Draft: Adding TPM support to live-boot (!41) · Merge requests · Debian Live Team / live-boot

Thore Sommer requested to merge TS/live-boot:tpm into master Sep 28, 2021

Currently there is a measurement gap between the UEFI event log and what IMA measures.
IMA does not measure on how the mount points were created but we want to make sure that the layers were created correctly and that dm-verity was setup as expected.

This PR introduces support for TPM measurements in live-boot.

When the option tpm is set on the kernel command line an event log is generated and measured into PCR 11.

The format of an event:
PCR_NUM SHA_256_HASH EVENT_NAME DATA

PCR_NUM := PCR where the entry was measured into
SHA_256_HASH := The sha256 hash of "EVENT_NAME DATA"
EVENT_NAME := Type of data measured
DATA := Data depending on type hex encoded

Currently we support events:

mount
setup_loop
do_union

The log can be found at /var/log/live/tpm-events.log

Example event log

11 52847592fba4bd74c53a463769c6294ec045913872d92c19d4b7f2918a30fd03 setup_loop 6673706174683d2f72756e2f6c6976652f6d656469756d2f6c6976652f66696c6573797374656d2e73717561736866733b6d6f64756c653d6c6f6f703b7061747465726e3d2f7379732f626c6f636b2f6c6f6f702a3b6f66667365743d303b726561646f6e6c793d2d723b6465763d2f6465762f6c6f6f7030                                                          
11 723616e042d975be89205843e65b2c3e2261ccdf33ba2af6f8032e5b0ea730ba setup_loop 6673706174683d2f72756e2f6c6976652f6d656469756d2f6c6976652f66696c6573797374656d2e73717561736866732e7665726974793b6d6f64756c653d6c6f6f703b7061747465726e3d2f7379732f626c6f636b2f6c6f6f702a3b6f66667365743d303b726561646f6e6c793d3b6465763d2f6465762f6c6f6f7031                                                
11 d576a82cc8ed1b925629aba94f6c70c7bb595c6aa9c0657833f255909b0cb99d mount 7372633d2f6465762f6c6f6f70303b646573743d2f72756e2f6c6976652f726f6f7466732f66696c6573797374656d2e73717561736866733b66733d73717561736866733b6f7074696f6e733d2d6f20726f2c6e6f6174696d65
11 3097242617fc962d37d3879ccec47f44c0811beea9fdf50cd189132bbc3d066a do_union 747970653d6f7665726c61793b646573743d2f726f6f743b6f7074696f6e733d2d6f206e6f6174696d652c6c6f7765726469723d2f72756e2f6c6976652f726f6f7466732f66696c6573797374656d2e73717561736866732f2c75707065726469723d2f72756e2f6c6976652f6f7665726c61792f72772c776f726b6469723d2f72756e2f6c6976652f6f7665726c61792f776f726b

Example decoded event log

11 52847592fba4bd74c53a463769c6294ec045913872d92c19d4b7f2918a30fd03 setup_loop fspath=/run/live/medium/live/filesystem.squashfs;module=loop;pattern=/sys/block/loop*;offset=0;readonly=-r;dev=/dev/loop0
11 723616e042d975be89205843e65b2c3e2261ccdf33ba2af6f8032e5b0ea730ba setup_loop fspath=/run/live/medium/live/filesystem.squashfs.verity;module=loop;pattern=/sys/block/loop*;offset=0;readonly=;dev=/dev/loop1
11 d576a82cc8ed1b925629aba94f6c70c7bb595c6aa9c0657833f255909b0cb99d mount src=/dev/loop0;dest=/run/live/rootfs/filesystem.squashfs;fs=squashfs;options=-o ro,noatime
11 3097242617fc962d37d3879ccec47f44c0811beea9fdf50cd189132bbc3d066a do_union type=overlay;dest=/root;options=-o noatime,lowerdir=/run/live/rootfs/filesystem.squashfs/,upperdir=/run/live/overlay/rw,workdir=/run/live/overlay/work

Edited May 15, 2022 by Thore Sommer

Draft: Adding TPM support to live-boot

Merge request reports