tpm2-tools/0016-tpm2_eventlog.c-Fix-pcr-extension-for-EV_NO_ACTION.patch

From 2f6a737efddce480803c02a5e3b65ce739c6acf2 Mon Sep 17 00:00:00 2001
From: Juergen Repp <juergen_repp@web.de>
Date: Tue, 28 Mar 2023 17:29:36 +0200
Subject: [PATCH 16/17] tpm2_eventlog.c Fix pcr extension for EV_NO_ACTION

EV_NO_ACTION events should not be extended to PCR registers.
Fixes: #3224

Signed-off-by: Juergen Repp <juergen_repp@web.de>
---
 lib/tpm2_eventlog.c            | 14 +++++++++-----
 lib/tpm2_eventlog.h            |  2 +-
 test/unit/test_tpm2_eventlog.c | 15 ++++++++-------
 3 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c
index 1b59eeeb..e2e27f02 100644
--- a/lib/tpm2_eventlog.c
+++ b/lib/tpm2_eventlog.c
@@ -30,7 +30,8 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size,
  * hold the digest. The size of the digest is passed to the callback in the
  * 'size' parameter.
  */
-bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2 const *digest, size_t count, size_t size) {
+bool foreach_digest2(tpm2_eventlog_context *ctx, UINT32 eventType, unsigned pcr_index,
+                     TCG_DIGEST2 const *digest, size_t count, size_t size) {
 
     if (digest == NULL) {
         LOG_ERR("digest cannot be NULL");
@@ -80,7 +81,8 @@ bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2
             LOG_WARN("PCR%d algorithm %d unsupported", pcr_index, alg);
         }
 
-        if (pcr && !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) {
+        if (eventType != EV_NO_ACTION && pcr &&
+            !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) {
             LOG_ERR("PCR%d extend failed", pcr_index);
             return false;
         }
@@ -179,7 +181,8 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size,
         .data = digests_size,
         .digest2_cb = digest2_accumulator_callback,
     };
-    ret = foreach_digest2(&ctx, eventhdr->PCRIndex,
+    ret = foreach_digest2(&ctx, eventhdr->EventType,
+                          eventhdr->PCRIndex, 
                           eventhdr->Digests, eventhdr->DigestCount,
                           buf_size - sizeof(*eventhdr));
     if (ret != true) {
@@ -216,7 +219,7 @@ bool parse_sha1_log_event(tpm2_eventlog_context *ctx, TCG_EVENT const *event, si
     *event_size = sizeof(*event);
 
     pcr = ctx->sha1_pcrs[ event->pcrIndex];
-    if (pcr) {
+    if (event->eventType != EV_NO_ACTION && pcr) {
         tpm2_openssl_pcr_extend(TPM2_ALG_SHA1, pcr, &event->digest[0], 20);
         ctx->sha1_used |= (1 << event->pcrIndex);
     }
@@ -451,7 +454,8 @@ bool foreach_event2(tpm2_eventlog_context *ctx, TCG_EVENT_HEADER2 const *eventhd
         }
 
         /* digest callback foreach digest */
-        ret = foreach_digest2(ctx, eventhdr->PCRIndex, eventhdr->Digests, eventhdr->DigestCount, digests_size);
+        ret = foreach_digest2(ctx, eventhdr->EventType, eventhdr->PCRIndex,
+                              eventhdr->Digests, eventhdr->DigestCount, digests_size);
         if (ret != true) {
             return false;
         }
diff --git a/lib/tpm2_eventlog.h b/lib/tpm2_eventlog.h
index 2a91ed60..f141e806 100644
--- a/lib/tpm2_eventlog.h
+++ b/lib/tpm2_eventlog.h
@@ -44,7 +44,7 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size,
                                   void *data);
 
 bool parse_event2body(TCG_EVENT2 const *event, UINT32 type);
-bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index,
+bool foreach_digest2(tpm2_eventlog_context *ctx, UINT32 eventType, unsigned pcr_index,
                      TCG_DIGEST2 const *event_hdr, size_t count, size_t size);
 bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size,
                   size_t *event_size, size_t *digests_size);
diff --git a/test/unit/test_tpm2_eventlog.c b/test/unit/test_tpm2_eventlog.c
index ebf50e80..e48404d8 100644
--- a/test/unit/test_tpm2_eventlog.c
+++ b/test/unit/test_tpm2_eventlog.c
@@ -27,7 +27,7 @@ static void test_foreach_digest2_null(void **state){
     (void)state;
     tpm2_eventlog_context ctx = {0};
 
