Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-02-02 10:35:08 -05:00
Code Issues Packages Projects Releases Wiki Activity

Move PCR[8] -> PCR[12]

Browse Source
This commit is contained in:
Malte Poll 2022-11-17 15:37:39 +01:00 committed by Malte Poll
parent 239b9f6c26
commit 74aabe86fa
5 changed files with 25 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/build-os-image.yml vendored
View File

@ -481,8 +481,8 @@ jobs:
echo "::group::Calculate expected PCRs"
{
./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}.json
./precalculate_pcr_8.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-8-${{ matrix.csp }}.json ${{ matrix.csp }}
./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}.json
./precalculate_pcr_12.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-12-${{ matrix.csp }}.json ${{ matrix.csp }}
} >> "$GITHUB_STEP_SUMMARY"
cp pcr-stable.json ${{ github.workspace }}/
jq -sSc '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json

8
cli/internal/cmd/init_test.go
View File

@ -395,8 +395,8 @@ func TestAttestation(t *testing.T) {
cfg.Provider.QEMU.Measurements[2] = measurements.PCRWithAllBytes(0x22)
cfg.Provider.QEMU.Measurements[3] = measurements.PCRWithAllBytes(0x33)
cfg.Provider.QEMU.Measurements[4] = measurements.PCRWithAllBytes(0x44)
cfg.Provider.QEMU.Measurements[8] = measurements.PCRWithAllBytes(0x88)
cfg.Provider.QEMU.Measurements[9] = measurements.PCRWithAllBytes(0x99)
cfg.Provider.QEMU.Measurements[12] = measurements.PCRWithAllBytes(0xcc)
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, cfg, file.OptNone))
ctx := context.Background()
@ -474,8 +474,8 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
conf.Provider.Azure.AppClientID = "01234567-0123-0123-0123-0123456789ab"
conf.Provider.Azure.ClientSecretValue = "test-client-secret"
conf.Provider.Azure.Measurements[4] = measurements.PCRWithAllBytes(0x44)
conf.Provider.Azure.Measurements[8] = measurements.PCRWithAllBytes(0x00)
conf.Provider.Azure.Measurements[9] = measurements.PCRWithAllBytes(0x11)
conf.Provider.Azure.Measurements[12] = measurements.PCRWithAllBytes(0xcc)
case cloudprovider.GCP:
conf.Provider.GCP.Region = "test-region"
conf.Provider.GCP.Project = "test-project"
@ -483,13 +483,13 @@ func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, cs
conf.Provider.GCP.Zone = "test-zone"
conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path"
conf.Provider.GCP.Measurements[4] = measurements.PCRWithAllBytes(0x44)
conf.Provider.GCP.Measurements[8] = measurements.PCRWithAllBytes(0x00)
conf.Provider.GCP.Measurements[9] = measurements.PCRWithAllBytes(0x11)
conf.Provider.GCP.Measurements[12] = measurements.PCRWithAllBytes(0xcc)
case cloudprovider.QEMU:
conf.Provider.QEMU.Image = "some/image/location"
conf.Provider.QEMU.Measurements[4] = measurements.PCRWithAllBytes(0x44)
conf.Provider.QEMU.Measurements[8] = measurements.PCRWithAllBytes(0x00)
conf.Provider.QEMU.Measurements[9] = measurements.PCRWithAllBytes(0x11)
conf.Provider.QEMU.Measurements[12] = measurements.PCRWithAllBytes(0xcc)
}
conf.RemoveProviderExcept(csp)

12
docs/docs/architecture/attestation.md
View File

@ -142,11 +142,11 @@ The latter means that the value can be generated offline and compared to the one
| 5 | Reserved | Azure | No |
| 6 | VM Unique ID | Azure | No |
| 7 | Secure Boot State | Azure, Constellation Bootloader | No |
| 8 | Kernel command line | Constellation Bootloader | Yes |
| 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Reserved | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes |
| 14 | Secure Boot State | Constellation Bootloader | No |
| 15 | ClusterID | Constellation Bootstrapper | Yes |
@ -175,11 +175,11 @@ The latter means that the value can be generated offline and compared to the one
| 5 | Disk GUID partition table | GCP | No |
| 6 | Disk GUID partition table | GCP | No |
| 7 | GCP Secure Boot Policy | GCP, Constellation Bootloader | No |
| 8 | Kernel command line | Constellation Bootloader | Yes |
| 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Reserved | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes |
| 14 | Secure Boot State | Constellation Bootloader | No |
| 15 | ClusterID | Constellation Bootstrapper | Yes |
@ -207,11 +207,11 @@ The latter means that the value can be generated offline and compared to the one
| 5 | Firmware | AWS | No |
| 6 | Firmware | AWS | No |
| 7 | Secure Boot Policy | AWS, Constellation Bootloader | No |
| 8 | Kernel command line | Constellation Bootloader | Yes |
| 8 | - | - | - |
| 9 | initramfs | Linux Kernel | Yes |
| 10 | Reserved | - | No |
| 11 | Reserved for Unified Kernel Image components | (Constellation Bootloader) | Yes |
| 12 | Reserved | (Constellation Bootloader) | Yes |
| 12 | Kernel command line | Constellation Bootloader | Yes |
| 13 | Reserved | (Constellation Bootloader) | Yes |
| 14 | Secure Boot State | Constellation Bootloader | No |
| 15 | ClusterID | Constellation Bootstrapper | Yes |

