diff --git a/extract/extract.go b/extract/extract.go
index 45c6aef..87f6a1d 100644
--- a/extract/extract.go
+++ b/extract/extract.go
@@ -432,9 +432,6 @@ func EfiState(hash crypto.Hash, events []tcg.Event, registerCfg registerConfig,
 return nil, err
 }
 if isSeparator {
- if !seenCallingEfiApp {
- return nil, fmt.Errorf("found separator event in %s%d before CallingEFIApp event", registerCfg.Name, index)
- }
 if seenSeparator4 {
 return nil, fmt.Errorf("found duplicate Separator event in %s%d", registerCfg.Name, registerCfg.EFIAppIdx)
 }
diff --git a/extract/extract_test.go b/extract/extract_test.go
index 266331b..a4baa7d 100644
--- a/extract/extract_test.go
+++ b/extract/extract_test.go
@@ -334,8 +334,9 @@ func TestExtractFirmwareLogStateTPM(t *testing.T) {
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
 eventGetters := map[string]func(*testing.T) (crypto.Hash, []tcg.Event){
- "singleBoot": getTPMELEvents,
- "multipleBoot": getTPMELEventsWithMultipleBootAttempts,
+ "singleBoot": getTPMELEvents,
+ "ubuntuMultipleBoot": getTPMELEventsUbuntuWithMultipleBootAttempts,
+ "cosSecureMultipleBoot": getTPMELEventsCosWithSecureBootAndMultipleBootAttempts,
 }
 for name, getEvents := range eventGetters {
 t.Run(name, func(t *testing.T) {
@@ -541,26 +542,6 @@ func TestEfiState(t *testing.T) {
 AllowEFIAppBeforeCallingEvent: false,
 },
 },
- {
- name: "failed with valid boot attempt before Separator event in CCEL logs",
- events: func() (crypto.Hash, []tcg.Event) {
- hash, evts := crypto.SHA384, getCCELEvents(t)
- var failedEvts []tcg.Event
- for _, e := range evts {
- if bytes.Equal(e.RawData(), []byte(tcg.CallingEFIApplication)) {
- continue
- }
- failedEvts = append(failedEvts, e)
- }
- return hash, failedEvts
- },
- registserConfig: RTMRRegisterConfig,
- wantPass: false,
- wantEfiState: nil,
- opts: Opts{
- AllowEFIAppBeforeCallingEvent: true,
- },
- },
 }
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
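Review bot: Deleting the `if !seenCallingEfiApp` guard inside the `if isSeparator {` branch of EfiState drops a structural sanity check on the event log for every caller, whereas the surrounding code already expresses such relaxations as options (the test table passes `Opts{AllowEFIAppBeforeCallingEvent: true}`); after this change a log whose EFI-app register carries a Separator with no preceding CallingEFIApp event passes this gate unconditionally, not only for the COS secure-boot multi-attempt logs the new test data appears to motivate. Consider keeping the check behind a new Opts field, e.g. `if !seenCallingEfiApp && !<opts>.AllowSeparatorBeforeCallingEvent {` (field name is a proposal), or at minimum leave a comment where the lines were, such as `// A Separator may legitimately precede the first CallingEFIApp event (seen on COS secure-boot logs with multiple boot attempts), so its absence is not an error here.` so the omission reads as deliberate. Whether seenCallingEfiApp is still consulted further down is not visible in this hunk; if it is not, the flag has become dead state. EfiState starts and ends outside the hunk.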
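Review bot: The deleted table entry "failed with valid boot attempt before Separator event in CCEL logs" was the only case feeding EfiState a log with its CallingEFIApplication events stripped, and the commit removes it rather than inverting it to the behaviour the code now has. Keeping the same events builder with `wantPass: true,` and a concrete `wantEfiState` would pin what EfiState extracts from a log that reaches a Separator without any CallingEFIApp event, which is precisely the shape the extract.go hunk starts accepting; as written that path ends up with no coverage in this table. The enclosing TestEfiState table starts and ends outside the hunk.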
@@ -603,8 +584,8 @@ func getTPMELEvents(t *testing.T) (crypto.Hash, []tcg.Event) { return cryptoHash, events } -func getTPMELEventsWithMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Event) { - log := testdata.Ubuntu2404IntelTdxEventLog +func getTPMELEventsUbuntuWithMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Event) { + log := testdata.Ubuntu2404IntelTdxA4HighGpu8GEventLog bank := testutil.MakePCRBank(pb.HashAlgo_SHA384, map[uint32][]byte{ 0: decodeHex("592b3f42ec556a9c093f201124cc7313fdaa4ce40ae1602e14d51f18fbfc480d6a1e196d1c52ad919328410272dc7222"), 1: decodeHex("ba1ac69c213175dc72db1493bd5bdfa4799028fe5d5c2bb41ddccc6affa50ba01f189d4639a77afbedd6dd6aff1af3b4"), 
@@ -643,6 +624,46 @@ func getTPMELEventsWithMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Ev return cryptoHash, events } +func getTPMELEventsCosWithSecureBootAndMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Event) { + log := testdata.Cos125IntelTdxSecureBootA4HighGpu8GEventLog + bank := testutil.MakePCRBank(pb.HashAlgo_SHA384, map[uint32][]byte{ + 0: decodeHex("592b3f42ec556a9c093f201124cc7313fdaa4ce40ae1602e14d51f18fbfc480d6a1e196d1c52ad919328410272dc7222"), + 1: decodeHex("d67b943903a0ac6244e491604f4d4c2090031142847e914add418b058b032aa636a7eb559669b1879b8459963ab63c24"), + 2: decodeHex("c286e5791d56d735f1e159bc77c5c0fb04e27a4cb697e74974b98c9db246ac7effc466ab20f42bcd974d2c5e3f1ce7c3"), + 3: decodeHex("518923b0f955d08da077c96aaba522b9decede61c599cea6c41889cfbea4ae4d50529d96fe4d1afdafb65e7f95bf23c4"), + 4: decodeHex("404e1dfa6118533162df83b88e9e183272d139e8cb306f103251030aa444ba005e2b9c8cdb90c275f707dd29e21d0085"), + 5: decodeHex("c50b529497c7f441ea47305587d6ce83e2e31f7b4fab6c13dc0b0c3c900e1d0caf0768321100927862df142bf0465ee4"), + 6: decodeHex("518923b0f955d08da077c96aaba522b9decede61c599cea6c41889cfbea4ae4d50529d96fe4d1afdafb65e7f95bf23c4"), + 7: decodeHex("6e64b25bab4f2382466f419dae07a4dbdbaaa3ce56c16bb740516c8bc05cb6c3dbc161016739be4e542a7265c4bd1d70"), + 8: decodeHex("08052cde78f6561f52a4c37286edac23fa6915e211881770a5ebbbc5fc22411a4805829b9ca4741e0715edbb58aec4e5"), + 9: decodeHex("596ecbc8e6077dd980848c6f2ebcc7876321c9228eef86939fc61733d02d988e25a3a06d280f36c8d9c026ba2d6175d7"), + 10: decodeHex("8dfb3a115f861a7ef67e9670d47fe970f1029be7ca67b90cb851bc3358311ea3fd376b763b40b3a53df7785f75f1a8cb"), + 11: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), + 12: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), + 13: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), + 14: 
decodeHex("7dd22d0be1dc4debfbfc5900589ea0940c6276d92edb6fed8625b6ec1f9be341c253d877229c00925c826761760cb355"), + 15: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), + 16: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), + 17: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + 18: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + 19: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + 20: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + 21: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + 22: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), + 23: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), + }) + cryptoHash, err := bank.CryptoHash() + if err != nil { + t.Fatal(err) + } + events, err := tcg.ParseAndReplay(log, bank.MRs(), tcg.ParseOpts{}) + if err != nil { + t.Fatal(err) + + } + return cryptoHash, events +} + func decodeHex(hexStr string) []byte { bytes, err := hex.DecodeString(hexStr) if err != nil { diff --git a/testdata/eventlog_data.go b/testdata/eventlog_data.go index 6726180..fd8ce92 100644 --- a/testdata/eventlog_data.go +++ b/testdata/eventlog_data.go 
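Review bot: getTPMELEventsCosWithSecureBootAndMultipleBootAttempts has a stray blank line inside its second `if err != nil {` block, between `t.Fatal(err)` and `}`; gofmt preserves it, so remove it by hand. The helper also warrants a doc comment saying what the embedded log captures, since that log is what motivates the extract.go change, e.g. `// getTPMELEventsCosWithSecureBootAndMultipleBootAttempts replays the COS 125 Intel TDX secure-boot event log, which records multiple boot attempts, against its expected PCR bank.`, and if the log indeed contains a Separator before any CallingEFIApp event that property should be stated once confirmed against the data. The 24-entry PCR map mirrors the Ubuntu helper above it (PCR0 is byte-identical), so a shared helper taking the log and the PCR map would remove the duplication; that part is a suggestion only.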
@@ -46,7 +46,9 @@ var ( //go:embed eventlogs/tpm/gdc-host.bin GdcHost []byte //go:embed eventlogs/tpm/ubuntu-2404-intel-tdx.bin - Ubuntu2404IntelTdxEventLog []byte + Ubuntu2404IntelTdxA4HighGpu8GEventLog []byte + //go:embed eventlogs/tpm/cos-125-intel-tdx-secure-boot.bin + Cos125IntelTdxSecureBootA4HighGpu8GEventLog []byte ) // Kernel command lines from event logs. diff --git a/testdata/eventlogs/tpm/cos-125-intel-tdx-secure-boot.bin b/testdata/eventlogs/tpm/cos-125-intel-tdx-secure-boot.bin new file mode 100644 index 0000000..b003540 Binary files /dev/null and b/testdata/eventlogs/tpm/cos-125-intel-tdx-secure-boot.bin differ diff --git a/tpmeventlog/replay_test.go b/tpmeventlog/replay_test.go index 3fee08d..b241aad 100644 --- a/tpmeventlog/replay_test.go +++ b/tpmeventlog/replay_test.go @@ -596,7 +596,7 @@ func TestParseEventLogs(t *testing.T) { {Ubuntu2104NoSecureBootGCE, "Ubuntu2104NoSecureBootGCE", extract.Opts{Loader: extract.GRUB}, []string{sbatErrorStr}}, {Ubuntu2404AmdSevSnp, "Ubuntu2404AmdSevSnp", extract.Opts{Loader: extract.GRUB}, nil}, // This event log has a SecureBoot variable length of 0. - {ArchLinuxWorkstation, "ArchLinuxWorkstation", extract.Opts{Loader: extract.UnsupportedLoader, AllowEFIAppBeforeCallingEvent: true, AllowEmptySBVar: true}, []string{"found separator event in PCR4 before CallingEFIApp event"}}, + {ArchLinuxWorkstation, "ArchLinuxWorkstation", extract.Opts{Loader: extract.UnsupportedLoader, AllowEFIAppBeforeCallingEvent: true, AllowEmptySBVar: true}, nil}, {COS85AmdSev, "COS85AmdSev", extract.Opts{Loader: extract.GRUB}, nil}, {COS93AmdSev, "COS93AmdSev", extract.Opts{Loader: extract.GRUB}, nil}, {COS101AmdSev, "COS101AmdSev", extract.Opts{Loader: extract.GRUB}, nil},
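Review bot: The renamed embed `Ubuntu2404IntelTdxA4HighGpu8GEventLog` now encodes a machine shape while its file stays `eventlogs/tpm/ubuntu-2404-intel-tdx.bin`, and the new `Cos125IntelTdxSecureBootA4HighGpu8GEventLog` omits the multiple-boot-attempts property its test helper is named after, so the identifier, the file name and the scenario no longer line up. Either rename the .bin files to match or add a one-line comment above each `//go:embed` describing the captured scenario, e.g. `// COS 125, Intel TDX, secure boot enabled, multiple boot attempts (A4 high-GPU 8G shape).`, so the provenance of each log is recoverable without reading the tests. Whether the Ubuntu log contents changed is not visible here since only the variable was renamed.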
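Review bot: The ArchLinuxWorkstation entry now expects no errors, but the fourth column appears to carry only expected error strings, so nothing asserts what EFI state is extracted from a log that previously failed the separator-before-CallingEFIApp gate — and it is parsed with `Loader: extract.UnsupportedLoader` and `AllowEFIAppBeforeCallingEvent: true`, the least-constrained path. Add an assertion, here or in a dedicated test, on the EFI application measurements extracted for this log; otherwise a regression that attributes the wrong PCR4 events to the final boot would still pass as `nil`. Whether TestParseEventLogs inspects the extracted state elsewhere is not visible in this hunk; the function starts and ends outside it.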