forked from rzhw/TrustedGRUB
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME
107 lines (78 loc) · 4.08 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
This is a fork of TrustedGRUB 1.1.5
TrustedGRUB is a modified version of GRUB Legacy (1.0) that will
extend the chain of trust in the TPM by measuring the boot loader code,
the boot settings, the loaded kernel and the initial RAM disk image
used during the boot process.
The original source of the code can be found at:
http://sourceforge.net/projects/trustedgrub/files/TrustedGRUB-1.1.5/
Unfortunately, the project doesn't seem to be actively maintained anymore
(last update was in 2010).
Reasons for the fork:
- The original project is not actively maintained anymore.
- It doesn't build with the latest autoconf/automake tools.
- The documentation is somewhat lacking.
- The installation wasn't producing consistent measurements.
- Github is a nicer place for continuing development.
Use the 'build.sh' script to configure and build the project.
Use the '-v' option to enable verbose output.
Refer to the file ORIGINAL_TRUSTEDGRUB_README for additional information.
Original source code archive preserved in TrustedGRUB-1.1.5.tar.gz.
Notes about installation:
The chain of trust is only extended by stage1 and stage2. TrustedGRUB doesn't
have stage 1.5 support for extending the chain of measurements in the PCRs.
If we don't embed stage1.5 in the drive, stage1 will need to have embeded in it
the absolute sector of stage2. This will make the measurement of stage1 differ
at each installation. Also, grub will patch the stage1 code depending on
the BIOS version detected on the machine.
To keep the measurements consistent, I suggest another installation aproach:
newer disk partitioning tools leave 1 MB of unused space at the front of the drive,
instead of the previous standard of 32 KB, so we can embed the entire stage2 there.
The script 'trustedgrub_install.sh' implements this method.
Installation instructions:
- Copy the files from bin/ into /boot/grub/
- Partition the disk with a tool that leaves 1 MB of empty space at the beggining of the disk.
- Configure your boot settings in the menu.lst file.
- Execute '/boot/grub/trustedgrub_install.sh /dev/XXX'
Original installation instructions:
If you want to use the original setup method, be sure to delete stage1.5 first.
Please do:
'cp default /boot/grub'
'make install'
To install TrustedGRUB to your local harddisc do:
'rm -rf /boot/grub/stage*'
'rm -rf /boot/grub/*1_5'
'cp default /boot/grub'
'cp stage1/stage1 /boot/grub'
'cp stage2/stage2 /boot/grub'
'./grub/grub --no-floppy'
Then enter:
'root (hdX,Y)'
'setup (hdX)'
'quit'
or alternatively:
'rm -rf /boot/grub/stage*'
'rm -rf /boot/grub/*1_5'
'util/grub-install /dev/XXX --no-floppy'
PCRs measurements:
PCR 04: "Calling INT 19h", separator event, "Returned INT 19h", first 440 bytes of stage1/first sector.
PCR 05: Separator event, last 72 bytes of stage1/first sector that contain the partition table.
PCR 08: First 512 bytes of stage2.
PCR 09: All of stage2 code without first 512 bytes.
PCR 12: Executed commands from menu.lst (root, kernel, initrd, boot).
PCR 13: 'checkfile' option checked files.
PCR 14: Loaded files (kernel and initrd image).
SCRTM vs DCRTM note:
TrustedGRUB implements support for a Static Core Root of Trust Measurement (SCRTM).
This technique is obsoleted by the more recent Dynamic Core Root of Trust Measurement
(DCRTM), implemented by the tboot project (http://sourceforge.net/projects/tboot/),
which is supported by Intel. But SCRTM and DCRTM are not incompatible with each other.
You can use both at the same time. TrustedGRUB can execute first, writing the
measurements into the lower, static PCRs, and then pass control to tboot, which will
write it's measurements into the upper, dynamic PCRs.
Changes:
28/09/2014:
- Renamed GRUB's 'README' file to 'ORIGINAL_GRUB_README'.
- Renamed TrustedGRUB's 'README' file to 'ORIGINAL_TRUSTEDGRUB_README'.
- Renamed TrustedGRUB build script from 'build_tgrub.sh' to 'build.sh'
- Updated project to work with the latest autoconf/automake.
- Updated build script to create the consistent measurements installation binaries.