ExternalVendorCode/go-attestation
1
0
Fork 0
mirror of https://github.com/google/go-attestation.git synced 2025-02-20 17:02:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

internal/eventlog: only trust the first time an event is written to the log (#95)

Browse Source 
Ensure an attacker can't alter the value we interpret by appending an entry of
the same type to the eventlog. Don't worry about events that come before the
EV_SEPARATOR for now.
This commit is contained in:
Eric Chiang 2019-09-06 10:20:43 -07:00 committed by Tom D
parent 6242485b62
commit cbf14e4244
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
attest/attest-tool/internal/eventlog/secureboot.go
View File

@ -164,6 +164,12 @@ func ParseSecureBoot(events []attest.Event) (*SecureBoot, error) {
if !sb.Enabled {
return nil, fmt.Errorf("%s/%s present when secure boot wasn't enabled", t, data.name)
}
if len(sb.Authority) != 0 {
// If a malicious value is appended to the eventlog,
// ensure we only trust the first value written by
// the UEFI firmware.
return nil, fmt.Errorf("%s/%s was already present earlier in the event log", t, data.name)
}
sb.Authority = data.data
}
}