ACK: [PATCH] tpmevlog: Ensure EV_SEPARATOR recorded for PCRs 0-7
ivanhu
ivan.hu at canonical.com
Mon Jun 17 04:23:27 UTC 2024
Thanks!
Acked-by: Ivan Hu <ivan.hu at canonical.com>
On 6/11/24 17:23, Jonathan McDowell wrote:
> From: Jonathan McDowell <noodles at meta.com>
>
> The TCG PC Client Platform Firmware Profile Specification requires that
> EV_SEPARATOR is measured into PCRs 0-7 prior to the first invocation of
> the Ready to Boot call. Add a check to ensure these are seen in the
> event log.
>
> Signed-off-by: Jonathan McDowell <noodles at meta.com>
> ---
> src/tpm/tpmevlog/tpmevlog.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/src/tpm/tpmevlog/tpmevlog.c b/src/tpm/tpmevlog/tpmevlog.c
> index 90b1062d..d06638f0 100644
> --- a/src/tpm/tpmevlog/tpmevlog.c
> +++ b/src/tpm/tpmevlog/tpmevlog.c
> @@ -200,6 +200,7 @@ static int tpmevlog_v2_check(
> fwts_pc_client_pcr_event *pc_event;
> fwts_efi_spec_id_event *specid_evcent;
> fwts_spec_id_event_alg_sz *alg_sz;
> + bool separator_seen[8] = { false };
>
> /* specid_event_check */
> if (len < sizeof(fwts_pc_client_pcr_event)) {
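Review bot: the bound 8 in `bool separator_seen[8] = { false };` is repeated as the literal `< 8` in the `pcr_index` test and as the loop limit `i < 8` in the next hunk, so the three can drift apart; define one constant for the PCR 0-7 range (or use `FWTS_ARRAY_SIZE(separator_seen)` for the loop bound) and use it in all three places.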
> @@ -379,10 +380,24 @@ static int tpmevlog_v2_check(
> event_size, pdata + sizeof(event_size));
> if (ret != FWTS_OK)
> return ret;
> +
> + if ((pcr_event2->pcr_index < 8) && (pcr_event2->event_type == EV_SEPARATOR))
> + separator_seen[pcr_event2->pcr_index] = true;
> +
> pdata += (event_size + sizeof(event_size));
> len_remain -= (event_size + sizeof(event_size));
>
> }
> +
> + for (i = 0; i < 8; i++) {
> + if (!separator_seen[i]) {
> + fwts_failed(fw, LOG_LEVEL_MEDIUM, "EventV2SeparatorSeen",
> + "PCR %d did not have EV_SEPARATOR measured into it at "
> + "Platform Firmware handover.", i);
> + return FWTS_ERROR;
> + }
> + }
> +
> fwts_passed(fw, "Check TPM crypto agile event log test passed.");
> return FWTS_OK;
> }
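Review bot: the check is weaker than the commit message and the failure text claim. It only records that an EV_SEPARATOR for PCRs 0-7 appears somewhere in the log, but the spec requirement (and the message "did not have EV_SEPARATOR measured into it at Platform Firmware handover") is about ordering: the separators must land before the first Ready to Boot, i.e. before the firmware hands over to the boot loader. A separator logged late (after the OS loader events) would still pass this test. Suggest noting the position of the handover event (for example the first EV_EFI_ACTION "Calling EFI Application from Boot Option") and only setting `separator_seen[]` for events before it, or otherwise softening the failure text. Two smaller points on the same loop: `return FWTS_ERROR;` inside `for (i = 0; i < 8; i++)` stops at the first missing PCR, so a log missing several separators reports only one of them; collecting all failures and returning once after the loop gives the user the full picture. And the event data of EV_SEPARATOR (the 4-byte 0x00000000 or 0xFFFFFFFF value) is not examined, so an event of the right type with bogus data also satisfies the check; if `i` is not already a local of `tpmevlog_v2_check`, it also needs a declaration in the first hunk.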
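The requirement in the commit message (EV_SEPARATOR into each of PCRs 0-7 before the firmware hands over at Ready to Boot) can be checked with ordering taken into account, which the patch above does not do. The following is an added example written for this page, not fwts code and not part of the patch. It assumes the caller has already consumed the initial SHA-1-format spec ID event and passes only the crypto-agile TCG_PCR_EVENT2 entries, it knows digest sizes for SHA-1 and SHA-256 only (any other algorithm makes the walk fail closed rather than skip bytes blindly), and it takes the EV_EFI_ACTION event "Calling EFI Application from Boot Option" as the handover point; all of those are assumptions. The sample log is constructed in `build_sample_log`, not captured from real firmware, and deliberately logs PCR 7's separator after the handover so that a position-blind check would wrongly pass it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Event types and algorithm IDs from the TCG PC Client Platform Firmware Profile / TPM 2.0 spec. */
#define EV_SEPARATOR   0x00000004u
#define EV_EFI_ACTION  0x80000007u
#define TPM_ALG_SHA1   0x0004u
#define TPM_ALG_SHA256 0x000Bu
#define SEP_PCR_COUNT  8   /* PCRs 0-7 must each receive an EV_SEPARATOR before handover */
/* Assumption: the handover to the OS loader is the EV_EFI_ACTION event carrying this string. */
static const char BOOT_OPTION_ACTION[] = "Calling EFI Application from Boot Option";
struct ev2 { uint32_t pcr_index, event_type, data_len; const uint8_t *data; };
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Parse one little-endian TCG_PCR_EVENT2: pcr, type, digest count, {alg, digest}..., size, data.
 * Returns bytes consumed, or 0 if the event is truncated or uses a digest algorithm this
 * example does not know (SHA-1 and SHA-256 only), so no event is ever skipped blindly. */
static size_t parse_event2(const uint8_t *p, size_t len, struct ev2 *out)
{
    if (len < 12) return 0;
    out->pcr_index = rd32(p); out->event_type = rd32(p + 4);
    uint32_t ndigests = rd32(p + 8);
    size_t off = 12;
    for (uint32_t i = 0; i < ndigests; i++) {
        if (len - off < 2) return 0;
        uint16_t alg = rd16(p + off);
        int dsz = alg == TPM_ALG_SHA256 ? 32 : alg == TPM_ALG_SHA1 ? 20 : -1;
        off += 2;
        if (dsz < 0 || len - off < (size_t)dsz) return 0;
        off += (size_t)dsz;
    }
    if (len - off < 4) return 0;
    out->data_len = rd32(p + off); off += 4;
    if (len - off < out->data_len) return 0;
    out->data = p + off;
    return off + out->data_len;
}

/* Walk the crypto-agile events (spec ID header assumed already consumed by the caller). Returns 0
 * and sets *missing to a bitmask of PCRs 0-7 with no EV_SEPARATOR before the boot-option action
 * (later separators are ignored), or -1 if any event is malformed, so a truncated log never passes. */
int check_separators(const uint8_t *log, size_t len, uint32_t *missing)
{
    uint32_t seen = 0; bool handed_over = false;
    for (size_t off = 0; off < len;) {
        struct ev2 ev;
        size_t n = parse_event2(log + off, len - off, &ev);
        if (n == 0) return -1;
        off += n;
        if (ev.event_type == EV_EFI_ACTION && ev.data_len == strlen(BOOT_OPTION_ACTION) &&
            memcmp(ev.data, BOOT_OPTION_ACTION, ev.data_len) == 0)
            handed_over = true;
        else if (!handed_over && ev.event_type == EV_SEPARATOR && ev.pcr_index < SEP_PCR_COUNT)
            seen |= 1u << ev.pcr_index;
    }
    *missing = ~seen & ((1u << SEP_PCR_COUNT) - 1);
    return 0;
}

/* Constructed sample log (not a real firmware capture): one all-zero SHA-256 digest per event; digest values are not verified here. */
static size_t put_event(uint8_t *buf, size_t cap, uint32_t pcr, uint32_t type, const void *data, uint32_t dlen)
{
    size_t need = 12 + 2 + 32 + 4 + dlen;
    if (cap < need) return 0;
    wr32(buf, pcr); wr32(buf + 4, type); wr32(buf + 8, 1);
    wr16(buf + 12, TPM_ALG_SHA256); memset(buf + 14, 0, 32);
    wr32(buf + 46, dlen); memcpy(buf + 50, data, dlen);
    return need;
}

/* Separators for the PCRs set in sep_mask, then the boot-option action, then a late PCR 7
 * separator that must not satisfy the check. Returns the log length, or 0 if buf is too small. */
size_t build_sample_log(uint8_t *buf, size_t cap, uint32_t sep_mask)
{
    static const uint8_t sep_data[4] = { 0, 0, 0, 0 };   /* spec: 0x00000000 or 0xFFFFFFFF */
    size_t off = 0, n;
    for (uint32_t pcr = 0; pcr < SEP_PCR_COUNT; pcr++) {
        if (!(sep_mask & (1u << pcr))) continue;
        if (!(n = put_event(buf + off, cap - off, pcr, EV_SEPARATOR, sep_data, 4))) return 0;
        off += n;
    }
    if (!(n = put_event(buf + off, cap - off, 4, EV_EFI_ACTION, BOOT_OPTION_ACTION,
                        (uint32_t)strlen(BOOT_OPTION_ACTION)))) return 0;
    off += n;
    if (!(n = put_event(buf + off, cap - off, 7, EV_SEPARATOR, sep_data, 4))) return 0;
    return off + n;
}

/* Build the sample log, drop `truncate` trailing bytes, run the check. Returns the missing-PCR
 * mask (0 = every PCR 0-7 separated in time), or UINT32_MAX if the log was rejected. */
uint32_t run_sample(uint32_t sep_mask, size_t truncate)
{
    uint8_t log[1024]; uint32_t missing;
    size_t len = build_sample_log(log, sizeof log, sep_mask);
    if (len == 0 || truncate > len) return UINT32_MAX;
    return check_separators(log, len - truncate, &missing) == 0 ? missing : UINT32_MAX;
}
```

`run_sample(0x7F, 0)` returns 0x80: PCR 7 is missing even though a separator for it exists later in the log, which is the case the patch's position-blind flag would accept. Returning the whole mask rather than stopping at the first missing PCR reports every offender in one pass, and failing closed on a truncated or unknown-algorithm event means a damaged log is never reported as passing.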