DOCSLIB.ORG

Work Package 5: TPM and "UEFI Secure Boot"

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Work Package 5: TPM and Work Package 5: Trusted Platform Module and Unified Extensible Firmware Interface “Secure Boot” Version: 1.0 Federal Office for Information Security Post Box 20 03 63 D-53133 Bonn Phone: +49 22899 9582-0 E-Mail: [email protected] Internet: https://www.bsi.bund.de © Federal Office for Information Security 2018 Table of Contents Table of Contents 1 Introduction.......................................................................................................................................................................................... 7 1.1 Zusammenfassung...................................................................................................................................................................... 7 1.2 Executive Summary................................................................................................................................................................. 11 1.3 General Concepts and Terminology.................................................................................................................................13 2 Technical Analysis of Functionalities..................................................................................................................................... 16 2.1 TPM Communication Interfaces....................................................................................................................................... 16 2.1.1 TPM Communication: User-land...............................................................................................................................17 2.1.2 TPM Communication: Kernel-land...........................................................................................................................22 2.1.3 TPM Usage Profiles............................................................................................................................................................ 22 2.2 Windows Boot............................................................................................................................................................................ 23 2.2.1 Boot Manager....................................................................................................................................................................... 24 2.2.2 Windows Loader................................................................................................................................................................. 27 2.2.3 Windows Kernel.................................................................................................................................................................. 29 2.3 The Windows Defender ELAM Driver............................................................................................................................. 36 2.4 Integrity Measurement........................................................................................................................................................... 40 2.5 TPM Provisioning..................................................................................................................................................................... 46 2.5.1 Manual Provisioning......................................................................................................................................................... 47 2.5.2 Auto-provisioning.............................................................................................................................................................. 51 2.6 Security Aspects......................................................................................................................................................................... 53 3 Configuration and Logging Capabilities...............................................................................................................................56 3.1 Configuration Capabilities.................................................................................................................................................... 56 3.1.1 Programmatic Configuration Capabilities.............................................................................................................57 3.1.2 Non-programmatic Configuration Capabilities..................................................................................................58 3.1.3 Recommended Configuration Settings....................................................................................................................63 3.2 Logging Capabilities................................................................................................................................................................. 64 Appendix.............................................................................................................................................................................................. 69 Tools................................................................................................................................................................................................ 69 TPM Usage Profiler................................................................................................................................................................... 70 TPM Usage.................................................................................................................................................................................... 71 ELAM Database Parser............................................................................................................................................................ 71 WBCL Parser................................................................................................................................................................................ 74 Measured Executables............................................................................................................................................................. 74 Reference Documentation........................................................................................................................................................... 77 Keywords and Abbreviations...................................................................................................................................................... 