trusted computing – A good way to visualize mentally TPM PCRs, PCR banks and indexes and their relations

I’m reading about TPMs and I’m currently thinking how to visualize their relationships.

Basically reading from https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12 (and the TPM documents) I gather the following:

PCR: It is a memory register that stores output of a hash algorithm. A PCR can store the output of more than one hash algorithm. An example is the output of 256 bits for SHA-256.

Question: Can a PCR store simultatenously output from multiple types of hash algorithms? Or are PCRs are tied to some specific hash algorithm? I think only the latest hashed value of any given operation is saved (and concatenated with the previous). But I’m not sure if multiple hash algorithms can use the same PCRs simultanously (e.g. like operating shadow registers or a stack).

PCR bank: a PCR bank is a set, or a collection, of PCRs that are used to store the output of the same type of a hash algorithm. As for an example, output of SHA-256 or a SHA-1 algorithm would be disjoint PCR banks. However, I don’t know if the underlying PCRs used by these banks could be the same. So, effectively a PCR bank would be a way to group PCRs together logically but they could use the same underlying PCRs.

PCR Index: Points to some PCR.

PCR Attribute: This is some attribute a PCR has, such as being resettable. If attribute is applicable to some index location in one bank, it is applicable across all PCR banks on the same index.

Not all PCR banks are required to have the same number of PCRs, so they need to not to be equally large.

The main reason I’m considering visualization is that I’m not sure how should one understand PCR indexing and attributes. The usual images online are like

PCR(0)  = (what's in this this cell?)
PCR(1)  = 
.
.
.
PCR(23) = (what's in this scell)

But if the idea is like PCR(Index), then what is the size and number of each of the cells? Is there only one cell width of which is the maximum width needed to store output of the hash algorithm that produces the longest output? Or does it mean there are multiple cells of some fixed with?

That is, if there’s both SHA-1 and SHA-256, then PCR(23).length = 256 bits or PCR(23)(0).length = 256 bits?

I also think the case of attribute confuse me here. I.e. is it so that for each of those indexes PCR(n) there are multiple cells of length denoted by the hashing algorithm? It makes me feel there should be a concept of attribute index, which would index this system like matrix:

          (Attr1)   (Attr2)
PCR(0)  = (pcr0-0), (pcr0-1), ... (???)
PCR(1)  = (pcr1-0), (pcr1-1), ... (???)
.
.
.
PCR(23) = (pcr23-0), (pcr23-1), ... (???)

So I’m trying to understand how PCRs related to indexes and attributes. I may come across unclear as this feels a bit confusing.

covid 19 – PCR test at Tirana International Airport

My partner and I will be visiting Albania in a month. On the way back, we’ll need to do PCR tests. I found information about the testing center at the airport. If someone used the services of this center, could you please tell me about your experience? How reliable their information is (that they are open 24 hours and that the results are returned in 90 minutes)? Is it the same on the weekends (our flight back is on Sunday morning)?

covid 19 – Can I enter Denmark by car without a PCR test?

From https://en.coronasmitte.dk/rules-and-regulations/entry-into-denmark/categorization-of-countries

If you live in Netherlands, that is an orange country (yes I know, but now also according to the Danish classification) you need:

  • Test before arriving in Denmark
  • Test after arrival
  • Isolation after arrival

The tests could be PCR or quick antigen tests.

All requirements are void if you are fully vaccinated more than two weeks ago or was previously infected.

Note that the country classifications can change very week.

covid 19 – Do I need PCR test to enter Switzerland by vehicle from Germany?

No. The Federal Office of Public Health (BAG/OFSP) has the information you need.

As of June 3, the last German states (Land Sachsen and Thüringen) are removed from the high-risk list. But the situation can again change and states may be added back.

From a low-risk country/region, you may enter by private vehicle, bike or as a pedestrian without particular conditions. If you take a bus or train, an entry form needs to be filled in. If you are taking a flight, a negative test is also necessary. Exemptions apply for persons coming from border regions, fully vaccinated persons within last six months, persons who recovered from COVID-19 in the past 6 months and other grounds (see the link for more detailed information).

customs and immigration – Sri Lanka – PCR 96 hours within first flight clarification

Sri Lanka COVID restrictions are as follows:

Passengers must have a printed negative COVID-19 PCR test taken at most 96 hours before departure from the first embarkation point. The test result must be in English.

My flight route is:

Nassau, Bahamas (NAS) to Panama (PTY) on 06/20 (Ticket #1)
Panama (PTY) to Istanbul (IST) on 06/21 (Part of Single Ticket #2)
Istanbul (IST) to Maldives (MAL) on 06/22 (Part of Single Ticket #2)
Maldives (MAL) to Sri Lanka (CMB) on 06/22 (Part of Single Ticket #2)

Does that mean I can take the RT PCR test anytime on 05/17 to 05/20? Most countries is PCR results must be within 96 hours of landing but according to Timtac, for Sri Lanka it’s 96 hours of the first flight (which I assume is going to be PTY to IST).

air travel – RT-PCR v PCR Test for entry into Belarus

I need to travel to Belarus from Berlin in the next two weeks and according to the government’s website, foreigners need to present a valid PCR test that is not older than 72 hours. When I visit the website coronatest.de, it offers an RT-PCR test. From a quick google search, it is my understanding that they are the same “level” of tests except the RT-PCR test is in real-time.

