Skip to content

Commit

Permalink
preinstall: Add initial checks for TCG log consistency with PCR values
Browse files Browse the repository at this point in the history 
This adds a function that verifies that the TCG log is well formed and
is consistent with the TPM's PCR values for at least one supported PCR
bank. On success, it returns the best PCR bank to use and the startup
locality, and any errors that occurred for non-mandatory PCRs. A PCR
might not be mandatory because we don't have a way to generate profiles
for it, or because the input flags to RunChecks marked it as not
required. The startup locality is later on with the discrete TPM indication
to customize the PCR profile.

It performs some other tests, notably that:
- the TCG defined PCRs contain a EV_SEPARATOR event between the pre-OS
  and OS-present environment (although the one in PCR7 separates secure
  boot policy from secure boot authentication).
- none of the EV_SEPARATORs in the TCG defined PCRs indicated that an
  error occurred.
- there are no pre-OS measurements to non-TCG defined PCRs (8-).

Future PRs will add more specific checks for each supported PCR.

This pulls in a newer go-tpm2 for TPM2_PCR_Allocate support in the
library and test harness. This is a function that's normally ever
called from firmware, but we need to be able to do what the firmware
does to enable/disable PCR banks here.
  • Loading branch information
@chrisccoulson
chrisccoulson committed Aug 21, 2024
1 parent 54f79b1 commit 64dc595
Show file tree
Hide file tree
Showing 8 changed files with 1,471 additions and 31 deletions.
6 changes: 4 additions & 2 deletions efi/fw_load_handler_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -285,7 +285,8 @@ func (s *fwLoadHandlerSuite) TestMeasureImageStartPlatformFirmwareProfile(c *C)
pcrs: MakePcrFlags(internal_efi.PlatformFirmwarePCR),
expectedEvents: []*mockPcrBranchEvent{
{pcr: 0, eventType: mockPcrBranchResetEvent},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "d0ff5974b6aa52cf562bea5921840c032a860a91a3512f7fe8f768f6bbe005f6")},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "cd1137dfa2bfba51973100d73d78d9f496e089fd246fe980fadc668b4efc9443")},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "5ca5e6acb83d626a42b53ddc5a2fe04d6a4b2f045bb07f6d9baf0e82900d7bbe")},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "aef237d4703e8936530141636186a9f249fa39e194f02f668cd328bd5902cf03")},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "8b0eec99d3cccc081edb98c3a2aa74b99a02b785bd74513e1cf7401e99121e80")},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119")},
Expand All @@ -300,7 +301,8 @@ func (s *fwLoadHandlerSuite) TestMeasureImageStartPlatformFirmwareProfileSL3(c *
pcrs: MakePcrFlags(internal_efi.PlatformFirmwarePCR),
expectedEvents: []*mockPcrBranchEvent{
{pcr: 0, eventType: mockPcrBranchResetCRTMPCREvent, locality: 3},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "d0ff5974b6aa52cf562bea5921840c032a860a91a3512f7fe8f768f6bbe005f6")},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "cd1137dfa2bfba51973100d73d78d9f496e089fd246fe980fadc668b4efc9443")},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "5ca5e6acb83d626a42b53ddc5a2fe04d6a4b2f045bb07f6d9baf0e82900d7bbe")},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "aef237d4703e8936530141636186a9f249fa39e194f02f668cd328bd5902cf03")},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "8b0eec99d3cccc081edb98c3a2aa74b99a02b785bd74513e1cf7401e99121e80")},
{pcr: 0, eventType: mockPcrBranchExtendEvent, digest: testutil.DecodeHexString(c, "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119")},
Expand Down
8 changes: 4 additions & 4 deletions efi/pcr_profile_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -745,7 +745,7 @@ func (s *pcrProfileSuite) TestAddPCRProfileUC20WithExtraProfiles(c *C) {
expected: []tpm2.PCRValues{
{
tpm2.HashAlgorithmSHA256: {
0: testutil.DecodeHexString(c, "3d2b11b4c5cb623acbde6d14205217e47ebd368eab861e4fed782bb99be4598a"),
0: testutil.DecodeHexString(c, "a6602a7a403068b5556e78cc3f5b00c9c76d33d514093ca9b584dce7590e6c69"),
2: testutil.DecodeHexString(c, "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969"),
4: testutil.DecodeHexString(c, "bec6121586508581e08a41244944292ef452879f8e19c7f93d166e912c6aac5e"),
7: testutil.DecodeHexString(c, "3d65dbe406e9427d402488ea4f87e07e8b584c79c578a735d48d21a6405fc8bb"),
Expand All @@ -754,7 +754,7 @@ func (s *pcrProfileSuite) TestAddPCRProfileUC20WithExtraProfiles(c *C) {
},
{
tpm2.HashAlgorithmSHA256: {
0: testutil.DecodeHexString(c, "3d2b11b4c5cb623acbde6d14205217e47ebd368eab861e4fed782bb99be4598a"),
0: testutil.DecodeHexString(c, "a6602a7a403068b5556e78cc3f5b00c9c76d33d514093ca9b584dce7590e6c69"),
2: testutil.DecodeHexString(c, "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969"),
4: testutil.DecodeHexString(c, "c731a39b7fc6475c7d8a9264e704902157c7cee40c22f59fa1690ea99ff70c67"),
7: testutil.DecodeHexString(c, "3d65dbe406e9427d402488ea4f87e07e8b584c79c578a735d48d21a6405fc8bb"),
Expand Down Expand Up @@ -801,7 +801,7 @@ func (s *pcrProfileSuite) TestAddPCRProfileUC20WithPlatformFirmwareProfileSL3(c
expected: []tpm2.PCRValues{
{
tpm2.HashAlgorithmSHA256: {
0: testutil.DecodeHexString(c, "25a58800ba22dff433a8bb1b5084a53ddf02dc71f204053b38036fe1c0f146e2"),
0: testutil.DecodeHexString(c, "b0d6d5f50852be1524306ad88b928605c14338e56a1b8c0dc211a144524df2ef"),
2: testutil.DecodeHexString(c, "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969"),
4: testutil.DecodeHexString(c, "bec6121586508581e08a41244944292ef452879f8e19c7f93d166e912c6aac5e"),
7: testutil.DecodeHexString(c, "3d65dbe406e9427d402488ea4f87e07e8b584c79c578a735d48d21a6405fc8bb"),
Expand All @@ -810,7 +810,7 @@ func (s *pcrProfileSuite) TestAddPCRProfileUC20WithPlatformFirmwareProfileSL3(c
},
{
tpm2.HashAlgorithmSHA256: {
0: testutil.DecodeHexString(c, "25a58800ba22dff433a8bb1b5084a53ddf02dc71f204053b38036fe1c0f146e2"),
0: testutil.DecodeHexString(c, "b0d6d5f50852be1524306ad88b928605c14338e56a1b8c0dc211a144524df2ef"),
2: testutil.DecodeHexString(c, "3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969"),
4: testutil.DecodeHexString(c, "c731a39b7fc6475c7d8a9264e704902157c7cee40c22f59fa1690ea99ff70c67"),
7: testutil.DecodeHexString(c, "3d65dbe406e9427d402488ea4f87e07e8b584c79c578a735d48d21a6405fc8bb"),
Expand Down
Loading

0 comments on commit 64dc595

Please sign in to comment.