78 Federal Office for Information Security 3 Table of Contents eeeeeeeeeee Figures Figure 1: A TPM key hierarchy................................................................................................................................................................. 14 Figure 2: Interfaces for communicating with the TPM...............................................................................................................16 Figure 3: Submitting a TPM command using Tbsip_Submit_Command...........................................................................18 Figure 4: Execution of Tbsip_Submit_Command........................................................................................................................... 19 Figure 5: Submission of TPM commands..........................................................................................................................................20 Figure 6: The ACPI TPM2 table................................................................................................................................................................ 20 Figure 7: Loading and initializing the Platform Cryptographic Provider...........................................................................21 Figure 8: Dynamic loading of TPM-related library files..............................................................................................................21 Figure 9: The booting process of a Windows-based platform..................................................................................................23 Figure 10: Public keys stored in the boot manager and the UEFI firmware......................................................................25 Figure 11: Function stack: Image loading and integrity verification by the boot manager........................................26 Figure 12: A public key of a root certificate stored in the boot manager.............................................................................27 Figure 13: Function stack: Image loading and integrity verification by the Windows loader...................................28 Figure 14: Function stack: Image loading and integrity verification by the Windows kernel...................................29 Figure 15: Snippet of a Windows compatibility database file...................................................................................................31 Figure 16: Pseudo-code of CipValidateFileHash and functions it invokes.........................................................................32 Figure 17: An Authenticode signature and a PE hash value......................................................................................................33 Figure 18: A hash code and a list of signers.......................................................................................................................................34 Figure 19: crashdmp.sys: The ContentInfo section and the PE hash value........................................................................35 Figure 20: A public key of a root certificate
Load more

Recommended publications
  • Operating System Boot from Fully Encrypted Device
    Masaryk University Faculty of Informatics Operating system boot from fully encrypted device Bachelor’s Thesis Daniel Chromik Brno, Fall 2016 Replace this page with a copy of the official signed thesis assignment and the copy of the Statement of an Author. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Daniel Chromik Advisor: ing. Milan Brož i Acknowledgement I would like to thank my advisor, Ing. Milan Brož, for his guidance and his patience of a saint. Another round of thanks I would like to send towards my family and friends for their support. ii Abstract The goal of this work is description of existing solutions for boot- ing Linux and Windows from fully encrypted devices with Secure Boot. Before that, though, early boot process and bootloaders are de- scribed. A simple Linux distribution is then set up to boot from a fully encrypted device. And lastly, existing Windows encryption solutions are described. iii Keywords boot process, Linux, Windows, disk encryption, GRUB 2, LUKS iv Contents 1 Introduction ............................1 1.1 Thesis goals ..........................1 1.2 Thesis structure ........................2 2 Boot Process Description ....................3 2.1 Early Boot Process ......................3 2.2 Firmware interfaces ......................4 2.2.1 BIOS – Basic Input/Output System . .4 2.2.2 UEFI – Unified Extended Firmware Interface .5 2.3 Partitioning tables ......................5 2.3.1 MBR – Master Boot Record .
    [Show full text]
  • Ebook - Informations About Operating Systems Version: August 15, 2006 | Download
    eBook - Informations about Operating Systems Version: August 15, 2006 | Download: www.operating-system.org AIX Internet: AIX AmigaOS Internet: AmigaOS AtheOS Internet: AtheOS BeIA Internet: BeIA BeOS Internet: BeOS BSDi Internet: BSDi CP/M Internet: CP/M Darwin Internet: Darwin EPOC Internet: EPOC FreeBSD Internet: FreeBSD HP-UX Internet: HP-UX Hurd Internet: Hurd Inferno Internet: Inferno IRIX Internet: IRIX JavaOS Internet: JavaOS LFS Internet: LFS Linspire Internet: Linspire Linux Internet: Linux MacOS Internet: MacOS Minix Internet: Minix MorphOS Internet: MorphOS MS-DOS Internet: MS-DOS MVS Internet: MVS NetBSD Internet: NetBSD NetWare Internet: NetWare Newdeal Internet: Newdeal NEXTSTEP Internet: NEXTSTEP OpenBSD Internet: OpenBSD OS/2 Internet: OS/2 Further operating systems Internet: Further operating systems PalmOS Internet: PalmOS Plan9 Internet: Plan9 QNX Internet: QNX RiscOS Internet: RiscOS Solaris Internet: Solaris SuSE Linux Internet: SuSE Linux Unicos Internet: Unicos Unix Internet: Unix Unixware Internet: Unixware Windows 2000 Internet: Windows 2000 Windows 3.11 Internet: Windows 3.11 Windows 95 Internet: Windows 95 Windows 98 Internet: Windows 98 Windows CE Internet: Windows CE Windows Family Internet: Windows Family Windows ME Internet: Windows ME Seite 1 von 138 eBook - Informations about Operating Systems Version: August 15, 2006 | Download: www.operating-system.org Windows NT 3.1 Internet: Windows NT 3.1 Windows NT 4.0 Internet: Windows NT 4.0 Windows Server 2003 Internet: Windows Server 2003 Windows Vista Internet: Windows Vista Windows XP Internet: Windows XP Apple - Company Internet: Apple - Company AT&T - Company Internet: AT&T - Company Be Inc. - Company Internet: Be Inc. - Company BSD Family Internet: BSD Family Cray Inc.
    [Show full text]
  • 1 Installation and Brief Overview 1.1 System Requirements
    1 Installation and brief overview .................................................................................................................................1 1.1 System requirements ........................................................................................................................................1 1.2 Installation of BootManager ..............................................................................................................................2 1.2.1 Windows Installation of BootManager........................................................................................................2 1.2.2 DOS Installation of BootManager...............................................................................................................3 1.3 After the Installation..................................................................................................................................3 1. 4 BootManager modules and functions ..............................................................................................................3 1.5 Partition Manager..............................................................................................................................................3 2 The BootManager configuration program................................................................................................................4 2.1 Program windows and command push buttons................................................................................................4 2.2 Pull
    [Show full text]
  • Győzze Le a Kémeket PC-Jén
    IT-trend 2012 Minden újdonságLTE, NFC, bemutatva! OLED... DVD DVD 2012 legjobb vételei 4 Friss 9 GB 2012 A LEGÚJABB DRIVEREK, HASZNOS PROGRAMOK, Hardvervásárlási útmutató. Okos döntések az olcsó átverések helyett A HÓNAP JÁTÉKAI, EXKLUZÍV CSOMAgok… Abylon ajándékcsomag 4 teljes verzió az adattolvajok ellen. Mind a DVD-n! GO DIGITAL! R 82 2012/04 _ CHIPONLINE.HU Best of Extra DVD + nyereményjáték open source Windows 8: A nyílt forráskód legjobbjai 104 top eszköz 9 kategóriában tesztelje Ön is! + 9 teljes verziós program + egy exkluzív csomag a kémkedés ellen Útmutató: így telepítse virtuális HDD-re az új Windowst – a régi rendszer kockáztatása nélkül R 44 Győzze le a 9 teljes verzió a CHIP DVD-jén Olvasóinknak most ingyen! Registry Washer, kémeket PC-jén AppBlocker, KeySafe... A saját fegyvereikkel vagy a legújabb biztonsági eszközökkel – minden program a DVD-n! R 90 Notebook-felújítás Új gép vásárlása helyett: memóriabővítés, SSD-csere, HD... 104 Eraser 2011 R & File Washer 5 Ezek végre valóban törlik kényes képeit, iratait, internetezésének nyomait Terabájtos SDD? A legjobb módszer: SSD-sebesség, HDD- 1995 Ft, előfizetéssel 1395 Ft kapacitás és megfizethető ár – eláruljuk, hogyan R 52 XXIV. évfolyam, 4. szám, 2012. április A Windows 8 biztonságos tesztelése A >> legjobb Open Source programok Régi >> noteszgép felújítása 2012 >> legjobb vételei Terabájtos >> SSD? Forradalom >> a fényképezésben Mindenkit >> megfigyelnek Kiadja a MediaCity Magyarország Kft. IPM_1/1_to_CHIP:DFM_image 2012.03.19. 10:34 Page 1 TREND // TEST // TECHNIK CHIP
    [Show full text]
  • Your Embedded Distributor
    Your Embedded Distributor Wolfgang Unger Wolfgang Unger - MVP Windows 7 is getting Embedded Wolfgang Unger Technical Support MVP for Windows Embedded Wolfgang Unger Wolfgang Unger • Windows Management Instrumentation (WMI) Providers for Write Filters • Write Filter Management Tools • Windows® Internet Explorer 9 • .NET Framework 4.0 • Silverlight 4 Wolfgang Unger Wolfgang Unger Wolfgang Unger • Windows 7 Ultimate based • Installs a pre-configured OS • Supports x86 and x64 architectures • No Windows Activation needed • Setup directly on the target device • Unattended Setup – Setup Image Manager Wolfgang Unger Windows Embedded Support Availability2026 POSReady 7 Windows Embedded Support Availability2025 Standard 7 Windows 7 Support Availability2024 for Embedded Systems Windows Embedded Support Availability2024 POSReady 2009 xp 2001 Windows Professional Support Availability for Embedded Systems Support Availability 2003 Support Availability 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 Wolfgang Unger Language Packs Bitlocker Bitlocker To Go DirectAccess AppLocker BranchCache MultiTouch TabletPC VHD Boot DISM Windows Update Speech API Wolfgang Unger more than 30 Language Packs – Latvian – Arabic – Bulgarian – Lithuanian – Chinese (traditional) – Polish – Chinese (simplified) – Portuguese (Brasilian) – Croatian – Portuguese (Portugal) – Czech – Romanian – Danish – Dutch – Russian – Estonian – Swedish – Finish – Serbian – French – Slovak – German – Slovenian
    [Show full text]
  • Module 05 Understanding Storage Media and File System
    Understanding Storage Media MODULE 5 Page 1 of 29 Contents 5.1 LEARNING OBJECTIVES ...................................................................................................................... 3 5.2 Hard Disk Drive .................................................................................................................................. 3 5.2.1 Working of HDD .......................................................................................................................... 3 5.2.2 Interface ..................................................................................................................................... 5 5.3 Details of Internal structure of HDD .................................................................................................. 7 5.3.1 Low-Level Formatting ................................................................................................................. 7 5.3.2 High-level formatting ................................................................................................................. 9 5.3.3 Glossary of some important terms ........................................................................................... 10 5.3.3.1 Slack space ......................................................................................................................... 10 5.3.3.2 Lost Cluster ........................................................................................................................ 10 5.3.3.3 Bad Sector.........................................................................................................................