My question is then as the following: Will the RT-PCR test be valid for entry into Belarus?

international travel – Is the UK exempt from providing a negative PCR test when traveling to Spain?

I was planning on visiting the Balearic Islands (Mallorca) at the beginning of June (4-6th) from the UK.

Method of transport would be air, landing in Palma.

I did a bit of research and came across the following guidance on the palmaairport.info website.
https://www.palmaairport.info/airport/covid-19-what-you-need-to-know-when-travelling-via-palma-airport/

Mandatory PCR-Test – Arrivals

From Monday, 23/11/2020, anyone travelling to Mallorca from a high-risk country (which currently includes the UK) must be able to provide evidence of a negative PCR-test result on arrival at the airport. Please see here for a full list of countries currently considered to be high-risk.

Please note:

The test can only be taken up to 72 hours prior to arrival in Mallorca.

The test result can be presented in either Spanish, English, German or French.

Anyone arriving without evidence of a negative test will be fined and will have to undergo testing at Palma Airport.

Children under the age of six are exempt and do not need to present a test result.

Upon checking the Spanish Ministry of Health website regarding a full list of countries currently considered to be high-risk
https://www.mscbs.gob.es/en/profesionales/saludPublica/ccayes/alertasActual/nCov/spth.htm

I wasn’t able to find any information about the UK:
https://www.mscbs.gob.es/en/profesionales/saludPublica/ccayes/alertasActual/nCov/documentos/AnnexII_between_24052021-and-06062021.pdf

The airport guidance, judging by the latter bullet point highlighted in bold, suggests that everyone arriving must have a negative PCR test upon arrival, regardless of the country they came from.

Would that be a correct assumption?

But reading the Spanish Health Ministry’s website, is the UK considered a high-risk country or not?

What I’m trying to figure out is if I need to have a PCR test done in the UK prior to entry.

luks – SecureBoot: PCR to use or not

I’m working on the hardening of a Debian Bullseye box.

At the moment, every works perfectly: SecureBoot enabled, “Admin” password for BIOS set, every partitions except EFI one are ciphered with Luks, i flashed my own keys and restrict boot option to my signed efi image holding kernel/initrd/cmdline and SecureBoot enabled.

Regarding the disk unlock, i implemented the following way:

The goal of the “relaxed” handle only sealed with PCR #0 is to ease update process:

  1. I store again my passphrase in handle 0x8100000 sealed only with PCR #0
  2. I generate and sign a new EFI app with my new kernel and initramfs
  3. I boot on updated image (PCR 1 to 7 may be broken because of changes)
  4. I revoke handle 0x81002000
  5. I store again my passphrase in handle 0x81002000 with updated PCR #0,1,2,3,4,5,6,7
  6. I revoke handle 0x81000000
  • Is the described implementation correct regarding the security looked up ?
  • Could i use more PCR than only #0 for my “relaxed”, update only key handle ? At that point, i only want to ensure that the booted package is signed with my key.
  • Regarding regular mode of operation, are PCR 0,1,2,3,4,5,6,7 are stable enought ? I don’t want one of them to randomly change value and broke my boot process…

bonus: any comprehensive mapping between PCR and stuff in the “real” world (kernel, keys, initramfs, boot process interruption, etc..) is welcomed !

disk encryption – Is it secure to automatically unlock encrypted system drive using the TPM PCR values?

A simple way of automatically decrypting system drive at boot time:

clevis luks bind -d /dev/yourdrive tpm2 '{"pcr_ids":"4,5"}'

systemctl enable clevis-luks-askpass.path

When I booted another OS on the same machine, tpm2_pcrread listed mostly identical PCR values, except for 4 and 5. I understand that PCR 4 is a hash of the MBR and partitioning data, and PCR 5 is generated by the code in MBR. Besides, it’s an EFI system.
If an attacker makes a copy of the entire disk, can he generate the PCR 4 value by hashing the stolen MBR and partitioning data?

air travel – What does Ecuador require to be shown on a COVID-19 PCR test in order to enter the country?

I am scheduled to fly to Ecuador (Guayaquil) in a few months from the US. Ecuador currently requires a negative COVID-19 PCR test from no more than 10 days before entry in order go avoid quarantine. I found this and other useful information on the US Embassy site. I also found similar information in Spanish from what appears to be the official Ecuadorian embassy site (plus Galápagos-specific information in English).

However, I cannot find any information about what specifically counts as a negative COVID-19 PCR test. I get regular COVID-19 tests via test-at-home kits, and each test result shows (in English):

  • My name
  • The approving physician’s name
  • The type of the test (SARS-CoV-2 RT-PCR)
  • A test ID/locator number
  • The “result date” (just the date, no time). This is not actually the date the test sample was collected from me, just the date the lab finished analyzing it (typically a couple days later).
  • The result: “Not Detected” for a negative test
  • The name/logo of the lab that performed the test

Is a print out of such a test result enough to qualify for entry to Ecuador, or do I need a test result showing more information? Would it be better to directly show the website containing the test result on my phone? Where could I find authoritative information on this topic?