osresearch / safeboot

Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support
https://safeboot.dev/
GNU General Public License v2.0

tpm2-eventlog-csv not working #51

Closed miczyg1 closed 4 years ago

miczyg1 commented 4 years ago

tpm2-eventlog-csv can't parse output of tpm2 eventlog correctly:

Traceback (most recent call last):
  File "/usr/sbin/tpm2-eventlog-csv", line 108, in <module>
    entry2csv(entry)
  File "/usr/sbin/tpm2-eventlog-csv", line 51, in entry2csv
    pcr = entry['PCRIndex']
TypeError: string indices must be integers

After some debugging, it seems like it hangs at parsing the first YAML entry, which is 'events'; then the particular event entries occur.

In such a case, the loop iteration over entries should be:

- for entry in data:
+ for entry in data['events']:
    try:
        entry2csv(entry)
    except:
        print(entry)
        raise
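
Review bot: the `+` line indexes `data['events']` unconditionally, while the removed line iterated `data` directly, so any eventlog output that still parses to a bare list of entries would now raise instead of being converted. Consider choosing the list with an `isinstance(data, dict)` check, or failing with a clear message when the `events` key is absent. In the context lines, the bare `except:` also intercepts KeyboardInterrupt and SystemExit before re-raising; `except Exception:` keeps the debug print of the offending entry without that side effect.
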
osresearch commented 4 years ago

This is yet another casualty of the JSON fixes in the tpm2-tools tree. I patched their eventlog tool to generate proper JSON as well as the PCRs, and need to update the safeboot tool to use them correctly.

osresearch commented 4 years ago

Oh, tpm2-eventlog-csv is no longer required; my patch to tpm2 eventlog was merged to track the PCR values and output the final ones after parsing the event log:

% tpm2 eventlog eventlog-t490.bin | tail -20
  sha1:
    0  : 0x66e044a4cbace47ba7cf287db17b13324f319714
    1  : 0x5d66df85ebf3b58a4d5ee493b39e1284d8c9b7ce
    2  : 0xb2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
    3  : 0xb2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
    4  : 0x9772d33856301f7d35f5c90028bea7d983e11ab4
    5  : 0x54165e0aa5df39dedefcdbb3cadec8455a90ac81
    6  : 0xb2a83b0ebf2f8374299a5b2bdfc31ea955ad7236
    7  : 0xd94301b6281d27a470d89799c5f17e247165a909
    14 : 0x8db56f6b5b28c4765c550cdfa1a648e680981838
  sha256:
    0  : 0x3fbf10a9dd919cd821c71c71b203f3839233120537798917f53714f1eff7f036
    1  : 0x6bad0d93219f5b1e3ba7031bab290eca4d973ae6468145847a49d44bcc0905bd
    2  : 0x3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
    3  : 0x3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
    4  : 0xc28f2726ba0a11b9fba161419ff95be3da6ca9addc286d5fa1e1e9ec0b79dc35
    5  : 0xc0db55d5c70b40fd86732c2deac4ffa56a132cbf6ef35de692d3a98549670824
    6  : 0x3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
    7  : 0x8e41936ce24d9fc8aaffda08eef40d19faec070914ade879aa93ab8c85829fe1
    14 : 0xd70dacaf0f3e0abad0046ae880a417badb3b4e0463496c3e2a88d7bd607b29a6

The tool that compares PCRs is tpm2-pcr-validate, which needs documentation, as mentioned in #52.
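
The replay described in the last comment (walking the event log and tracking each PCR), written out as an added Python example; it is not code from safeboot or tpm2-tools. It accepts both the bare-list layout and the `events` mapping from this issue, and compares the replayed values with the log's `pcrs` section. Assumptions: the field names `EventType`, `Digests`, `AlgorithmId` and `Digest` match the parsed `tpm2 eventlog` output, every PCR starts at zero, and the sample log is constructed.

```python
import hashlib

def events_of(data):
    # Older output parsed to a bare list of events; the newer output is a
    # mapping with an 'events' key (the cause of the TypeError in this issue).
    return data["events"] if isinstance(data, dict) else data

def replay(data):
    """Replay all measurements; return {alg: {pcr_index: int_value}}."""
    pcrs = {}
    for entry in events_of(data):
        if entry.get("EventType") == "EV_NO_ACTION":
            continue  # informational only, never extended into a PCR
        for d in entry.get("Digests", []):
            alg = d["AlgorithmId"]
            size = hashlib.new(alg).digest_size
            bank = pcrs.setdefault(alg, {})
            # Extend: new = H(old || measurement digest); assumed start is zero.
            old = bank.get(entry["PCRIndex"], 0).to_bytes(size, "big")
            new = hashlib.new(alg, old + bytes.fromhex(d["Digest"])).digest()
            bank[entry["PCRIndex"]] = int.from_bytes(new, "big")
    return pcrs

def mismatches(data):
    """List (alg, index) pairs where the replayed value differs from 'pcrs'."""
    replayed = replay(data)
    bad = []
    for alg, bank in data.get("pcrs", {}).items():
        for index, value in bank.items():
            # A YAML loader yields ints for 0x... scalars; accept strings too.
            value = int(value, 16) if isinstance(value, str) else value
            if replayed.get(alg, {}).get(index) != value:
                bad.append((alg, index))
    return bad

# Constructed sample (not from a real machine): two measurements into PCR 0.
def _ev(pcr, payload, kind="EV_POST_CODE"):
    return {"PCRIndex": pcr, "EventType": kind, "Digests": [
        {"AlgorithmId": "sha256", "Digest": hashlib.sha256(payload).hexdigest()}]}

SAMPLE = {"events": [_ev(0, b"firmware"), _ev(0, b"bootloader"),
                     _ev(0, b"spec-id", kind="EV_NO_ACTION")]}
SAMPLE["pcrs"] = {"sha256": dict(replay(SAMPLE)["sha256"])}

if __name__ == "__main__":
    print(mismatches(SAMPLE))                      # consistent log
    SAMPLE["events"][1]["Digests"][0]["Digest"] = "00" * 32
    print(mismatches(SAMPLE))                      # altered measurement
```

A replayed value only shows that the log is internally consistent; it still has to be compared against PCRs read from the TPM itself before the log can be trusted.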