Commit Graph

240 Commits

Author SHA1 Message Date
Paweł Szałachowski
d436f3c9c5
attestPCRs(): make sure that the return values are consistent (#199) 2021-01-12 16:21:21 -08:00
Eric Chiang
339bdb245a
attest: add bounds checks for slice indexes (#197)
Found manually looking through the code. The activate credential could
crash the client, the secureboot and challenge generation could crash
the server.
2020-12-30 19:33:55 +01:00
dependabot[bot]
0ee6160aab
Bump github.com/google/go-tpm-tools from 0.2.0 to 0.2.1 (#196)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.2.0 to 0.2.1.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.2.0...v0.2.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-12-14 12:49:45 +01:00
dependabot[bot]
f98225cdc5
Bump github.com/google/go-tpm from 0.3.1 to 0.3.2 (#195)
Bumps [github.com/google/go-tpm](https://github.com/google/go-tpm) from 0.3.1 to 0.3.2.
- [Release notes](https://github.com/google/go-tpm/releases)
- [Commits](https://github.com/google/go-tpm/compare/v0.3.1...v0.3.2)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-12-14 12:44:47 +01:00
Deepika Rajani
dfe63791df
Update tpm_windows.go (#194) 2020-12-14 12:37:04 +01:00
Deepika Rajani
2f809d0330
Deepikarajani24 patch 1 (#193)
* tbs.dll to not initialize on start up
so that it's not initialized when tpm support is not required

Changed author to my google.com user

* initialize tbs.dll and proc Tbsi_GetDeviceInfo during probeSystemTPMs

initialization is done in probeSystemTPMs as it's called before openTPM which requires support of the dll
changed author to my google.com user

* tbs.dll to load once

Changed the author to my google.com email

* Tbsi_GetDeviceInfo check to happen once
changed the author of the commit
2020-12-02 11:09:22 -08:00
dependabot[bot]
9632df6f12
Bump github.com/google/go-cmp from 0.5.3 to 0.5.4 (#191)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.3 to 0.5.4.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.3...v0.5.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom D <40675700+twitchy-jsonp@users.noreply.github.com>
2020-11-30 12:27:08 -08:00
Eric Chiang
0efaf4b19f
attest: improve event log debugging (#190)
Event log verification is terrible and easy to mess up. Even if you
replay against the PCRs there are still values that can be tampered with
or reordered. PCRs also shouldn't be trusted unless they're attested to
have come from the correct TPM.

Given this, it seems advantageous to add some ability to consume raw
event logs, even if it's just for debugging.
2020-11-30 12:22:43 -08:00
Aditya Prakash
63c5188962
Export InvalidPCRs field in ReplayError (#189)
* Export InvalidPCRs field in ReplayError

In order to retrieve the Invalid PCRs which couldn't be replayed against the Event log, we need this field to be exported as this gives the exact and true information. Replay error events will give all the events, but doesn't give the exact PCR index which doesn't get replayed. 

Following is the test to extend PCR 7 and verify the PCRs 7,8,9 against the Event log. Output:
```
event log failed to verify: the following registers failed to replay: [7]
ReplayError Events:=[107]
Replay Error Events PCR indexes=[0 7 2 3 6 9 8 1 4 5]
```

