9elements / converged-security-suite

Converged Security Suite for Intel & AMD platform security features
https://www.9esec.io
BSD 3-Clause "New" or "Revised" License

BG suite multierror support #362

Open orangecms opened 1 year ago

orangecms commented 1 year ago

Signed-off-by: Daniel Maslowski <info@orangecms.org>

orangecms commented 9 months ago

So I checked because I noticed that go-multierror was already in the dependencies... https://www.libhunt.com/compare-multierr-vs-go-multierror

Which led me to this: Apparently, Go 1.20 added native multi error support. https://www.reddit.com/r/golang/comments/z870te/multiple_error_wrapping_is_coming_in_go_120/

Anyway, I think introducing the Uber package is fine here, and we can rework things nicely again later.

orangecms commented 9 months ago

And the CI error basically says that we should upgrade to Go 1.19 at least (I would go straight to 1.21).

```
# go.uber.org/multierr
/go/pkg/mod/go.uber.org/multierr@v1.11.0/error.go:209:20: undefined: atomic.Bool
note: module requires Go 1.19

Exited with code exit status 2
```

Huh, we do have 1.19 though... no idea what's wrong here... sigh

Edit/addendum: sooooo... since this uses atomics and Go doesn't offer them on all architectures we use, I'll see about using github.com/hashicorp/go-multierror here instead; hope that has everything necessary :grimacing:

ChriMarMe commented 9 months ago

:heart:

orangecms commented 9 months ago

The dependency removal is the actual feature here; this before vs after should clarify it:

before

```
bg-suite exec-tests -f ~/firmware/MSI/Cyborg\ 15\ A12VE/E15K1IMS.30B/E15K1IMS.30B
For more information about the documents and chapters, run: bg-suite -m

All tests
_________
00 - FIT meets BootGuard requirements        : FAIL                 (couldn't find any BIOS Startup Module Entry in FIT)
01 - SACM meets sane BootGuard requirements  : DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
02 - Key Manifest meets sane BootGuard requirements: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
03 - Boot Policy Manifest meets sane BootGuard requirements: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
04 - Verifies BPM and IBBs match firmware image: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
05 - [RUNTIME] Validates Intel ME specific configuration against KM/BPM in firmware image: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
06 - [RUNTIME] Verifies Intel ME Boot Guard configuration is sane and safe: FAIL                 (couldn't read HFSTS6: couldn't read HFSTS6 from PCI config space: couldn't find Intel ME device for runtime checks)
07 - [RUNTIME] BtG/TXT registers are sane    : FAIL                 (txt regs aren't valid: couldn't fetch TXT regs: open /dev/mem: permission denied)
```

after

```
bg-suite exec-tests -f "/home/dama/firmware/MSI/Cyborg 15 A12VE/E15K1IMS.30B/E15K1IMS.30B"
For more information about the documents and chapters, run: bg-suite -m

All tests
_________
00 - FIT meets BootGuard requirements        : FAIL                 (couldn't find any BIOS Startup Module Entry in FIT)
01 - SACM meets sane BootGuard requirements  : PASS
02 - Key Manifest meets sane BootGuard requirements: PASS
03 - Boot Policy Manifest meets sane BootGuard requirements: FAIL                 (
 multiple errors:
 bpm hasn't sane security properties: no BootGuard Boot Policy Manifest found
)
04 - Verifies BPM and IBBs match firmware image: PASS
05 - [RUNTIME] Validates Intel ME specific configuration against KM/BPM in firmware image: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
06 - [RUNTIME] Verifies Intel ME Boot Guard configuration is sane and safe: FAIL                 (couldn't read HFSTS6: couldn't read HFSTS6 from PCI config space: couldn't find Intel ME device for runtime checks)
07 - [RUNTIME] BtG/TXT registers are sane    : FAIL                 (
 txt regs aren't valid:
 couldn't fetch TXT regs: open /dev/mem: permission denied
)
```

orangecms commented 9 months ago

grammar fixed:

```
bg-suite exec-tests -f "/home/dama/firmware/MSI/Cyborg 15 A12VE/E15K1IMS.30B/E15K1IMS.30B"
For more information about the documents and chapters, run: bg-suite -m

All tests
_________
00 - FIT meets BootGuard requirements        : FAIL                 (couldn't find any BIOS Startup Module Entry in FIT)
01 - SACM meets sane BootGuard requirements  : PASS
02 - Key Manifest meets sane BootGuard requirements: PASS
03 - Boot Policy Manifest meets sane BootGuard requirements: FAIL                 (
 Errors occurred:
 Boot Policy Manifest doesn't have sane security properties: no BootGuard Boot Policy Manifest found
)
04 - Verifies BPM and IBBs match firmware image: PASS
05 - [RUNTIME] Validates Intel ME specific configuration against KM/BPM in firmware image: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
06 - [RUNTIME] Verifies Intel ME Boot Guard configuration is sane and safe: FAIL                 (couldn't read HFSTS6: couldn't read HFSTS6 from PCI config space: couldn't find Intel ME device for runtime checks)
07 - [RUNTIME] BtG/TXT registers are sane    : FAIL                 (
 txt regs aren't valid:
 couldn't fetch TXT regs: open /dev/mem: permission denied
)
```
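
The before/after behaviour in the output above, as an added sketch that is not code from this pull request or from bg-suite: a runner that either skips a test whose dependency failed or runs every test and joins all of its check failures. It uses the standard library's `errors.Join` (Go 1.20+) rather than the go-multierror package mentioned in the thread; `Entry`, `Run` and the two error variables are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed errors and a hypothetical Entry type; not bg-suite's own code.
var ErrNoBSM = errors.New("couldn't find any BIOS Startup Module Entry in FIT")
var ErrNoBPM = errors.New("no BootGuard Boot Policy Manifest found")

type Entry struct {
	Name   string
	Deps   []int          // indices of earlier entries
	Checks []func() error // all are run, failures joined
}

// Run: with useDeps, a test whose dependency failed is skipped; without it
// every test runs and all of its check failures are joined into one error.
func Run(tests []Entry, useDeps bool) ([]string, []error) {
	out, errs := make([]string, len(tests)), make([]error, len(tests))
next:
	for i, t := range tests {
		for _, d := range t.Deps {
			if useDeps && errs[d] != nil {
				errs[i] = fmt.Errorf("%s failed", tests[d].Name)
				out[i] = fmt.Sprintf("%02d - %s: DEPENDENCY_FAILED (%v)", i, t.Name, errs[i])
				continue next
			}
		}
		var failed []error
		for _, check := range t.Checks {
			failed = append(failed, check()) // errors.Join drops nil entries
		}
		out[i] = fmt.Sprintf("%02d - %s: PASS", i, t.Name)
		if errs[i] = errors.Join(failed...); errs[i] != nil {
			out[i] = fmt.Sprintf("%02d - %s: FAIL (\n %v\n)", i, t.Name, errs[i])
		}
	}
	return out, errs
}

func main() {
	fail := func(e error) func() error { return func() error { return e } }
	suite := []Entry{{"FIT", nil, []func() error{fail(ErrNoBSM)}}, {"BPM", []int{0}, []func() error{fail(ErrNoBPM)}}}
	for _, useDeps := range []bool{true, false} {
		out, _ := Run(suite, useDeps)
		fmt.Println(out[1])
	}
}
```

Because the joined error still unwraps to each underlying failure, callers can test for a specific finding with `errors.Is` instead of parsing the printed message.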