* [tpm2] Re: Save Hash to TPM Memory
@ 2020-02-17 13:27 Roberts, William C
  0 siblings, 0 replies; 4+ messages in thread
From: Roberts, William C @ 2020-02-17 13:27 UTC (permalink / raw)
  To: tpm2

> -----Original Message-----
> From: nicolasoliver03(a)gmail.com [mailto:nicolasoliver03(a)gmail.com]
> Sent: Monday, February 10, 2020 9:43 AM
> To: tpm2(a)lists.01.org
> Subject: [tpm2] Re: Save Hash to TPM Memory
> 
> Hello Ben,
> 
> The Linux Kernel has a feature that does exactly that, but for the entire user space
> files.
> 
> https://sourceforge.net/p/linux-ima/wiki/Home/
> 
> The goals of the kernel integrity subsystem are to detect if files have been
> accidentally or maliciously altered, both remotely and locally, appraise a file's
> measurement against a "good" value stored as an extended attribute, and
> enforce local file integrity. These goals are complementary to Mandatory Access
> Control (MAC) protections provided by LSM modules, such as SELinux and Smack,
> which, depending on policy, can attempt to protect file integrity.

I just want to clarify the role of SELinux here. It can protect integrity by controlling
who has access, however any assumptions of file integrity shouldn't be made by
the use of something like SELinux; it is just access controls. A myriad of attacks
and/or bugs could always alter/corrupt the file in unexpected ways.

Always assume input is untrusted when you consume it.

> 
> IMA-measurement uses the TPM PCR 10 register and the IMA measurement log
> located in /sys/kernel/security/ima/ascii_runtime_measurements to record the
> digest of the interesting files, and then you can use those in a remote attestation
> scenario, using a PCR Quote that contains the PCR 10 value, and using the
> ascii_runtime_measurements file to reproduce the PCR 10 measurement.
> 
> Hope this is relevant for your case!
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org


* [tpm2] Re: Save Hash to TPM Memory
@ 2020-02-10 15:42 nicolasoliver03
  0 siblings, 0 replies; 4+ messages in thread
From: nicolasoliver03 @ 2020-02-10 15:42 UTC (permalink / raw)
  To: tpm2


Hello Ben,

The Linux Kernel has a feature that does exactly that, but for the entire user space files.

https://sourceforge.net/p/linux-ima/wiki/Home/

The goals of the kernel integrity subsystem are to detect if files have been accidentally or maliciously altered, both remotely and locally,
appraise a file's measurement against a "good" value stored as an extended attribute, and enforce local file integrity. These goals are
complementary to Mandatory Access Control (MAC) protections provided by LSM modules, such as SELinux and Smack, which,
depending on policy, can attempt to protect file integrity.

IMA-measurement uses the TPM PCR 10 register and the IMA measurement log located in /sys/kernel/security/ima/ascii_runtime_measurements to record the digest of the interesting files, and then you can use those in a remote attestation scenario, using a PCR Quote that contains the PCR 10 value, and using the ascii_runtime_measurements file to reproduce the PCR 10 measurement.

Hope this is relevant for your case!

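The attestation flow described in the message above, written out as an added example (it is not part of the thread, nor code from the kernel, IMA or tpm2-tools): parse the ima-ng lines of ascii_runtime_measurements, recompute each template hash from the digest and path it carries, replay the extends into a simulated PCR 10 and compare the result with the value carried in the quote. It assumes the ima-ng template and a SHA-1 PCR bank. The log entries, the file paths and the "quoted" PCR value are constructed for the example; only the sha256 of importantfile.txt is taken from Ben's message.

```python
"""Replay an IMA measurement log and check it against a quoted PCR 10 value.

Added example for this thread; it is not code from the kernel, IMA or
tpm2-tools. Assumes the ima-ng template with a SHA-1 PCR bank, i.e. lines
of the form
    <pcr> <sha1 template hash> ima-ng <algo>:<file digest> <path>
as read from /sys/kernel/security/ima/ascii_runtime_measurements.
SAMPLE_LOG below is constructed, not captured from a real machine.
"""
import hashlib
import struct

PCR_INDEX = 10
BANK = "sha1"                      # assumption: SHA-1 template hashes / PCR bank
BANK_LEN = hashlib.new(BANK).digest_size
# Digest Ben posted in the thread for importantfile.txt.
IMPORTANT_SHA256 = "aea86e3c73495f205929cfebba0d63f1382c8ac59be081b6351681415f4063cf"


def template_hash_ima_ng(algo: str, file_digest: bytes, path: str) -> bytes:
    """Recompute the ima-ng template hash the kernel writes to the log.

    The hash covers each template field prefixed by its u32 little-endian
    length: d-ng is "<algo>:" NUL <raw digest>, n-ng is <path> NUL, with
    spaces in the path replaced by '_' as the kernel does.
    """
    d_ng = algo.encode() + b":\x00" + file_digest
    n_ng = path.replace(" ", "_").encode() + b"\x00"
    h = hashlib.new(BANK)
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))
        h.update(field)
    return h.digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR' = H(PCR || digest)."""
    return hashlib.new(BANK, pcr + digest).digest()


def make_line(algo: str, file_digest_hex: str, path: str) -> str:
    """Format one ascii_runtime_measurements line for the constructed log."""
    thash = template_hash_ima_ng(algo, bytes.fromhex(file_digest_hex), path)
    return f"{PCR_INDEX} {thash.hex()} ima-ng {algo}:{file_digest_hex} {path}"


def replay(lines):
    """Walk the log and return (replayed PCR value, list of bad lines).

    A line is bad when its logged template hash does not match the digest
    and path it carries: someone edited the log after the kernel wrote it.
    """
    pcr = bytes(BANK_LEN)          # PCR 10 starts at all zeros after reset
    problems = []
    for line in lines:
        pcr_idx, thash_hex, tname, d_ng, path = line.strip().split(maxsplit=4)
        if int(pcr_idx) != PCR_INDEX or tname != "ima-ng":
            continue
        thash = bytes.fromhex(thash_hex)
        if thash == bytes(BANK_LEN):
            # Violation entry (e.g. ToMToU): the log shows all zeros, but the
            # kernel extended the PCR with all 0xff bytes.
            pcr = extend(pcr, b"\xff" * BANK_LEN)
            continue
        algo, digest_hex = d_ng.split(":", 1)
        if template_hash_ima_ng(algo, bytes.fromhex(digest_hex), path) != thash:
            problems.append(line)
        pcr = extend(pcr, thash)
    return pcr, problems


def verify(lines, quoted_pcr_hex: str) -> bool:
    """True only if every line is self-consistent and the replay matches the quote."""
    pcr, problems = replay(lines)
    return not problems and pcr.hex() == quoted_pcr_hex.lower()


# Constructed log: boot_aggregate first (on a real system its digest is the hash
# of PCRs 0-7; here a placeholder), then two ordinary file measurements.
SAMPLE_LOG = [
    make_line("sha1", hashlib.sha1(b"constructed boot_aggregate").hexdigest(),
              "boot_aggregate"),
    make_line("sha256", hashlib.sha256(b"#!/bin/sh\necho hi\n").hexdigest(),
              "/usr/local/bin/constructed-tool"),
    make_line("sha256", IMPORTANT_SHA256, "/home/ben/importantfile.txt"),
]
# Stand-in for the PCR 10 value a verifier takes from tpm2_quote / tpm2_pcrread.
QUOTED_PCR10 = replay(SAMPLE_LOG)[0].hex()


if __name__ == "__main__":
    print("clean log matches quote:", verify(SAMPLE_LOG, QUOTED_PCR10))
    edited = SAMPLE_LOG[:2] + [SAMPLE_LOG[2].replace(IMPORTANT_SHA256, "00" * 32)]
    print("edited digest, same template hash:", verify(edited, QUOTED_PCR10))
    rebuilt = SAMPLE_LOG[:2] + [make_line("sha256", "00" * 32, "/home/ben/importantfile.txt")]
    print("rebuilt line, consistent but wrong PCR:", verify(rebuilt, QUOTED_PCR10))
```

Two things the replay catches separately: a log line whose digest was edited in place fails the template-hash check even though PCR 10 still replays correctly, while a line that was regenerated consistently passes that check and instead fails the PCR comparison. In a real deployment the PCR 10 value comes from a tpm2_quote over a nonce the verifier chose, and the boot_aggregate entry must additionally be checked against PCRs 0-7 from the same quote; ima-evm-utils (evmctl ima_measurement) performs this replay for production use.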

* [tpm2] Re: Save Hash to TPM Memory
@ 2020-02-10  9:35 s.schwebel
  0 siblings, 0 replies; 4+ messages in thread
From: s.schwebel @ 2020-02-10  9:35 UTC (permalink / raw)
  To: tpm2


Also, there was a recent conversation on Gitter about that:

https://gitter.im/tpm2-software/community?at=5e319439f301780b83451f3e


* [tpm2] Re: Save Hash to TPM Memory
@ 2020-02-09 22:53 Steffen Schwebel
  0 siblings, 0 replies; 4+ messages in thread
From: Steffen Schwebel @ 2020-02-09 22:53 UTC (permalink / raw)
  To: tpm2


Hello,

Take a look at nvwrite. You might need to define the NV index first with nvdefine.

https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_nvdefine.1.md
https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_nvwrite.1.md

Chapter 11 from the Guide should also be helpful

https://link.springer.com/content/pdf/10.1007%2F978-1-4302-6584-9.pdf

regards,
Steffen Schwebel


On 2/9/20 11:29 PM, Ben Saunders wrote:
> Hi guys,
>
> I would like some help if at all possible. I'm fairly new to the TPM
> but have been able to get some stuff working like the
> following: https://gist.github.com/dnoliver/04364e72d8b81368f72ad4e6896f688d
>
> I want to save and load a sha256sum of an important file to check if
> it's been modified.
>
> If I run sha256sum importantfile.txt I get:
> aea86e3c73495f205929cfebba0d63f1382c8ac59be081b6351681415f4063cf  importantfile.txt
>
> I would like to save the sum into the TPM and quickly retrieve it and
> update it when necessary. I think a session would be appropriate.
>
> Any help would be appreciated, thankyou so much
>
> Ben
>
>
> -- 
> Ben Saunders
>

-- 
Steffen Schwebel
Mail: s.schwebel(a)uvensys.de
uvensys GmbH