* Add Comment to the exported field
2020-11-30 11:56:55 -08:00
Brandon Weeks
d90962df3c
Add InjectSimulatedTPMForTest function for testing (#187) 2020-11-19 07:43:19 +01:00
Brandon Weeks
6bd14729ac
Add RFC 4043 and GCP OIDs (#188)
Co-authored-by: Tom D <40675700+twitchy-jsonp@users.noreply.github.com>
2020-11-18 22:34:46 -08:00
Brandon Weeks
72a39f3597
Upgrade dependencies, enable Dependabot (#186)
Co-authored-by: Tom D <40675700+twitchy-jsonp@users.noreply.github.com>
2020-11-18 22:29:50 -08:00
Brandon Weeks
25f5b13c2c
Fix Go Vet string conversion warnings (#185)
https://golang.org/doc/go1.15#vet
2020-11-18 22:25:44 -08:00
Eric Chiang
b59ed18da9
Revert "README: add build dependencies to instructions (#68)" (#184)
This reverts commit 1b270852e6.
2020-11-18 09:45:30 -08:00
Eric Chiang
1b270852e6
README: add build dependencies to instructions (#68) 2020-11-18 09:24:10 -08:00
Matthew Garrett
3cc596e3c6 Add missing optional tags
Some fields have default values, which also means they should be treated
as optional. Fix up the tagging to handle that. The natural defaults
here will work, so no need to make them explicit.
2020-11-17 15:00:41 -08:00
Matthew Garrett
4ad1cc2bf5 Fix type for ComponentClassValue
This is an octet string (ie, an array of bytes) rather than a string.
Fix it to be []byte.
2020-11-12 16:31:41 -08:00
Matthew Garrett
cc244b36f4 Explicitly tag context-specific UTF8Strings
Context-specific fields in ASN.1 don't have explicit type tags in the
ASN.1 stream, so encoding/asn1 infers the tag from the type of the
struct field the stream is being unmarshalled to. By default string is
assumed to be PrintableString, which is only permitted to contain a
subset of possible characters. If a field is defined as UTF8String in
the spec then it may contain characters that are not permitted in
PrintableString, and in this case Unmarshal() will return an error. We
can avoid this by explicitly tagging any context-specific UTF8Strings.
2020-11-12 16:31:41 -08:00
Brandon Weeks
355135fd13
Create codeql-analysis.yml (#180) 2020-10-06 15:20:54 +02:00
Joseph Richey
8bf9473a2e
Merge pull request #179 from twitchy-jsonp/no_cgo
Disable linux TPM12 support if build without cgo
2020-09-24 12:36:46 -07:00
Tom D'Netto
5eca4dfe2a Disable linux TPM12 support if build without cgo 2020-09-24 11:35:08 -07:00
Tom D
142c9d263a
Implement parsing of PCR 13 WBCL information (#178) 2020-09-14 16:44:10 -07:00
Tom D
2453c8f39a
Update go-tpm dependency to 0.3.0 (#176) 2020-07-23 12:15:16 -07:00
Brandon Weeks
9559fc1cd4 Create oid package to centralize TCG relevant OIDs 2020-07-23 12:13:07 -07:00
Tom D
63d2595542
Update dependencies of go-attestation (#175)
* Update to latest version of go-tpm

* Update go-tpm-tools to latest
2020-07-23 11:42:24 -07:00
Tom D
6d760d44a1
windows events: Extract the ELAM driver names and their configuration (#173) 2020-06-18 13:59:51 -07:00
Matthew Garrett
fe22f29ec8 Handle StartupLocality events
Systems with TXT enabled may issue the TPM2_Startup() command from a
locality other than 0. In this case, the initial value of PCR0 will
represent the locality that the call was made from. This is exposed to
higher layers by an EV_NO_ACTION event that has data containing the
NULL-terminated string "StartupLocality" followed by a single byte
representing the state of the locality. As this event is EV_NO_ACTION,
it does not represent an extension in itself.

So:

1) Ignore events that are EV_NO_ACTION when replaying the log, except:
2) For PCR0, if an event is EV_NO_ACTION and contains the string
"StartupLocality", use the final byte of the event data as the initial
value of PCR0 for the replay.
2020-06-11 13:18:05 -07:00
Tom D
5e360d3104
Remove constraint that all reported bitlocker unlocks use the same method. (#170) 2020-06-10 17:10:15 -07:00
Eric Chiang
0fec707a00
Merge pull request #169 from alishuja/master
Fixed typo
2020-06-10 08:01:05 -07:00
Ali Shuja Siddiqui
863b7400b1
Fixed typo 2020-06-10 10:57:09 -04:00
Tom D
3b5f0a5e00
Begin implementing extraction of windows info from the event log (#167) 2020-06-01 17:35:23 -07:00
Matthew Garrett
42b1d805de
Handle platform certificates that only provide a single property (#168)
Handle platform certificates that only provide a single property

