From d436f3c9c5945355d4219f25710f3b4ba959d20a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Sza=C5=82achowski?=
Date: Tue, 12 Jan 2021 16:21:21 -0800
Subject: [PATCH] attestPCRs(): make sure that the return values are consistent (#199)

---
 attest/tpm.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/attest/tpm.go b/attest/tpm.go
index b524833..ac374e5 100644
--- a/attest/tpm.go
+++ b/attest/tpm.go
@@ -353,6 +353,17 @@ func (t *TPM) attestPCRs(ak *AK, nonce []byte, alg HashAlg) (*Quote, []PCR, erro
 if err != nil {
 return nil, nil, fmt.Errorf("failed to quote using %v: %v", alg, err)
 }
+
+ // Make sure that the pcrs and quote values are consistent. See details in Section 17.6.2 of
+ // https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part1_Architecture_pub.pdf
+ pub, err := ParseAKPublic(t.Version(), ak.AttestationParameters().Public)
+ if err != nil {
+ return nil, nil, fmt.Errorf("failed to parse AK public: %v", err)
+ }
+ if err := pub.Verify(*quote, pcrs, nonce); err != nil {
+ return nil, nil, fmt.Errorf("local quote verification failed: %v", err)
+ }
+
 return quote, pcrs, nil
 }
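Review bot: A failure of the added `pub.Verify(*quote, pcrs, nonce)` check is flattened with `%v`, so callers cannot tell a PCR/quote mismatch from any other attestation error. If the mismatch comes from PCRs changing between the read and the quote (presumably what the cited section covers, since the read and quote calls sit outside this hunk), it is likely transient and worth a retry. Wrapping with `return nil, nil, fmt.Errorf("local quote verification failed: %w", err)` keeps the message and lets callers inspect the cause. The comment should also state the scope of the check, for example `// Local consistency check only; the remote verifier must still validate the quote and PCRs itself.`, so nobody reads it as a trust decision made on the attesting host. Separately, `*quote` is dereferenced without a nil check, which is safe only if the quote call never returns a nil quote together with a nil error; that should be confirmed.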