tpm2-software / tpm2-tools

The source repository for the Trusted Platform Module (TPM2.0) tools
https://tpm2-software.github.io

tpm2_eventlog cannot parse in-memory binary_bios_measurements file #1975

Closed dnoliver closed 4 years ago

dnoliver commented 4 years ago

How to reproduce

[root@localhost misc]# ./tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements

ERROR: insufficient size for SpecID event header
ERROR: failed to parse tpm2 eventlog
ERROR: Unable to run ./tpm2_eventlog

Workaround

Copy the file to a regular location and execute the parser.

[root@localhost misc]# cp /sys/kernel/security/tpm0/binary_bios_measurements .
[root@localhost misc]# ./tpm2_eventlog binary_bios_measurements

Notes

I ran into this same problem when trying to implement a parser myself! Buffers seem to change in memory, and you get malformed events. I was doing it in Node.js at that time.

For some reason, this Python parser never ran into that problem: https://github.com/ValdikSS/binary_bios_measurements_parser.

idesai commented 4 years ago

@dnoliver this is a puzzler. Not sure what is going on here, I see the same.

dnoliver commented 4 years ago

Yes, that special file behavior is weird. Maybe reading the entire file content, saving it into a different memory location, and doing the parsing over that saved memory could work around this.

diabonas commented 4 years ago

The problem is that the reported file size for most sysfs files is always 0 since they are generated on the fly by the kernel, see #1981 for a fix.
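As an added illustration of the root cause described above (not code from tpm2-tools or from the parsers linked in this thread): sysfs reports `st_size == 0` for `binary_bios_measurements`, so a reader that allocates by file size gets nothing and then fails on the SpecID header. This example reads until EOF instead, and validates the leading TCG_EfiSpecIdEvent (SHA1-format TCG_PCR_EVENT wrapper) with length checks that reproduce the two errors quoted in the thread. The sample log bytes are constructed inline.

```python
"""Read a sysfs-backed TPM 2.0 event log fully and validate its SpecID event."""
import struct

SPECID_SIG = b"Spec ID Event03\x00"
EV_NO_ACTION = 0x03
# TCG_PCR_EVENT: pcrIndex, eventType, 20-byte SHA1 digest, eventDataSize
PCR_EVENT_HDR = struct.Struct("<II20sI")
# TCG_EfiSpecIdEvent fixed part: signature, platformClass, specVersionMinor,
# specVersionMajor, specErrata, uintnSize, numberOfAlgorithms
SPECID_FIXED = struct.Struct("<16sIBBBBI")
ALG_SIZE = struct.Struct("<HH")  # algorithmId, digestSize

def read_all(path, chunk=65536):
    """Read until EOF; never size the buffer from os.stat(), which sysfs reports as 0."""
    buf = bytearray()
    with open(path, "rb") as f:
        while piece := f.read(chunk):
            buf += piece
    return bytes(buf)

def parse_specid(log):
    """Return the parsed SpecID header; raise ValueError on the malformations seen above."""
    if len(log) < PCR_EVENT_HDR.size:
        raise ValueError("insufficient size for SpecID event header")
    pcr, etype, _digest, data_size = PCR_EVENT_HDR.unpack_from(log, 0)
    if pcr != 0 or etype != EV_NO_ACTION:
        raise ValueError("first event is not EV_NO_ACTION on PCR 0")
    body = log[PCR_EVENT_HDR.size:PCR_EVENT_HDR.size + data_size]
    if len(body) != data_size or data_size < SPECID_FIXED.size:
        raise ValueError("invalid eventDataSize in specid event")
    sig, _plat, minor, major, _errata, _uintn, nalg = SPECID_FIXED.unpack_from(body, 0)
    if sig != SPECID_SIG:
        raise ValueError("bad SpecID signature")
    off, algs = SPECID_FIXED.size, {}
    for _ in range(nalg):  # digestSizes[] must fit inside eventDataSize
        if off + ALG_SIZE.size > len(body):
            raise ValueError("numberOfAlgorithms exceeds event data")
        alg_id, dsize = ALG_SIZE.unpack_from(body, off)
        algs[alg_id] = dsize
        off += ALG_SIZE.size
    if off >= len(body) or off + 1 + body[off] != len(body):
        raise ValueError("vendorInfoSize does not match eventDataSize")
    return {"spec": f"{major}.{minor}", "algs": algs,
            "next_event": PCR_EVENT_HDR.size + data_size}

def build_sample_log():
    """Constructed log prefix: a SpecID event advertising SHA1 (0x4) and SHA256 (0xB)."""
    body = (SPECID_FIXED.pack(SPECID_SIG, 0, 0, 2, 0, 2, 2)
            + ALG_SIZE.pack(0x0004, 20) + ALG_SIZE.pack(0x000B, 32) + b"\x00")
    return PCR_EVENT_HDR.pack(0, EV_NO_ACTION, b"\x00" * 20, len(body)) + body
```

On a real system, `parse_specid(read_all("/sys/kernel/security/tpm0/binary_bios_measurements"))` yields the digest sizes needed to walk the crypto-agile events that follow.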

prbinu commented 4 years ago

Getting into a similar issue on Ubuntu 20.04

sudo TPM2TOOLS_TCTI=device:/dev/tpmrm0 tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements
---
events:
ERROR: invalid eventDataSize in specid event
ERROR: failed to parse tpm2 eventlog
ERROR: Unable to run tpm2_eventlog

Copying the file to a /tmp location and running tpm2_eventlog is also throwing the same error messages.

BTW, https://github.com/ValdikSS/binary_bios_measurements_parser program works pretty well

Appreciate your help to fix this.

@diabonas @idesai

diabonas commented 4 years ago

@prbinu Please try the current tpm2-tools master branch, there are some fixes in https://github.com/tpm2-software/tpm2-tools/pull/2021 that have not made it to a released version yet.

prbinu commented 4 years ago

@diabonas, actually I'm using the master branch (git clone from master).

dnoliver commented 4 years ago

@prbinu could you try this one just to verify that it is a tpm2-tools problem:

tsseventextend -sim -if /sys/kernel/security/tpm0/binary_bios_measurements 

I saw some devices that have the TPM Event Log malformed before.

prbinu commented 4 years ago

This is also failing:

$ sudo  tsseventextend -sim -if /sys/kernel/security/tpm0/binary_bios_measurements 
eventextend: failed, rc 0000009a
TPM_RC_INSUFFICIENT - the TPM was unable to unmarshal a value because there were not enough octets in the input buffer Handle number unspecified

I see a somewhat related discussion here: https://www.spinics.net/lists/linux-integrity/msg11866.html (I'm also on Dell hardware).

dnoliver commented 4 years ago

Maybe the Python parser handles that error, or just doesn't try to read those structures (because the guy that made it was only interested in getting the measured digests :) ).

It looks like a BIOS problem right?

I had the same problem in a device with Intel Bay Trail:

[test@automation-test ~]$ sudo tsseventextend -sim -if /sys/kernel/security/tpm0/binary_bios_measurements
eventextend: failed, rc 0000009a
TPM_RC_INSUFFICIENT - the TPM was unable to unmarshal a value because there were not enough octets in the input buffer Handle number unspecified

Several problems with the BIOS on that device.

It may be interesting to run fwupdmgr security --force on that device and see if the PCR 0 reconstruction test also fails. Some info here https://github.com/fwupd/fwupd/issues/2181

prbinu commented 4 years ago

Here is the output: The TPM PCR0 reconstruction is "Not Found"

$ sudo fwupdmgr security --force
Host Security ID: HSI:0+! (v1.5.0)

HSI-1
✔ AMT manufacturing mode:        Locked
✔ AMT override:                  Locked
✔ Intel DCI debugger:            Disabled
✔ SPI BIOS region:               Locked
✔ SPI lock:                      Enabled
✔ SPI write:                     Disabled
✔ TPM v2.0:                      Found
✘ UEFI dbx:                      Not found: https://github.com/fwupd/fwupd/wiki/Missingdbx

HSI-2
✔ Intel BootGuard:               Enabled
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard OTP fuse:      Valid
✔ Intel BootGuard verified boot: Valid
✘ IOMMU:                         Not found
✘ Intel DCI debugger:            Unlocked
✘ TPM PCR0 reconstruction:       Not found

HSI-3
✔ Intel BootGuard error policy:  Valid
✔ Suspend-to-ram:                Disabled
✘ Intel CET Enabled:             Not supported
✘ Pre-boot DMA protection:       Disabled
✘ Suspend-to-idle:               Disabled

HSI-4
✔ Intel SMAP:                    Enabled
✘ Encrypted RAM:                 Not supported

This system has HSI runtime issues.
 » https://github.com/fwupd/fwupd/wiki/Host-security-ID-runtime-issues

prbinu commented 4 years ago

@dnoliver @diabonas So if the issue is related to BIOS firmware, what would be the way forward? Is it ok to discard PCR0 but focus on other PCR values (until it gets fixed)?

dnoliver commented 4 years ago

Sorry for the delay!

https://github.com/fwupd/fwupd/wiki/TPM-PCR0-differs-from-reconstruction

I think this is a firmware issue. There are also Dell maintainers in there who may be able to help with this.

In order to conclude what type of failure this is, fwupd has the ability to demonstrate the construction of PCR0 from the TPM event log in a tool called fwupdtpmevlog. Please file a bug report at https://github.com/fwupd/fwupd and include the output of this tool when run as root.