Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / a50e845df333a4d7531793e3fed61ca8411384f5^! / . / core / pkg / tpm / eventlog / compat.go
commita50e845df333a4d7531793e3fed61ca8411384f5[log] [tgz]
authorLorenz Brun <lorenz@nexantic.com>Wed Sep 09 17:09:27 2020 +0200
committerLorenz Brun <lorenz@nexantic.com>Wed Sep 09 17:09:27 2020 +0200
treed27ebc111fce076181d9ddda5c06882334f91823
parented0503cbe3c2d85d138f2604b87d73417be6c940 [diff] [blame]
Introduce TPM event log infrastructure

This adds support for reading the local TPM event log and for parsing the
resulting blob. Reading the log is implemented as part of our TPM library, but
for reading and processing the event log binary structure we rely on Google's
go-attestation. Since they don't separate their event log processing from the rest
of the package, I imported the relevant files here directly.

Since TPM event logs are really terrible (see included workarounds and
https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md)
it's probably a bad idea to use them for anything where we can avoid it.
So this will likely only be used for EFI boot / secure boot attestation and
everything we measure will be part of our TPM library with a much less insane format.

Test Plan:
Manually smoke-tested using a custom fixture on a Ryzen 3000 fTPM.
We cannot really test this until we have a way of generating and loading
secure boot keys since an empty secure boot setup generates no events.

X-Origin-Diff: phab/D622
GitOrigin-RevId: e730a3ea69c4055e411833c80530f630d77788e4

diff --git a/core/pkg/tpm/eventlog/compat.go b/core/pkg/tpm/eventlog/compat.go
new file mode 100644
index 0000000..f83972b
--- /dev/null
+++ b/core/pkg/tpm/eventlog/compat.go

@@ -0,0 +1,32 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package eventlog
+
+// This file contains compatibility functions for our TPM library
+
+import (
+	"crypto"
+)
+
+// ConvertRawPCRs converts from raw PCRs to eventlog PCR structures
+func ConvertRawPCRs(pcrs [][]byte) []PCR {
+	var evPCRs []PCR
+	for i, digest := range pcrs {
+		evPCRs = append(evPCRs, PCR{DigestAlg: crypto.SHA256, Index: i, Digest: digest})
+	}
+	return evPCRs
+}