For personnal use only

Transcription

1 UEFI Utility to Read TPM 1.2 PCRs Finnbarr P. Murphy A Trusted Platform Module (TPM) supports many security functions including a number of special registers called Platform Configuration Registers (PCRs) which can hold data in a shielded location in a manner that prevents tampering or spoofing. A PCR is a 20-byte register. which incidentally is the length of a SHA-1 (Secure Hash Algorithm) hash. Most modern TPMs have 24 or even more PCRs; older ones have 16 PCRs. The TPM 1.2 specification, developed by the Trusted Computing Group (TCG) only requires 16 PCRs. Typically PCRs are used to store measurements. Measurements can be of code, data structures, configuration, information, or anything that can be loaded into memory with code measurement being the most common use case. The idea is that no code is executed until it has been measured. Measurements consist of a cryptographic hash using SHA-1. To further protect the integrity of the measurements, hashes are not written directly to PCRs; instead a PCR is extended with a measurement. This means that the TPM takes the current value of the PCR and the measurement to be extended, hashes them together, and replaces the content of the PCR with that hash result. Note that a TPM is not responsible for actually measuring anything; only for securely storing the measurement. Extend works like this: New PCR value = SHA-1 hash (Current PCR value new SHA-I hash) The TPM retrieves the current value of a PCR, concatenates the new SHA-1 hash to the end of the retrieved value in order to obtain a 40-byte value, calculates the SHA-1 of this 40-byte value to obtain a 20-byte hash and sets the PCR value to this SHA-1. The result is that the only way to arrive at a particular measurement in a PCR is to extend exactly the same measurements in exactly the same order. Therefore, if any module being measured has been modified, the resulting PCR measurement will be different and thus it is easy to detect if any code, configuration, data, etc. that has been measured was been modified or corrupted as it is computationally infeasible to forge the resulting PCR value. PCRs can never be arbitrarily overwritten but many can be reset while the platform is powered on to a known value, either all zero bits or all one bits, using the TPM PCR_Reset command. Whether a specific PCR can be reset or not is defined by various platform specifications and requires appropriate permissions. All PCRs can be reset at power on. Before I go any further, here is the source code for my ShowPCR12 utility: // // Copyright (c) 2017 Finnbarr P. Murphy. All rights reserved. // // Retrieve and print TPMi 1.2 PCR digests // // License: BSD License // #include <uefi.h> #include <library /UefiLib.h> #include </library><library /ShellCEntryLib.h> #include </library><library /ShellLib.h> Copyright Finnbarr P. Murphy. All rights reserved. 1/8

2 #include </library><library /BaseMemoryLib.h> #include </library><library /UefiBootServicesTableLib.h> #include <protocol /EfiShell.h> #include </protocol><protocol /LoadedImage.h> #include </protocol><protocol /TcgService.h> #include </protocol><protocol /Tcg2Protocol.h> #include <industrystandard /UefiTcgPlatform.h> #define UTILITY_VERSION L"0.8" #define EFI_TCG2_PROTOCOL_GUID \ {0x607f766c, 0x7455, 0x42be, { 0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f VOID Print_PcrDigest(TPM_PCRINDEX PcrIndex, TPM_PCRVALUE *PcrValue) { int size = sizeof(tpm_pcrvalue); UINT8 *buf = (UINT8 *)PcrValue; Print(L"[%02d] ", PcrIndex); for (int i = 0; i < size; i++) { Print(L"%02x ", 0xff & buf[i]); Print(L"\n"); BOOLEAN CheckForTpm20() { EFI_STATUS Status = EFI_SUCCESS; EFI_TCG2_PROTOCOL *Tcg2Protocol; EFI_GUID gefitcg2protocolguid = EFI_TCG2_PROTOCOL_GUID; Status = gbs->locateprotocol( &gefitcg2protocolguid, NULL, (VOID **) &Tcg2Protocol); if (EFI_ERROR (Status)) { return FALSE; return TRUE; VOID Usage(CHAR16 *Str) { Print(L"Usage: %s [--version]\n", Str); INTN EFIAPI ShellAppMain(UINTN Argc, CHAR16 **Argv) { EFI_STATUS Status = EFI_SUCCESS; EFI_TCG_PROTOCOL *TcgProtocol; EFI_GUID gefitcgprotocolguid = EFI_TCG_PROTOCOL_GUID; TPM_RSP_COMMAND_HDR *TpmRsp; UINT32 TpmSendSize; UINT8 CmdBuf[64]; TPM_PCRINDEX PcrIndex; TPM_PCRVALUE *PcrValue; if (Argc >= 2) { if (!StrCmp(Argv[1], L"--version")) { Print(L"Version: %s\n", UTILITY_VERSION); else { Usage(Argv[0]); return Status; Status = gbs->locateprotocol( &gefitcgprotocolguid, NULL, (VOID **) &TcgProtocol); if (EFI_ERROR (Status)) { if (CheckForTpm20()) { Print(L"ERROR: Platform configured for TPM 2.0, not TPM 1.2\n"); else { Print(L"ERROR: Failed to locate EFI_TCG_PROTOCOL [%d]\n", Status); Copyright Finnbarr P. Murphy. All rights reserved. 2/8

