Split policy creation and measured boot PCR scripts as per review

bgnetworks · Oct 31, 2023 · 7b15783 · 7b15783
1 parent db408ec
commit 7b15783
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 34 deletions.
diff --git a/recipes-support/tpm-test-scripts/tpm-examples/README.md b/recipes-support/tpm-test-scripts/tpm-examples/README.md
@@ -20,12 +20,18 @@ This script intentionally attempts to overwrite an AES-256 key stored in a TPM2
 
 `tpm_policy_creation.sh`
 
-This script shows how to create policy and also check the measured boot condition. The script performs the following steps:
+This script demonstrates how to create policies
 
-1. Checking whether the pcr is extended or not. If extended it will proceed further otherwise the process should be terminated.
-2. Verifying the existence of the measured.pcrvalues, in the script directory.If not, it will create measured.pcrvalues.
+1. Checking whether the pcr is extended or not. If extended it will proceed further otherwise the process should terminated.
+2. Create a policy by using the current state of the PCR.
+
+`tpm_check_measured_boot.sh`
+
+This script check the measure boot condition. 
+
+1. Checking whether the pcr is extended or not. If extended it will proceed further otherwise the process should terminated.
+2. Verifying the existence of the file to be checked (i.e) measured.pcrvalues, in the script directory.If not, it will create measured.pcrvalues and also the reboot is required.
 3. Measured boot check using tpm2_policypcr api carried out by comparing current state value with the measured.pcrvalues value; this is done by TPM internally.
-4. Creating the policy with the satisfied pcr values for the defined pcr index.
 
 `tpm_nv_write_aes_256.sh`
 
@@ -56,7 +62,6 @@ The script performs the following steps:
 4. Use a loop to split the key into full segments and write the key in mentioned TPM index, ensuring that the key is only written if the PCR policy is satisfied.
 5. Also writes the remaining bytes if any in the mentioned TPM index.
 
