* AKPublic.Verify: Return an error if a provided PCR of the correct
digest was not included in the quote.
* AKPublic.VerifyAll: Implement VerifyAll method, which can cross-check
that provided PCRs were covered by quotes across PCR banks.
* PCR.QuoteVerified(): Introduce getter method to expose whether a
PCR value was covered during quote verification.
This change allows users to specify TPM1.2 support rather than remove it.
go-attestation will build without needing Trousers/TSPI support.
The flip-side of this is that TPM1.2 does not just work; TPM1.2 users need to
include the `tspi` build tag.
As part of the Boothole fixes, shim has introduced an
SBAT feature https://github.com/rhboot/shim/blob/main/SBAT.md.
SBAT configuration is configured to log to PCR7 using
EV_EFI_VARIABLE_AUTHORITY.
493bd940e5/mok.c (L228-L247)
This causes issue with ParseUEFIVariableAuthority, as
it asssumes that an event with type EV_EFI_VARIABLE_AUTHORITY
can be parsed as EFI_SIGNATURE_DATA, per section 3.3.4.8
of the TCG PC Client Platform Firmware Profile Specification.
* replace CertifyCreation() by CertifyEx() to handle certification of objects for which we cannot extract CreationData
* add AK.Certify(handle) allowing to certify externally-created keys
* replace ReadPublic() by DecodePublic() when creating and loading keys: the current implementation calls ReadPublic() even if public data is already accessible
* drop handle() from the ak interface: it is unnecessary
* add Blobs() to attest.Key: to allow agnostic key marshaling
Found manually looking through the code. The activate credential could
crash the client, the secureboot and challenge generation could crash
the server.
* tbs.dll to not initialize on start up
so that it's not initialized when tpm support is not required
Changed author to my google.com user
* initialize tbs.dll and proc Tbsi_GetDeviceInfo during probeSystemTPMs
initialization is done in probeSystemTPMs as it's called before openTPM which requires support of the dll
changed author to my google.com user
* tbs.dll to load once
Changed the author to my google.com email
* Tbsi_GetDeviceInfo check to happen once
changed the author of the commit
Event log verification is terrible and easy to mess up. Even if you
replay against the PCRs there are still values that can be tampered with
or reordered. PCRs also shouldn't be trusted unless they're attested to
have come from the correct TPM.
Given this, it seems advantageous to add some ability to consume raw
event logs, even if it's just for debugging.
* Export InvalidPCRs field in ReplayError
In order to retrieve the Invalid PCRs which couldn't be replayed against the Event log, we need this field to be exported as this gives the exact and true information. Replay error events will give all the events, but doesn't give the exact PCR index which doesn't get replayed.
Following is the test to extend PCR 7 and verify the PCRs 7,8,9 against the Event log. Output:
```
event log failed to verify: the following registers failed to replay: [7]
ReplayError Events:=[107]
Replay Error Events PCR indexes=[0 7 2 3 6 9 8 1 4 5]
```
* Add Comment to the exported field
Systems with TXT enabled may issue the TPM2_Startup() command from a
locality other than 0. In this case, the initial value of PCR0 will
represent the locality that the call was made from. This is exposed to
higher layers by an EV_NO_ACTION event that has data containing the
NULL-terminated string "StartupLocality" followed by a single byte
representing the state of the locality. As this event is EV_NO_ACTION,
it does not represent an extension in itself.
So:
1) Ignore events that are EV_NO_ACTION when replaying the log, except:
2) For PCR0, if an event is EV_NO_ACTION and contains the string
"StartupLocality", use the final byte of the event data as the initial
value of PCR0 for the replay.
