -fno-dwarf2-cfi-asm -fno-asynchronous-unwind-tables -Qn -fno-PIE -fno-stack-protector -Wtrampolines -Werror   -ffreestanding   -m32 -Wl,-melf_i386 -Wl,--build-id=none  -nostdlib -Wl,-N -Wl,-r,-d   -o disk.module lib/disk_module-disk.o
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status
Makefile:24266: recipe for target 'disk.module' failed
make[3]: *** [disk.module] Error 1

My gcc version:

gcc --version
gcc (Debian 6.3.0-6) 6.3.0 20170205

The error seems to be caused by the fact that GCC 6 uses the -pie option by default. This can be fixed by appending LDFLAGS="-no-pie" to ./configure:

./configure LDFLAGS="-no-pie"

Afterwards, make completes normally.

How PCR usage is compliant with TCG ?

Hi,

Not sure if this is right place to ask this question, but I couldn't find any mailing list, so asking here.

I see that the first transition from pre-OS code to post-OS code, i.e. the first boot sector of the diskboot.img image, is itself extended to PCR[8], which is actually meant for the static OS? What is the reasoning for the way PCR indexes are being used?

Thanks & Regards,
- Nayna

UEFI booting mechanism supporting

Hi, I am testing to make TrustedGRUB2 working with a UEFI booting machine. I have tested TG2 with an old machine of legacy BIOS booting option, it works correctly without any problem.

Then I turned off the 'legacy BIOS supporting' from the machine's setting. This time it cannot install into the device again. Here is the output error.

/root/TrustedGRUB2/sbin/grub-bios-setup: warning: this GPT partition label contains no BIOS Boot Partition; embedding won't be possible.
/root/TrustedGRUB2/sbin/grub-bios-setup: warning: Embedding is not possible.  GRUB can only be installed in this setup by using blocklists.  However, blocklists are UNRELIABLE and their use is discouraged..
/root/TrustedGRUB2/sbin/grub-bios-setup: error: will not proceed with blocklists.

My question is, does TG2 support the UEFI boot mechanism? Or does it only support the legacy BIOS booting option? If it supports UEFI, how can I install it?

Thank you very much.

spec file for building RPM

It's me again...

You might be interested in the xtra/TructedGRUB2.spec file I've made to build the rpm.

OK, this is probably a very bad spec file, I learned about building RPM only 3 days ago, and my only objective was to have a very simple RPM to deploy on servers without having to manually build locally.

I found the spec file of grub2 2.0.2 on the web, but it seems much too complex for my poor little experience.

Also, I didn't understand the difference between grub and efi (on my hardware grub.cfg files are in /boot/efi/... instead of only /boot, I still haven't understood why). Should we build something special to have EFI support? Or should I just forget about it, and if so, what should I do with the 2 partitions /boot and /boot/efi?

My comprehension was that EFI needed to be signed, so maybe TrustedGRUB2 cannot work in EFI mode.

Thanks a lot!

Support for TPM2

The current implementation is TPM 1.2 based. Are there any plans to support TPM 2.0 in the future?

TrustedGRUB2 crashes with more than five submenu entries

It seems as TrustedGRUB2 is constantly rebooting if there are more than five submenu entries in grub.cfg. The grub.cfg that triggers the rebooting is https://gist.github.com/anonymous/07fe464370636e3b4b69 . Could anyone maybe confirm that issue? And, in case it is reproducible, how could it be fixed?

Update: It seems as the number of submenu entries that TrustedGRUB2 is working with depends on the path length of the linux, initrd, systemConfig or init entries.

TrustedGRUB2 fails to boot with TPM 1.2 on a HP desktop

Hello, I compiled the grub source from here and tried loading it on my HP Z440 desktop.
I have enabled the TPM security knob in my BIOS but I am seeing this error and my system refuses to boot:

+++++++++++++++++++++++++
rustedGRUB2 loading
Welcome to TrustedGRUB2!
TCG_HasgLogExtendEvent failed : 0x2
Aborted. Press any key to exit

+++++++++++++++++++++=
Any ideas what I am doing wrong here?
I looked at the TCG PC spec; the error number 0x2 seems to indicate that I got TCG_PC_LOGOVERFLOW.
It means insufficient memory to create a log entry. What am I missing here?
My dmesg output when I boot without trusted grub shows this:

tpm_tis 00:09: 1.2 TPM (device-id 0x1A, rev-id 16)

Encrypted /boot partition - when/how to seal keyfile?

I am thinking of using TrustedGRUB2 in a situation where the /boot partition is encrypted, with only TG2 itself being on a clear partition. I understand from the readme that the use of a sealed keyfile is supported for bootloader-stage decryption of /boot. So far so good.

However, in order to actually take the proper measurements and seal the keyfile, I would have to do so within the TG2 boot process itself, wouldn't I? Since doing it later would mean that PCR 10 will be in a different state due to loading the /boot contents.

Furthermore, I wonder how this interacts with PCR 11 and PCR 12.

Perhaps you can clarify what the proper process of using TG2 in such a scenario might be - I take it from the extension of the cryptomount command that this is an intended use case?

cryptomount: unknown argument '-k' ; What am I missing?

Out of idle curiosity, I'm putting together a luks system with a keyfile for unlocking the system at boot. According to the readme, TrustedGRUB2 is supposed to support the -k argument to specify a keyfile, but it doesn't appear to be working. The system is a clean install of slackware, with TrustedGRUB2 built from source; the vanilla GRUB2 package has never touched the disk.

Problem with two raid

I have two RAIDs: sda with RAID 1 and sdb2 with RAID 5. I have modified tpm-luks.conf for /dev/sda2 and sdb1 with index 1 and 2. However, when I reboot the PC, the application asks me for the password on the volumes... I don't understand... Best regards

Kernel measurement does not measure the buffer that's used

grub-core/loader/i386/linux.c appears to read the kernel from disk into a series of buffers for later execution, and then reads the kernel again to perform a measurement. A sufficiently malicious storage device might provide a backdoored kernel on the first read attempt, followed by the correct kernel on the second read attempt. The measurement would then appear correct.

What specific measurements does TrustedGRUB2 make?

I am using tpm-luks to store keys in the TPM NVRAM and the initramfs has a module (provided by tpm-luks) which retrieves the key from TPM and mounts the LUKS partition using that key. These keys can also be sealed using the TPM and are only retrievable if the TPM is in the correct state.

The issue is that when I upgrade the kernel etc., the PCR states will change on next boot and I won't be able to unseal the data. So my question is, what specific things does TrustedGRUB2 measure that I can measure using the tpm-luks kernel update hook so that the key can be resealed using the correct PCR states?

In particular, from the question here: #2, I gather:

  • PCR 8 First sector of TrustedGRUB2 kernel (diskboot.img): This is easy to do: dd if=/dev/sdX bs=512 skip=1 count=1 | sha1sum and then PCR8 = sha1sum( 0000000000000000000000000000000000000000 || SHA1 from command above ).
  • PCR 9 TrustedGRUB2 kernel (core.img): This is the part that I am confused about - I am not sure how to get the size of core.img and how many bytes to read to use for the sha1sum. Help would be appreciated!
  • PCR 10 Everything that is loaded from disk (grub2-modules, Linux-kernel, initrd, ntldr, etc.) // TODO: fonts, themes, locales: For this, I will follow your advice and build the modules into the core.img so that it's measured in PCR 9 above.
  • PCR 11 contains all commandline arguments from scripts (e.g. grub.cfg) and those entered in the shell: For this, I assume if there is only one menuentry in grub.cfg, then I can just hash all the strings except the menuentry string itself? This assumption is from reading the TrustedGRUB2 code so I am not 100% sure - would appreciate if you could confirm!

And of course I can easily verify this on the machine to make sure that tpm-luks and TrustedGRUB2 are making the same measurements.

Thanks a lot for being so helpful! 😄

TrustedGRUB2 hangs without errors

Hi,
I built trustedgrub2 and installed it, no error when installing it on /dev/sda.
TPM is enabled but when I reboot my server after installation (Lenovo X3650 M5), I get stuck at:

TrustedGRUB2 loading.
Welcome to TrustedGRUB2!

/boot partition is not encrypted.
No errors are thrown even after waiting several minutes.

Is there a way to troubleshoot this issue?

Calculating PCR 10 and 11

I'd like to use TrustedGRUB2 to seal a key that I can then use to decrypt the root partition automatically. However, in order to properly seal the data, I need to be able to compute the expected PCRs (See Issue #2 for a similar approach), because if I update the kernel, I'll need to be able to seal the data to the expected values of the PCRs so that it will unseal at boot. Because the kernel changes, PCR10 will certainly change, and PCR11 will likely change because the name of the kernel in the command line will change.

When I attempt to calculate PCR10, I follow along with the debugging output and I do the following:
PCR10=00000000000000000000
PCR10=sha1sum($PCR10 || sha1sum(/boot/vmlinuz...))
PCR10=sha1sum($PCR10 || sha1sum(/boot/initrd...))

My hashes match what I see in the debug output, but the actual value in PCR10 differs when I get to a command prompt. Is there anything else that is measured after loading the initrd image?

As for PCR11, is there a way to invoke the GRUB command line from the shell in a way that will evaluate the conditionals and print out the commands that would be executed? Alternatively, is there a way to log all of the commands that were executed at the last boot? I could probably use that log and pair things up with the current grub.cfg file to determine what commands will be executed on the next bootup.

My current setup is using a minimal CentOS 7.2 image with stock trousers and a custom tpm-tools (solution from https://bugzilla.redhat.com/show_bug.cgi?id=1126097), and TrustedGRUB2 1.3.0 compiled in debug mode (-DTGRUB_DEBUG).

Thanks for your help and amazing software!

TCG_PassThroughFail: 0xc0000 occurs in unseal procedure w TPM1.2

What I am doing is build TrustedGrub2 on Ubuntu 16.04 in Broadwell DE / Xeon platform (AMI BIOS:core version 5.0.11 0.20 x64).
Nonetheless, after using the tpm-tool to seal data with PCRS 8 & 9, the TrustedGrub2 was unable to unseal the with the key.
Is there any specific mismatch in seal/unseal procedure or detail information about the return error code (TCG_PassThroughFail: 0xc0000)

Thank you!

Multiboot files not measured

Kernels loaded using the multiboot command don't seem to be measured. E.g. a typical Xen menuentry looks like this:

menuentry 'Xen with Linux 3.2 ...' {
  ...
  multiboot /xen.gz placeholder ${xen_rm_opts}
  module /vmlinuz-3.2 placeholder root=/dev/sda1 ...
  module --nounzip /initramfs-3.2.img
  ...
}

In this case, the files xen.gz, vmlinuz-3.2, initramfs-3.2.img need to be measured but aren't. The command functions are defined in grub-core/loader/i386/xen.c.

The change seems simple enough if I don't follow the new convention of measuring the same buffer that is loaded into memory. Would you be able to pick this up or would you rather I work on it?

TCG_PassThroughFail: 0xc0000 while unsealing the key

The general idea of this test case is the following: We will seal a piece of data using TPM and try to unlock it from TrustedGrub2. Every time I try to unseal the key I get a TCG_PassThroughFail: 0xc0000 error.

The test is as follows:

Download VirtualBox or VMWare

Download Ubuntu 16.04 (http://releases.ubuntu.com/16.04/ubuntu-16.04.2-desktop-amd64.iso)

Install the OS

sudo apt-get update

sudo apt-get install build-essential automake autopoint libtool libtspi-dev bison flex git

wget https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2/archive/1.4.0.tar.gz

tar xzf 1.4.0.tar.gz

cd TrustedGRUB2-1.4.0/

export INSTALL_DIR=/path/to/install_dir

./autogen.sh

./configure --prefix=$INSTALL_DIR --target=i386 -with-platform=pc

make CPPFLAGS=-DTGRUB_DEBUG && make install

If everything goes well we should have a file called grub-install under $INSTALL_DIR/sbin/

I installed TrustedGrub2 into a USB stick using the following command:

sudo $INSTALL_DIR/sbin/grub-install --directory=$INSTALL_DIR/lib/grub/i386-pc /dev/sdb ; # device name may be different in your case

Build tpm-tools and tpm ownership

I used Ubuntu 16.04 running on a machine that we want to seal/unseal a key.

Clear and enable TPM (from BIOS)

Boot the OS

sudo apt-get update

sudo apt-get install git

git clone https://github.com/shpedoikal/tpm-tools.git

git checkout tpm-sealdata-raw (# checking out this branch is very important because it adds the -r option to tpm_sealdata).

sudo apt-get install automake autoconf libtool gettext trousers trousers-devel libtspi-dev autopoint (link to instructions https://github.com/shpedoikal/tpm-tools)

sh ./bootstrap.sh

export TPM_DIR=/path/to/tpm_build_dir

./configure --prefix=$TPM_DIR

make && make install

$TPM_DIR/sbin/tpm_takeownership -y -z

$TPM_DIR/sbin/tpm_setenabled --enable -z

$TPM_DIR/sbin/tpm_setactive -z

Create a key

echo "TPM UNSEAL FROM GRUB" > /tmp/key

#seal the key now that we own the TPM using PCRs 8 and 9

$TPM_DIR/bin/tpm_sealdata -p 8 -p 9 -z -r -i /tmp/key -o /tmp/key.enc

If everything goes well we should have a sealed key named ‘/tmp/key.enc’.

We should now copy the sealed key to a place that we can access from TrustedGrub2. I copied /tmp/key.enc to the root of the USB drive that we installed TrustedGrub2.

Reboot the system and boot it using the newly created image. Press ‘c’ in the TrustedGrub2 menu. Execute the following command from the grub menu:

grub> unseal /root/key.enc

I always get an error after this step
TCG_PassThroughFail: 0xc0000

Possible issue

Hi guys,

As I'm new to TrustedGRUB 2, I'm not sure that the situation that has happened to me is really an issue.
Let me summarize.

  1. I have 1 drive encrypted with LUKS.
  2. I have enabled the TPM and started all relevant services
  3. Compiled the TrustedGRUB 2 (there was a warning regarding "locales", I think)
  4. Booting failed (probably didn't find stage 1.5 or stage 2)

I'm trying to make the TPM unlock the LUKS encrypted partition without user intervention.

Please provide your guidance, as I expected that TrustedGRUB 2 should still boot the system and LUKS to ask for password.

Is TrustedGRUB 2 reproducible?

Hello,

First of all, thank you for making this project!

I would like to know if building TrustedGRUB 2 from the same source archive would lead to the same output binaries each time and, in consequence, to the same measurements in the TPM.

Out-of-bounds read in luks.c

Problem

The TCG code added to grub-core/disk/luks.c function luks_recover_key() introduced out-of-bounds memory access in its handling of the variables secret and secretSize.

Details

Specifically, on luks.c line 389 (master), secret is set to the contents of a disk file of arbitrary size while secretSize is set to keysize, a quantity unrelated to the length of the disk file. Further, on line 398, secret is set to the unsealed contents of a disk file but secretSize is not changed at all.

These circumstances result in the call to grub_crypto_pbkdf2() on line 437 passing a byte array secret with an incorrect length secretSize. If the true length of secret is less than the value keysize, such as a disk file or sealed payload that is shorter than required, this will result in the GRUB crypto functions reading from the heap past the length of the secret byte array. Since the functions are merely computing hashes and GRUB is running in real mode, this is unlikely to introduce a security vulnerability or a crash, but it is generally considered unsafe practice.

Moreover, in any case where the keyfile (or sealed key payload) is of a different size than the native key length in the LUKS header, this will result in incorrect hashing and decrypt failures. In particular, there is no requirement that the keyfile be exactly the size of the native key length in LUKS, due to the PBKDF2 hashing. I believe this to be the true cause of the problem in issue #5.

Recommended Solution

luks.c lines 388 - 389 should be changed to:

    secret = (char*) keyFileBuf;
    secretSize = fileSize;

luks.c line 398 should be changed to:

        secret = (char*) unsealedKeyFile;
        secretSize = resultSize;
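
The length mismatch described in this issue, as an added example (not TrustedGRUB2 code and not part of the original report): `select_secret_buggy` pairs the buffer with the LUKS key size, while `select_secret_fixed` pairs it with the real length of the keyfile or unsealed payload. The helper names, the checksum standing in for `grub_crypto_pbkdf2()`, and the two sample keyfiles are assumptions constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for grub_crypto_pbkdf2() (assumption: only the pointer/length
   contract matters here). A position-weighted byte sum over exactly `len`
   bytes, so any extra or missing non-zero byte changes the result. */
static uint64_t kdf_stand_in(const uint8_t *secret, size_t len)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc += (uint64_t)(i + 1) * secret[i];
    return acc;
}

/* Hypothetical helper type: a secret and the length that describes it. */
struct secret_ref {
    const uint8_t *ptr;
    size_t len;
};

/* Pattern the issue describes: the buffer comes from the keyfile (or the
   unsealed payload) but the length comes from the LUKS header key size. */
static struct secret_ref select_secret_buggy(const uint8_t *buf,
                                             size_t payload_len,
                                             size_t keysize)
{
    struct secret_ref s = { buf, keysize };
    (void) payload_len;            /* real length ignored: the defect */
    return s;
}

/* Recommended pattern: the length is the size of the data actually read
   (fileSize) or actually unsealed (resultSize). */
static struct secret_ref select_secret_fixed(const uint8_t *buf,
                                             size_t payload_len,
                                             size_t keysize)
{
    struct secret_ref s = { buf, payload_len };
    (void) keysize;
    return s;
}

/* Bytes the KDF would read past the end of the real secret. */
static size_t overread_bytes(struct secret_ref s, size_t payload_len)
{
    return s.len > payload_len ? s.len - payload_len : 0;
}

/* Constructed samples. Each array is larger than its payload so the demo's
   over-read stays inside the array; in GRUB those trailing bytes would be
   whatever follows the allocation on the heap. */
#define LUKS_KEYSIZE 32
#define SHORT_LEN 21   /* keyfile shorter than the LUKS key size */
#define LONG_LEN 48    /* keyfile longer than the LUKS key size  */
static const uint8_t short_file[64] = "TPM UNSEAL FROM GRUB\n" "NEIGHBOURxx";
static const uint8_t long_file[64] =
    "0123456789abcdef0123456789abcdef0123456789abcdef";

typedef struct secret_ref (*selector)(const uint8_t *, size_t, size_t);

/* What the KDF ends up hashing for a given selection strategy. */
static uint64_t derive(selector pick, const uint8_t *buf, size_t payload_len)
{
    struct secret_ref s = pick(buf, payload_len, LUKS_KEYSIZE);
    return kdf_stand_in(s.ptr, s.len);
}

int main(void)
{
    const uint8_t *files[] = { short_file, long_file };
    const size_t lens[] = { SHORT_LEN, LONG_LEN };
    for (int i = 0; i < 2; i++) {
        uint64_t want = kdf_stand_in(files[i], lens[i]);
        struct secret_ref b = select_secret_buggy(files[i], lens[i], LUKS_KEYSIZE);
        printf("payload=%zu buggy_len=%zu overread=%zu buggy_ok=%d fixed_ok=%d\n",
               lens[i], b.len, overread_bytes(b, lens[i]),
               derive(select_secret_buggy, files[i], lens[i]) == want,
               derive(select_secret_fixed, files[i], lens[i]) == want);
    }
    return 0;
}
```

The short keyfile shows the over-read (11 bytes past the payload), and the long keyfile shows the silent truncation; in both cases only the fixed selection hashes exactly the keyfile contents.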

TPM Error on boot

Hi,
I've installed TrustedGRUB2 on an Ubuntu 14.04 machine with a TPM v1.2. The installation was completed without errors, but when I reboot the PC this error is shown while booting. What does this error mean? Thank you

Ernesto

grub> prompt?

I am using CentOS 7.5 64bit.
I have used these parameters: --target=x86_64 -with-platform=pc
All compilation and installation completed without error. When I reboot the system, it does not show any boot menu, just the "grub>" prompt. I have to enter the following commands to boot.
grub> insmod cryptodisk
grub> insmod luks
grub> set root=(hd0,5)
grub> linux /vmlinuz-3.10.0......x86_64 root=/dev/dm-0
grub> initrd /initramfs-3.10.0....img
grub> boot

Why does the boot menu not appear? Where did I make a mistake?

Backporting old options

Hi,
When I was using grub-0.97 (I know... long time ago) there were some very useful options for embedded systems to avoid a lot of files in the physical support, facilitating the update process for instance. With this version I only have three files: stage1, e2fs_stage1_5 and stage2. That's perfect for rigid environments :)

Now I need some TPM support and I need to update my boot process. I'm missing two options and I would like to ask how difficult it would be to implement them.

  1. In the old version there was a configure option --enable-preset-menu to embed a grub.cfg file inside the stage2 file.
  2. In the new version there are a lot of module files in the i386-pc directory. A lot of them are not needed in my system. Is it possible to configure the compiling process to customize which modules to build? And is it possible to avoid modules and generate a monolithic file (the previous stage2) grouping all of them?

Thanks!

Trustedgrub2 loading and going back to boot

I have installed trustedgrub2 successfully,
and now when I reboot, it identifies the tpm and shows
Booting From Harddisk
Trustedgrub2 loading....

And then it reboots to "booting from hard disk"... It is just looping over this and not proceeding.
What might be the issue?
Where can I check for issues?

TCG_HashLogExtendEvent Fails on Lenovo x3550 M5 Server

What I'm trying to do is install TrustedGRUB2 on a Lenovo x3550 M5 server to boot into a CentOS installation on disk. Without any changes, TrustedGRUB2 will successfully measure core.img and diskboot.img. After that it will try to load the GRUB modules which fail by being stuck inside grub_bios_interrupt for TCG_HashLogExtendEvent. To clarify, this means that if I print a message before and after grub_bios_interrupt inside grub_TPM_int1A_hashLogExtendEvent the message after is not printed and GRUB does not abort. I can also provide a video of the console if that helps.

I noticed that for earlier measurements (which work) you use TCG_CompactHashLogExtendEvent. If I modified the source for grub_TPM_int1A_hashLogExtendEvent to use this interrupt instead everything suddenly starts to work. My suspicion is that there's a bug inside Lenovo's implementation of this interrupt, but I've pretty much hit a wall in trying to debug this further.

Have you ever run into any similar issues or have any ideas on how to proceed?

BIOS Information: UEFI 2.10 Build TBE124M

# tpm_version
  TPM 1.2 Version Info:
  Chip Version:        1.2.5.81
  Spec Level:          2
  Errata Revision:     3
  TPM Vendor ID:       WEC
  Vendor Specific data: 0000
  TPM Version:         01010000
  Manufacturer Info:   57454300

Some more information about my build:

  • Checkout of version 1.4.0
  • Configure with --enable_boot_time and i386-pc
  • Added a print statement to the boot time logging function
  • Enabled the TGRUB_DEBUG
  • Added debug=all to grub.cfg

Do not activate HP workaround in default mode

The HP workaround makes it necessary to append --no-rs-codes to grub-install. Otherwise the system will end in a reboot loop.

People will forget this easily. So only activate the workaround explicitly.
#14

How to verify if kernel and ramdisk are modified illegally

In version 1.3 with debug info, I can see that hash values of kernel and ramdisk are correct and have been written to PCR-10. However when I change kernel or ramdisk on purpose, the PCR-10 has been updated to a new value automatically and device still can boot successfully. I do not see the verification process to avoid the illegal change of kernel or ramdisk.

Am I wrong somewhere?

UEFI feature

I am not sure where to ask a question, so I just put it in the issue section. Sorry.

Thanks for the great work. Is there any work going on in enabling UEFI support or any estimated time?

TPM2.0 Support?

Hi, I have been playing with TrustedGRUB2 with a TPM 1.2 device and it boots fine for me. It reports No TPM available when I swap a TPM 2.0 chip in. I'm wondering if there is any support for 2.0, or is there any plan for such support?

Thanks.

TPM key exchange

Hi Daniel Neus,

I am not sure this is a good place to ask this question.

You have done the PCR read & write with trusted GRUB; just wondering, is it possible to extend that feature to retrieve keys from the TPM as well (does the TPM offer that API)?

I know with trousers, we can do it after boot but not sure we can do that during BIOS/Boot loader stage.

Thanks

Which PCR should I use for sealing NVRAM and how to compute hashes manually

Hello again,

I've done some research and I am in the process of integrating trustedgrub2 with a modified version of tpm-luks (improvements + rhel7 support), which you may find in my github repos.

My next questions are about how one should configure trustedgrub2 with tpm-luks.

  1. which PCR should we use to seal the NVRAM
  2. how to compute the expected PCR values

For 1., it seems I'll need to seal with all PCR values, 8 to 12, but should I add other numbers (like 0 etc.) ? May is it possible to compute
I will also probably add a password to the sealed NVRAM, as TPM has a built-in security that locks the TPM to prevent brute force attacks.

For 2, in the original tpm-luks, there is a shell script which computes the permissions file to seal the NVRAM. This is basically a simple text file containing a list of "r ". Unfortunately this script was made for grub1, and I'll need to update it to deal with grub2 config files. Maybe you can help in identifying the elements I should compute the hash for, and I hope this is possible to do.

I'll be happy to share my experience on all this with you as it seems nobody has ever tried to do all this before :)

how to use "cryptomount -k KEYFILE -s"

Hello, thanks a lot for your contribution, as we are trying to use tpm-luks on rhel7.
I was curious if we could get rid of tpm-luks and use cryptomount -k KEYFILE -s.
From what I understand, -k KEYFILE specifies the file to use by LUKS, so no more need to use a password, and -s means unsealing the file (decrypt?) using the unseal command of the TPM.
If this is all true, I haven't yet found a way to seal the file; is there something special to do for this? Is it using PCR or something else?
Or maybe I am totally wrong and this has nothing to do with luks.
FYI: I finally got my rhel7 working with grub2 + tpm-luks + recompiled (trousers, tpm-tools) and it automatically opens luks using NVRAM secured with PCR without password.

Failure to cryptomount with key (sealed or not)

Hi,

I am implementing an embedded system on x86 and was looking to TrustedGRUB2 to perform unlock of a luksFormat partition. This partition is actually on a RAID array. I think I have all the correct modules loaded in grub. ls shows the devices and if I use a pass-phrase I can open the encrypted partition.

However, when I use the -k option it fails, either using unsealing or not (I change the key accordingly to one that is sealed or clear). I put some line numbers into grub-core/disk/luks.c in the grub_fatal("luks_recover_key_failed") lines to be able to identify where the function was failing but I am unclear to actually what is happening. My thoughts are the file is not being read. It would appear to drop through to the last fatal on line 601.

I tried on a disk that had both ms_dos and gpt layouts. For reference I build TrustedGRUB2 with the following options which is a derivation of what the buildroot team use for GRUB2:

TRUSTEDGRUB2_TARGET = i386
TRUSTEDGRUB2_PLATFORM = pc

TRUSTEDGRUB2_CONF_OPTS = \
        --prefix=$(HOST_DIR) \
        --disable-nls \
        --target=$(TRUSTEDGRUB2_TARGET) \
        --with-platform=$(TRUSTEDGRUB2_PLATFORM) \
        --disable-grub-mkfont \
        --enable-efiemu=no \
        --enable-liblzma=no \
        --enable-device-mapper=no \
        --enable-libzfs=no \
        --disable-werror

If I try to unseal the key then I am faced with the following error:

Attempting to decrypt master key...
tcg_passThroughToTPM: asm_tcg_passThroughToTPM failed: 10000
Aborted. Press any key to exit.

If I try to use the key in the clear I get:

Attempting to decrypt master key...
luks_recover_key failed
Aborted.  Press any key to exit.

The grub config I am using is:

set default="0"
set timeout="5"

menuentry "Bank 1" {
        cryptomount md/0,gpt1 -k (hd0,gpt2)/keyfile -s
        linux (hd0,gpt5)/boot/bzImage
}

If I change the keyfile name in grub so it is mismatched with the file on the disk I get the correct error that the file is not found, ie:

error: file `/keyfil' not found

But somewhere along the line the keyfile is not being passed through. Do you have any pointers for me as to where I am going wrong?

Thanks,
Al

Incorrect SHA-1 hash calculation of ramdisk files

This was tested using TrustedGRUB2 1.2.1 in debug mode on Arch Linux using the standard (latest) kernel and initramfs.

There is a bug in the SHA-1 implementation of TrustedGRUB2. If a hash is calculated over an initramfs file, the resulting SHA-1 hash is incorrect. If a hash is calculated over a file with the same size as the initramfs file but filled with random data, the SHA-1 hash is calculated correctly.

Expected behavior:
SHA-1 hashes calculated by TrustedGRUB2 based on any file should be equal to the output of other SHA-1 implementations.

Actual behavior:
SHA-1 hashes calculated by TrustedGRUB2 can differ compared to the output of other SHA-1 implementations.

To test this:
You will need to have TrustedGRUB2 installed with the debug option for TPM operations enabled.

In binaryfiles.zip are two files. ramdisk.bin is an initramfs file. random.bin is a file filled with semi-random data (source: /dev/urandom) of the same size.

Copy these two files to your /boot partition. Add the following lines at the bottom of your Linux boot entry in /boot/grub/grub.cfg:

measure /ramdisk.bin 13
measure /random.bin 14
sleep 120

With debug enabled, you will see the SHA-1 hashes for two minutes. Look for the hashes calculated to extend PCRs 13 and 14. The SHA-1 hashes as calculated by TrustedGRUB2:

ramdisk.bin: e08917009ede788e93e54f3d4d921276980e995e
random.bin:  3485431bf315767c9010857a40dd5b01f0b22c7f

For reference, these are the SHA-1 values as calculated by GNU Core Utilities' sha1sum:

$ sha1sum /boot/ramdisk.bin
1778d21a9c7b5f6d432494941ebde5de02303d2c  /boot/ramdisk.bin
$ sha1sum -b /boot/ramdisk.bin
1778d21a9c7b5f6d432494941ebde5de02303d2c */boot/ramdisk.bin
$ sha1sum /boot/random.bin
3485431bf315767c9010857a40dd5b01f0b22c7f  /boot/random.bin
$ sha1sum -b /boot/random.bin
3485431bf315767c9010857a40dd5b01f0b22c7f */boot/random.bin

The same SHA-1 function used by Microsoft's implementation, indicating that sha1sum is correct (since if the implementation of sha1sum would be flawed, it would be unlikely that Microsoft's implementation would contain the same flaw):

C:\>fciv -sha1 ramdisk.bin
//
// File Checksum Integrity Verifier version 2.05.
//
1778d21a9c7b5f6d432494941ebde5de02303d2c ramdisk.bin

C:\>fciv -sha1 random.bin
//
// File Checksum Integrity Verifier version 2.05.
//
3485431bf315767c9010857a40dd5b01f0b22c7f random.bin

The use of the measure command in TrustedGRUB2 in the above example is for clarity. The same wrong hash is also calculated by the initrd command. Due to this, values of PCR-10 are wrong starting from the measurement of the initramfs. Note that hashes for kernel files are calculated correctly.

I also tried it with a newly generated initramfs file with some changed files inside and a newly generated random file. Again, the SHA-1 hash value calculated for the new initramfs was incorrect, whereas this value for the random data file was correctly calculated.

Correct calculation of SHA-1 hash values of startup files is vital when sealing new startup files to PCRs before a reboot and unsealing the same data after a reboot. (Re)sealing relies on two SHA-1 implementations:

  1. The implementation offered by the operating system (in my case sha1sum, which is correct).
  2. The implementation in TrustedGRUB2 (which is incorrect for ramdisk files).

Split up PCR 10 measurement

Currently PCR 10 is used for grub2-modules, Linux-kernel, initrd, ntldr, etc.

I want to have grub2 measurements separated from other use-case-specific measurements.

The goal is to use PCR 10 for grub2-modules, fonts, locales etc. and some other PCR for initrd, kernel etc.

Unable to install on MBR

Hi,

The normal grub2 is installing and running properly, but when I try to install TrustedGRUB2 I receive:

sudo /opt/trustedgrub2/sbin/grub-install --directory=/opt/trustedgrub2/lib/grub/i386-pc/ /dev/sda
Installing for i386-pc platform.

/opt/trustedgrub2/sbin/grub-install: warning: cannot open directory `/opt/trustedgrub2/share/locale': No such file or directory.

/opt/trustedgrub2/sbin/grub-install: error: disk `lvm/sda1_crypt' not found.

sda1_crypt is the alias for the decrypted /dev/sda1 which is my boot partition.

I guess it is because of the /boot encryption, as /opt/trustedgrub2/sbin/grub-mkconfig is throwing the same error. My idea is to enter the luks password once, to decrypt the /boot partition, and then use TrustedGRUB2 with TPM to decrypt the other partitions. Is that possible at the moment?

Tested TPM modules/IC

What is the list of TPM modules/ICs compatible with TrustedGRUB2? I successfully tested it with an Infineon TPM IC (present in most TPM modules). I would like to know if the Nuvoton NPCT620A TPM IC is also compatible with it?

No event for PCR8/PCR9/PCR10/PCR11 in TPM event log

I am currently using TrustedGrub2.
As I expected, PCR 8 (diskboot.S), PCR 9 (boot.S), PCR10 and PCR11 are filled by TrustedGrub2. I can see the values under my fedora 21 with the tpm_readpcr command.
In parallel, I used openpts to generate an attestation.
Openpts attestation is based on the TPM event log.
So when I try to look at the TPM event log, no events are reported for PCR8, PCR9, PCR10, PCR11.
I checked this by typing the command "iml2text" (trace below).

Is this normal?
If yes, is it planned to add this feature to TrustedGrub2?

Trace of iml2text.
[root@localhost TrustedGRUB2]# iml2text

Idx PCR Type Digest EventData

0 0 0x00000008 c42fedad268200cb1d15f97841c344e79dae3320 [BIOS:EV_S_CRTM_VERSION]
1 0 0x00000001 5553ddf5f17dbc8609fdce6a14ffc5be9faf2084 [BIOS:EV_POST_CODE(EV_CODE_NOCERT)]
2 0 0x80000009 a50db81c18bf95bb16d5f375043818a926da8a0a [BIOS:EV_EFI_HANDOFF_TABLE,num=0x1,GUID=11d8ac35-fb8a-44d1-8d-09-0b-56-06-d3-21-b9]
3 0 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
4 1 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
5 2 0x80000005 b8d3f0963299c8f016382bba508e56d260cbabb3 [BIOS:EV_EFI_RUNTIME_SERVICES_DRIVER,base=0xdc76e018,len=0x2e40,len=0x180000000,len=0x0]
6 2 0x00000006 ab125862bd8dc852f1d2b5fad7eb8f2847f3943b [BIOS:EV_EVENT_TAG(EV_PLATFORM_SPECIFIC)]
7 2 0x00000006 7d6f11c82dab57d0ed1b0c0d8a87954899b2b220 [BIOS:EV_EVENT_TAG(EV_PLATFORM_SPECIFIC)]
8 2 0x00000006 868a1e48243629c8ba950faac0fdf0898d4405d5 [BIOS:EV_EVENT_TAG(EV_PLATFORM_SPECIFIC)]
9 2 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
10 3 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
11 4 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
12 4 0x00000005 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f [BIOS:EV_ACTION, Calling INT 19h]
13 4 0x00000005 38f30a0a967fcf2bfee1e3b2971de540115048c8 [BIOS:EV_ACTION, Returned INT 19h]
14 4 0x00000005 410ec39247963e52793f7047bf2ac5f1eee25574 [BIOS:EV_ACTION, Booting Bcv Device P4: GLS85LS1032A CS 32GBN A101]
15 4 0x0000000d 275d29c63c9b9a95f22be7284939a7990ead49ca [BIOS:EV_IPL]
16 5 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
17 5 0x0000000e 33b2488503f7e1a56bda3a47b607e4d5ec30a51d [BIOS:EV_IPL_PARTITION_DATA]
18 6 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
19 7 0x00000004 d9be6524a5f5047db5866813acf3277892a7a30a [BIOS:EV_SEPARATOR, ffffffff]
20 10 0x00000000 b9e131be993a209f6a97f25559eb1c833bcd21fc [IMA:(TBD)]

Unable to compile on Debian stretch x64

I'm trying to compile TrustedGRUB2 on Debian stretch x64. make returns

gcc -Os -Wall -W -Wshadow -Wpointer-arith -Wundef -Wchar-subscripts -Wcomment -Wdeprecated-declarations -Wdisabled-optimization -Wdiv-by-zero -Wfloat-equal -Wformat-extra-args -Wformat-security -Wformat-y2k -Wimplicit -Wimplicit-function-declaration -Wimplicit-int -Wmain -Wmissing-braces -Wmissing-format-attribute -Wmultichar -Wparentheses -Wreturn-type -Wsequence-point -Wshadow -Wsign-compare -Wswitch -Wtrigraphs -Wunknown-pragmas -Wunused -Wunused-function -Wunused-label -Wunused-parameter -Wunused-value -Wunused-variable -Wwrite-strings -Wnested-externs -Wstrict-prototypes -g -Wredundant-decls -Wmissing-prototypes -Wmissing-declarations -Wextra -Wattributes -Wendif-labels -Winit-self -Wint-to-pointer-cast -Winvalid-pch -Wmissing-field-initializers -Wnonnull -Woverflow -Wvla -Wpointer-to-int-cast -Wstrict-aliasing -Wvariadic-macros -Wvolatile-register-var -Wpointer-sign -Wmissing-include-dirs -Wmissing-prototypes -Wmissing-declarations -Wformat=2 -march=i386 -m32 -mrtd -mregparm=3 -falign-jumps=1 -falign-loops=1 -falign-functions=1 -freg-struct-return -mno-mmx -mno-sse -mno-sse2 -mno-sse3 -mno-3dnow -msoft-float -fno-dwarf2-cfi-asm -fno-asynchronous-unwind-tables -Qn -fno-PIE -fno-stack-protector -Wtrampolines -Werror -ffreestanding -m32 -Wl,-melf_i386 -Wl,--build-id=none -nostdlib -Wl,-N -Wl,-r,-d -o disk.module lib/disk_module-disk.o
/usr/bin/ld: -r and -pie may not be used together
collect2: error: ld returned 1 exit status
Makefile:24266: recipe for target 'disk.module' failed
make[3]: *** [disk.module] Error 1

gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/6/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 6.2.1-5' --with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-6 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc=auto --enable-multiarch --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 6.2.1 20161124 (Debian 6.2.1-5)

ld -version
GNU ld (GNU Binutils for Debian) 2.27.51.20161127
