acfe6b50eb
Includes fixes for CVE-2024-29038 and CVE-2024-29039. Resolves: RHEL-23198 Resolves: RHEL-41031 Resolves: RHEL-41035 Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
87 lines
3.0 KiB
Diff
87 lines
3.0 KiB
Diff
From 7076608db4b8a2cdcab6ff4bc47c23c935618e3b Mon Sep 17 00:00:00 2001
|
|
From: Juergen Repp <juergen_repp@web.de>
|
|
Date: Tue, 5 Mar 2024 22:11:38 +0100
|
|
Subject: [PATCH 4/6] tpm2_checkquote: Add comparison of pcr selection.
|
|
|
|
The pcr selection which is passed with the --pcr parameter it not
|
|
compared with the attest. So it's possible to fake a valid
|
|
attestation.
|
|
|
|
Fixes: CVE-2024-29039
|
|
|
|
Signed-off-by: Juergen Repp <juergen_repp@web.de>
|
|
Signed-off-by: Andreas Fuchs <andreas.fuchs@infineon.com>
|
|
---
|
|
tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
|
|
1 file changed, 40 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
|
|
index 6ce086f8..8a2a154e 100644
|
|
--- a/tools/misc/tpm2_checkquote.c
|
|
+++ b/tools/misc/tpm2_checkquote.c
|
|
@@ -54,6 +54,37 @@ static tpm2_verifysig_ctx ctx = {
|
|
.pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
|
|
};
|
|
|
|
+static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
|
|
+ if (attest_sel->count != pcr_sel->count) {
|
|
+ LOG_ERR("Selection sizes do not match.");
|
|
+ return false;
|
|
+ }
|
|
+ for (uint32_t i = 0; i < attest_sel->count; i++) {
|
|
+ for (uint32_t j = 0; j < pcr_sel->count; j++) {
|
|
+ if (attest_sel->pcrSelections[i].hash ==
|
|
+ pcr_sel->pcrSelections[j].hash) {
|
|
+ if (attest_sel->pcrSelections[i].sizeofSelect !=
|
|
+ pcr_sel->pcrSelections[j].sizeofSelect) {
|
|
+ LOG_ERR("Bitmask size does not match");
|
|
+ return false;
|
|
+ }
|
|
+ if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
|
|
+ &pcr_sel->pcrSelections[j].pcrSelect[0],
|
|
+ attest_sel->pcrSelections[i].sizeofSelect) != 0) {
|
|
+ LOG_ERR("Selection bitmasks do not match");
|
|
+ return false;
|
|
+ }
|
|
+ break;
|
|
+ }
|
|
+ if (j == pcr_sel->count - 1) {
|
|
+ LOG_ERR("Hash selections to not match.");
|
|
+ return false;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ return true;
|
|
+}
|
|
+
|
|
static bool verify(void) {
|
|
|
|
bool result = false;
|
|
@@ -374,7 +405,7 @@ static tool_rc init(void) {
|
|
}
|
|
|
|
TPM2B_ATTEST *msg = NULL;
|
|
- TPML_PCR_SELECTION pcr_select;
|
|
+ TPML_PCR_SELECTION pcr_select = { 0 };
|
|
tpm2_pcrs *pcrs;
|
|
tpm2_pcrs temp_pcrs = {};
|
|
tool_rc return_value = tool_rc_general_error;
|
|
@@ -537,6 +568,14 @@ static tool_rc init(void) {
|
|
goto err;
|
|
}
|
|
|
|
+ if (ctx.flags.pcr) {
|
|
+ if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
|
|
+ &pcr_select)) {
|
|
+ LOG_ERR("PCR selection does not match PCR slection from attest!");
|
|
+ goto err;
|
|
+ }
|
|
+ }
|
|
+
|
|
// Figure out the digest for this message
|
|
res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
|
|
msg->size, &ctx.msg_hash);
|
|
--
|
|
2.45.2
|
|
|