authorJames Bottomley <James.Bottomley@HansenPartnership.com>2018-08-11 10:50:42 -0700
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2018-08-12 09:07:52 -0700
commitde1b3f4fa05ad315b2100b313d1f5a1389812acc (patch)
treef291331840ae447237bfc17ed80d1c301d0b810a
parented4ed23bc8990575345ad007bd944c8b79b6aaae (diff)
downloadopenssl_tpm2_engine-de1b3f4fa05ad315b2100b313d1f5a1389812acc.tar.gz
policy: fail early for PCR mismatch
Now that we have the ability to produce identifying error prints for failing policy, we can make the PolicyPCR fail at policy check time rather than waiting to find a policy hash mismatch. We do that by adding the expected value of the PCR hash to the policy statement, meaning the policy command fails if the current PCR values don't match the expected ones. We can then check for this failure and print out a more detailed message. There is a slight wrinkle in this scheme in that TPM2_PolicyCounterTimer() returns TPM_RC_POLICY when the policy fails, but TPM2_PolicyPCR() returns TPM_RC_VALUE if the hash is mismatched, so the code must be updated to check for the correct return indicating a policy failure. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--tpm2-common.c34
1 files changed, 27 insertions, 7 deletions
diff --git a/tpm2-common.c b/tpm2-common.c
index d0f0831..7bef099 100644
--- a/tpm2-common.c
+++ b/tpm2-common.c
@@ -613,24 +613,33 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
{
INT32 size;
BYTE *policy;
- TPM_RC rc = 0;
+ TPM_RC rc = 0, reason_rc = 0;
COMMAND_PARAMETERS in;
int i;
char reason[256];
reason[0] = '\0';
- ((PolicyPCR_In *)&in)->policySession = handle;
+ /* pick a random policy type: they all have the handle first */
+ in.PolicyPCR.policySession = handle;
for (i = 0; i < num_commands; i++) {
size = commands[i].size;
policy = commands[i].policy;
switch (commands[i].code) {
- case TPM_CC_PolicyPCR:
+ case TPM_CC_PolicyPCR: {
+ PolicyPCR_In *ppcrin = &in.PolicyPCR;
+
rc = TPML_PCR_SELECTION_Unmarshal(
- &((PolicyPCR_In *)&in)->pcrs, &policy, &size);
- ((PolicyPCR_In *)&in)->pcrDigest.b.size = 0;
+ &ppcrin->pcrs, &policy, &size);
+ ppcrin->pcrDigest.b.size = size;
+ memcpy(ppcrin->pcrDigest.b.buffer,
+ policy, size);
+ sprintf(reason, "PCR Mismatch");
+ reason_rc = TPM_RC_VALUE;
+
break;
+ }
case TPM_CC_PolicyAuthValue:
break;
case TPM_CC_PolicyCounterTimer: {
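Review bot: The new `memcpy` into `ppcrin->pcrDigest.b.buffer` in the `TPM_CC_PolicyPCR` case copies the leftover `size` bytes of the policy statement without comparing `size` to the digest buffer, and the return of `TPML_PCR_SELECTION_Unmarshal` is not tested before `size` and `policy` are used. `size` is an `INT32` taken from `commands[i].size`, so a malformed policy statement (presumably loaded along with the key) could leave it larger than the buffer, and the copy would then write past the digest field of `in`. A guard ahead of the copy such as `if (rc || size < 0 || (size_t)size > sizeof(ppcrin->pcrDigest.b.buffer))`, taking the function's normal error exit, would bound it. The body of `tpm2_init_session` starts and ends outside this hunk, so how errors leave the loop is not visible here.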
@@ -674,6 +683,7 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
c += sprintf(&reason[c], "%02x", policy[i]);
reason[c] = '\0';
+ reason_rc = TPM_RC_POLICY;
break;
}
@@ -691,12 +701,22 @@ TPM_RC tpm2_init_session(TSS_CONTEXT *tssContext, TPM_HANDLE handle,
rc = TSS_Execute(tssContext,
NULL,
- (COMMAND_PARAMETERS *)&in,
+ &in,
NULL,
commands[i].code,
TPM_RH_NULL, NULL, 0);
if (rc) {
- if (rc == TPM_RC_POLICY && reason[0])
+ TPM_RC check_rc;
+
+ /* strip additional parameter or session information */
+ if ((rc & 0x180) == RC_VER1)
+ check_rc = rc & 0x1ff;
+ else if (rc & RC_FMT1)
+ check_rc = rc & 0xbf;
+ else
+ check_rc = rc;
+
+ if (check_rc == reason_rc && reason[0])
fprintf(stderr, "Policy Failure: %s\n", reason);
else
tpm2_error(rc, "policy command");
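Review bot: `reason` and `reason_rc` appear to be set only in the PolicyPCR and PolicyCounterTimer cases and cleared only once before the loop, so at the `check_rc == reason_rc` test a later command in the same policy (for example the `TPM_CC_PolicyAuthValue` case, which sets neither) that fails with a matching code would be reported with the previous command's reason. Resetting both at the top of each iteration, `reason[0] = '\0'; reason_rc = 0;`, keeps the printed message tied to the command that actually failed. The loop body between the hunks is not visible, so confirm no such reset already exists there. The masks `0x180`, `0x1ff` and `0xbf` would also be easier to audit with a short comment naming the response-code fields each one keeps and drops.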