From: Matthew Garrett <mjg59@srcf.ucam.org>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: Support for TPM measurements on UEFI systems
Date: Mon, 6 Feb 2017 22:04:59 +0000
Message-ID: <20170206220459.GA15789@srcf.ucam.org>
References: <20170204212359.GA11656@srcf.ucam.org> <20170206164338.GA4484@srcf.ucam.org>

On Mon, Feb 06, 2017 at 09:53:57AM -0800, Jon McCune wrote:
> I'm not sure about measuring the commands that GRUB runs. GRUB's config
> file is a shell-like language, and measuring that file should give a pretty
> good indication of its behavior. In the grey area between "what is code?"
> and "what is data?", making the case that grub.cfg is code seems feasible,
> which greatly simplifies the work of whatever verifies attestations or
> binds/seals data. Although, implementations for these two don't really seem
> to be in conflict so maybe GRUB could be configured one way or the other.

I'm concerned that the language gives enough flexibility that we don't know
that for sure - for instance, if a regularly used command is vulnerable to a
buffer overflow, there's no way to determine whether that occurred.
Measuring each command before it's executed gives us some further assurance
in that respect. Calculating the expected values is still pretty easy, and
if they're logged then you can have a regex-based engine for remote
validation.

-- 
Matthew Garrett | mjg59@srcf.ucam.org
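The measure-each-command-then-validate-the-log scheme described in the reply above, as an added illustration. This is not code from GRUB, from the patch under discussion, or from anyone in the thread: it simulates a SHA-256 PCR extend over a constructed command list, then replays the resulting event log on the "remote" side and checks every entry against a regex policy. The PCR index, the "grub_cmd: ..." event string format, the sample commands and the policy patterns are all assumptions made for the example.

```python
"""Simulated TPM measurement of bootloader commands plus a regex-based
remote verifier over the event log.  Added example only: the PCR index,
event format, sample grub.cfg commands and policy rules are assumptions,
not GRUB's or the patch's actual behaviour."""
import hashlib
import re

PCR_SIZE = 32        # SHA-256 bank, one PCR is 32 bytes
CMD_PCR = 8          # assumed: the PCR the bootloader extends with each command


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend semantics: new = H(old || digest).  Order matters, and
    a value cannot be rolled back, which is what makes the log checkable."""
    return sha256(pcr + digest)


def measure_commands(commands):
    """Extend the simulated PCR once per command, before that command
    would run, and append (pcr, digest, event text) to the event log.
    Returns (final PCR value, event log)."""
    pcr = bytes(PCR_SIZE)                      # PCRs are all-zero after reset
    log = []
    for cmd in commands:
        event = f"grub_cmd: {cmd}"             # assumed event string format
        digest = sha256(event.encode())
        pcr = pcr_extend(pcr, digest)
        log.append((CMD_PCR, digest, event))
    return pcr, log


# Constructed sample: the commands a small grub.cfg would execute in order.
SAMPLE_COMMANDS = [
    "set root=hd0,gpt2",
    "linux /boot/vmlinuz-4.9.0 root=/dev/sda2 ro quiet",
    "initrd /boot/initrd.img-4.9.0",
    "boot",
]

# Assumed remote policy: one pattern per command the verifier is willing
# to accept.  Bounded patterns (\d+, [0-9.]+) mean an oversized or odd
# argument, the kind that would feed a buffer overflow, does not match.
POLICY = [
    re.compile(r"^grub_cmd: set root=hd0,gpt\d+$"),
    re.compile(r"^grub_cmd: linux /boot/vmlinuz-[0-9.]+ root=/dev/sda2 ro( quiet)?$"),
    re.compile(r"^grub_cmd: initrd /boot/initrd\.img-[0-9.]+$"),
    re.compile(r"^grub_cmd: boot$"),
]


def verify(log, quoted_pcr):
    """Remote side.  (1) Each entry's digest must match its event text and
    the whole log must replay to the PCR value the TPM quoted, so the log
    is the one the TPM actually saw.  (2) Every command must match an
    allowed pattern, so nothing unexpected was executed.
    Returns (ok, reason)."""
    replay = bytes(PCR_SIZE)
    for _, digest, event in log:
        if sha256(event.encode()) != digest:
            return False, f"digest does not match event text: {event!r}"
        replay = pcr_extend(replay, digest)
    if replay != quoted_pcr:
        return False, "replayed log does not reproduce the quoted PCR"
    for _, _, event in log:
        if not any(rule.match(event) for rule in POLICY):
            return False, f"command rejected by policy: {event!r}"
    return True, "ok"


if __name__ == "__main__":
    pcr, log = measure_commands(SAMPLE_COMMANDS)
    print("quoted PCR:", pcr.hex())
    print("clean boot:     ", verify(log, pcr))

    # Editing the log after the fact: the digests no longer match the text.
    tampered = list(log)
    tampered[1] = (CMD_PCR, log[1][1], "grub_cmd: boot")
    print("tampered log:   ", verify(tampered, pcr))

    # A hostile argument is measured before the command runs, so the log
    # shows it and the regex policy rejects it even though the PCR chain
    # is internally consistent.
    pcr2, log2 = measure_commands(["set root=" + "A" * 300] + SAMPLE_COMMANDS[1:])
    print("overlong arg:   ", verify(log2, pcr2))
```

The expected PCR for a known good configuration is just a replay of the known command list through pcr_extend, which is the "calculating the expected values is still pretty easy" part; the verifier only needs the quote and the log, and the regex layer is what lets it accept a range of kernels or arguments without maintaining a golden PCR per variant.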