Anti Evil Maid PCRs


szymo...@gmail.com

Jun 19, 2016, 7:24:16 PM
to qubes-devel
Hi,
How would Anti Evil Maid detect BIOS/hardware modifications without sealing to PCR 0-3?
By default it seals only to PCR 13,17,18,19.
Marcin

Rusty Bird

Jun 22, 2016, 2:09:21 PM
to qubes-devel, szymo...@gmail.com
Hi Marcin,

> How would Anti Evil Maid detect BIOS/hardware modifications without
> sealing to PCR 0-3? By default it seals only to PCR 13,17,18,19.

PCRs 17-19 come from tboot, which uses Intel TXT to protect BIOS etc.

Rusty

Chris Laprise

Jun 22, 2016, 4:06:23 PM
to Rusty Bird, qubes-devel, szymo...@gmail.com


On 06/22/2016 02:10 PM, Rusty Bird wrote:
> Hi Marcin,
>
>> How would Anti Evil Maid detect BIOS/hardware modifications without
>> sealing to PCR 0-3? By default it seals only to PCR 13,17,18,19.
> PCRs 17-19 come from tboot, which uses Intel TXT to protect BIOS etc.
>
> Rusty

Based on what I've seen from BIOS updates not triggering AEM, I think
this is a valid concern. It should at least be explained.

Chris

Rusty Bird

Jun 22, 2016, 4:41:05 PM
to qubes-devel, Chris Laprise, szymo...@gmail.com, Joanna Rutkowska
Hi Chris,

> On 06/22/2016 02:10 PM, Rusty Bird wrote:

>> Hi Marcin,
>>
>>> How would Anti Evil Maid detect BIOS/hardware modifications
>>> without sealing to PCR 0-3? By default it seals only to PCR
>>> 13,17,18,19.
>> PCRs 17-19 come from tboot, which uses Intel TXT to protect BIOS
>> etc.

> Based on what I've seen from BIOS updates not triggering AEM, I
> think this is a valid concern. It should at least be explained.

I'm out of my depth here -- maybe Joanna can provide an authoritative
response? -- but AFAIK a more correct phrasing would have been that
TXT is supposed to protect *from* the BIOS, i.e. to sanitize the early
boot state so as to remove the BIOS from the TCB. Which ITL have shown
it fails to really do; a malicious BIOS can circumvent AEM no matter if
the old approach (TrustedGRUB) or the new approach (TXT) is used. But
this might explain why a legit BIOS update does not necessarily change
the PCR measurements?

Rusty
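The mechanism behind the exchange above, as an added example that is not part of the original thread or of Anti Evil Maid's, tboot's or Qubes' code: a toy TPM 1.2 PCR bank with TPM_Extend semantics, a secret "sealed" to a chosen PCR set, and two boots differing only in the BIOS image or only in the kernel. The mapping of components to PCRs (BIOS into PCR 0 per the TCG PC Client convention; SINIT, Xen and the dom0 kernel into PCRs 17-19 via tboot; AEM's own measurement into PCR 13) is a simplification, and the PCR 13 content in particular is an assumption made for illustration. The sample "firmware" strings are constructed, not real measurements.

```python
"""Toy model of TPM 1.2 PCR sealing, showing why a secret sealed only to
PCRs 13,17,18,19 cannot notice a change that is measured into PCR 0.

Added example for this thread, not code from Anti Evil Maid, tboot or Qubes.
Assumptions: PCR 0 holds the BIOS/CRTM measurement (TCG PC Client
convention); PCRs 17-19 hold the tboot/TXT dynamic-root measurements
(SINIT, MLE, modules); what AEM itself extends into PCR 13 is assumed here
purely for illustration.  Real TPM_Seal uses a TPM_PCR_COMPOSITE structure
and TPM-internal keys; here the composite is a plain SHA-1 over the selected
PCRs and the "blob" is a dict.
"""
import hashlib
from typing import Dict, Iterable, Optional

PCR_COUNT = 24
SEAL_PCRS_AEM_DEFAULT = (13, 17, 18, 19)             # default quoted in the thread
SEAL_PCRS_WITH_SRTM = (0, 1, 2, 3, 13, 17, 18, 19)   # the set Marcin asks about

Bank = Dict[int, bytes]


def new_pcr_bank() -> Bank:
    """All PCRs zero at power-on (TPM 1.2, SHA-1, 20 bytes).  Real DRTM PCRs
    17-22 start at all-ones and are reset by SENTER; that detail is ignored."""
    return {i: b"\x00" * 20 for i in range(PCR_COUNT)}


def extend(bank: Bank, idx: int, measured: bytes) -> bytes:
    """TPM_Extend: PCR[idx] = SHA1(PCR[idx] || SHA1(measured))."""
    digest = hashlib.sha1(measured).digest()
    bank[idx] = hashlib.sha1(bank[idx] + digest).digest()
    return bank[idx]


def composite(bank: Bank, pcrs: Iterable[int]) -> bytes:
    """Digest over the selected PCRs, standing in for TPM_PCR_COMPOSITE."""
    h = hashlib.sha1()
    for i in sorted(pcrs):
        h.update(bank[i])
    return h.digest()


def boot(bios: bytes, sinit: bytes, xen: bytes, kernel: bytes, aem: bytes) -> Bank:
    """One boot; each argument is the code/data that gets measured."""
    bank = new_pcr_bank()
    extend(bank, 0, bios)      # static root: BIOS measured into PCR 0
    extend(bank, 17, sinit)    # tboot/TXT: SINIT ACM -> PCR 17 (simplified)
    extend(bank, 18, xen)      # MLE (Xen) -> PCR 18
    extend(bank, 19, kernel)   # dom0 kernel/initrd -> PCR 19
    extend(bank, 13, aem)      # assumed: AEM's own measurement -> PCR 13
    return bank


def seal(bank: Bank, pcrs: Iterable[int], secret: bytes) -> dict:
    """Toy sealed blob: remembers which PCRs and which composite must match."""
    pcrs = tuple(sorted(pcrs))
    return {"pcrs": pcrs, "composite": composite(bank, pcrs), "secret": secret}


def unseal(bank: Bank, blob: dict) -> Optional[bytes]:
    """Release the secret only if the current composite matches the sealed one."""
    if composite(bank, blob["pcrs"]) != blob["composite"]:
        return None
    return blob["secret"]


# Constructed sample "firmware" and boot components, not real measurements.
GOOD = dict(bios=b"BIOS 1.0", sinit=b"SINIT ACM", xen=b"xen.gz",
            kernel=b"vmlinuz+initrd", aem=b"aem sealed text")


def change_detected(seal_pcrs: Iterable[int], **changed: bytes) -> bool:
    """Seal against a good boot, reboot with some components replaced, and
    report whether unsealing fails (i.e. whether AEM would warn)."""
    blob = seal(boot(**GOOD), seal_pcrs, b"LUKS passphrase")
    after = boot(**{**GOOD, **changed})
    return unseal(after, blob) is None


if __name__ == "__main__":
    for label, pcrs in (("AEM default 13,17,18,19", SEAL_PCRS_AEM_DEFAULT),
                        ("plus SRTM PCRs 0-3", SEAL_PCRS_WITH_SRTM)):
        print(label)
        print("  BIOS swapped   ->", change_detected(pcrs, bios=b"BIOS 1.0 + implant"))
        print("  kernel swapped ->", change_detected(pcrs, kernel=b"vmlinuz (tampered)"))
```

With the default PCR set, swapping the BIOS image leaves the composite untouched and the secret unseals; swapping the kernel changes PCR 19 and unsealing fails. Adding PCRs 0-3 makes the BIOS swap visible too, but only under the model's assumption that the BIOS honestly measures itself into PCR 0: a BIOS that controls the static root can extend whatever it likes, which is the reason the thread points to TXT as an attempt to take the BIOS out of the TCB rather than to measure it, and why a legitimate BIOS update need not disturb PCRs 17-19 at all.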

szymo...@gmail.com

Jun 24, 2016, 7:24:44 AM
to qubes-devel, tas...@openmailbox.org, szymo...@gmail.com, joa...@invisiblethingslab.com, rust...@openmailbox.org

> Hi Chris,
>
>> On 06/22/2016 02:10 PM, Rusty Bird wrote:
>
>>> Hi Marcin,
>>>
>>>> How would Anti Evil Maid detect BIOS/hardware modifications
>>>> without sealing to PCR 0-3? By default it seals only to PCR
>>>> 13,17,18,19.
>>> PCRs 17-19 come from tboot, which uses Intel TXT to protect BIOS
>>> etc.
>
>> Based on what I've seen from BIOS updates not triggering AEM, I
>> think this is a valid concern. It should at least be explained.
>
> I'm out of my depth here -- maybe Joanna can provide an authoritative
> response? -- but AFAIK a more correct phrasing would have been that
> TXT is supposed to protect *from* the BIOS, i.e. to sanitize the early
> boot state so as to remove the BIOS from the TCB. Which ITL have shown
> it fails to really do; a malicious BIOS can circumvent AEM no matter if
> the old approach (TrustedGRUB) or the new approach (TXT) is used. But
> this might explain why a legit BIOS update does not necessarily change
> the PCR measurements?
>
> Rusty

Isn't malicious BIOS a threat even if you remove BIOS from the TCB and don't use it to assure bootloader and OS integrity?
For example can't malicious BIOS capture keystrokes even if you protected your bootloader and OS with TXT?
Also note
states "AEM will inform you of any unauthorized modifications to your BIOS or boot partition".
I'm not sure AEM will indeed inform you of modifications to the BIOS, and if not, then the Security Guidelines are misleading, which is bad.

Marcin