01/28/2017 Secure Boot in OVMF and vTPM Configuration

I have generally got used to writing in English. It is more convenient, since you do not need any additional software to help you, and in most cases you need not worry about how to translate some English terminology into Chinese. Yeah, I am just looking for an excuse for my laziness....

As an important part of my undergraduate thesis, UEFI-based firmware IMA and remote attestation is supposed to be the first stage of my study. For the next phase, I am looking forward to applying machine-learning-based techniques to attack detection in firmware security.

(1) Enabling Secure Boot in OVMF

OK, we are going to resolve the problems left unresolved in the previous chapter.

// Guidance for Secure Boot in OVMF
* https://wiki.ubuntu.com/UEFI/EDK2
* $EDKII_HOME/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt

Change into the edk2 root directory, fetch the OpenSSL submodule and pin it to the revision this edk2 tree expects (Patch-HOWTO.txt names it; a newer OpenSSL than the one CryptoPkg was written against will not build):

git submodule update --init --recursive
git pull --recurse-submodules && git submodule update --recursive --remote
cd CryptoPkg/Library/OpensslLib/openssl/
git tag        # list the available versions; check out the one required
git checkout b2758a2292aceda93e9f44c219b94fe21bb9a650

Then build OVMF with SECURE_BOOT_ENABLE set to TRUE (passing -D SECURE_BOOT_ENABLE without a value defines the macro as TRUE):

build -p OvmfPkg/OvmfPkgIa32X64.dsc -t GCC5 -b RELEASE -a IA32 -a X64 -D SECURE_BOOT_ENABLE

This produces the firmware image Build/Ovmf3264/RELEASE_GCC5/FV/OVMF.fd (together with the split OVMF_CODE.fd and OVMF_VARS.fd). Note that the flag only compiles in the image-verification and authenticated-variable code: until a Platform Key is enrolled (for example through the Secure Boot Configuration form that SecureBootConfigDxe adds to the setup UI), the firmware stays in Setup Mode and still boots unsigned images.
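A quick way to confirm whether the firmware is actually enforcing anything is to look at the SecureBoot and SetupMode variables from inside a Linux guest. The following Python 3 script is an added example, not code from the original post or from the edk2 project: it reads the two variables through efivarfs (the path and the EFI_GLOBAL_VARIABLE GUID are the standard ones; the 4-byte attribute prefix is how efivarfs lays out each file) and classifies the state, so an OVMF built with SECURE_BOOT_ENABLE but no enrolled PK is reported as Setup Mode rather than as "secure".

```python
"""Classify the UEFI Secure Boot state of the firmware the guest booted from.

Added example (not part of the original post).  Reads the SecureBoot and
SetupMode variables via Linux efivarfs: each file starts with the 32-bit
variable attributes (little endian), followed by the variable data.
"""
import os
from typing import Optional, Tuple

# EFI_GLOBAL_VARIABLE GUID; SecureBoot and SetupMode live under it.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = "/sys/firmware/efi/efivars"


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivarfs file body into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar shorter than its 4-byte attribute header")
    attrs = int.from_bytes(raw[:4], "little")
    return attrs, raw[4:]


def classify(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> str:
    """Map the raw SecureBoot/SetupMode variables to a human-readable state.

    UEFI semantics: SetupMode == 1 means no Platform Key is enrolled, so
    signature checks are not performed regardless of what SecureBoot says.
    """
    if secure_boot is None or setup_mode is None:
        return ("no Secure Boot variables: firmware built without "
                "SECURE_BOOT_ENABLE, or the OS was not booted via UEFI")
    sb = parse_efivar(secure_boot)[1]
    sm = parse_efivar(setup_mode)[1]
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot and SetupMode are 1-byte variables")
    if sm[0] == 1:
        return "setup mode: no PK enrolled, image signatures NOT enforced"
    if sb[0] == 1:
        return "user mode: Secure Boot enforcing"
    return "user mode: PK enrolled but Secure Boot disabled"


def read_var(name: str) -> Optional[bytes]:
    """Read a global-namespace variable from efivarfs, None if it is absent."""
    path = os.path.join(EFIVARS, f"{name}-{EFI_GLOBAL_VARIABLE}")
    try:
        with open(path, "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(classify(read_var("SecureBoot"), read_var("SetupMode")))
```

Run it as root inside the guest after booting with the freshly built OVMF; the "setup mode" line is what you should expect to see until keys are enrolled.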

(2) Install Software TPM and enable vTPM Support

If we simply run OVMF without passing a TPM device to QEMU, the TPM test application prints:

[Figure: Running UEFI Application in Shell]

It still cannot find EFI_TCG_PROTOCOL, i.e. the firmware offers no TPM support. The relevant parts of the OVMF DSC file:

!if $(SECURE_BOOT_ENABLE) == TRUE
  PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
  TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
  AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
!else
  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
  AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
!endif
  VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf

------------------------------------------------------

!if $(SECURE_BOOT_ENABLE) == TRUE
  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
    <LibraryClasses>
      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
  }
!else
  MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
!endif

---------------------------------------------------

!if $(SECURE_BOOT_ENABLE) == TRUE
  SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
!endif

I have a TPM 2.0 chip on my host machine, but VirtualBox might not be able to virtualize it.
Also see an interesting software suite named Vagrant:

Difference between Docker and Vagrant: https://www.zhihu.com/question/32324376

It is a suite based on virtualization techniques that configures the development environment (while Docker configures the execution environment).

OK. Now we install a vTPM in Ubuntu 16.04 LTS running in VirtualBox.

  • Install libtpms
cd libtpms
./bootstrap.sh
./configure --prefix=/usr --with-openssl    # OpenSSL as the crypto backend
make
sudo make install                           # installs under /usr, so root is needed
  • Install swtpm
cd swtpm
./bootstrap.sh
./configure --prefix=/usr --with-openssl
make
make check
sudo make install
sudo cp /usr/etc/swtpm_setup.conf /etc/swtpm_setup.conf
  • Start up the vTPM
sudo modprobe cuse                          # swtpm_cuse needs the CUSE kernel module
mkdir /tmp/myvtpm0
sudo chown -R tss:root /tmp/myvtpm0         # swtpm_setup runs as user tss
sudo swtpm_setup --tpm-state /tmp/myvtpm0 --createek

Then we get output like:

Starting vTPM manufacturing as tss:tss @ Sunday, 28 January 2018, 12:43:46
TPM is listening on TCP port 48173.
Successfully created EK.
Successfully authored TPM state.
Ending vTPM manufacturing @ Sunday, 28 January 2018, 12:43:47

swtpm is comparable to the TPM emulator published by the TCG, in that an application can talk to the TPM in socket mode over a TCP port. The port printed above belongs to the temporary swtpm instance that swtpm_setup starts in order to manufacture the state (create the EK); it is gone once manufacturing ends.

  • Map the TPM to /dev/vtpm0
sudo env TPM_PATH=/tmp/myvtpm0/ swtpm_cuse -n vtpm0

After the steps above, the character device /dev/vtpm0 exists and can be handed to QEMU.

(3) Run QEMU with TPM Support

Note that the QEMU installed by running "sudo apt-get install qemu" has no cuse-tpm backend and therefore cannot use /dev/vtpm0; build the patched QEMU-TPM tree instead:

// use the QEMU-TPM version
git clone https://github.com/Hecmay/vtpm-support.git
cd vtpm-support/qemu-tpm
./configure --enable-kvm --enable-tpm --enable-sdl
make
sudo make install

Then run QEMU with the freshly built firmware and the vTPM attached (access to /dev/vtpm0 needs root, hence the sudo in the later commands):

qemu-system-x86_64 -display sdl -m 1024 \
-boot c -bios Build/Ovmf3264/RELEASE_GCC5/FV/OVMF.fd \
-boot menu=on -tpmdev cuse-tpm,id=tpm0,path=/dev/vtpm0 \
-device tpm-tis,tpmdev=tpm0 Build/test.img

Passing the firmware with -bios keeps the UEFI variable store in RAM only, so anything written to NVRAM (enrolled Secure Boot keys, boot entries) is lost at the next reboot; to make it persistent, load OVMF_CODE.fd and OVMF_VARS.fd as two pflash drives instead.
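Before blaming the firmware, it helps to prove that the emulated TPM itself answers commands. The post reaches swtpm through the CUSE device; the following Python 3 script is an added example (not from the original post, nor from the swtpm or QEMU projects) that instead assumes swtpm was started in socket mode, which is also what upstream QEMU's "-tpmdev emulator" backend talks to, for example with

swtpm socket --tpmstate dir=/tmp/myvtpm0 --server type=tcp,port=2321,bindaddr=127.0.0.1 --ctrl type=tcp,port=2322,bindaddr=127.0.0.1 --flags not-need-init,startup-clear

(add --tpm2 for a TPM 2.0 state). The data channel carries raw TPM command and response blobs. The script encodes GetRandom in both the TPM 1.2 and the TPM 2.0 wire format and decodes the reply by its tag, because EFI_TCG_PROTOCOL in the post is the 1.2 interface while a 2.0 stack exposes EFI_TCG2_PROTOCOL, and a version mismatch between vTPM state and firmware driver is easy to miss. Host, port and the command line above are assumptions.

```python
"""Send GetRandom to a software TPM over its socket data channel.

Added example (not part of the original post).  Assumes swtpm in socket mode
listening on 127.0.0.1:2321 (see the lead-in); the wire formats are the ones
from the TPM 1.2 and TPM 2.0 specifications, all fields big endian.
"""
import socket
import struct
from typing import Tuple

# TPM 1.2 (TPM Main, Part 2: Structures)
TPM_TAG_RQU_COMMAND = 0x00C1
TPM_TAG_RSP_COMMAND = 0x00C4
TPM_ORD_GetRandom = 0x00000046
# TPM 2.0 (TPM 2.0 Library, Part 2: Structures)
TPM_ST_NO_SESSIONS = 0x8001
TPM_CC_GetRandom = 0x0000017B
HEADER_LEN = 10  # tag(2) + size(4) + ordinal/command code or return code(4)


def build_getrandom(nbytes: int, tpm2: bool) -> bytes:
    """Encode a GetRandom command for a TPM 1.2 (UINT32 count) or 2.0 (UINT16 count)."""
    if tpm2:
        body = struct.pack(">H", nbytes)
        tag, code = TPM_ST_NO_SESSIONS, TPM_CC_GetRandom
    else:
        body = struct.pack(">I", nbytes)
        tag, code = TPM_TAG_RQU_COMMAND, TPM_ORD_GetRandom
    return struct.pack(">HII", tag, HEADER_LEN + len(body), code) + body


def parse_getrandom(rsp: bytes) -> Tuple[int, bytes]:
    """Decode a GetRandom response into (return_code, random_bytes).

    The response tag reveals which TPM family answered, so the caller need
    not know it in advance.  On a non-zero return code no payload follows.
    """
    if len(rsp) < HEADER_LEN:
        raise ValueError("short TPM response header")
    tag, size, rc = struct.unpack(">HII", rsp[:HEADER_LEN])
    if size != len(rsp):
        raise ValueError(f"size field {size} != {len(rsp)} bytes received")
    if rc != 0:
        return rc, b""
    if tag == TPM_ST_NO_SESSIONS:        # TPM 2.0: TPM2B_DIGEST (UINT16 size + bytes)
        (n,) = struct.unpack(">H", rsp[10:12])
        data = rsp[12:12 + n]
    elif tag == TPM_TAG_RSP_COMMAND:     # TPM 1.2: UINT32 randomBytesSize + bytes
        (n,) = struct.unpack(">I", rsp[10:14])
        data = rsp[14:14 + n]
    else:
        raise ValueError(f"unexpected response tag {tag:#06x}")
    if len(data) != n:
        raise ValueError("truncated random-bytes payload")
    return rc, data


def recv_response(sock: socket.socket) -> bytes:
    """Read exactly one response: the header, then as many bytes as its size field says."""
    buf = b""
    while len(buf) < HEADER_LEN:
        chunk = sock.recv(HEADER_LEN - len(buf))
        if not chunk:
            raise ConnectionError("TPM closed the connection")
        buf += chunk
    total = struct.unpack(">I", buf[2:6])[0]
    while len(buf) < total:
        chunk = sock.recv(total - len(buf))
        if not chunk:
            raise ConnectionError("TPM closed the connection mid-response")
        buf += chunk
    return buf


def get_random(host: str, port: int, nbytes: int, tpm2: bool) -> bytes:
    """Round-trip one GetRandom against a live swtpm socket; raises on TPM error."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_getrandom(nbytes, tpm2))
        rc, data = parse_getrandom(recv_response(s))
    if rc != 0:
        raise RuntimeError(f"GetRandom failed, TPM return code {rc:#010x}")
    return data


if __name__ == "__main__":
    # Assumed endpoint; use tpm2=True if swtpm was started with --tpm2.
    print(get_random("127.0.0.1", 2321, 16, tpm2=False).hex())
```

If the TPM 2.0 variant answers with return code 0x100 (TPM_RC_INITIALIZE), the emulator is alive but nobody issued TPM2_Startup yet, which is what the startup-clear flag above takes care of.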

(4) Further Modification with OVMF.dsc

Unfortunately the TPM application still cannot locate EFI_TCG_PROTOCOL. Follow the steps at:

https://github.com/tianocore/tianocore.github.io/wiki/How-to-Enable-Security#Enabling_Trusted_Compute_Module_TPM

Some tips from the debugging process:

  • The INF file of a module specifies its MODULE_TYPE (e.g. PEIM), and every library the module needs must be resolved in the matching section of the package DSC file ([LibraryClasses.common.PEIM] for a PEIM, or the arch-specific variant).
  • Make sure that a library class used in different phases is bound to a different instance for each phase, one for PEI and one for DXE (otherwise the build fails with "error 1001 not supported").
  • The modifications mainly concern [Components] and [LibraryClasses.common] of OVMF.dsc (including the libraries Tpm12CommandLib/Tpm12DeviceLib/Tpm12CommLib, etc.).

After building an OVMF with the TPM driver built in, the Shell still cannot locate EFI_TCG_PROTOCOL. (EFI_TCG_PROTOCOL is the TPM 1.2 interface; a TPM 2.0 firmware stack publishes EFI_TCG2_PROTOCOL instead, so the protocol the test application searches for has to match the TPM version of the emulated device and of the driver built into OVMF.)

(5) Whether a GRUB2 Boot Loader is compulsory

I noticed that the Boot Manager is a built-in component of TianoCore whose functionality resembles that of a common boot loader. So if we want to load an OS, do we still need to add an additional bootloader.efi to load it?

Let us have a try:

sudo ../vtpm-support/qemu-tpm/x86_64-softmmu/qemu-system-x86_64 -display sdl \
-cdrom /home/hecmay/Downloads/ubuntu-16.04.3-server-amd64.iso  -m 1024 \
-boot c -bios Build/Ovmf3264/RELEASE_GCC5/FV/OVMF.fd -boot menu=on -tpmdev \
cuse-tpm,id=tpm0,path=/dev/vtpm0 -device tpm-tis,tpmdev=tpm0 Build/server.img

It seems that the Boot Manager can load the Ubuntu Server ISO from the CD-ROM, and once the ISO is loaded, the GRUB built into the Ubuntu image appears.

[Figure: Built-in GRUB of Ubuntu Server]

But Ubuntu will also install a GRUB boot loader afterwards. This GRUB is the one installed on the hard disk image rather than the one built into the original Ubuntu ISO.


[Figure: installation of GRUB]

After installing and logging into Ubuntu Server (with the basic LAMP stack), we can see that the TPM device is actually present in the guest, so the remaining problem lies in the OVMF configuration.

[Figure: /dev/tpm0]
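Seeing /dev/tpm0 in the guest only proves that the TIS device is wired up; it says nothing about whether the firmware measured anything into it, which is what firmware IMA and remote attestation ultimately depend on. The following Python 3 script is an added example, not code from the original post or from any of the projects mentioned: it parses the TCG 1.2 event log that the Linux kernel exposes at /sys/kernel/security/tpm0/binary_bios_measurements (the format OVMF's EFI_TCG_PROTOCOL would produce: PCRIndex, EventType, SHA-1 digest, EventSize, event data, all little endian) and replays the PCR extend chain, so a log that is missing or empty, or PCR values that do not reproduce from it, stand out immediately. SAMPLE_LOG is constructed for the example, not captured from a real boot.

```python
"""Parse a TCG 1.2 firmware event log and replay the SHA-1 PCR extends.

Added example (not part of the original post).  The on-disk format is the
TCG_PCClientPCREventStruct: PCRIndex(4) EventType(4) digest(20) EventSize(4)
Event(EventSize), little endian.  SAMPLE_LOG below is constructed test data.
"""
import hashlib
import os
import struct
from typing import Dict, List, NamedTuple

EV_NO_ACTION = 0x00000003                 # informational, never extended
EV_SEPARATOR = 0x00000004
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001

EVENT_LOG_PATH = "/sys/kernel/security/tpm0/binary_bios_measurements"
HEADER = struct.Struct("<II20sI")
PCR_RESET = b"\x00" * 20


class Event(NamedTuple):
    pcr_index: int
    event_type: int
    digest: bytes     # SHA-1, 20 bytes
    data: bytes


def parse_event_log(blob: bytes) -> List[Event]:
    """Walk the log; raise ValueError on a truncated header or payload."""
    events: List[Event] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated event header at offset {off}")
        pcr, etype, digest, size = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if len(blob) - off < size:
            raise ValueError(f"event data runs past end of log at offset {off}")
        events.append(Event(pcr, etype, digest, blob[off:off + size]))
        off += size
    return events


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_event_log(blob)
        return True
    except ValueError:
        return False


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 PCR extend: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def replay(events: List[Event]) -> Dict[int, bytes]:
    """Recompute every touched PCR from the log; compare with the live PCRs."""
    pcrs: Dict[int, bytes] = {}
    for ev in events:
        if ev.event_type == EV_NO_ACTION:
            continue
        pcrs[ev.pcr_index] = extend(pcrs.get(ev.pcr_index, PCR_RESET), ev.digest)
    return pcrs


def make_event(pcr: int, etype: int, data: bytes) -> bytes:
    """Build one constructed log entry whose digest is SHA-1 of its data."""
    return HEADER.pack(pcr, etype, hashlib.sha1(data).digest(), len(data)) + data


# Constructed sample: a SecureBoot variable measurement and two separators.
SAMPLE_LOG = (
    make_event(7, EV_EFI_VARIABLE_DRIVER_CONFIG, b"SecureBoot")
    + make_event(0, EV_SEPARATOR, b"\x00\x00\x00\x00")
    + make_event(7, EV_SEPARATOR, b"\x00\x00\x00\x00")
)


if __name__ == "__main__":
    if not os.path.exists(EVENT_LOG_PATH):
        print("no firmware event log: the firmware published no TCG protocol")
        blob = SAMPLE_LOG
    else:
        with open(EVENT_LOG_PATH, "rb") as f:
            blob = f.read()
        if not blob:
            print("empty event log: nothing was measured during boot")
    for idx, value in sorted(replay(parse_event_log(blob)).items()):
        print(f"PCR[{idx:2}] = {value.hex()}")
```

Compare the replayed values against the PCRs the TPM reports (for a TPM 1.2 guest, /sys/class/tpm/tpm0/device/pcrs); a mismatch means the log and the TPM disagree about what was booted, and that is the discrepancy a remote verifier must treat as a failed attestation.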

links might be helpful:
