Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backport PR3002 to 9.4 branch #3008

Merged
merged 3 commits into from
Jan 26, 2023
+10,494 −153,738
Merged

Backport PR3002 to 9.4 branch #3008

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
063a60c
Improve key sealing code
mikem-zed Jan 20, 2023
5acd28e
Use TPMEvent instead of Extend
mikem-zed Jan 22, 2023
6793718
Remove unnecessary vendored packages
mikem-zed Jan 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
5 changes: 1 addition & 4 deletions pkg/measure-config/go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,4 @@ replace github.com/lf-edge/eve/api/go => github.com/lf-edge/eve/api/go v0.0.0-20

replace github.com/lf-edge/eve/libs/depgraph => github.com/lf-edge/eve/libs/depgraph v0.0.0-20221108162354-969f3cba94d8

require (
github.com/google/go-tpm v0.3.3
github.com/lf-edge/eve/pkg/pillar v0.0.0-20221108162354-969f3cba94d8
)
require github.com/google/go-tpm v0.3.3
2,291 changes: 1 addition & 2,290 deletions pkg/measure-config/go.sum
View file
Open in desktop

Large diffs are not rendered by default.

53 changes: 9 additions & 44 deletions pkg/measure-config/src/measurefs.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ import (

"github.com/google/go-tpm/tpm2"
"github.com/google/go-tpm/tpmutil"
"github.com/lf-edge/eve/pkg/pillar/evetpm"
)

const (
Expand Down Expand Up @@ -89,7 +88,7 @@ func sha256sumString(s string) [32]byte {
return sha256.Sum256([]byte(s))
}

func measureFileContent(filePath string, tpm io.ReadWriter, tpmPassword string) (*tpmEvent, error) {
func measureFileContent(filePath string, tpm io.ReadWriter) (*tpmEvent, error) {
hash, err := sha256sumForFile(filePath)

if err != nil {
Expand All @@ -101,7 +100,7 @@ func measureFileContent(filePath string, tpm io.ReadWriter, tpmPassword string)
// it seems PCRExtend expects a hash not data itself.
eventDataHash := sha256sumString(eventData)

err = tpm2.PCRExtend(tpm, configPCRHandle, tpm2.AlgSHA256, eventDataHash[:], tpmPassword)
err = tpm2.PCREvent(tpm, configPCRHandle, eventDataHash[:])

if err != nil {
return nil, fmt.Errorf("cannot measure %s. couldn't extend PCR: %v", filePath, err)
Expand All @@ -116,12 +115,12 @@ func measureFileContent(filePath string, tpm io.ReadWriter, tpmPassword string)
return &tpmEvent{eventData, pcr}, nil
}

func measureFilePath(filePath string, tpm io.ReadWriter, tpmPassword string, exist bool) (*tpmEvent, error) {
func measureFilePath(filePath string, tpm io.ReadWriter, exist bool) (*tpmEvent, error) {
eventData := fmt.Sprintf("file:%s exist:%t", filePath, exist)
// it seems PCRExtend expects a hash not data itself.
eventDataHash := sha256sumString(eventData)

err := tpm2.PCRExtend(tpm, configPCRHandle, tpm2.AlgSHA256, eventDataHash[:], tpmPassword)
err := tpm2.PCREvent(tpm, configPCRHandle, eventDataHash[:])

if err != nil {
return nil, fmt.Errorf("cannot measure path %s. couldn't extend PCR: %v", filePath, err)
Expand All @@ -136,29 +135,6 @@ func measureFilePath(filePath string, tpm io.ReadWriter, tpmPassword string, exi
return &tpmEvent{eventData, pcr}, nil
}

func getTPMCredentials(readFromFile bool) (string, error) {
var password string
var err error

if readFromFile {
password, err = evetpm.ReadOwnerCrdl()

// on the first run /config/tpm_credential may not exist
// but this is not a problem. In this case TPM is accessible
// without a password
if os.IsNotExist(err) {
return "", nil
}

// for any other error just return it
if err != nil {
return "", err
}
}

return password, err
}

func getFileMap() (map[string]fileInfo, error) {
files := make(map[string]fileInfo)

Expand Down Expand Up @@ -207,7 +183,7 @@ func getSortedFileList(files map[string]fileInfo) []string {
return keys
}

func measureConfig(tpm io.ReadWriter, password string) error {
func measureConfig(tpm io.ReadWriter) error {
files, err := getFileMap()

if err != nil {
Expand All @@ -225,12 +201,12 @@ func measureConfig(tpm io.ReadWriter, password string) error {

if info.exist {
if info.measureContent {
event, err = measureFileContent(file, tpm, password)
event, err = measureFileContent(file, tpm)
} else {
event, err = measureFilePath(file, tpm, password, true)
event, err = measureFilePath(file, tpm, true)
}
} else {
event, err = measureFilePath(file, tpm, password, false)
event, err = measureFilePath(file, tpm, false)
}
if err != nil {
return fmt.Errorf("cannot measure %s: %v", file, err)
Expand Down Expand Up @@ -263,18 +239,7 @@ func main() {
}
defer tpm.Close()

// now we measure config just after UEFI has finished its part
// the session is not encrypted until pillar is started and we
// must not use the password from tpm_credential so pass 'false'
// But it may be changed in future if the code is moved to other
// application
password, err := getTPMCredentials(false)

if err != nil {
log.Fatalf("couldn't read TPM credentials: %v\n", err)
}

err = measureConfig(tpm, password)
err = measureConfig(tpm)

if err != nil {
log.Fatal(err)
Expand Down
20 changes: 0 additions & 20 deletions pkg/measure-config/vendor/github.com/StackExchange/wmi/LICENSE
View file
Open in desktop

This file was deleted.

6 changes: 0 additions & 6 deletions pkg/measure-config/vendor/github.com/StackExchange/wmi/README.md
View file
Open in desktop

This file was deleted.

Loading