This adds support for reading TPM 2.0 PCRs using the tpm2-tools TSS.

Signed-off-by: Patrick Uiterwijk <patrick@xxxxxxxxxxxxxx>
---
 configure.ac | 6 ++++++
 src/evmctl.c | 34 ++++++++++++++++++++++++++++++----
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index 7747481..adcc6ce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -35,6 +35,11 @@ if test "x$TSSPCRREAD" = "xyes"; then
 AC_DEFINE(HAVE_TSSPCRREAD, 1, [Define to 1 if you have tsspcrread binary installed])
 fi
 
+AC_CHECK_PROG(TPM2PCRLIST, [tpm2_pcrlist], yes, no)
+if test "x$TPM2PCRLIST" = "xyes"; then
+ AC_DEFINE(HAVE_TPM2PCRLIST, 1, [Define to 1 if you have the tpm2_pcrlist binary installed])
+fi
+
 AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])
 AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
 
@@ -78,4 +83,5 @@ echo "Configuration:"
 echo " debug: $pkg_cv_enable_debug"
 echo " openssl-conf: $enable_openssl_conf"
 echo " tsspcrread: $TSSPCRREAD"
+echo " tpm2_pcrlist: $TPM2PCRLIST"
 echo
diff --git a/src/evmctl.c b/src/evmctl.c
index be59ead..393a20d 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1421,15 +1421,20 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
 return result;
 }
 
-#ifdef HAVE_TSSPCRREAD
+#if defined(HAVE_TSSPCRREAD) || defined(HAVE_TPM2PCRLIST)
 static int tpm2_pcr_read(int idx, uint8_t *hwpcr, int len, char **errmsg)
 {
 FILE *fp;
+ char *pcrval;
 char pcr[100]; /* may contain an error */
 char cmd[50];
 int ret;
 
+ #if defined(HAVE_TSSPCRREAD)
 sprintf(cmd, "tsspcrread -halg sha1 -ha %d -ns 2> /dev/null", idx);
+ #elif defined(HAVE_TPM2PCRLIST)
+ sprintf(cmd, "tpm2_pcrlist -L sha1:%d", idx);
+ #endif
 fp = popen(cmd, "r");
 if (!fp) {
 ret = asprintf(errmsg, "popen failed: %s", strerror(errno));
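Review bot: The `#if defined(HAVE_TSSPCRREAD)` / `#elif defined(HAVE_TPM2PCRLIST)` selection around the two sprintf calls runs tsspcrread whenever configure found both tools, yet the output parsing added in the next hunk is guarded by a bare `#ifdef HAVE_TPM2PCRLIST` and would then expect tpm2_pcrlist's second-line, colon-separated format from tsspcrread's single-line output; the parsing should use the same `#if`/`#elif` ordering so the two stay in step. The tpm2_pcrlist command also drops the `2> /dev/null` that the tsspcrread one carries, so tool diagnostics get mixed into evmctl's own output; `sprintf(cmd, "tpm2_pcrlist -L sha1:%d 2> /dev/null", idx);` still fits cmd[50]. As a point of style, the new directives are indented with the body, whereas the file keeps preprocessor lines at column 0 as the replaced `#ifdef HAVE_TSSPCRREAD` line shows. tpm2_pcr_read continues past the end of this hunk.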
@@ -1439,18 +1444,39 @@ static int tpm2_pcr_read(int idx, uint8_t *hwpcr, int len, char **errmsg)
 }
 
 if (fgets(pcr, sizeof(pcr), fp) == NULL) {
- ret = asprintf(errmsg, "tsspcrread failed: %s",
+ ret = asprintf(errmsg, "PCR Reading failed: %s",
 strerror(errno));
 if (ret == -1) /* the contents of errmsg is undefined */
 *errmsg = NULL;
 ret = pclose(fp);
 return -1;
 }
+ pcrval = &pcr;
+
+ #ifdef HAVE_TPM2PCRLIST
+ /* Get the second line of output as PCR value */
+ if (fgets(pcr, sizeof(pcr), fp) == NULL) {
+ ret = asprintf(errmsg, "PCW Reading failed: %s",
+ strerror(errno));
+ if (ret == -1) /* the contents of errmsg is undefined */
+ *errmsg = NULL;
+ ret = pclose(fp);
+ return -1;
+ }
+ pcrval = strchr(&pcr, ':');
+ if (pcrval == NULL) {
+ *errmsg = NULL;
+ ret = pclose(fp);
+ return -1;
+ }
+ /* Skip the colon */
+ pcrval++;
+ #endif
 
 /* get the popen "cmd" return code */
 ret = pclose(fp);
 if (!ret)
- hex2bin(hwpcr, pcr, SHA_DIGEST_LENGTH);
+ hex2bin(hwpcr, pcrval, SHA_DIGEST_LENGTH);
 else
 *errmsg = strndup(pcr, strlen(pcr) - 1); /* remove newline */
 
@@ -1715,7 +1741,7 @@ static int ima_measurement(const char *file)
 log_dump(pcr[i], SHA_DIGEST_LENGTH);
 
 if (tpm_pcr_read(i, hwpcr, sizeof(hwpcr))) {
-#ifdef HAVE_TSSPCRREAD
+#if defined(HAVE_TSSPCRREAD) || defined(HAVE_TPM2PCRLIST)
 char *errmsg = NULL;
 
 err = tpm2_pcr_read(i, hwpcr, sizeof(hwpcr), &errmsg);
-- 
2.21.0
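Review bot: `pcrval = &pcr;` and `strchr(&pcr, ':')` pass a `char (*)[100]` where a `char *` is expected — an incompatible-pointer-type constraint violation that most compilers only warn about — and should read `pcrval = pcr;` and `pcrval = strchr(pcr, ':');`, letting the array decay to the right pointer. The `pcrval == NULL` branch returns -1 with `*errmsg = NULL`, so an unexpected tpm2_pcrlist line gives the caller nothing to report; an `asprintf(errmsg, "unexpected PCR output: %s", pcr)` with the same `ret == -1` fallback as the other paths would keep it diagnosable. The added second fgets block copies the first, including a `PCW`/`PCR` typo and a `strerror(errno)` that is meaningless when fgets hit EOF rather than an error (a tool printing a single line lands here), so `ferror(fp) ? strerror(errno) : "short output"` would be more truthful. Whether tpm2_pcrlist prints whitespace between the colon and the hex digits, and whether hex2bin tolerates it, is not visible here and is worth confirming on a real run before `pcrval++` alone is relied on. The remainder of tpm2_pcr_read lies outside the hunk.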