Skip to content

fix(tdeventlog): fix SpecID header detection and exclude invalid RTMRs #418

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hyperfinitism wants to merge 1 commit into
base: main
Choose a base branch
from
+24 −3
Open

fix(tdeventlog): fix SpecID header detection and exclude invalid RTMRs #418

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 24 additions & 3 deletions tests/lib/tdx-tools/src/tdxtools/tdeventlog.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@
"""

import logging
from typing import List
from typing import Dict, List
import os
from hashlib import sha384
Expand Down Expand Up @@ -349,6 +348,19 @@ def find_hash(self, digest) -> None:
events.append(event_log)
return events

def _has_specid_signature(self, entry_start: int) -> bool:
"""
Minimal SpecID check: return True if the event data starts with
the SpecID signature string "Spec ID Event03".
TCG PC Client Specific Platform Firmware Profile Specification:
https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/
"""
specid_sig = b"Spec ID Event03\x00"
sig_off = entry_start + 32
if entry_start < 0 or sig_off + len(specid_sig) > len(self._data):
return False
return self._data[sig_off:sig_off + len(specid_sig)] == specid_sig

def process(self) -> None:
"""
Factory process raw data and generate entries
Expand All @@ -373,7 +385,7 @@ def process(self) -> None:
if rtmr == 0xFFFFFFFF:
break

if etype == TDEventLogType.EV_NO_ACTION:
if (etype == TDEventLogType.EV_NO_ACTION and self._has_specid_signature(start)):
self._specid_header = TDEventLogSpecIdHeader(
self._log_base + start)
self._specid_header.parse(self._data[start:])
Expand All @@ -387,6 +399,8 @@ def process(self) -> None:

count += 1

assert self._specid_header is not None, "SpecID header not found"

def replay(self) -> Dict[int, RTMR]:
"""
Replay event logs to generate RTMR value, which will be used during
Expand All @@ -403,6 +417,12 @@ def replay(self) -> Dict[int, RTMR]:
event_logs_by_index[index] = []

for event_log in self._event_logs:
# Some platforms emit entries with td_register_index == 0, which
# results in rtmr == -1. These entries are not extendable into any
# RTMR, so skip them during replay.
if event_log.rtmr not in event_logs_by_index:
LOG.debug("Skip event with invalid RTMR index %s", event_log.rtmr)
continue
event_logs_by_index[event_log.rtmr].append(event_log)

rtmr_by_index = {}
Expand Down Expand Up @@ -471,6 +491,7 @@ def check_initrd():

td_event_log_actor.process()

initrd_digest = sha384(open('/boot/initrd.img','rb').read()).hexdigest()
with open('/boot/initrd.img', 'rb') as f:
initrd_digest = sha384(f.read()).hexdigest()
events = td_event_log_actor.find_hash(initrd_digest)
assert len(events) == 1