Re: [PATCH] Add support for TSS2 for PCR reading

[Mimi Zohar <zohar@linux.ibm.com>]

Hi Patrick,

On Sat, 2020-01-25 at 02:15 -0800, Patrick Uiterwijk wrote:
> Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>

Sorry for the long delay in reviewing the posted ima-evm-utils
patches, including yours.  I'm hoping to get back to working on ima-
evm-utils soon.

Mimi
 
> ---
>  configure.ac |   5 +++
>  src/evmctl.c | 116 +++++++++++++++++++++++++++++++++++++++++++++++++--
>  2 files changed, 118 insertions(+), 3 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index eedf90e..58a7fee 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -35,6 +35,9 @@ if test "x$TSSPCRREAD" = "xyes"; then
>  	AC_DEFINE(HAVE_TSSPCRREAD, 1, [Define to 1 if you have tsspcrread
> binary installed])],
>  fi
> 
> +AC_CHECK_LIB([tss2-esys], [Esys_PCR_Read])
> +AC_CHECK_LIB([tss2-rc], [Tss2_RC_Decode])
> +
>  AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not
> found. You need the c-library development package.])])
>  AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not
> found. You need the libkeyutils development package.])])
> 
> @@ -78,4 +81,6 @@ echo	"Configuration:"
>  echo	"          debug: $pkg_cv_enable_debug"
>  echo	"   openssl-conf: $enable_openssl_conf"
>  echo	"     tsspcrread: $TSSPCRREAD"
> +echo	"      tss2-esys: $ac_cv_lib_tss2_esys_Esys_PCR_Read"
> +echo	" tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
>  echo
> diff --git a/src/evmctl.c b/src/evmctl.c
> index b02be8b..5bc6773 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -69,6 +69,15 @@
>  #define XATTR_NAME_APPARMOR XATTR_SECURITY_PREFIX XATTR_APPARMOR_SUFFIX
>  #endif
> 
> +#ifdef HAVE_LIBTSS2_ESYS
> +#include <tss2/tss2_esys.h>
> +
> +#ifdef HAVE_LIBTSS2_RC
> +#include <tss2/tss2_rc.h>
> +#endif
> +#endif
> +
> +
>  #define USE_FPRINTF
> 
>  #include "imaevm.h"
> @@ -1407,9 +1416,110 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
>  	return result;
>  }
> 
> -#ifdef HAVE_TSSPCRREAD
> +#ifdef HAVE_LIBTSS2_ESYS
> +static int pcr_selections_match(TPML_PCR_SELECTION *a, TPML_PCR_SELECTION *b)
> +{
> +	if (a->count != b->count)
> +		return 0;
> +	for (int i = 0; i < a->count; i++) {
> +		if (a->pcrSelections[i].hash != b->pcrSelections[i].hash)
> +			return 0;
> +		if (a->pcrSelections[i].sizeofSelect != b->pcrSelections[i].sizeofSelect)
> +			return 0;
> +		for (int j = 0; j < a->pcrSelections[i].sizeofSelect; j++) {
> +			if (a->pcrSelections[i].pcrSelect[j] != b->pcrSelections[i].pcrSelect[j])
> +				return 0;
> +		}
> +	}
> +
> +	return 1;
> +}
> +
> +static inline int tpm2_set_errmsg(char **errmsg, const char *message,
> TSS2_RC ret)
> +{
> +#ifdef HAVE_LIBTSS2_RC
> +		ret = asprintf(errmsg, "%s: %s", message, Tss2_RC_Decode(ret));
> +#else
> +		ret = asprintf(errmsg, "%s: #%d", message, ret);