-    assert_false(foreach_digest2(&ctx, 0, NULL, 0, sizeof(TCG_DIGEST2)));
+    assert_false(foreach_digest2(&ctx, 0, 0, NULL, 0, sizeof(TCG_DIGEST2)));
 }
 static void test_foreach_digest2_size(void **state) {
 
@@ -36,7 +36,7 @@ static void test_foreach_digest2_size(void **state) {
     TCG_DIGEST2 *digest = (TCG_DIGEST2*)buf;
     tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
 
-    assert_false(foreach_digest2(&ctx, 0, digest, 1, sizeof(TCG_DIGEST2) - 1));
+    assert_false(foreach_digest2(&ctx, 0, 0, digest, 1, sizeof(TCG_DIGEST2) - 1));
 }
 static void test_foreach_digest2(void **state) {
 
@@ -47,7 +47,7 @@ static void test_foreach_digest2(void **state) {
     will_return(foreach_digest2_test_callback, true);
 
     tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
-    assert_true(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
+    assert_true(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
 }
 static void test_foreach_digest2_cbnull(void **state){
 
@@ -56,7 +56,7 @@ static void test_foreach_digest2_cbnull(void **state){
     TCG_DIGEST2* digest = (TCG_DIGEST2*)buf;
 
     tpm2_eventlog_context ctx = {0};
-    assert_true(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
+    assert_true(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
 }
 static void test_sha1(void **state){
 
@@ -73,7 +73,7 @@ static void test_sha1(void **state){
     memcpy(digest->Digest, "the magic words are:", TPM2_SHA1_DIGEST_SIZE);
 
     tpm2_eventlog_context ctx = {0};
-    assert_true(foreach_digest2(&ctx, pcr_index, digest, 1, TCG_DIGEST2_SHA1_SIZE));
+    assert_true(foreach_digest2(&ctx, 0, pcr_index, digest, 1, TCG_DIGEST2_SHA1_SIZE));
     assert_memory_equal(ctx.sha1_pcrs[pcr_index], sha1sum, sizeof(sha1sum));
 }
 static void test_sha256(void **state){
@@ -93,7 +93,7 @@ static void test_sha256(void **state){
     memcpy(digest->Digest, "The Magic Words are Squeamish Ossifrage, for RSA-129 (from 1977)", TPM2_SHA256_DIGEST_SIZE);
 
     tpm2_eventlog_context ctx = {0};
-    assert_true(foreach_digest2(&ctx, pcr_index, digest, 1, TCG_DIGEST2_SHA256_SIZE));
+    assert_true(foreach_digest2(&ctx, 0, pcr_index, digest, 1, TCG_DIGEST2_SHA256_SIZE));
     assert_memory_equal(ctx.sha256_pcrs[pcr_index], sha256sum, sizeof(sha256sum));
 }
 static void test_foreach_digest2_cbfail(void **state){
@@ -105,7 +105,7 @@ static void test_foreach_digest2_cbfail(void **state){
     will_return(foreach_digest2_test_callback, false);
 
     tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };
-    assert_false(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
+    assert_false(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));
 }
 static void test_digest2_accumulator_callback(void **state) {
 
@@ -292,6 +292,7 @@ static void test_foreach_event2_parse_event2body_fail(void **state){
 
     eventhdr->DigestCount = 1;
     eventhdr->EventType = EV_EFI_VARIABLE_BOOT;
+    eventhdr->PCRIndex = 0;
     digest->AlgorithmId = TPM2_ALG_SHA1;
     event->EventSize = 1;
 
-- 
2.40.1
tpm2-tools: Backport from upstream Includes fixes and tpm2_encodeobject tool. Resolves: rhbz#2160304 Resolves: rhbz#2047342 Signed-off-by: Štěpán Horáček <shoracek@redhat.com> 2023-05-10 15:27:34 +00:00			`From 2f6a737efddce480803c02a5e3b65ce739c6acf2 Mon Sep 17 00:00:00 2001`
			`From: Juergen Repp <juergen_repp@web.de>`
			`Date: Tue, 28 Mar 2023 17:29:36 +0200`
			`Subject: [PATCH 16/17] tpm2_eventlog.c Fix pcr extension for EV_NO_ACTION`

			`EV_NO_ACTION events should not be extended to PCR registers.`
			`Fixes: #3224`

			`Signed-off-by: Juergen Repp <juergen_repp@web.de>`
			`---`
			`lib/tpm2_eventlog.c \| 14 +++++++++-----`
			`lib/tpm2_eventlog.h \| 2 +-`
			`test/unit/test_tpm2_eventlog.c \| 15 ++++++++-------`
			`3 files changed, 18 insertions(+), 13 deletions(-)`

			`diff --git a/lib/tpm2_eventlog.c b/lib/tpm2_eventlog.c`
			`index 1b59eeeb..e2e27f02 100644`
			`--- a/lib/tpm2_eventlog.c`
			`+++ b/lib/tpm2_eventlog.c`
			`@@ -30,7 +30,8 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size,`
			`* hold the digest. The size of the digest is passed to the callback in the`
			`* 'size' parameter.`
			`*/`
			`-bool foreach_digest2(tpm2_eventlog_context ctx, unsigned pcr_index, TCG_DIGEST2 const digest, size_t count, size_t size) {`
			`+bool foreach_digest2(tpm2_eventlog_context *ctx, UINT32 eventType, unsigned pcr_index,`
			`+ TCG_DIGEST2 const *digest, size_t count, size_t size) {`

			`if (digest == NULL) {`
			`LOG_ERR("digest cannot be NULL");`
			`@@ -80,7 +81,8 @@ bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index, TCG_DIGEST2`
			`LOG_WARN("PCR%d algorithm %d unsupported", pcr_index, alg);`
			`}`

			`- if (pcr && !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) {`
			`+ if (eventType != EV_NO_ACTION && pcr &&`
			`+ !tpm2_openssl_pcr_extend(alg, pcr, digest->Digest, alg_size)) {`
			`LOG_ERR("PCR%d extend failed", pcr_index);`
			`return false;`
			`}`
			`@@ -179,7 +181,8 @@ bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size,`
			`.data = digests_size,`
			`.digest2_cb = digest2_accumulator_callback,`
			`};`
			`- ret = foreach_digest2(&ctx, eventhdr->PCRIndex,`
			`+ ret = foreach_digest2(&ctx, eventhdr->EventType,`
			`+ eventhdr->PCRIndex,`
			`eventhdr->Digests, eventhdr->DigestCount,`
			`buf_size - sizeof(*eventhdr));`
			`if (ret != true) {`
			`@@ -216,7 +219,7 @@ bool parse_sha1_log_event(tpm2_eventlog_context ctx, TCG_EVENT const event, si`
			`event_size = sizeof(event);`

			`pcr = ctx->sha1_pcrs[ event->pcrIndex];`
			`- if (pcr) {`
			`+ if (event->eventType != EV_NO_ACTION && pcr) {`
			`tpm2_openssl_pcr_extend(TPM2_ALG_SHA1, pcr, &event->digest[0], 20);`
			`ctx->sha1_used \|= (1 << event->pcrIndex);`
			`}`
			`@@ -451,7 +454,8 @@ bool foreach_event2(tpm2_eventlog_context ctx, TCG_EVENT_HEADER2 const eventhd`
			`}`

			`/* digest callback foreach digest */`
			`- ret = foreach_digest2(ctx, eventhdr->PCRIndex, eventhdr->Digests, eventhdr->DigestCount, digests_size);`
			`+ ret = foreach_digest2(ctx, eventhdr->EventType, eventhdr->PCRIndex,`
			`+ eventhdr->Digests, eventhdr->DigestCount, digests_size);`
			`if (ret != true) {`
			`return false;`
			`}`
			`diff --git a/lib/tpm2_eventlog.h b/lib/tpm2_eventlog.h`
			`index 2a91ed60..f141e806 100644`
			`--- a/lib/tpm2_eventlog.h`
			`+++ b/lib/tpm2_eventlog.h`
			`@@ -44,7 +44,7 @@ bool digest2_accumulator_callback(TCG_DIGEST2 const *digest, size_t size,`
			`void *data);`

			`bool parse_event2body(TCG_EVENT2 const *event, UINT32 type);`
			`-bool foreach_digest2(tpm2_eventlog_context *ctx, unsigned pcr_index,`
			`+bool foreach_digest2(tpm2_eventlog_context *ctx, UINT32 eventType, unsigned pcr_index,`
			`TCG_DIGEST2 const *event_hdr, size_t count, size_t size);`
			`bool parse_event2(TCG_EVENT_HEADER2 const *eventhdr, size_t buf_size,`
			`size_t event_size, size_t digests_size);`
			`diff --git a/test/unit/test_tpm2_eventlog.c b/test/unit/test_tpm2_eventlog.c`
			`index ebf50e80..e48404d8 100644`
			`--- a/test/unit/test_tpm2_eventlog.c`
			`+++ b/test/unit/test_tpm2_eventlog.c`
			`@@ -27,7 +27,7 @@ static void test_foreach_digest2_null(void **state){`
			`(void)state;`
			`tpm2_eventlog_context ctx = {0};`

