
tpmevlog: Ensure EV_SEPARATOR recorded for PCRs 0-7

Message ID ZmgXigNx22Dr9TxI@earth.li
State Accepted

Commit Message

Jonathan McDowell June 11, 2024, 9:23 a.m. UTC
From: Jonathan McDowell <noodles@meta.com>

The TCG PC Client Platform Firmware Profile Specification requires that
EV_SEPARATOR is measured into PCRs 0-7 prior to the first invocation of
the Ready to Boot call. Add a check to ensure these are seen in the
event log.

Signed-off-by: Jonathan McDowell <noodles@meta.com>
---
 src/tpm/tpmevlog/tpmevlog.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

Comments

Ivan Hu June 17, 2024, 4:23 a.m. UTC | #1
Thanks!

Acked-by: Ivan Hu <ivan.hu@canonical.com>

On 6/11/24 17:23, Jonathan McDowell wrote:
> From: Jonathan McDowell <noodles@meta.com>
> 
> The TCG PC Client Platform Firmware Profile Specification requires that
> EV_SEPARATOR is measured into PCRs 0-7 prior to the first invocation of
> the Ready to Boot call. Add a check to ensure these are seen in the
> event log.
> 
> Signed-off-by: Jonathan McDowell <noodles@meta.com>
> ---
>   src/tpm/tpmevlog/tpmevlog.c | 15 +++++++++++++++
>   1 file changed, 15 insertions(+)
> 
> diff --git a/src/tpm/tpmevlog/tpmevlog.c b/src/tpm/tpmevlog/tpmevlog.c
> index 90b1062d..d06638f0 100644
> --- a/src/tpm/tpmevlog/tpmevlog.c
> +++ b/src/tpm/tpmevlog/tpmevlog.c
> @@ -200,6 +200,7 @@ static int tpmevlog_v2_check(
>   	fwts_pc_client_pcr_event *pc_event;
>   	fwts_efi_spec_id_event *specid_evcent;
>   	fwts_spec_id_event_alg_sz *alg_sz;
> +	bool separator_seen[8] = { false };
>   
>   	/* specid_event_check */
>   	if (len < sizeof(fwts_pc_client_pcr_event)) {
> @@ -379,10 +380,24 @@ static int tpmevlog_v2_check(
>   				event_size, pdata + sizeof(event_size));
>   		if (ret != FWTS_OK)
>   			return ret;
> +
> +		if ((pcr_event2->pcr_index < 8) && (pcr_event2->event_type == EV_SEPARATOR))
> +			separator_seen[pcr_event2->pcr_index] = true;
> +
>   		pdata += (event_size + sizeof(event_size));
>   		len_remain -= (event_size + sizeof(event_size));
>   
>   	}
> +
> +	for (i = 0; i < 8; i++) {
> +		if (!separator_seen[i]) {
> +			fwts_failed(fw, LOG_LEVEL_MEDIUM, "EventV2SeparatorSeen",
> +				"PCR %d did not have EV_SEPARATOR measured into it at "
> +				"Platform Firmware handover.", i);
> +			return FWTS_ERROR;
> +		}
> +	}
> +
>   	fwts_passed(fw, "Check TPM crypto agile event log test passed.");
>   	return FWTS_OK;
>   }

Patch

diff --git a/src/tpm/tpmevlog/tpmevlog.c b/src/tpm/tpmevlog/tpmevlog.c
index 90b1062d..d06638f0 100644
--- a/src/tpm/tpmevlog/tpmevlog.c
+++ b/src/tpm/tpmevlog/tpmevlog.c
@@ -200,6 +200,7 @@  static int tpmevlog_v2_check(
 	fwts_pc_client_pcr_event *pc_event;
 	fwts_efi_spec_id_event *specid_evcent;
 	fwts_spec_id_event_alg_sz *alg_sz;
+	bool separator_seen[8] = { false };
 
 	/* specid_event_check */
 	if (len < sizeof(fwts_pc_client_pcr_event)) {
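Review bot: The array length `8` on the new `separator_seen` declaration is repeated as a bare literal in the second hunk, once in the `pcr_index < 8` bound check and once in the final `for` loop, so the three copies must be kept in step by hand. Naming it once, e.g. `enum { SEPARATOR_PCR_COUNT = 8 }; /* PCRs 0-7 per the PC Client Platform Firmware Profile */` (name constructed), and using it for the declaration, the bound and the loop ties the bound check to the array it guards. The declaration is inside tpmevlog_v2_check, whose header and body start outside this hunk.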
@@ -379,10 +380,24 @@  static int tpmevlog_v2_check(
 				event_size, pdata + sizeof(event_size));
 		if (ret != FWTS_OK)
 			return ret;
+
+		if ((pcr_event2->pcr_index < 8) && (pcr_event2->event_type == EV_SEPARATOR))
+			separator_seen[pcr_event2->pcr_index] = true;
+
 		pdata += (event_size + sizeof(event_size));
 		len_remain -= (event_size + sizeof(event_size));
 
 	}
+
+	for (i = 0; i < 8; i++) {
+		if (!separator_seen[i]) {
+			fwts_failed(fw, LOG_LEVEL_MEDIUM, "EventV2SeparatorSeen",
+				"PCR %d did not have EV_SEPARATOR measured into it at "
+				"Platform Firmware handover.", i);
+			return FWTS_ERROR;
+		}
+	}
+
 	fwts_passed(fw, "Check TPM crypto agile event log test passed.");
 	return FWTS_OK;
 }
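Review bot: The loop after the event walk returns on the first PCR whose `separator_seen` entry is false, so a log that lacks EV_SEPARATOR on several of PCRs 0-7 reports only the lowest one and the remaining gaps surface only on the next run. Recording each failure and returning FWTS_ERROR once after the loop keeps the same verdict while listing every affected PCR, as below. The check also only verifies that a separator appears somewhere in the log for each PCR, not that it precedes the Ready to Boot events the description cites; a comment such as `/* Presence only: ordering relative to Ready to Boot is not verified. */` above the loop would make that explicit. The bound `pcr_index < 8` before indexing `separator_seen` assumes `pcr_index` is unsigned as in the TCG event structure; if it is a signed type, a negative value would pass the comparison and index before the array. tpmevlog_v2_check begins outside the hunk, so `i` and `pcr_event2` are declared there.
```c
	bool all_separators_seen = true;	/* declare alongside separator_seen at the top of tpmevlog_v2_check */

	/* Presence only: ordering relative to Ready to Boot is not verified. */
	for (i = 0; i < 8; i++) {
		if (!separator_seen[i]) {
			fwts_failed(fw, LOG_LEVEL_MEDIUM, "EventV2SeparatorSeen",
				"PCR %d did not have EV_SEPARATOR measured into it at "
				"Platform Firmware handover.", i);
			all_separators_seen = false;
		}
	}
	if (!all_separators_seen)
		return FWTS_ERROR;
	/* … unchanged: fwts_passed and return FWTS_OK … */
```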