ExternalVendorCode/go-attestation
1
0
Fork 0
mirror of https://github.com/google/go-attestation.git synced 2025-02-08 03:30:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Handle EFI_ACTION events signalling DMA protection is disabled. (#235)

Browse Source
This commit is contained in:
Tom D 2021-08-23 14:03:58 -07:00 committed by GitHub
parent 7d128657ca
commit cc52e2d143
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
attest/pcp_windows.go
View File

@ -26,9 +26,9 @@ import (
"github.com/google/certificate-transparency-go/x509" "github.com/google/certificate-transparency-go/x509"
"golang.org/x/sys/windows"
tpmtbs "github.com/google/go-tpm/tpmutil/tbs"
"github.com/google/go-tpm/tpmutil" "github.com/google/go-tpm/tpmutil"
tpmtbs "github.com/google/go-tpm/tpmutil/tbs"
"golang.org/x/sys/windows"
) )
const ( const (

19
attest/secureboot.go
View File

@ -19,8 +19,8 @@ import (
"errors" "errors"
"fmt" "fmt"
"github.com/google/go-attestation/attest/internal"
"github.com/google/certificate-transparency-go/x509" "github.com/google/certificate-transparency-go/x509"
"github.com/google/go-attestation/attest/internal"
) )
// SecurebootState describes the secure boot status of a machine, as determined // SecurebootState describes the secure boot status of a machine, as determined
@ -60,6 +60,12 @@ type SecurebootState struct {
// DriverLoadSourceHints describes the origin of boot services drivers. // DriverLoadSourceHints describes the origin of boot services drivers.
// This data is not tamper-proof and must only be used as a hint. // This data is not tamper-proof and must only be used as a hint.
DriverLoadSourceHints []DriverLoadSource DriverLoadSourceHints []DriverLoadSource
// DMAProtectionDisabled is true if the platform reports during boot that
// DMA protection is supported but disabled.
//
// See: https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-kernel-dma-protection
DMAProtectionDisabled bool
} }
// DriverLoadSource describes the logical origin of a boot services driver. // DriverLoadSource describes the logical origin of a boot services driver.
@ -125,10 +131,17 @@ func ParseSecurebootState(events []Event) (*SecurebootState, error) {
} }
case internal.EFIAction: case internal.EFIAction:
if string(e.Data) == "UEFI Debug Mode" { switch string(e.Data) {
case "UEFI Debug Mode":
return nil, errors.New("a UEFI debugger was present during boot") return nil, errors.New("a UEFI debugger was present during boot")
case "DMA Protection Disabled":
if digestVerify != nil {
return nil, fmt.Errorf("invalid digest for EFI Action 'DMA Protection Disabled' on event %d: %v", e.sequence, digestVerify)
}
out.DMAProtectionDisabled = true
default:
return nil, fmt.Errorf("event %d: unexpected EFI action event", e.sequence)
} }
return nil, fmt.Errorf("event %d: unexpected EFI action event", e.sequence)
case internal.EFIVariableDriverConfig: case internal.EFIVariableDriverConfig:
v, err := internal.ParseUEFIVariableData(bytes.NewReader(e.Data)) v, err := internal.ParseUEFIVariableData(bytes.NewReader(e.Data))

2
attest/tpm_windows.go
View File

@ -28,9 +28,9 @@ import (
"io" "io"
"math/big" "math/big"
"golang.org/x/sys/windows"
tpm1 "github.com/google/go-tpm/tpm" tpm1 "github.com/google/go-tpm/tpm"
tpmtbs "github.com/google/go-tpm/tpmutil/tbs" tpmtbs "github.com/google/go-tpm/tpmutil/tbs"
"golang.org/x/sys/windows"
) )
var wellKnownAuth [20]byte var wellKnownAuth [20]byte