From patchwork Tue Jun 11 09:23:22 2024
X-Patchwork-Submitter: Jonathan McDowell
X-Patchwork-Id: 1946193
Date: Tue, 11 Jun 2024 10:23:22 +0100
From: Jonathan McDowell
To: fwts-devel@lists.ubuntu.com
Subject: [PATCH] tpmevlog: Ensure EV_SEPARATOR recorded for PCRs 0-7
List-Id: Firmware Test Suite Development
From: Jonathan McDowell The TCG PC Client Platform Firmware Profile Specification requires that EV_SEPARATOR is measured into PCRs 0-7 prior to the first invocation of the Ready to Boot call. Add a check to ensure these are seen in the event log. Signed-off-by: Jonathan McDowell Acked-by: Ivan Hu --- src/tpm/tpmevlog/tpmevlog.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/tpm/tpmevlog/tpmevlog.c b/src/tpm/tpmevlog/tpmevlog.c index 90b1062d..d06638f0 100644 --- a/src/tpm/tpmevlog/tpmevlog.c +++ b/src/tpm/tpmevlog/tpmevlog.c @@ -200,6 +200,7 @@ static int tpmevlog_v2_check( fwts_pc_client_pcr_event *pc_event; fwts_efi_spec_id_event *specid_evcent; fwts_spec_id_event_alg_sz *alg_sz; + bool separator_seen[8] = { false }; /* specid_event_check */ if (len < sizeof(fwts_pc_client_pcr_event)) { @@ -379,10 +380,24 @@ static int tpmevlog_v2_check( event_size, pdata + sizeof(event_size)); if (ret != FWTS_OK) return ret; + + if ((pcr_event2->pcr_index < 8) && (pcr_event2->event_type == EV_SEPARATOR)) + separator_seen[pcr_event2->pcr_index] = true; + pdata += (event_size + sizeof(event_size)); len_remain -= (event_size + sizeof(event_size)); } + + for (i = 0; i < 8; i++) { + if (!separator_seen[i]) { + fwts_failed(fw, LOG_LEVEL_MEDIUM, "EventV2SeparatorSeen", + "PCR %d did not have EV_SEPARATOR measured into it at " + "Platform Firmware handover.", i); + return FWTS_ERROR; + } + } + fwts_passed(fw, "Check TPM crypto agile event log test passed."); return FWTS_OK; }
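Review bot: in the first hunk the array bound `separator_seen[8]` and the `< 8` and `i < 8` literals in the second hunk are the same number written three times; naming it once (the `{ false }` initialiser already scales with the size) keeps the three from drifting apart if the PCR range ever changes. This declaration also lands only in `tpmevlog_v2_check`, the crypto-agile parser; if the plugin still walks the older SHA1-only log format as well, that path gains no separator check, which the commit message should say if it is intended.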
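Review bot: in the second hunk the check is weaker than the commit message states: `separator_seen[pcr_event2->pcr_index] = true` is set for any EV_SEPARATOR wherever it sits in the log, so a separator measured after the Ready to Boot handover still passes, and the failure text "at Platform Firmware handover" describes a condition the loop never verifies. Tracking whether the Ready to Boot EV_EFI_ACTION event has already been seen and only counting separators that precede it would test the requirement the commit message quotes. Separately, the `for (i = 0; i < 8; i++)` loop returns on the first missing PCR, so a log lacking separators for several PCRs reports only one per run; calling `fwts_failed` for each missing PCR and returning after the loop would save re-runs.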
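The requirement the commit message quotes, worked through as an added example (this is not fwts code and not the patch author's): a small parser walks the TCG_PCR_EVENT2 records of a crypto-agile log and requires an EV_SEPARATOR in each of PCR 0-7. It goes one step beyond the patch by stopping at the Ready to Boot EV_EFI_ACTION event ("Calling EFI Application from Boot Option"), so a separator logged after the handover counts as missing. It assumes the SHA1-format Spec ID header event has already been skipped (as fwts does before its loop), handles only SHA-1 and SHA-256 digests, and feeds itself a constructed log with all-zero digests; the names `check_separators`, `put_event` and `scenario` are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Event types and digest algorithm IDs (TCG PC Client PFP spec / TPM 2.0 algorithm registry). */
#define EV_SEPARATOR    0x00000004u
#define EV_EFI_ACTION   0x80000007u
#define TPM_ALG_SHA1    0x0004u
#define TPM_ALG_SHA256  0x000Bu

/* EV_EFI_ACTION string that marks the Ready to Boot handover (measured into PCR 4). */
static const char READY_TO_BOOT[] = "Calling EFI Application from Boot Option";

/* Little-endian field helpers; the log is a packed LE byte stream. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Digest size for the algorithms handled here; 0 means the record cannot be sized. */
static size_t digest_len(uint16_t alg)
{
    return alg == TPM_ALG_SHA1 ? 20 : alg == TPM_ALG_SHA256 ? 32 : 0;
}

/*
 * Walk TCG_PCR_EVENT2 records (assumption: the Spec ID header event has already
 * been skipped). Require an EV_SEPARATOR in each of PCR 0-7 before the Ready to
 * Boot EV_EFI_ACTION event, or before end of log if that event never appears.
 * Returns the number of PCRs lacking one, or -1 if a record is truncated or uses
 * a digest algorithm we cannot size.
 */
int check_separators(const uint8_t *log, size_t len)
{
    bool seen[8] = { false };
    size_t off = 0;

    while (off < len) {
        if (len - off < 12)
            return -1;
        uint32_t pcr = rd32(log + off), type = rd32(log + off + 4), ndig = rd32(log + off + 8);
        off += 12;

        for (uint32_t i = 0; i < ndig; i++) {            /* TPML_DIGEST_VALUES entries */
            size_t dl = len - off < 2 ? 0 : digest_len(rd16(log + off));
            if (dl == 0 || len - off < 2 + dl)
                return -1;
            off += 2 + dl;
        }

        if (len - off < 4)
            return -1;
        uint32_t esz = rd32(log + off);
        off += 4;
        if (len - off < esz)
            return -1;
        const uint8_t *ev = log + off;
        off += esz;

        if (type == EV_SEPARATOR && pcr < 8)
            seen[pcr] = true;
        if (type == EV_EFI_ACTION && esz == sizeof(READY_TO_BOOT) - 1 &&
            memcmp(ev, READY_TO_BOOT, esz) == 0)
            break;                                        /* anything logged after this is too late */
    }

    int missing = 0;
    for (int i = 0; i < 8; i++)
        missing += !seen[i];
    return missing;
}

/* Append one TCG_PCR_EVENT2 with a single all-zero SHA-256 digest (constructed test data). */
static size_t put_event(uint8_t *buf, size_t off, uint32_t pcr, uint32_t type,
                        const void *data, uint32_t dlen)
{
    uint8_t *p = buf + off;
    wr32(p, pcr);
    wr32(p + 4, type);
    wr32(p + 8, 1);                    /* one digest follows */
    wr16(p + 12, TPM_ALG_SHA256);
    memset(p + 14, 0, 32);
    wr32(p + 46, dlen);
    memcpy(p + 50, data, dlen);
    return off + 50 + dlen;
}

/*
 * Constructed scenario: separators for PCR 0-7 except skip_pcr (>= 8 skips none),
 * then the Ready to Boot action, then, if late is set, the skipped separator after
 * the handover. truncate drops that many trailing bytes to simulate a cut-off log.
 */
int scenario(unsigned skip_pcr, bool late, size_t truncate)
{
    static const uint8_t sep[4] = { 0 };                /* EV_SEPARATOR event data */
    uint8_t buf[1024];
    size_t n = 0;

    for (uint32_t pcr = 0; pcr < 8; pcr++)
        if (pcr != skip_pcr)
            n = put_event(buf, n, pcr, EV_SEPARATOR, sep, sizeof(sep));
    n = put_event(buf, n, 4, EV_EFI_ACTION, READY_TO_BOOT, sizeof(READY_TO_BOOT) - 1);
    if (late && skip_pcr < 8)
        n = put_event(buf, n, skip_pcr, EV_SEPARATOR, sep, sizeof(sep));

    return check_separators(buf, n > truncate ? n - truncate : 0);
}
```

`scenario(8, false, 0)` returns 0 for a complete log, `scenario(7, false, 0)` returns 1 with no PCR 7 separator, and `scenario(7, true, 0)` also returns 1 because the PCR 7 separator arrives after the handover, which the patch as posted would accept. On a Linux host the same `check_separators` can be pointed at `/sys/kernel/security/tpm0/binary_bios_measurements` once the leading SHA1-format Spec ID event has been stepped over.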