如何将正在运行的应用程序扩展到PCR?
如何将正在运行的应用程序扩展到PCR?可以使用哪种PCR?
How to extend the running application into PCR? and Which PCR can be used for it?
我假设您的意思是PC平台上的TPM版本1.2,所以您会感兴趣以下规范文档:
I assume you mean a TPM version 1.2 on a PC platform, so the following specification documents are of interest for you:
- TPM Main Part 2 TPM Structures
- TCG PC Client Specific TPM Interface Specification (TIS)
现在您的问题是
-
如何将正在运行的应用程序扩展到PCR?"
"How to extend the running application into PCR?"
您需要一些用于识别"正在运行的应用程序"(= 措施)的软件
并向TPM发出TPM_Extend
命令.通常,这是通过TSS完成的,但是
您也可以使用自己编写的程序来执行此操作,TPM_Extend
命令不是
复杂.
You need some piece of software that identifies "the running application" (=measure)
and issue a TPM_Extend
command to the TPM. Usually this is done through a TSS, but
you can also do that with a self written program, the TPM_Extend
command is not that
complex.
识别表示在大多数情况下计算SHA-1哈希,但是TPM不在乎.这 您提供的数据的说明是:
Identifying means calculating a SHA-1 hash in most cases, but the TPM does not care. The description of the data you provide is:
The 160 bit value representing the event to be recorded.
可以使用哪种PCR?"
"Which PCR can be used for it?"
这取决于您的实际环境.通过位置控制对PCR的访问. 下表显示了可以在哪个位置扩展哪个PCR:
This depends on your actual environment. Access to PCRs are controlled by localities. Here is a table showing which PCR can be extended in which locality:
PCR Alias (description) Extendable in localities
-----------------------------------------------------------------
0-15 Static RTM 4,3,2,1,0
16 Debug 4,3,2,1,0
17 Locality 4 4,3,2
18 Locality 3 4,3,2
19 Locality 2 3,2
20 Locality 1 3,2,1
21 Dynamic OS controlled 2
22 Dynamic OS controlled 2
23 Application Specific 4,3,2,1,0
您所处的位置取决于您的环境.如果您在Linux用户空间中, 例如,您的地区为0.
Which locality you are in depends on your environment. If you are in a Linux userspace, for exmaple, you have locality 0.
如果您要设计一个受信任的体系结构,则还必须考虑PCR的方式 可以重置(在哪个位置).
If you are designing a trusted architecture you will also have to consider how the PCRs can be reset (in which localities).
TCG PC客户端特定的TPM接口中描述了位置. 规范(TIS) :
The localities are described in TCG PC Client Specific TPM Interface Specification (TIS):
-
位置4:受信任的硬件组件. D-CRTM使用它来建立 动态RTM.
Locality 4: Trusted hardware component. This is used by the D-CRTM to establish the Dynamic RTM.
位置3:辅助组件.使用此为可选,如果使用,则为 取决于实现.
Locality 3: Auxiliary components. Use of this is optional and, if used, it is implementation dependent.
位置2:动态启动的OS(动态OS)运行时"环境.
Locality 2: Dynamically Launched OS (Dynamic OS) "runtime" environment.
位置1:动态OS使用的环境.
Locality 1: An environment for use by the Dynamic OS.
位置0:静态RTM,其信任链和环境.
Locality 0: The Static RTM, its chain of trust and its environment.