PCR0 measurements tool #302

Open
xaionaro opened this issue Jan 29, 2020 · 5 comments

Comments

@xaionaro
Member

xaionaro commented Jan 29, 2020

Hello.

I'm thinking about trying to implement two tools:

  • A tool to calculate the expected PCR0 value of a binary.
  • A tool to compare measurements between two binaries (to explain which bits cause the difference).

And it seems right to me to implement them as part of this project, "fiano". I suppose these tools should be implemented as:

  • github.com/linuxboot/fiano/cmds/pcr0sum
  • and github.com/linuxboot/fiano/cmds/pcr0diff

So the question is: would you agree to merge such code into "fiano" (after code review and fixes, of course)? :)

@insomniacslk
Collaborator

CC @zaolin , don't we have something like that already?

@zaolin
Contributor

zaolin commented Apr 6, 2020

It's already done by the go-attestation attest tooling and my 9elements/tpmtool.

@xaionaro
Member Author

xaionaro commented Apr 6, 2020

@zaolin:

9elements/tpmtool is a very interesting tool, thank you for pointing this out.
Could you please give some advice on how to calculate the PCR0 value of a firmware binary? Sorry if I explained myself unclearly above, but we need to predict/calculate the PCR0 value which a firmware would produce if it booted on a real system.

@zaolin
Contributor

zaolin commented Apr 7, 2020

@xaionaro PCR0 is tricky because of technologies like Intel Boot Guard / TXT. The easiest way would be to write a FIT, Boot Guard Manifest and Key Manifest parser for the firmware image. We didn't implement it yet. If you are interested in consulting services, let us know (9esec.io). Otherwise, feel free to look into the slimbootloader repository in order to understand the Boot Guard and FIT data structures.

Keep in mind that it might not be enough. There is some effort by Matthew Garrett, but it's not ready yet. https://github.com/google/go-attestation/pull/108/files
I hope that helps.

@xaionaro
Member Author

xaionaro commented Apr 8, 2020

> Otherwise, feel free to look into the slimbootloader repository in order to understand the Boot Guard and FIT data structures.

We've managed to create a proof of concept, but still thank you -- it may be useful.
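
For readers following the thread, an added sketch (not code from fiano, tpmtool or anyone in this discussion) of the two ideas in the original request: replaying the TPM extend rule to predict a PCR value, and locating the first measurement that differs between two images. It assumes a SHA-256 PCR bank and an all-zero initial PCR0 value; the region names and contents are constructed, and which regions a real platform measures depends on Boot Guard / TXT as noted above.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Measurement is one firmware region hashed into PCR0 (names are hypothetical).
type Measurement struct {
	Name string
	Data []byte
}

// Extend applies the TPM extend rule: new = SHA256(old || SHA256(data)).
func Extend(pcr [32]byte, data []byte) [32]byte {
	d := sha256.Sum256(data)
	return sha256.Sum256(append(pcr[:], d[:]...))
}

// Replay folds the measurements, in order, into a PCR starting at init.
func Replay(init [32]byte, ms []Measurement) [32]byte {
	for _, m := range ms {
		init = Extend(init, m.Data)
	}
	return init
}

// FirstDiff returns the index of the first differing measurement, or -1.
func FirstDiff(a, b []Measurement) int {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		if a[i].Name != b[i].Name || !bytes.Equal(a[i].Data, b[i].Data) {
			return i
		}
	}
	if len(a) != len(b) {
		return n // one sequence has extra trailing measurements
	}
	return -1
}

func main() {
	var zero [32]byte // assumed initial PCR0 value; platform dependent
	// Constructed sample inputs standing in for two firmware images.
	a := []Measurement{{"regionA", []byte("A")}, {"regionB", []byte("v1")}}
	b := []Measurement{{"regionA", []byte("A")}, {"regionB", []byte("v2")}}
	fmt.Printf("PCR0(a)=%x\nPCR0(b)=%x\n", Replay(zero, a), Replay(zero, b))
	fmt.Println("first differing measurement index:", FirstDiff(a, b))
}
```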
