OSLO - Open Secure LOader

Bernhard Kauer _kauer@tudos.org_

Introduction
############

OSLO, the Open Secure Loader, is a boot loader which uses the _skinit_
instruction for authenticated booting. With around 1000 lines of code and a
binary on the order of 4k, auditing, bug fixing and, in the end, trusting OSLO
should be possible.

Prerequisites
=============

To use OSLO a PC platform supporting _skinit_ is needed. There must be a
processor supporting the _skinit_ instruction, a v1.2 TPM [TPM] and a chipset
which provides memory protection for the secure loader.

The _skinit_ instruction is available on newer AMD64 processors [AMD] and is
used to create a dynamic root of trust for measurement. It is a replacement for
the static root of trust provided by the BIOS and the subsequent secure boot
loaders which are used on machines not supporting skinit.

Functionality
=============

OSLO is started as a kernel from a multiboot compliant [MBI] loader. It
initializes the TPM, calls skinit, hashes [SHA] every module it gets from the
parent boot loader and starts the first module as the new kernel in the
multiboot way.

Minimal
=======

Since OSLO is the root of trust of the secure system it is minimized as far as
possible. Therefore it contains no code to load images from the network or from
hard disk. This can be done by another, untrusted multiboot loader like GRUB or
syslinux.

Components
##########

:asm.S: Initializes the processor on startup and after skinit, e.g. by loading
  the stack pointer and segments.
:sha.c: A size-optimized SHA-1 [SHA] implementation which can hash up to
  512 MB. It needs around 512 bytes but is nearly 4 times slower than a
  speed-optimized version. Since boot loading is not performance critical and
  OSLO should not hash large amounts of data, the speed/size tradeoff is
  acceptable here.
:tis.c: A simple TIS [TIS] driver using the memory mapped interface of
  version 1.2 TPMs. Tested with TPMs from Infineon, STM, Atmel and Broadcom.
:tpm.c: The needed TPM functions, like TPM_Extend.
:elf.c: The ELF decoding.
:osl.c: The main program, including hashing the modules and the startup of the
  first one.
:util.c asm.h: Helper functions for string output and low level hardware
  access like _rdmsr_.
:mp.c mp.h: Helper functions to start and stop processors on an MP system.
:beirut.c: A helper program that hashes the command line of other multiboot
  modules.
:pamplona.c: A helper program that does everything needed to reverse the steps
  done by OSLO. For example, it removes the DEV protection and clears the
  global interrupt flag. It allows you to use OSLO but then start an unmodified
  OS in an insecure way.
:munich.c: A helper program to start Linux [LBP] from a multiboot compliant
  loader. The first module is used as the Linux kernel. The optional second one
  is used as the initrd.

FAQ
###

: Why is DEV protection not implemented?
: Mainly for time reasons, and because of the realization that the workaround
  for the DEV init race has to be implemented.

: Why do you extend the PCR for every module?
: Previously, OSLO would calculate a single hash over all multiboot modules.
  This was a bug, since hashing one module or hashing two halves of the same
  binary as two modules was indistinguishable. The hole between the two
  halves could be used by an attacker to hide untrusted code.

: Why did you implement Beirut?
: There are applications which can be fooled by giving them a faked command
  line. Since someone decided not to fix the applications and handle untrusted
  command lines like untrusted config files (e.g. simply hash them themselves),
  we have to hash the command line before we pass it to them. Or in other
  words: Beirut is just a nasty hack for compatibility reasons.

: Is OSLO bug-free?
: Of course not, in this version. Currently at least two bugs are known: the
  DEV initialization is missing and the famous "type of memory" bug is still
  present.

References
##########

:AMD: AMD64 Architecture Programmer's Manual Vol.
  2 - http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/24593.pdf
:LBP: Linux/I386 Boot Protocol - http://lxr.linux.no/source/Documentation/i386/boot.txt
:MBI: Multiboot Specification - http://www.gnu.org/software/grub/manual/multiboot/multiboot.txt
:SHA: US Secure Hash Algorithm 1 (SHA1) - http://www.ietf.org/rfc/rfc3174.txt
:TIS: TPM Interface Specification - https://www.trustedcomputinggroup.org/groups/pc_client/TCG_PCClientTPMSpecification_1-20_1-00_FINAL.pdf
:TPM: TCG TPM Specification v1.2 rev 5 Part 3 Commands - https://www.trustedcomputinggroup.org/groups/tpm/mainP3Commands_rev85.zip

Acknowledgements
################

OSLO was funded by OpenTC. Special thanks go to AMD Dresden for their constant
support and to Infineon Munich for their help with TPMs.
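The measurement scheme described in the Functionality section and in the FAQ
entries on per-module PCR extension and on Beirut can be modelled without a TPM.
The following Python is an added example written for this README; it is not
OSLO code and does not use OSLO's sha.c or tpm.c. It assumes an all-zero PCR as
the starting value, uses a constructed fake kernel image as input, and the
command line handling is a model of what Beirut does, not Beirut itself. It
shows why a single hash over all modules is ambiguous (one module and the same
bytes split into two modules measure identically), why extending the PCR once
per module removes that ambiguity, and how hashing the command line as well
binds it to the measurement.

```python
"""Model of OSLO-style per-module measurement (constructed example, not OSLO code)."""
from __future__ import annotations

import hashlib

PCR_SIZE = 20  # a v1.2 TPM PCR holds one SHA-1 digest


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend as a v1.2 TPM computes it: PCR_new = SHA1(PCR_old || measurement).
    A PCR can only be extended, never written, so the final value commits to the
    whole ordered sequence of measurements that went into it."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must be SHA-1 digests")
    return sha1(pcr + measurement)


def measure_concatenated(modules: list[bytes]) -> bytes:
    """The scheme the FAQ calls a bug: one SHA-1 over all module bytes in a row.
    Module boundaries are invisible to the hash."""
    h = hashlib.sha1()
    for m in modules:
        h.update(m)
    return h.digest()


def measure_per_module(modules: list[bytes], pcr: bytes = bytes(PCR_SIZE)) -> bytes:
    """The scheme the FAQ describes as current: extend the PCR once per module
    with SHA1(module). Starting from an all-zero PCR is an assumption here."""
    for m in modules:
        pcr = pcr_extend(pcr, sha1(m))
    return pcr


def measure_modules_with_cmdlines(entries: list[tuple[bytes, bytes]],
                                  pcr: bytes = bytes(PCR_SIZE)) -> bytes:
    """Beirut-style measurement (constructed model): the command line of each
    module is hashed and extended too, so a forged command line changes the
    PCR even when the module bytes are untouched."""
    for module, cmdline in entries:
        pcr = pcr_extend(pcr, sha1(module))
        pcr = pcr_extend(pcr, sha1(cmdline))
    return pcr


# Constructed sample input: a fake 1 KiB "kernel" image and the same bytes
# split into two multiboot modules at an arbitrary offset.
KERNEL = bytes(range(256)) * 4
SPLIT = 700
HALVES = [KERNEL[:SPLIT], KERNEL[SPLIT:]]


def concatenated_is_ambiguous() -> bool:
    """One module and two halves of it yield the same concatenated hash, so a
    verifier cannot tell the layouts (and the gap between the halves) apart."""
    return measure_concatenated([KERNEL]) == measure_concatenated(HALVES)


def per_module_distinguishes() -> bool:
    """Per-module extension yields different PCR values for the two layouts."""
    return measure_per_module([KERNEL]) != measure_per_module(HALVES)


def cmdline_is_bound() -> bool:
    """Same module bytes, different command line: different PCR value."""
    return (measure_modules_with_cmdlines([(KERNEL, b"console=ttyS0")])
            != measure_modules_with_cmdlines([(KERNEL, b"console=tty0")]))


if __name__ == "__main__":
    print("single hash over all modules is ambiguous:", concatenated_is_ambiguous())
    print("per-module extend distinguishes the layouts:", per_module_distinguishes())
    print("command line is bound by Beirut-style extend:", cmdline_is_bound())
```

The per-module scheme also fixes the module order: swapping two modules changes
the PCR, whereas a single hash over the concatenation only fixes the byte
stream. Whoever later verifies the PCR value therefore needs to know the
expected hash and position of every module, which is exactly the information the
concatenated variant threw away.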