20
image/measured-boot/precalculate_pcr_8.sh → image/measured-boot/precalculate_pcr_12.sh
View File

@ -3,11 +3,11 @@
#
# SPDX-License-Identifier: AGPL-3.0-only
# This script is used to precalculate the PCR[8] value for a Constellation OS image.
# PCR[8] contains the hash of the kernel command line and is measured by systemd-boot.
# This value is deprecated and will be moved to PCR[12] in the future.
# This script may produce wrong results after 2023 (when the kernel command line is only measured in PCR[12]).
# Usage: precalculate_pcr_8.sh <path to image> <path to output file> <csp>
# This script is used to precalculate the PCR[12] value for a Constellation OS image.
# PCR[12] contains the hash of the kernel command line and is measured by systemd-boot.
# This value was previously measured into PCR[8].
# This script may produce wrong results for systemd-boot versions < 251.
# Usage: precalculate_pcr_12.sh <path to image> <path to output file> <csp>
set -euo pipefail
shopt -s inherit_errexit
@ -35,7 +35,7 @@ write_output() {
cat > "${out}" << EOF
{
"measurements": {
"8": "${expected_pcr_8}"
"12": "${expected_pcr_12}"
},
"cmdline": "${cmdline}",
"cmdline-sha256": "${cmdline_hash}"
@ -59,18 +59,18 @@ cmdline=$(cat "${DIR}/cmdline")
cmdline_hash=$(cmdline_measure "${DIR}/cmdline")
cleanup "${DIR}"
expected_pcr_8=0000000000000000000000000000000000000000000000000000000000000000
expected_pcr_8=$(pcr_extend "${expected_pcr_8}" "${cmdline_hash}" "sha256sum")
expected_pcr_12=0000000000000000000000000000000000000000000000000000000000000000
expected_pcr_12=$(pcr_extend "${expected_pcr_12}" "${cmdline_hash}" "sha256sum")
if [[ ${CSP} == "azure" ]]; then
# Azure displays the boot menu
# triggering an extra measurement of the kernel command line.
expected_pcr_8=$(pcr_extend "${expected_pcr_8}" "${cmdline_hash}" "sha256sum")
expected_pcr_12=$(pcr_extend "${expected_pcr_12}" "${cmdline_hash}" "sha256sum")
fi
echo "Kernel commandline: ${cmdline}"
echo "Kernel Commandline measurement ${cmdline_hash}"
echo ""
echo "Expected PCR[8]: ${expected_pcr_8}"
echo "Expected PCR[12]: ${expected_pcr_12}"
echo ""
write_output "${OUT}"

8
internal/attestation/measurements/measurements.go
View File

@ -36,30 +36,30 @@ func DefaultsFor(provider cloudprovider.Provider) M {
switch provider {
case cloudprovider.AWS:
return M{
8: PCRWithAllBytes(0x00),
11: PCRWithAllBytes(0x00),
12: PCRWithAllBytes(0x00),
13: PCRWithAllBytes(0x00),
uint32(vtpm.PCRIndexClusterID): PCRWithAllBytes(0x00),
}
case cloudprovider.Azure:
return M{
8: PCRWithAllBytes(0x00),
11: PCRWithAllBytes(0x00),
12: PCRWithAllBytes(0x00),
13: PCRWithAllBytes(0x00),
uint32(vtpm.PCRIndexClusterID): PCRWithAllBytes(0x00),
}
case cloudprovider.GCP:
return M{
0: {0x0F, 0x35, 0xC2, 0x14, 0x60, 0x8D, 0x93, 0xC7, 0xA6, 0xE6, 0x8A, 0xE7, 0x35, 0x9B, 0x4A, 0x8B, 0xE5, 0xA0, 0xE9, 0x9E, 0xEA, 0x91, 0x07, 0xEC, 0xE4, 0x27, 0xC4, 0xDE, 0xA4, 0xE4, 0x39, 0xCF},
8: PCRWithAllBytes(0x00),
11: PCRWithAllBytes(0x00),
12: PCRWithAllBytes(0x00),
13: PCRWithAllBytes(0x00),
uint32(vtpm.PCRIndexClusterID): PCRWithAllBytes(0x00),
}
case cloudprovider.QEMU:
return M{
8: PCRWithAllBytes(0x00),
11: PCRWithAllBytes(0x00),
12: PCRWithAllBytes(0x00),
13: PCRWithAllBytes(0x00),
uint32(vtpm.PCRIndexClusterID): PCRWithAllBytes(0x00),
}