failed to validate the PCClient event log in VMware

[GastonMeghi]

I've created the following script for testing proposes and I'm running it on a VMware VM with a virtualized TPM with RHEL8 as the OS. I got the following error when running server.VerifyAttestation:

failed to validate the PCClient event log:
failed to replay event log: event log failed to verify: the following registers failed to replay: [0]

Is this expected to happen? I'm thinking about testing this on my real machine with the actual TPM but I afraid to break something.

The code is pretty much the same as the verify_test.go one but using VMwares virtualized TPM.

`package main

import (
"crypto"
"fmt"

"github.com/google/go-tpm-tools/client"
"github.com/google/go-tpm-tools/server"
"github.com/google/go-tpm/tpm2"

)

func main() {

tpm, err := tpm2.OpenTPM()
if err != nil {
	fmt.Println("[ERROR] opening tpm failed: ", err)
	return
}

AttestationKeyRSA, err := client.AttestationKeyRSA(tpm)
defer AttestationKeyRSA.Close()

if err != nil {
	fmt.Println("[ERROR] RSA AK Creation failed: ", err)
	return
}
fmt.Println("[INFO] AK Created: ", AttestationKeyRSA)

nonce, err := tpm2.GetRandom(tpm, 15)

if err != nil {
	fmt.Println("[ERROR] nonce creation failed: ", err)
	return
}
fmt.Println("[INFO] nonce Created: ", nonce)

attestation, err := AttestationKeyRSA.Attest(client.AttestOpts{Nonce: nonce})

if err != nil {
	fmt.Println("[ERROR] Attestation failed: ", err)
	return
}

MachineState, err := server.VerifyAttestation(attestation, server.VerifyOpts{
	Nonce:      nonce,
	TrustedAKs: []crypto.PublicKey{AttestationKeyRSA.PublicKey()},
})

if err != nil {
	// handle error
	fmt.Println("[ERROR] VerifyAttestation failed: ", err)
	return
}

fmt.Println("INFO: Grub State", MachineState)

}`

[alexmwu]

This is not unexpected. See #141 for another example.

Basically, this error means the event log located at /sys/kernel/security/tpm0/binary_bios_measurements failed to replay against PCR0 (BIOS measurements, including CRTM). It could be a firmware bug as firmware has been known to log a different measurement in the event log than what they measure into the TPM.

Feel free to dump that here and I can take a look, or you can also examine the event log yourself by running tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements. (https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_eventlog.1.md)

[GastonMeghi]

okay, no worries! I can check it. One question though, how risky is it to run this types of routines agains the real TPM? I don't need to do more than a credential activation to verify that the AK comes from a real TPM as shown on the readme of go attestation, and after that do boot measurements. I think it's risk free right? Because I tried this same program on ubuntu 22.04 and it didn't work also. It might be VMware the one causing issues.

[alexmwu]

I think the only mutating command you're running above is in creating the AttestationKey:
AttestationKeyRSA, err := client.AttestationKeyRSA(tpm). This is cached, however, and should not create a new one if you call it again (provided the template is the same)

Everything else reads from the TPM or the firmware event log and does not modify the TPM.