On Tue, 30 Jun 2020 at 20:53, Peter Jones <pjones@xxxxxxxxxx> wrote: > > On Tue, Jun 16, 2020 at 11:08:38AM +0200, Ard Biesheuvel wrote: > > (cc Matthew and Peter) > > > > On Tue, 16 Jun 2020 at 01:28, Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx> wrote: > > > > > > Require that the TCG_PCR_EVENT2.digests.count value strictly matches the > > > value of TCG_EfiSpecIdEvent.numberOfAlgorithms in the event field of the > > > TCG_PCClientPCREvent event log header. Also require that > > > TCG_EfiSpecIdEvent.numberOfAlgorithms is non-zero. > > > > > > The TCG PC Client Platform Firmware Profile Specification section 9.1 > > > (Family "2.0", Level 00 Revision 1.04) states: > > > > > > For each Hash algorithm enumerated in the TCG_PCClientPCREvent entry, > > > there SHALL be a corresponding digest in all TCG_PCR_EVENT2 structures. > > > Note: This includes EV_NO_ACTION events which do not extend the PCR. > > > > > > Section 9.4.5.1 provides this description of > > > TCG_EfiSpecIdEvent.numberOfAlgorithms: > > > > > > The number of Hash algorithms in the digestSizes field. This field MUST > > > be set to a value of 0x01 or greater. > > > > > > Enforce these restrictions, as required by the above specification, in > > > order to better identify and ignore invalid sequences of bytes at the > > > end of an otherwise valid TPM2 event log. Firmware doesn't always have > > > the means necessary to inform the kernel of the actual event log size so > > > the kernel's event log parsing code should be stringent when parsing the > > > event log for resiliency against firmware bugs. This is true, for > > > example, when firmware passes the event log to the kernel via a reserved > > > memory region described in device tree. > > > > > > > When does this happen? Do we have code in mainline that does this? > > > > > Prior to this patch, a single bit set in the offset corresponding to > > > either the TCG_PCR_EVENT2.eventType or TCG_PCR_EVENT2.eventSize fields, > > > after the last valid event log entry, could confuse the parser into > > > thinking that an additional entry is present in the event log. This > > > patch raises the bar on how difficult it is for stale memory to confuse > > > the kernel's event log parser but there's still a reliance on firmware > > > to properly initialize the remainder of the memory region reserved for > > > the event log as the parser cannot be expected to detect a stale but > > > otherwise properly formatted firmware event log entry. > > > > > > Fixes: fd5c78694f3f ("tpm: fix handling of the TPM 2.0 event logs") > > > Signed-off-by: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx> > > > --- > > > > I am all for stringent checks, but this could potentially break > > measured boot on systems that are working fine today, right? > > Seems like in that case our measurement is unreliable and can't really > be trusted. That said, having things that were using the measurements > before this suddenly stop being able to access sealed secrets is not a > great experience for the user who unwittingly bought the junk hardware. > Same with the zero-supported-hashes case. It would be nice to at log it > and have a way for them to opt-in to allowing the old measurement to go > through, so they can recover their data, though I don't know what that > method would be if the measured command line is one of their > dependencies. > Maybe use a EFI variable?