Open HarryR opened 1 year ago
I'm ignoring the control commands as I can't find them in the TCG docs, and the '0x00C1' packet.
Naturally. They are not standardized, but swtpm-proprietary.
Even though tpmstream can't parse the packet it could be skipped as the length of the packet in the header is correct, so could be skipped with a hex dump provided instead?
Maybe support for these commands could be added to tpmstream. That depends mainly on whether the format for swtpm (and perhaps also ibmtpm/mssim) is compatible with how tpmstream works under the hood. However, that format might change and break things.
Also, a switch --input-format is conceivable (or auto-recognizing it) where tpmstream supports the "swtpm log format" altogether. I'm cautious here, though. These types of logs are not intended to be parsed. This would break in the future, for sure.
A better option would be to add support for dumping raw TPM commands/responses in swtpm. Contrary to log files, that format is actually specified and stable. Then you could plug swtpm and tpmstream simply together using a pipe.
@HarryR Also, I forgot to mention that tpmstream can parse pcap. That is, you can export your traffic (or pipe it somehow) from wireshark as pcap and then have tpmstream parse it. Just use --in=pcapng or --in=auto.
FYI, in pull request #23 I implemented support for directly detecting & parsing swtpm's debug logs as a new data input format. I just skip over the swtpm control commands since they're not especially relevant.
Hi, I started writing my own tpm log parser to grok the output of https://github.com/stefanberger/swtpm debug logs, but then found yours which is very elegantly written and has saved me a load of time.
I'm ignoring the control commands as I can't find them in the TCG docs, and the '0x00C1' packet. Even though tpmstream can't parse the packet it could be skipped as the length of the packet in the header is correct, so could be skipped with a hex dump provided instead?

Unknown packet & response (first packet which occurs after command codes). When this is skipped everything else works fine:
Example swtpm command:

Example log file:

The script:
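The skip-by-header-length idea from the post, as an added Python example that is not tpmstream's or swtpm's code: every TPM 2.0 command and response starts with a 10-byte header whose size field covers the whole packet, so a parser can hex-dump and step over a packet whose tag it does not recognise (such as the 0x00C1 one mentioned above) and still stay in sync for the next one. The sample bytes, and the 0x99 code inside the skipped packet, are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Union

# TPM 2.0 commands and responses share one big-endian header layout:
# tag (2 bytes), total size including the header (4 bytes), code (4 bytes).
HEADER = struct.Struct(">HII")
TPM2_TAGS = {0x8001: "TPM_ST_NO_SESSIONS", 0x8002: "TPM_ST_SESSIONS"}
COMMAND_NAMES = {0x144: "TPM2_Startup", 0x17B: "TPM2_GetRandom"}

@dataclass
class Packet:
    tag: int
    code: int
    body: bytes  # parameter area after the 10-byte header

@dataclass
class Skipped:
    reason: str
    hexdump: str  # raw bytes kept so the reader can still inspect them

def hexdump(data: bytes) -> str:
    return " ".join(f"{b:02x}" for b in data)

def parse_stream(stream: bytes) -> List[Union[Packet, Skipped]]:
    """Walk the stream packet by packet; an unknown tag is not fatal because
    the size field still says where the next packet starts."""
    out: List[Union[Packet, Skipped]] = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < HEADER.size:
            tag, size, code = 0, 0, 0  # force the bad-header path below
        else:
            tag, size, code = HEADER.unpack_from(stream, offset)
        if size < HEADER.size or offset + size > len(stream):
            # A bogus length would desynchronise every later packet: stop here.
            out.append(Skipped(f"bad header, size={size}", hexdump(stream[offset:])))
            break
        chunk = stream[offset:offset + size]
        offset += size
        if tag in TPM2_TAGS:
            out.append(Packet(tag, code, chunk[HEADER.size:]))
        else:
            out.append(Skipped(f"unknown tag 0x{tag:04x}", hexdump(chunk)))
    return out

# Constructed sample stream (not a real swtpm capture); one packet per line.
SAMPLE = bytes.fromhex("8001 0000000c 00000144 0000"      # TPM2_Startup(CLEAR)
                       "00c1 0000000e 00000099 deadbeef"  # unknown tag 0x00C1
                       "8001 0000000c 0000017b 0010")     # TPM2_GetRandom(16)
```

Running `parse_stream(SAMPLE)` yields the Startup packet, a Skipped entry carrying the hex dump of the 0x00C1 packet, and the GetRandom packet; a truncated or undersized header stops parsing instead of guessing.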