3 ) { UEFI Utility to Read TPM 1.2 PCRs return Status; // Loop through all the PCRs and print each digest for (PcrIndex = 1; PcrIndex < = TPM_NUM_PCR; PcrIndex++) { TpmSendSize = sizeof (TPM_RQU_COMMAND_HDR) + sizeof (UINT32); *(UINT16*)&CmdBuf[0] = SwapBytes16 (TPM_TAG_RQU_COMMAND); *(UINT32*)&CmdBuf[2] = SwapBytes32 (TpmSendSize); *(UINT32*)&CmdBuf[6] = SwapBytes32 (TPM_ORD_PcrRead); *(UINT32*)&CmdBuf[10] = SwapBytes32 (PcrIndex); Status = TcgProtocol->PassThroughToTpm( TcgProtocol, TpmSendSize, CmdBuf, sizeof (CmdBuf), CmdBuf); if (EFI_ERROR (Status)) { if (CheckForTpm20()) { Print(L"ERROR: Platform configured for TPM 2.0, not TPM 1.2\n"); else { Print(L"ERROR: PassThroughToTpm failed [%d]\n", Status); return Status; TpmRsp = (TPM_RSP_COMMAND_HDR *) &CmdBuf[0]; if ((TpmRsp->tag!= SwapBytes16(TPM_TAG_RSP_COMMAND)) (TpmRsp->returnCode!= 0) Print(L"ERROR: TPM command result [%d]\n", SwapBytes16(TpmRsp->returnCode)); return EFI_DEVICE_ERROR; PcrValue = (TPM_PCRVALUE *) &CmdBuf[sizeof (TPM_RSP_COMMAND_HDR)]; Print_PcrDigest(PcrIndex, PcrValue); return Status; I developed it using the Tianocore UDK2015 (UEFI Development Kit, 2015 release). UDK2017 is not yet released; it is scheduled for early 2017Q1. Here is my build configuration file: [Defines] INF_VERSION = 0x BASE_NAME = ShowPCR12 FILE_GUID = 4ea87c ccd f3ce51 MODULE_TYPE = UEFI_APPLICATION VERSION_STRING = 0.1 ENTRY_POINT = ShellCEntryLib VALID_ARCHITECTURES = X64 [Sources] ShowPCR12.c [Packages] MdePkg/MdePkg.dec ShellPkg/ShellPkg.dec [LibraryClasses] ShellCEntryLib ShellLib BaseLib BaseMemoryLib UefiLib [Protocols] Copyright Finnbarr P. Murphy. All rights reserved. 3/8