> +#endif
> +}
> +#endif
> +
>  static int tpm2_pcr_read(int idx, uint8_t *hwpcr, int len, char **errmsg)
>  {
> +#if defined(HAVE_LIBTSS2_ESYS)
> +	TSS2_ABI_VERSION abi_version = {
> +		.tssCreator = 1,
> +		.tssFamily = 2,
> +		.tssLevel = 1,
> +		.tssVersion = 108,
> +	};
> +	ESYS_CONTEXT *ctx = NULL;
> +	TSS2_RC ret = 0;
> +	TPML_PCR_SELECTION pcr_select_in = {
> +		.count = 1,
> +		.pcrSelections = {
> +			{
> +				.hash = TPM2_ALG_SHA1,
> +				.sizeofSelect = 3,
> +				.pcrSelect = { 0x00, 0x00, 0x00 },
> +			}
> +		}
> +	};
> +	TPML_PCR_SELECTION *pcr_select_out;
> +	TPML_DIGEST *pcr_digests;
> +	UINT32 pcr_update_counter;
> +
> +	pcr_select_in.pcrSelections[0].pcrSelect[idx / 8] = (1 << (idx % 8));
> +
> +	ret = Esys_Initialize(&ctx, NULL, &abi_version);
> +	if (ret != 0) {
> +		ret = tpm2_set_errmsg(errmsg, "esys initialize failed", ret);
> +		if (ret == -1)	/* the contents of errmsg are undefined */
> +			*errmsg = NULL;
> +		return -1;
> +	}
> +
> +	ret = Esys_PCR_Read(ctx,
> +			    ESYS_TR_NONE,
> +			    ESYS_TR_NONE,
> +			    ESYS_TR_NONE,
> +			    &pcr_select_in,
> +			    &pcr_update_counter,
> +			    &pcr_select_out,
> +			    &pcr_digests);
> +	Esys_Finalize(&ctx);
> +	if (ret != 0) {
> +		ret = tpm2_set_errmsg(errmsg, "esys PCR reading failed", ret);
> +		if (ret == -1)	/* the contents of errmsg is undefined */
> +			*errmsg = NULL;
> +		return -1;
> +	}
> +
> +	if (!pcr_selections_match(&pcr_select_in, pcr_select_out)) {
> +		Esys_Free(pcr_select_out);
> +		Esys_Free(pcr_digests);
> +
> +		ret = asprintf(errmsg, "TPM returned incorrect PCRs");
> +		if (ret == -1)	/* the contents of errmsg are undefined */
> +			*errmsg = NULL;
> +		return -1;
> +	}
> +	Esys_Free(pcr_select_out);
> +
> +	if (pcr_digests->count != 1 || pcr_digests->digests[0].size !=
> SHA_DIGEST_LENGTH) {
> +		Esys_Free(pcr_digests);
> +		ret = asprintf(errmsg, "TPM returned incorrect digests");
> +		if (ret == -1)	/* the contents of errmsg is undefined */
> +			*errmsg = NULL;
> +		return -1;
> +	}
> +
> +	memcpy(hwpcr, pcr_digests->digests[0].buffer, len);
> +	Esys_Free(pcr_digests);
> +	return 0;
> +
> +#elif defined(HAVE_TSSPCRREAD)
>  	FILE *fp;
>  	char pcr[100];	/* may contain an error */
>  	char cmd[50];
> @@ -1441,8 +1551,8 @@ static int tpm2_pcr_read(int idx, uint8_t
> *hwpcr, int len, char **errmsg)
>  		*errmsg = strndup(pcr, strlen(pcr) - 1); /* remove newline */
> 
>  	return ret;
> -}
>  #endif
> +}
> 
>  #define TCG_EVENT_NAME_LEN_MAX	255
> 
> @@ -1701,7 +1811,7 @@ static int ima_measurement(const char *file)
>  		log_dump(pcr[i], SHA_DIGEST_LENGTH);
> 
>  		if (tpm_pcr_read(i, hwpcr, sizeof(hwpcr))) {
> -#ifdef HAVE_TSSPCRREAD
> +#if defined(HAVE_TSSPCRREAD) || defined(HAVE_LIBTSS2_ESYS)
>  			char *errmsg = NULL;
> 
>  			err = tpm2_pcr_read(i, hwpcr, sizeof(hwpcr), &errmsg);