Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SecureBootState to ParseMachineState #139

Merged
merged 14 commits into from
Dec 2, 2021
Merged

Add SecureBootState to ParseMachineState #139

merged 14 commits into from
Dec 2, 2021

Conversation

alexmwu
Copy link
Contributor

@alexmwu alexmwu commented Nov 2, 2021
edited
Loading

Also modifies the output of ParseMachineState to return GroupedErrors to better extract errors in parsing for certain parts of the event log.
Add testing on ParseGCENonHostInfo

Fixes #142

@alexmwu
Add SecureBootState to MachineState
219896e 
SecureBootState contains enabled, db, dbx, and (post-separator) authority for
the time being.
@alexmwu
Generate pb golang files with protoc
873aea0 
Ran `go generate ./...`.
@alexmwu
Add current and historic x64 dbx files
ec8aa2c 
Add the dbx files from
https://uefi.org/revocationlistfile

These are the the commonly expected and dbx files.
@alexmwu
Add MachineStateError
6f303fd 
MachineStateError is a struct that wraps multiple parsing errors when
calling ParseMachineState.
@alexmwu
Add SecureBootState support to ParseMachineState
4e23962 
This includes the Secure Boot variable (whether enabled), db, dbx, and
post-separator Authority. As with PlatformState, ParseMachineState may
return a zero value SecureBootState in MachineState if Secure Boot
parsing failed.

This commit also changes the output of
ParseMachineState to return *MachineStateError (implements error) so
that dependents can get a detailed view of which parts of the event log
fail parsing. As the type implements the Error interface, this is not
a breaking change.
@alexmwu
Change MachineStateError to GroupedError
556870a 
GroupedError allows the error that wraps a slice of errors to be reused
for Policy evaluation. This adds a helper function as well and fixes an
issue with the return value of ParseMachineState.

Previously, we always returned a non-nil MachineStateError from
ParseMachineState.  A zero value MachineStateError evaluate as
non-nil in error catching blocks, so we want to instead return
either nil or a pointer to a valid MachineStateError.
@alexmwu
Add helper methods for dealing with GroupedErrors
e156911 
Often when dealing with GroupedErrors (e.g., parsing a MachineState),
there may be a known issue that a user will want to ignore. These
functions support filtering through all the errors and looking for a
matching substring and also asserting if there is only one match.
@alexmwu
Ignore certain event log test parsing errors
c4c214f 
The Ubuntu2104NoDbxGCE and Ubuntu2104NoSecureBootGCE event logs fail to
parse due to a known issue where go-attestation does not handle SBAT
entries: google/go-attestation#222.

The Arch Linux event log has a Secure Boot variable with length 0, as
opposed to length 1 and data 0. This also causes parsing errors in
go-attestation:
https://github.com/google/go-attestation/blob/master/attest/secureboot.go#L165-L167

For now, we should expect certain errors and let the test succeed.
@alexmwu alexmwu requested review from josephlr, iKevinY and jkl73 November 2, 2021 01:28
iKevinY
iKevinY approved these changes Nov 2, 2021
View reviewed changes
proto/attest.proto Outdated Show resolved Hide resolved
jkl73
jkl73 reviewed Nov 3, 2021
View reviewed changes
server/eventlog.go Show resolved Hide resolved
proto/attest.proto Show resolved Hide resolved
proto/attest.proto Show resolved Hide resolved
server/eventlog_test.go Outdated Show resolved Hide resolved
server/eventlog.go Outdated Show resolved Hide resolved
alexmwu added a commit to alexmwu/go-tpm-tools that referenced this pull request Nov 5, 2021
@alexmwu
Temp regenerate pb golang
fb28a26 
Will need to rebase on google#139
alexmwu added a commit to alexmwu/go-tpm-tools that referenced this pull request Nov 18, 2021
@alexmwu
Temp regenerate the kernel-related protos
469ed71 
DONOTMERGE: Need to rebase against google#139.
@alexmwu alexmwu mentioned this pull request Nov 22, 2021
Merged
josephlr
josephlr approved these changes Dec 2, 2021
View reviewed changes
Copy link
Member

@josephlr josephlr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Some things that we want to address in followup PRs:

We should add more tests to make sure that the parsed out DB/DBX works like we expect

I think we can improve the ergonomics of GroupedError to work better with the Golang standard Is and As methods. But that's fine to do in a followup PR

proto/attest.proto Outdated Show resolved Hide resolved
server/eventlog.go Outdated Show resolved Hide resolved
@alexmwu alexmwu merged commit 17d6874 into google:master Dec 2, 2021
@alexmwu alexmwu deleted the secure-boot branch December 2, 2021 16:36
@alexmwu alexmwu mentioned this pull request Dec 2, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkl73 jkl73 jkl73 approved these changes

@josephlr josephlr josephlr approved these changes

@iKevinY iKevinY iKevinY approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

MachineState to surface abstraction to detect SecureBootState
4 participants
@alexmwu @iKevinY @josephlr @jkl73