-
 `tpm_nv_read_rsa_2048.sh`
 
 This script demonstrates how to securely retrive a rsa key from NV memory based on the satisfaction of a PCR.
@@ -100,6 +105,7 @@ The script performs the following steps:
 Run the scripts:
 ```
 ./tpm_policy_creation.sh
+./tpm_check_measured_boot.sh
 ./tpm_nv_write_rsa_2048.sh
 ./tpm_nv_read_rsa_2048.sh
 ./tpm_nv_write_aes_256.sh

diff --git a/recipes-support/tpm-test-scripts/tpm-examples/tpm_policy_creation.sh b/recipes-support/tpm-test-scripts/tpm-examples/tpm_policy_creation.sh
@@ -3,15 +3,6 @@
 # Define the PCR index
 pcr_index=16
 
-#script is located
-script_directory="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-# Define the filename you want to check
-file_to_check="measured.pcrvalues"
-
-# Combine the directory and the filename
-file_path="$script_directory/$file_to_check"
-
 tpm2_pcrread -o pcr16.dat sha256:$pcr_index
 
 # creating a bin file with the value of zero
@@ -28,27 +19,12 @@ else
     exit 1
 fi
 
-if [ -e "$file_path" ]; then
-  echo "File $file_to_check exists in the script's directory."
-else
-  echo "File $file_to_check does not exist in the script's directory, creating measured.pcrvalues file."
-  cp pcr16.dat measured.pcrvalues
-fi
-
 # Start a policy auth session used when authenticating with a policy.
-tpm2_startauthsession --policy-session -S session1.dat
-
-# Measured boot check using tpm2_policypcr api carried out by comparing current state value with the measured.pcrvalues value; this is done by TPM internally.
-if tpm2_policypcr -S session1.dat -l sha256:$pcr_index -f $file_to_check; then
-    echo "PCR value is extended and Passes the Measure Boot condition."
-else
-    echo "PCR values are not matching, Measure Boot fails"
-    exit 1
-fi
+tpm2_startauthsession --policy-session -S session.dat
 
-# Create a policy for the current PCR index
-tpm2_createpolicy --policy-pcr -l sha256:$pcr_index -L policy16.pcr
-echo "policy created"
+# Create a policy by using the current state of the pcr
+tpm2_policypcr -S session.dat -l sha256:$pcr_index -L policy16.pcr
 
 rm pcr_zero.dat
-rm session1.dat
+rm session.dat
+rm pcr16.dat
diff --git a/recipes-support/tpm-test-scripts/tpm-examples_1.0.bb b/recipes-support/tpm-test-scripts/tpm-examples_1.0.bb
@@ -11,6 +11,7 @@ LICENSE = "CLOSED"
 
 SRC_URI = " \
     file://tpm_policy_creation.sh \
+    file://tpm_check_measured_boot.sh \
     file://tpm_error_aes_nvread.sh \
     file://tpm_error_aes_nvwrite.sh \
     file://tpm_nv_read_aes_256.sh \
@@ -28,6 +29,7 @@ do_install() {
     install -d ${D}/etc/tpm/user_examples
 
     install -m 0755 ${WORKDIR}/tpm_policy_creation.sh ${D}/etc/tpm/user_examples
+    install -m 0755 ${WORKDIR}/tpm_check_measured_boot.sh ${D}/etc/tpm/user_examples
     install -m 0755 ${WORKDIR}/tpm_error_aes_nvread.sh ${D}/etc/tpm/user_examples
     install -m 0755 ${WORKDIR}/tpm_error_aes_nvwrite.sh ${D}/etc/tpm/user_examples
     install -m 0755 ${WORKDIR}/tpm_nv_read_aes_256.sh ${D}/etc/tpm/user_examples
@@ -40,6 +42,7 @@ do_install() {
 
 FILES:${PN} += " \
     /etc/tpm/user_examples/tpm_policy_creation.sh \
+    /etc/tpm/user_examples/tpm_check_measured_boot.sh \
     /etc/tpm/user_examples/tpm_error_aes_nvread.sh \
     /etc/tpm/user_examples/tpm_error_aes_nvwrite.sh \
     /etc/tpm/user_examples/tpm_nv_read_aes_256.sh \

diff --git a/recipes-support/tpm-test-scripts/tpm_check_measured_boot.sh b/recipes-support/tpm-test-scripts/tpm_check_measured_boot.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Define the PCR index
+pcr_index=16
+
+#script is located
+script_directory="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Define the filename you want to check
+file_to_check="measured.pcrvalues"
+
+# Combine the directory and the filename
+file_path="$script_directory/$file_to_check"
+
+tpm2_pcrread -o pcr16.dat sha256:$pcr_index
+
+# creating a bin file with the value of zero
+dd if=/dev/zero of=pcr_zero.dat bs=32 count=1
+
+#comparing the pcr.dat with pcr_zero.dat file, if the values is not extended means then it will terminated the whole process.
+cmp_value=$(cmp -s pcr16.dat pcr_zero.dat; echo $?)
+
+if [ "$cmp_value" -eq 1 ]; then
+    echo "PCR value is extended we can proceed further"
+else
+    echo "PCR value is all zeros, check whether it is the closed board or not."
+    rm pcr16.dat
+    exit 1
+fi
+
+if [ -e "$file_path" ]; then
+  echo "File $file_to_check exists in the script's directory."
+else
+  echo "File $file_to_check does not exist in the script's directory, creating measured.pcrvalues file."
+  cp pcr16.dat measured.pcrvalues
+fi
+
+# Start a policy auth session used when authenticating with a policy.
+tpm2_startauthsession --policy-session -S session1.dat
+
+# Measured boot check using tpm2_policypcr api carried out by comparing current state value with the measured.pcrvalues value; this is done by TPM internally.
+if tpm2_policypcr -S session1.dat -l sha256:$pcr_index -f $file_to_check; then
+    echo "PCR value is extended and Passes the Measure Boot condition."
+else
+    echo "PCR values are not matching, Measure Boot fails"
+    exit 1
+fi
+