The spec states that the PlatformProperties field of the
PlatformConfiguration attribute should be a sequence of key value pairs.
However, it seems that if there's only a single property present, it's
sometimes being stored as a bare key value pair rather than a sequence
with a single entry. Work around that.
2020-05-29 17:24:06 -07:00
Matthew Garrett
fbd936aac7 Parse out platform component and properties data
This provides information about individual components within the system,
which may be useful for various policy decisions.
2020-05-08 14:32:33 -07:00
Matthew Garrett
3538e3d287 Fix broken tag statements
A number of the struct definitions had broken tag definitions, which
meant some parsing was working by accident and some parsing was entirely
broken. Fixing this uncovered some additional issues (a mixture of
incorrect definitions and platform certificates that violate the spec),
so this is all cleaned up as well.
2020-05-08 14:32:33 -07:00
Tom D
596928d20b
Fix oss-fuzz, update to latest go-tpm (#165) 2020-05-07 15:25:53 -07:00
Matthew Garrett
bddeb5217c Add tests to verify attribute certificate signatures
Use an old Intel Transparent Supply Chain certificate to verify the
signatures for the test platform certificates we have that correspond to
it.
2020-05-06 18:54:52 -07:00
Matthew Garrett
61ed2a0d17 Fix attribute certificate signature handling
Attribute certificates are generally using RSA-SHA1 or RSA-SHA256
signatures, so include those. In addition, the CA signing restrictions
imposed for general purpose certificates don't apply here - drop that
restriction from certificate signature validation.
2020-05-06 18:54:52 -07:00
Tom D
ebb0b62d80
Split linuxTPM -> {trousersTPM,wrappedTPM20}, implement CommandChannel
* Split linuxTPM -> {trousersTPM,wrappedTPM20} + prefix windows key type with windows

* Address feedback, implement CommandChannel
2020-05-05 16:56:57 -07:00
Tom D
1045ef6327
Refactor *platformTPM -> tpmBase interface (#160) 2020-05-05 14:56:40 -07:00
Tom D
ab116a02a1
Implement workaround for secureboot authority events from shim (#158) 2020-05-01 14:20:54 -07:00
Tom D
022cf8e2ae
Fix broken build from intersection of two PRs (#155) 2020-04-16 11:42:48 -07:00
Tom D
67c0b4ad07
Add workaround in validation for missing exit boot services event log messages (#153) 2020-04-16 10:20:55 -07:00
Matthew Garrett
0815f5e221
Remove length-based hash lookups
Using the length of a digest to infer the hash algorithm is somewhat
fragile - if we end up with multiple hash algorithms that share the same
digest length, things will break. Instead, pass more complete digest
information through to relevant functions and figure things out by
mapping the TPM hash algorithm to the appropriate Golang type.
2020-04-14 14:38:24 -07:00
Tom D
fe41cef1db
Return error from AttestPlatform() if the event log returned from the system is too short to be valid (#151) 2020-01-30 14:39:59 -08:00
Brandon Weeks
e9e2656545 Return an error if event data size is 0 2020-01-08 13:43:10 -08:00
Tom D
e134551bb0
Implement extractor for determining secure boot state (#148) 2019-12-19 12:28:32 -08:00
Eric Chiang
34338f547c
Merge pull request #147 from ericchiang/formatting
docs: small changes to wording in the event log disclosure
2019-12-12 09:41:08 -08:00
Eric Chiang
9ad68fc43f docs: small changes to wording in the event log disclosure 2019-12-12 09:33:10 -08:00
Eric Chiang
303958184b
Merge pull request #146 from afritzler/patch-1
Fixed typo
2019-12-11 13:58:20 -08:00
Andreas Fritzler
c0a238f2c6
Fixed typo 2019-12-11 22:02:49 +01:00