Hi Chris,
> On 06/22/2016 02:10 PM, Rusty Bird wrote:
>> Hi Marcin,
>>
>>> How would Anti Evil Maid detect BIOS/hardware modifications
>>> without sealing to PCR 0-3? By default it seals only to PCR
>>> 13,17,18,19.
>> PCRs 17-19 come from tboot, which uses Intel TXT to protect BIOS
>> etc.
> Based on what I've seen from BIOS updates not triggering AEM, I
> think this is a valid concern. It should at least be explained.
I'm out of my depth here -- maybe Joanna can provide an authoritative
response? -- but AFAIK a more correct phrasing would have been that
TXT is supposed to protect *from* the BIOS, i.e. to sanitize the early
boot state so as to remove the BIOS from the TCB. Which ITL have shown
it fails to really do; a malicious BIOS can circumvent AEM no matter if
the old approach (TrustedGRUB) or the new approach (TXT) is used. But
this might explain why a legit BIOS update does not necessarily change
the PCR measurements?
Rusty
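The practical question in this thread is which PCRs a firmware update moves and whether the set AEM seals to would notice. The script below is an added example (not Qubes or AEM code) that models the extend chain in a simplified way and includes a parser for the Linux TPM 1.2 sysfs "PCR-NN: XX XX ..." dump so the same check can be run on real before/after captures. The mapping of what is measured into which PCR is an assumption for illustration: firmware into PCR 0 and option ROMs into PCR 2 (the static root of trust), the TXT launch into 17/18 and the kernel into 19 (tboot), AEM's own boot-file measurement into 13; PCRs 1 and 3 are left untouched, and the TXT PCR reset is reduced to zeroing 17-22. All sample measurements are constructed.

```python
"""Which AEM sealing policy does a BIOS update break?  Added example.

Models TPM 1.2 PCR extends for a simplified measured boot and checks a
sealing policy (a set of PCR indices) against a before/after PCR state.
Not Qubes/AEM code; PCR-to-measurement mapping is a labelled assumption.
"""
import hashlib
import re
from typing import Dict, Set

# Default sealing set quoted in the thread, and the SRTM set asked about.
AEM_DEFAULT_PCRS: Set[int] = {13, 17, 18, 19}
SRTM_PCRS: Set[int] = {0, 1, 2, 3}

# One line of the Linux TPM 1.2 sysfs 'pcrs' attribute: "PCR-00: AB CD ... "
PCR_LINE = re.compile(r"^PCR-(\d{2}):((?:\s+[0-9A-Fa-f]{2}){20})\s*$")


def digest(obj: bytes) -> bytes:
    """SHA-1 of the measured object (TPM 1.2 PCRs are SHA-1 sized)."""
    return hashlib.sha1(obj).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend semantics: PCR' = SHA1(PCR || measurement_digest)."""
    assert len(pcr) == 20 and len(measurement) == 20
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(firmware: bytes = b"bios-1.0",
                  option_roms: bytes = b"oprom-set",
                  sinit: bytes = b"sinit-acm",
                  tboot: bytes = b"tboot",
                  kernel: bytes = b"vmlinuz",
                  aem_files: bytes = b"aem-boot-files") -> Dict[int, bytes]:
    """Simplified measured boot producing a 24-PCR state.

    Assumed mapping (illustrative, not a specification of AEM or tboot):
      PCR 0  firmware code      (static root of trust, pre-TXT)
      PCR 2  option ROMs        (static root of trust, pre-TXT)
      PCR 17 SINIT ACM, PCR 18 tboot (TXT dynamic launch)
      PCR 19 kernel measured by tboot
      PCR 13 AEM's own measurement of its boot files
    PCRs 1 and 3 are not extended in this model.
    """
    pcr = {i: bytes(20) for i in range(24)}
    pcr[0] = extend(pcr[0], digest(firmware))
    pcr[2] = extend(pcr[2], digest(option_roms))
    for i in range(17, 23):          # TXT resets the DRTM PCRs at launch
        pcr[i] = bytes(20)
    pcr[17] = extend(pcr[17], digest(sinit))
    pcr[18] = extend(pcr[18], digest(tboot))
    pcr[19] = extend(pcr[19], digest(kernel))
    pcr[13] = extend(pcr[13], digest(aem_files))
    return pcr


def format_pcrs(pcr: Dict[int, bytes]) -> str:
    """Render a state in the sysfs 'pcrs' text format (for round-trip tests)."""
    return "".join("PCR-%02d: %s \n" % (i, " ".join("%02X" % b for b in pcr[i]))
                   for i in sorted(pcr))


def parse_pcrs(dump: str) -> Dict[int, bytes]:
    """Parse a sysfs 'pcrs' dump captured before/after a firmware update."""
    pcrs: Dict[int, bytes] = {}
    for line in dump.splitlines():
        m = PCR_LINE.match(line.strip())
        if m:
            pcrs[int(m.group(1))] = bytes.fromhex(m.group(2).replace(" ", ""))
    return pcrs


def changed_pcrs(before: Dict[int, bytes], after: Dict[int, bytes]) -> Set[int]:
    """Indices whose value differs between two captures."""
    return {i for i in before if i in after and before[i] != after[i]}


def seal_broken(policy: Set[int], before: Dict[int, bytes],
                after: Dict[int, bytes]) -> bool:
    """True if unsealing under 'policy' would fail after the change."""
    return bool(policy & changed_pcrs(before, after))


if __name__ == "__main__":
    base = measured_boot()
    for label, after in (("BIOS update", measured_boot(firmware=b"bios-1.1")),
                         ("kernel update", measured_boot(kernel=b"vmlinuz-new"))):
        print("%s: changed PCRs %s; default AEM seal broken=%s; PCR0-3 seal broken=%s"
              % (label, sorted(changed_pcrs(base, after)),
                 seal_broken(AEM_DEFAULT_PCRS, base, after),
                 seal_broken(SRTM_PCRS, base, after)))
```

In this model a firmware change only moves PCR 0, so a secret sealed to {13,17,18,19} still unseals while one sealed to {0,1,2,3} does not, which is consistent with the observation in the thread that BIOS updates did not trigger AEM. To check a real machine, save the TPM 1.2 sysfs `pcrs` attribute (its path varies by kernel version) before and after the update and feed both captures to `parse_pcrs` and `changed_pcrs`.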