Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-07-22 06:50:43 -04:00
Code Issues Projects Releases Packages Wiki Activity

docs: explain the role of PCR[10] and why it is not reproducible (#2011)

Browse source
This commit is contained in:
Malte Poll 2023-07-04 16:41:01 +02:00 committed by GitHub
parent 8ba0179137
commit 06909f8aca
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

12
docs/docs/architecture/attestation.md
View file

@ -144,7 +144,7 @@ The latter means that the value can be generated offline and compared to the one
| 7 | Secure Boot State | Azure, Constellation Bootloader | No | | 7 | Secure Boot State | Azure, Constellation Bootloader | No |
| 8 | - | - | - | | 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes | | 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No | | 10 | Userspace[^1] | Linux IMA[^1] | No[^1] |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes | | 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes | | 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes | | 13 | Reserved | (Constellation Bootloader) | Yes |
@ -177,7 +177,7 @@ The latter means that the value can be generated offline and compared to the one
| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No | | 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No |
| 8 | - | - | - | | 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes | | 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No | | 10 | Userspace[^1] | Linux IMA[^1] | No[^1] |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes | | 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes | | 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes | | 13 | Reserved | (Constellation Bootloader) | Yes |
@ -209,7 +209,7 @@ The latter means that the value can be generated offline and compared to the one
| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No | | 7 | Secure Boot Policy | AWS, Constellation Bootloader | No |
| 8 | - | - | - | | 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes | | 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No | | 10 | User space | Linux IMA | No[^1] |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes | | 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes | | 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes | | 13 | Reserved | (Constellation Bootloader) | Yes |
@ -308,3 +308,9 @@ flowchart LR
D["Public key"]-- "verifies" -->E["Runtime measurements"] D["Public key"]-- "verifies" -->E["Runtime measurements"]
E["Runtime measurements"]-- "verify" -->F["Constellation cluster"] E["Runtime measurements"]-- "verify" -->F["Constellation cluster"]
``` ```
## References
[^1]: Linux IMA produces runtime measurements of user space binaries.
However, these measurements aren't deterministic and thus, PCR\[10] can't be compared to a constant value.
Instead, a policy engine must be used to verify the TPM event log against a policy.