			`- assert_false(foreach_digest2(&ctx, 0, NULL, 0, sizeof(TCG_DIGEST2)));`
			`+ assert_false(foreach_digest2(&ctx, 0, 0, NULL, 0, sizeof(TCG_DIGEST2)));`
			`}`
			`static void test_foreach_digest2_size(void **state) {`

			`@@ -36,7 +36,7 @@ static void test_foreach_digest2_size(void **state) {`
			`TCG_DIGEST2 digest = (TCG_DIGEST2)buf;`
			`tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };`

			`- assert_false(foreach_digest2(&ctx, 0, digest, 1, sizeof(TCG_DIGEST2) - 1));`
			`+ assert_false(foreach_digest2(&ctx, 0, 0, digest, 1, sizeof(TCG_DIGEST2) - 1));`
			`}`
			`static void test_foreach_digest2(void **state) {`

			`@@ -47,7 +47,7 @@ static void test_foreach_digest2(void **state) {`
			`will_return(foreach_digest2_test_callback, true);`

			`tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };`
			`- assert_true(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));`
			`+ assert_true(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));`
			`}`
			`static void test_foreach_digest2_cbnull(void **state){`

			`@@ -56,7 +56,7 @@ static void test_foreach_digest2_cbnull(void **state){`
			`TCG_DIGEST2* digest = (TCG_DIGEST2*)buf;`

			`tpm2_eventlog_context ctx = {0};`
			`- assert_true(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));`
			`+ assert_true(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));`
			`}`
			`static void test_sha1(void **state){`

			`@@ -73,7 +73,7 @@ static void test_sha1(void **state){`
			`memcpy(digest->Digest, "the magic words are:", TPM2_SHA1_DIGEST_SIZE);`

			`tpm2_eventlog_context ctx = {0};`
			`- assert_true(foreach_digest2(&ctx, pcr_index, digest, 1, TCG_DIGEST2_SHA1_SIZE));`
			`+ assert_true(foreach_digest2(&ctx, 0, pcr_index, digest, 1, TCG_DIGEST2_SHA1_SIZE));`
			`assert_memory_equal(ctx.sha1_pcrs[pcr_index], sha1sum, sizeof(sha1sum));`
			`}`
			`static void test_sha256(void **state){`
			`@@ -93,7 +93,7 @@ static void test_sha256(void **state){`
			`memcpy(digest->Digest, "The Magic Words are Squeamish Ossifrage, for RSA-129 (from 1977)", TPM2_SHA256_DIGEST_SIZE);`

			`tpm2_eventlog_context ctx = {0};`
			`- assert_true(foreach_digest2(&ctx, pcr_index, digest, 1, TCG_DIGEST2_SHA256_SIZE));`
			`+ assert_true(foreach_digest2(&ctx, 0, pcr_index, digest, 1, TCG_DIGEST2_SHA256_SIZE));`
			`assert_memory_equal(ctx.sha256_pcrs[pcr_index], sha256sum, sizeof(sha256sum));`
			`}`
			`static void test_foreach_digest2_cbfail(void **state){`
			`@@ -105,7 +105,7 @@ static void test_foreach_digest2_cbfail(void **state){`
			`will_return(foreach_digest2_test_callback, false);`

			`tpm2_eventlog_context ctx = { .digest2_cb = foreach_digest2_test_callback };`
			`- assert_false(foreach_digest2(&ctx, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));`
			`+ assert_false(foreach_digest2(&ctx, 0, 0, digest, 1, TCG_DIGEST2_SHA1_SIZE));`
			`}`
			`static void test_digest2_accumulator_callback(void **state) {`

			`@@ -292,6 +292,7 @@ static void test_foreach_event2_parse_event2body_fail(void **state){`

			`eventhdr->DigestCount = 1;`
			`eventhdr->EventType = EV_EFI_VARIABLE_BOOT;`
			`+ eventhdr->PCRIndex = 0;`
			`digest->AlgorithmId = TPM2_ALG_SHA1;`
			`event->EventSize = 1;`

			`--`
			`2.40.1`