On Fri, Jul 15, 2022 at 10:33:03AM -0000, Francois Rigault wrote:
> Another idea is to measure the initrd and the boot configuration, for
> example taking a hash of the grub configuration and initrd and
> extending a PCR register.
That is already happening.
Problem with measuring the initrd is that we don't have fixed hashes for
a given kernel version (due to generating the initrd on the installed
system).
Problem with grub config measurements is that grub measures every config
file line it processes, which is quite messy:
root@fedora ~# tpm2 eventlog /sys/kernel/security/tpm0/binary_bios_measurements | grep grub_cmd
grub_cmd: search --no-floppy --fs-uuid --set=dev 5cc83bf9-c040-42d9-819e-99a16462d518
grub_cmd: set prefix=(hd0,gpt2)/grub2
grub_cmd: export (hd0,gpt2)/grub2
grub_cmd: configfile (hd0,gpt2)/grub2/grub.cfg
grub_cmd: set pager=1
grub_cmd: [ -f (hd0,gpt2)/grub2/grubenv ]
grub_cmd: load_env -f (hd0,gpt2)/grub2/grubenv
grub_cmd: [ ]
grub_cmd: set
default=47c4701d41c0470992ce27741da89d4a-5.19.0-0.rc6.20220714git4a57a8400075.49.kraxel.4.fc36.x86_64
grub_cmd: [ xy = xy ]
grub_cmd: menuentry_id_option=--id
grub_cmd: export menuentry_id_option
grub_cmd: [ ]
grub_cmd: serial --speed=115200
grub_cmd: terminal_input serial console
grub_cmd: terminal_output serial console
grub_cmd: [ xy = xy ]
grub_cmd: set timeout_style=menu
grub_cmd: set timeout=5
grub_cmd: [ -f (hd0,gpt2)/grub2/user.cfg ]
grub_cmd: insmod increment
grub_cmd: [ -n -a 1 = 0 ]
grub_cmd: insmod part_gpt
grub_cmd: insmod xfs
grub_cmd: set root=hd0,gpt2
grub_cmd: [ xy = xy ]
grub_cmd: search --no-floppy --fs-uuid --set=root --hint-bios=hd0,gpt2 --hint-efi=hd0,gpt2 --hint-baremetal=ahci0,gpt2 5cc83bf9-c040-42d9-819e-99a16462d518
grub_cmd: insmod part_gpt
grub_cmd: insmod fat
grub_cmd: set boot=hd0,gpt1
grub_cmd: [ xy = xy ]
grub_cmd: search --no-floppy --fs-uuid --set=boot --hint-bios=hd0,gpt1 --hint-efi=hd0,gpt1 --hint-baremetal=ahci0,gpt1 8C55-9DE2
grub_cmd: [ -z ]
grub_cmd: set kernelopts=root=UUID=cb3e8fe8-2e6c-4f12-bd3b-f76fc1448bd8 ro rootflags=subvol=root console=ttyS0,115200
grub_cmd: insmod blscfg
grub_cmd: blscfg
grub_cmd: [ 1 = 1 -o 0 = 1 ]
grub_cmd: set menu_hide_ok=1
grub_cmd: [ 1 = 1 ]
grub_cmd: set boot_indeterminate=0
grub_cmd: set boot_success=0
grub_cmd: save_env boot_success boot_indeterminate
grub_cmd: [ xy = xy ]
grub_cmd: [ ]
grub_cmd: [ efi = efi ]
grub_cmd: menuentry UEFI Firmware Settings --id uefi-firmware {
grub_cmd: [ -f (hd0,gpt2)/grub2/custom.cfg ]
grub_cmd: source (hd0,gpt2)/grub2/custom.cfg
grub_cmd: [ efi = efi ]
grub_cmd: menuentry systemd boot loader {
grub_cmd: load_video
grub_cmd: [ xy = xy ]
grub_cmd: insmod all_video
grub_cmd: set gfxpayload=keep
grub_cmd: insmod gzio
grub_cmd: linux (hd0,gpt2)/vmlinuz-5.19.0-0.rc6.20220714git4a57a8400075.49.kraxel.4.fc36.x86_64 root=UUID=cb3e8fe8-2e6c-4f12-bd3b-f76fc1448bd8 ro rootflags=subvol=root console=ttyS0,115200
grub_cmd: initrd (hd0,gpt2)/initramfs-5.19.0-0.rc6.20220714git4a57a8400075.49.kraxel.4.fc36.x86_64.img
root@fedora ~#
take care,
Gerd
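The "messy" point above, as an added example that is not part of the mail thread: a small Python script that parses `grub_cmd:` lines in the shape of the `tpm2 eventlog` output shown, replays them as PCR extends, and shows that an operationally irrelevant config line (the menu timeout) changes the replayed PCR value just as much as the kernel or initrd path does. It assumes GRUB's TPM module hashes each executed command string with SHA-256 and extends it into PCR 8 (GRUB documents PCR 8 for commands and the kernel command line, PCR 9 for files read), and that the digest is taken over the command bytes exactly as printed; the sample log excerpt is constructed, with a placeholder kernel name, and only reuses the UUID values that appear in the output above.

```python
"""Replay GRUB command measurements from a tpm2 eventlog text dump.

Assumption: each 'grub_cmd' event's digest is SHA-256 over the command
bytes and is extended into a 32-byte PCR (PCR_new = SHA256(PCR_old || digest)).
"""
import hashlib
import re

# Constructed excerpt in the shape of `tpm2 eventlog ... | grep grub_cmd`
# output; vmlinuz/initramfs names are placeholders, the UUIDs come from the mail.
SAMPLE_EVENTLOG = """\
grub_cmd: set timeout_style=menu
grub_cmd: set timeout=5
grub_cmd: set kernelopts=root=UUID=cb3e8fe8-2e6c-4f12-bd3b-f76fc1448bd8 ro rootflags=subvol=root console=ttyS0,115200
grub_cmd: insmod gzio
grub_cmd: linux (hd0,gpt2)/vmlinuz-PLACEHOLDER root=UUID=cb3e8fe8-2e6c-4f12-bd3b-f76fc1448bd8 ro rootflags=subvol=root console=ttyS0,115200
grub_cmd: initrd (hd0,gpt2)/initramfs-PLACEHOLDER.img
"""

PREFIX = "grub_cmd: "


def parse_grub_cmds(text):
    """Return the command strings of all grub_cmd events, in log order."""
    return [line[len(PREFIX):] for line in text.splitlines() if line.startswith(PREFIX)]


def replay_pcr(commands):
    """Simulate the PCR extend chain for a list of command strings.

    Starts from an all-zero PCR, as a freshly reset TPM PCR 8 would be.
    """
    pcr = bytes(32)
    for cmd in commands:
        digest = hashlib.sha256(cmd.encode()).digest()
        pcr = hashlib.sha256(pcr + digest).digest()
    return pcr


# Commands that actually decide what is booted: kernel, initrd, kernel args.
BOOT_RELEVANT = re.compile(r"^(linux |initrd |set kernelopts=)")


def boot_relevant(commands):
    """Keep only the measured commands a verifier's policy would care about."""
    return [cmd for cmd in commands if BOOT_RELEVANT.match(cmd)]


def pcr_changes_with(text, old_cmd, new_cmd):
    """True if swapping one command line for another changes the replayed PCR.

    Used to show that a cosmetic edit (menu timeout) is indistinguishable,
    at the PCR level, from an edit to the kernel command line.
    """
    original = parse_grub_cmds(text)
    modified = [new_cmd if c == old_cmd else c for c in original]
    return replay_pcr(original) != replay_pcr(modified)


if __name__ == "__main__":
    cmds = parse_grub_cmds(SAMPLE_EVENTLOG)
    print(f"{len(cmds)} grub_cmd events, {len(boot_relevant(cmds))} boot-relevant")
    print("PCR8 replay:", replay_pcr(cmds).hex())
    print("timeout=5 -> timeout=10 changes PCR:",
          pcr_changes_with(SAMPLE_EVENTLOG, "set timeout=5", "set timeout=10"))
```

The replayed value of the full log moves whenever any line of grub.cfg changes, which is why a sealing or attestation policy bound to PCR 8 breaks on harmless configuration edits; a policy evaluated over `boot_relevant()` events from the event log, with the file digests in PCR 9 covering kernel and initrd content, is the more robust shape for the check.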