metropolis/pkg/tpm/eventlog: simplify replay events error check
Change-Id: Ib8d0fe3981ae2d64c72cb657b1d17b011bdde32c
Reviewed-on: https://review.monogon.dev/c/monogon/+/3035
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Vouch-Run-CI: Tim Windelschmidt <tim@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/pkg/tpm/eventlog/eventlog.go b/metropolis/pkg/tpm/eventlog/eventlog.go
index 7201a89..036185a 100644
--- a/metropolis/pkg/tpm/eventlog/eventlog.go
+++ b/metropolis/pkg/tpm/eventlog/eventlog.go
@@ -246,26 +246,27 @@
// An error is returned if the replayed digest for events with a given PCR
// index do not match any provided value for that PCR index.
func (e *EventLog) Verify(pcrs []PCR) ([]Event, error) {
- events, err := e.verify(pcrs)
+ events, rErr := replayEvents(e.rawEvents, pcrs)
+ if rErr == nil {
+ return events, nil
+ }
// If there were any issues replaying the PCRs, try each of the workarounds
// in turn.
// TODO(jsonp): Allow workarounds to be combined.
- if rErr, isReplayErr := err.(ReplayError); isReplayErr {
- for _, wkrd := range eventlogWorkarounds {
- if !rErr.affected(wkrd.affectedPCR) {
- continue
- }
- el := e.clone()
- if err := wkrd.apply(el); err != nil {
- return nil, fmt.Errorf("failed applying workaround %q: %v", wkrd.id, err)
- }
- if events, err := el.verify(pcrs); err == nil {
- return events, nil
- }
+ for _, wkrd := range eventlogWorkarounds {
+ if !rErr.affected(wkrd.affectedPCR) {
+ continue
+ }
+ el := e.clone()
+ if err := wkrd.apply(el); err != nil {
+ return nil, fmt.Errorf("failed applying workaround %q: %v", wkrd.id, err)
+ }
+ if events, err := replayEvents(el.rawEvents, pcrs); err == nil {
+ return events, nil
}
}
- return events, err
+ return events, rErr
}
// PCR encapsulates the value of a PCR at a point in time.
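Review bot: The error returned by the final `return events, rErr` in Verify now has dynamic type `*ReplayError`, where the old code returned `ReplayError` by value. A caller that still tests `err.(ReplayError)` would stop matching without a compile error and lose the failed-PCR detail. No such caller is visible in this diff, so it is worth grepping for one and adding a doc-comment line such as `// On replay failure the returned error is a *ReplayError; match it with errors.As.` On that path `events` appears to be always nil, since the visible failure return in replayEvents is `nil, &ReplayError{…}`, so `return nil, rErr` would state the contract more directly. The `fmt.Errorf("failed applying workaround %q: %v", ...)` line could use `%w` so the underlying cause stays inspectable.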
@@ -275,17 +276,6 @@
DigestAlg crypto.Hash
}
-func (e *EventLog) verify(pcrs []PCR) ([]Event, error) {
- events, err := replayEvents(e.rawEvents, pcrs)
- if err != nil {
- if _, isReplayErr := err.(ReplayError); isReplayErr {
- return nil, err
- }
- return nil, fmt.Errorf("pcrs failed to replay: %v", err)
- }
- return events, nil
-}
-
func extend(pcr PCR, replay []byte, e rawEvent) (pcrDigest []byte, eventDigest []byte, err error) {
h := pcr.DigestAlg
@@ -343,7 +333,7 @@
successful bool
}
-func replayEvents(rawEvents []rawEvent, pcrs []PCR) ([]Event, error) {
+func replayEvents(rawEvents []rawEvent, pcrs []PCR) ([]Event, *ReplayError) {
var (
invalidReplays []int
verifiedEvents []Event
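Review bot: Because replayEvents now returns the concrete `*ReplayError`, a nil result assigned to an `error` variable becomes a non-nil interface. In an attestation path that would report a successful replay as a failure. Verify avoids this by comparing the pointer with nil and returning a literal `nil`, but nothing on the function records the constraint. A comment above the signature would help, such as `// replayEvents returns a typed *ReplayError: compare it with nil as a pointer and never assign it directly to an error variable.` The function body continues outside this hunk, so its other return paths could not be checked here.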
@@ -377,7 +367,7 @@
for _, e := range rawEvents {
events = append(events, Event{e.sequence, e.index, e.typ, e.data, nil})
}
- return nil, ReplayError{
+ return nil, &ReplayError{
Events: events,
invalidPCRs: invalidReplays,
}