4 [BuildOptions] [Pcd] To assist you in understanding the code I have included a copy of the TPM_PCRRead specification from Part 3 of the TPM 1.2 specification. In UDK2015, the assigned ordinal for TPM_PCRRead is TPM_ORD_PcrRead and that is what you will see in the above code. I also include a copy of the relevant section of the TPM 1.2 EFI specification detailing the PassThroughToTpm API which is exposed via the EFI_TCG_PROTOCOL_GUID guid Copyright Finnbarr P. Murphy. All rights reserved. 4/8

5 Note this utility interacts with a TPM at a very low level, i.e. what Will Arthur et al in their excellent book A Practical Guide to TPM 2.0 in Figure 7.1 call the System API (SAPI) layer. Could I have used one of the two other higher levels API layers? Yes, but frankly SAPI is easier for me to use when coding a UEFI shell utility as I am quite familiar with it. Here is the output of this utility when run against the hardware TPM on my Lenovo T450: fs1> ShowPCR12.EFI [01] 11 EE 11 E D7 88 EC 99 BE D D D2 [02] B2 A8 3B 0E BF 2F A 5B 2B DF C3 1E A9 55 AD [03] B2 A8 3B 0E BF 2F A 5B 2B DF C3 1E A9 55 AD [04] A4 32 BC 6C 7F CC 7F CB AD 41 0A 6E [05] 45 A B D9 33 F0 8E 7F 0E 25 6B C8 24 9E B1 EC [06] A9 CD BE 97 0A A5 DD AA A8 C A0 EB DC 4D 50 FE [07] DD 38 9D FA 9A D1 D9 D9 CF 41 B4 94 8E DD 7D BC [08] [09] [10] [11] [12] [13] Copyright Finnbarr P. Murphy. All rights reserved. 5/8

6 [14] [15] [16] fs1> As you can see the first eight PCRs have non-zero values. The Trusted Computing Group only defined a Static Chain of Trust for TPM 1.2 starting from a Static Core Root of Trust for Measurements (S-CRTM) and assigns the following meanings to measurements in the first 8 PCRs: PCR0 CRTM, BIOS code, and Platform Extensions PCR1 Platform Configuration PCR2 Option ROM Code PCR3 Option ROM Configuration and Data PCR4 IPL (Initial Program Loader) Code PCR5 IPL Code Configuration and Data PCR6 State Transition and Wake Events PCR7 Platform Manufacturer Control PCRs 8 to 15 are assigned for use by the operating system. For example, a trusted boot loader typically uses PCR8 and PCR9. The following diagram shows the difference between a Static Chain of Trust which I have discussed and a Dynamic Chain of Trust which I am about to briefly introduce Copyright Finnbarr P. Murphy. All rights reserved. 6/8

7 TPM 1.2 only supports a Static Chain of Trust. Here, the first thing measured at boot is called the Core Root of Trust for Measurements (CRTM) whereby the firmware (AKA BIOS) boot block will measure the firmware and store the resultant value in PCR0 before executing it. On Intel platforms, it does this by invoking an Intel-supplied chunk of code called Authenticated Code Module (BIOS ACM) which is embedded in the firmware and can authenticate and validate the firmware. Then the firmware will measure the next thing in the boot chain before executing it and store the value in PCR1. This process continues for each component in the boot sequence. On the other hand, Dynamic Root of Trust for Measurements DRTM) is quite different as you can see from the above diagram. The goal of DRTM is to create a trusted environment from an initially untrusted state. Intel calls their implementation Trusted Execution Technology (TXT) and AMD uses the name Secure Virtual Machine (SVM). A detailed discussion of the differences between SRTM and DRTM is outside the scope of this post. Do a search, SRTM versus DRTM, on StackExchange for more information. By the way, if you have access to the Intel TXT (Trusted Execution Technology) EFI compliance testing toolkit, the included utility, pcrdump.efi, provides similar functionality to the utility described in this post Copyright Finnbarr P. Murphy. All rights reserved. 7/8

8 Copyright Finnbarr P. Murphy. All rights reserved. 8/8