Bug#846383: grub2: add TPM support

Urquiza, Fabio fabio.urquiza at hpe.com
Wed Nov 30 20:11:03 UTC 2016 

Package: grub2
Version: 2.02~beta3-3
Severity: wishlist
Tags: patch 
Acked-by: Linn Crosetto <linn at hpe.com>

### Overview ###

The Measured or Trusted Boot feature provides Anti-Malware (AM) software with a
trusted (resistant to spoofing and tampering) log of all boot components that
started before AM software. AM software can use the log to determine whether
components that ran before it are trustworthy or if they have been tampered
with. The AM software on the local machine can send the log to a remote server
for evaluation. The remote server may initiate remediation actions either by
interacting with software on the client or through out-of-band mechanisms, as
appropriate.

We think that TPM support is a good addition to Debian because it can increase
its adoption in environments where a more secure approach to the booting is
needed, by being able to securely measure if any component has been tampered.

### Patches origin and submission to upstream ###

TPM support for architectures i386 and x86_64 have been submitted to CoreOS by
Matthew Garrett from its private GRUB repository. The patches submitted allow
GRUB to measure all loaded files (Linux kernel, initrd and Grub modules) and
all command executed. They have not been submitted to GRUB upstream for
political and philosophic reasons. More detail about that on the links below:

https://www.gnu.org/philosophy/can-you-trust.html
http://lists.gnu.org/archive/html/grub-devel/2013-09/msg00070.html

### Removal of floppy probe ###

Although EFI does not have the MBR size constraints, the grub-pc first stage
must be 512 bytes. The addition of the TPM code to measure the MBR on boot,
made the image size increased to 553 bytes (with some adjustments to keep both
TPM and floppy code at the same time). The Debian build process fails when
executing the tests for floppy and HDD boot if both TPM and Floppy code
co-exists, not generating the images and packages.

If the floppy support is needed, all the user needed to do is to disable TPM
support during the build. More details about how to disable its support below.

### Tests ###

We tested the feature in a HPE ProLiant DL180 Generation9 with TPM hardware and
secure boot enabled. To check the feature, please execute the following
procedure:

Check the values of the PCR registers:

$ sudo cat /sys/devices/pnp0/00:00/pcrs | grep -C1 PCR-08
PCR-07: F3 56 28 7E E4 09 02 0E A1 11 7B 90 49 09 3D DD FF 0D 60 23
PCR-08: 7B F7 E5 4C 38 D7 29 E7 5D B9 85 88 E4 C0 AF 07 04 4B D7 2E
PCR-09: 0A BC 8E E7 D3 7D 21 72 01 11 C9 D4 E4 7E E7 C3 A5 D7 21 48

Change something in the /boot/efi/EFI/debian/grub.cfg file (for instance, add
a directory slash in the command linux /boot/vmlinuz-4.4.19-1-amd64-hpelinux).

>> linux   /boot//vmlinuz-4.4.19-1-amd64-hpelinux <<

Restart the server and check the PCR-08 again. It should have a different value
from the former boot.

$ sudo cat /sys/devices/pnp0/00:00/pcrs | grep -C1 PCR-08
PCR-07: F3 56 28 7E E4 09 02 0E A1 11 7B 90 49 09 3D DD FF 0D 60 23
PCR-08: 64 3A 96 3E 02 45 5B 26 83 8B 9A 4F 77 AF E5 39 80 71 DF 66
PCR-09: 0A BC 8E E7 D3 7D 21 72 01 11 C9 D4 E4 7E E7 C3 A5 D7 21 48

Remove the change that was made in /boot/grub/grub.cfg and restart the server.
The PCR-08 should return to it's former value.

### Application of the patches ###

The patches have been divided into two patch sets that are attached to the
message as compressed tarballs:

1. grub-tpm-support.tar.xz - contains all patches related to the
functionality itself.
2. grub-tpm-enable.tar.xz - contains the patches that modifies de debian/
directory in order to enable the feature during the build.

The last patch set enable to TPM support by exporting a environment variable in
the debian/rules file

>> export TPM := 1 <<

To disable the TPM (and get the floppy support back) simply remove that line.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: grub-tpm-support.tar.xz
Type: application/octet-stream
Size: 15060 bytes
Desc: grub-tpm-support.tar.xz
URL: <http://lists.alioth.debian.org/pipermail/pkg-grub-devel/attachments/20161130/e84e6ba6/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: grub-tpm-enable.tar.xz
Type: application/octet-stream
Size: 780 bytes
Desc: grub-tpm-enable.tar.xz
URL: <http://lists.alioth.debian.org/pipermail/pkg-grub-devel/attachments/20161130/e84e6ba6/attachment-0003.obj>

More information about the Pkg-grub-devel mailing list