    [Show full text]
  • XC™ Series Boot Troubleshooting Guide (CLE 6.0.UP01) Contents
    XC™ Series Boot Troubleshooting Guide (CLE 6.0.UP01) Contents Contents About the XC™ Series Boot Troubleshooting Guide.................................................................................................5 Introduction to Troubleshooting a Boot of an XC™ Series System...........................................................................8 SMW and CLE Hardware Configuration and Cabling Concepts................................................................................9 SMW Daemons, Processes, and Logs....................................................................................................................13 Daemons on a Stand-alone SMW.................................................................................................................13 Daemons on an SMW HA System................................................................................................................17 SMW Log File Locations................................................................................................................................19 Time Synchronization Among XC™ Series System Components.................................................................21 Anatomy of an XC System Boot with xtbootsys.......................................................................................................25 The Booting Process from the CLE Node View.......................................................................................................40 Booting with PXE Boot for Boot and SDB Nodes..........................................................................................41
    [Show full text]
  • Bootmanager BOOTMENU Manual
    Bootmanager BOOTMENU Manual Copyright © 1997-1998 by Ingenieurbüro Hoyer http://www.bootmenu.com/ 1 Overview 1.1 Contents 1 Overview..................................................................................................................................................................... 2 1.1 Contents................................................................................................................................................................ 2 1.2 Short Overview..................................................................................................................................................... 4 1.3 System Requirements ........................................................................................................................................... 4 1.4 How it works ........................................................................................................................................................ 5 1.4.1 Master Boot Record ...................................................................................................................................... 5 1.4.2 Bootmanager BOOTMENU.......................................................................................................................... 6 1.4.3 Boot Images .................................................................................................................................................. 6 1.5 Security Features .................................................................................................................................................
    [Show full text]
  • XC™ Series Boot Troubleshooting Guide
    XC™ Series Boot Troubleshooting Guide (CLE 6.0.UP07) S-2565 Contents Contents 1 About the XC™ Series Boot Troubleshooting Guide..............................................................................................5 2 Introduction to Troubleshooting a Boot of an XC™ Series System........................................................................ 8 2.1 An Overview of the Boot Process..............................................................................................................8 3 SMW and CLE Hardware Configuration and Cabling Concepts...........................................................................11 4 SMW Daemons, Processes, and Logs................................................................................................................. 15 4.1 Daemons on a Stand-alone SMW........................................................................................................... 15 4.2 Daemons on an SMW HA System.......................................................................................................... 19 4.3 SMW Log File Locations..........................................................................................................................22 4.4 Time Synchronization Among XC™ Series System Components...........................................................23 5 Use the Bootlog Profiler Tool to Analyze Boot Events.......................................................................................... 29 6 About Cray Scalable Services.............................................................................................................................
    [Show full text]
  • Multibooters - Cloning Vista
    Multibooters - Cloning Vista http://www.multibooters.co.uk/cloning.html Home Multibooters - Dual/Multi Booting With Vista Cloning Vista Possible partition issues - Preparing the BCD. Curing drive letter allocation problems. Fix the BCD while working from another OS or the Vista DVD. Hibernation issues - Backup the BCD - Whole drive cloning. Cloning Vista is similar enough to previous versions of the NT operating system that many cloning tools that worked with 2K/XP/2K3 can be used for Vista. The problems arise mostly from the new Vista boot files bootmgr and BCD, the way they use the Disk Signature, and the new Vista partitioning rules. If these factors are taken into account and adjusted for then many current cloning or imaging tools are perfectly capable of working with Vista. Of course most cannot be installed inside Vista, but they can be run from another OS or boot disk. Third party vendors of such tools are releasing Vista compatible versions, but some still have issues that have not been fully addressed. Cloning any WinNT OS requires adherence to certain rules to get a clean booting and independent clone that is not in some way cross-linked with the parent install. When using the Microsoft bootmanager with its reliance on separate system and boot partitions and non-default drive letters there are extra variables that can make successful cloning more tricky. I have tried to provide some information relevant to the MS bootmanager, but please be aware that the information here is mainly aimed at systems where the Windows installs are independent with all their boot files on there own partition and see themselves as the C: drive and their partition as both system and boot.
