From patchwork Fri Dec 16 05:42:43 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: ivanhu <ivan.hu@canonical.com>
X-Patchwork-Id: 1716394
Return-Path: <fwts-devel-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=fwts-devel-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=iBV38ai1;
	dkim-atps=neutral
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4NYJ0g5Dz1z2405
	for <incoming@patchwork.ozlabs.org>; Fri, 16 Dec 2022 16:42:58 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <fwts-devel-bounces@lists.ubuntu.com>)
	id 1p63Uh-00030x-Qh; Fri, 16 Dec 2022 05:42:51 +0000
Received: from smtp-relay-canonical-0.internal ([10.131.114.83]
 helo=smtp-relay-canonical-0.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <ivan.hu@canonical.com>) id 1p63Ug-00030p-3q
 for fwts-devel@lists.ubuntu.com; Fri, 16 Dec 2022 05:42:50 +0000
Received: from canonical.com (unknown [106.104.136.95])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest
 SHA256) (No client certificate requested)
 by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 6C5B9423E4
 for <fwts-devel@lists.ubuntu.com>; Fri, 16 Dec 2022 05:42:48 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1671169369;
 bh=ZE1W8DYHThxlF5iHlXpJh9s7HSPiiXLPE9YMqy/7oaw=;
 h=From:To:Subject:Date:Message-Id:MIME-Version;
 b=iBV38ai10TytZPCQhvlDx2pPBuj9lK/738F/RlVdKP3D3KIDKQ2ei2hW73Ho0ROH7
 CPG1HFCf3k8KzUoFyunzoM6w5TNuBppSOfjkPjQsLXNlH8UVAYu13fVLIgXET+UqLW
 QtDEXf0xZfaJ5W9S2CEuVFXCJd4bA43C6jfdig8IbStLvZRCvGB+RP1TbvmlaLZNiw
 z2rWk9ioJDq8jYzNRKW3FHIWyPgBjNNsYED7b9cCtfqcpuPGGNXLwvFk9xE+D7PaEp
 p0dmeYR5njBP4575I+lghOJLLimqgBC59/Z9ob7SNOvpZ/kuOQAg1SQc9b6hqAH2lO
 t+IwzyWsftnFQ==
From: Ivan Hu <ivan.hu@canonical.com>
To: fwts-devel@lists.ubuntu.com
Subject: [PATCH] tpmevlog: add tests for checking the UEFI_IMAGE_LOAD_EVENT
 Structure
Date: Fri, 16 Dec 2022 13:42:43 +0800
Message-Id: <20221216054243.3427183-1-ivan.hu@canonical.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-BeenThere: fwts-devel@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Firmware Test Suite Development <fwts-devel.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/fwts-devel>,
 <mailto:fwts-devel-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/fwts-devel>
List-Post: <mailto:fwts-devel@lists.ubuntu.com>
List-Help: <mailto:fwts-devel-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/fwts-devel>,
 <mailto:fwts-devel-request@lists.ubuntu.com?subject=subscribe>
Errors-To: fwts-devel-bounces@lists.ubuntu.com
Sender: "fwts-devel" <fwts-devel-bounces@lists.ubuntu.com>

Buglink: https://bugs.launchpad.net/fwts/+bug/1999728

From the TCG PFP specification, the PCR 4 and event type(0x80000003)
EV_EFI_BOOT_SERVICES_APPLICATION, the event field MUST contain a
UEFI_IMAGE_LOAD_EVENT structure. Some buggy firmwares that haven't
implemented correct the DevicePath on the UEFI_IMAGE_LOAD_EVENT
structure or executing something, but the log entry is broken
that cause the measurements failed.

Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
---
 src/lib/include/fwts_tpm.h  |  9 ++++++++
 src/tpm/tpmevlog/tpmevlog.c | 42 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/src/lib/include/fwts_tpm.h b/src/lib/include/fwts_tpm.h
index 0d24a245..03daf714 100644
--- a/src/lib/include/fwts_tpm.h
+++ b/src/lib/include/fwts_tpm.h
@@ -172,6 +172,15 @@ typedef struct {
 */
 } __attribute__ ((packed)) fwts_tcg_pcr_event2;
 
+typedef uint64_t uefi_physical_address;
+typedef struct {
+    uefi_physical_address	image_location_in_memory;
+    uint64_t			image_len_in_memory;
+    uint64_t			image_link_time_address;
+    uint64_t			length_of_device_path;
+    uint8_t			device_path[0];
+} __attribute__ ((packed)) uefi_image_load_event;
+
 void fwts_tpm_data_hexdump(fwts_framework *fw, const uint8_t *data,
 	const size_t size, const char *str);
 uint8_t fwts_tpm_get_hash_size(const TPM2_ALG_ID hash);
diff --git a/src/tpm/tpmevlog/tpmevlog.c b/src/tpm/tpmevlog/tpmevlog.c
index cfc287ab..215cd7cc 100644
--- a/src/tpm/tpmevlog/tpmevlog.c
+++ b/src/tpm/tpmevlog/tpmevlog.c
@@ -25,6 +25,7 @@
 #include <fcntl.h>
 
 #include "fwts_tpm.h"
+#include "fwts_uefi.h"
 
 #define FWTS_TPM_LOG_DIR_PATH	"/sys/kernel/security"
 
@@ -149,6 +150,40 @@ static int tpmevlog_algid_check(fwts_framework *fw, const TPM2_ALG_ID hash)
 	return FWTS_OK;
 }
 
+static int tpmevlog_pcr_type_event_check(
+	fwts_framework *fw,
+	const uint32_t pcr,
+	const fwts_tpmlog_event_type event_type,
+	uint32_t event_size,
+	uint8_t *event)
+{
+
+	uefi_image_load_event *ev_image_load = (uefi_image_load_event *)event;
+
+	if (pcr == 4 && event_type == EV_EFI_BOOT_SERVICES_APPLICATION) {
+		if (event_size <= sizeof(uefi_image_load_event)) {
+			fwts_failed(fw, LOG_LEVEL_HIGH, "ImageLoadEventLength",
+					"The length of the event is %" PRIu32 " which"
+					" is smaller than the UEFI Image Load Event "
+					"structure that contains DevicePath "
+					"of PE/COFF image for PCR4 and type "
+					"EV_EFI_BOOT_SERVICES_APPLICATION.",
+					event_size);
+			return FWTS_ERROR;
+		}
+		if (ev_image_load->length_of_device_path <= sizeof(fwts_uefi_dev_path)) {
+			fwts_failed(fw, LOG_LEVEL_HIGH, "ImageLoadDevicePathLength",
+					"The length of the device path is %" PRIu64
+					" is smaller than DevicePath of PE/COFF image "
+					"for PCR4 and type EV_EFI_BOOT_SERVICES_APPLICATION.",
+					ev_image_load->length_of_device_path);
+			return FWTS_ERROR;
+		}
+	}
+
+	return FWTS_OK;
+}
+
 static int tpmevlog_v2_check(
 	fwts_framework *fw,
 	uint8_t *data,
@@ -335,6 +370,12 @@ static int tpmevlog_v2_check(
 					sizeof(event_size));
 			return FWTS_ERROR;
 		}
+
+		ret = tpmevlog_pcr_type_event_check(fw, pcr_event2->pcr_index,
+				pcr_event2->event_type,
+				event_size, pdata + sizeof(event_size));
+		if (ret != FWTS_OK)
+			return ret;
 		pdata += (event_size + sizeof(event_size));
 		len_remain -= (event_size + sizeof(event_size));
 
@@ -386,7 +427,6 @@ static int tpmevlog_check(fwts_framework *fw, uint8_t *data, size_t len)
 	return FWTS_OK;
 }
 
-
 static uint8_t *tpmevlog_load_file(const int fd, size_t *length)
 {
 	uint8_t *ptr = NULL, *tmp;