    [Show full text]
  • EFI Commands
    drvcfg [-c] [-lXXX] [-f] [-v] [-s] [driverhandle [devicehandle [childhandle]]] . EFI Commands Use drvcfg to display available controllers Then use “drvcfg -s drv# ctrl#” to start ROM High-End & Mid-Range Integrity Server (Shell scripting commands have been omitted) Config menu from IO card. Hit “esc” key to exit (can take while to respond). Command Summary Trifold Boot Commands drvdiag [-c] [-lXXX] [-s] [-e] [-m] [driverhandle [devicehandle [childhandle]]- HPUX> Bootloader Commands Runs diags on controllers Output is similar to devtree. autoboot [on|off] | [time [value]] time = 2 - 65535 seconds. Normal Boot: fsx:> hpux.efi ie, go to file system where hpux boot loader hpux.efi is guid [-b] - Displays “Guid” info. “Global Universal ID’s” (See “guid help”) bcfg boot [dump [-v]] | [add # file “desc”] | [rm#] | [mv # #] “bcfg boot dump” then “bcfg located and run this executable.. You must interrupt the automatic boot to get to the Displays mac address of Core Lan boot mv ori new” | “bcfg boot add” or use “boot maintenance mgr.” Type Shell> exit to get lanaddress ‘HPUX >’ prompt before running any other boot method from the the commands below: to boot maintenance mgr menu (see recovering lost boot options). load [-nc] file [file...] - Loads and EFI driver Boot kernel] Boot hpux kernel. hpux vmunix.prev is now “backup” boottest [on|off] | [[test] [on | off] early_cpu, late_cpu, platform, chipset, io_hw, mem_init, map [-r | -v | -d [sname] [handle] [-b] - Displays/defines a mapping between a name help [-d] Show help. “-d” shows debug commands mem_test In hpux use “setboot -v” or setboot -T to change settings. and a device handle.
    [Show full text]
  • Opsi Version 4.0.5 Release Notes
    opsi Version 4.0.5 Release Notes uib gmbh Bonifaziusplatz 1b 55118 Mainz Tel.:+49 6131 275610 www.uib.de Stand: 14. November 2014 [email protected] opsi Version 4.0.5 Release Notes i Inhaltsverzeichnis 1 Copyright 1 2 Übersicht der Neuerungen 2 3 Known Bugs / Known Problems5 4 Samba 4 6 5 Abkündigung 7 5.1 Abkündigung: Windows Versionen......................................7 5.2 Abkündigung: opsi Produkte.........................................7 5.3 Abkündigung der Python 2.5 Unterstützung.................................7 6 Hinweise zur Installation 8 6.1 Hinweise zur Aktualisierung der opsi server vm Version 4.0.4.......................8 6.2 Hinweise zur Aktualisierung unter RHEL / CentOS.............................8 6.3 Hinweise zum Aktualisieren von opsi-Paketen................................9 6.4 Hinweise zum Aktualisieren der Java-Runtime-Umgebung.........................9 7 opsi-configed 4.0.5. 10 7.1 Auswahl der Depot-Server........................................... 10 7.2 Client-Erreichbarkeit.............................................. 10 7.3 Fehlgeschlagene Aktionen........................................... 11 7.4 Produkt-Defaultproperties........................................... 11 8 opsi-linux-bootimage 13 8.1 Fallback für byAudit.............................................. 13 9 opsi Linux Support 14 9.1 Vorbedingungen für den opsi Linux Support................................. 14 9.2 Einführung................................................... 14 9.3 Linux Netboot Produkte...........................................
    [Show full text]