From 7b1578320864246adfc83baa8c2d083a57854adf Mon Sep 17 00:00:00 2001
From: vishnusudhan
Date: Tue, 31 Oct 2023 17:12:22 +0530
Subject: [PATCH] Split policy creation and measured boot PCR scripts as per review
---
 .../tpm-test-scripts/tpm-examples/README.md | 16 +++++--
 .../tpm-examples/tpm_policy_creation.sh | 34 ++-----
 .../tpm-test-scripts/tpm-examples_1.0.bb | 3 ++
 .../tpm_check_measured_boot.sh | 48 +++++++++++++++++++
 4 files changed, 67 insertions(+), 34 deletions(-)
 create mode 100644 recipes-support/tpm-test-scripts/tpm_check_measured_boot.sh
diff --git a/recipes-support/tpm-test-scripts/tpm-examples/README.md b/recipes-support/tpm-test-scripts/tpm-examples/README.md
index 6caa895..564e38a 100644
--- a/recipes-support/tpm-test-scripts/tpm-examples/README.md
+++ b/recipes-support/tpm-test-scripts/tpm-examples/README.md
@@ -20,12 +20,18 @@ This script intentionally attempts to overwrite an AES-256 key stored in a TPM2
 `tpm_policy_creation.sh`
-This script shows how to create policy and also check the measured boot condition. The script performs the following steps:
+This script demonstrates how to create policies
-1. Checking whether the pcr is extended or not. If extended it will proceed further otherwise the process should be terminated.
-2. Verifying the existence of the measured.pcrvalues, in the script directory.If not, it will create measured.pcrvalues.
+1. Checking whether the pcr is extended or not. If extended it will proceed further otherwise the process should terminated.
+2. Create a policy by using the current state of the PCR.
+
+`tpm_check_measured_boot.sh`
+
+This script check the measure boot condition.
+
+1. Checking whether the pcr is extended or not. If extended it will proceed further otherwise the process should terminated.
+2. Verifying the existence of the file to be checked (i.e) measured.pcrvalues, in the script directory.If not, it will create measured.pcrvalues and also the reboot is required.
 3. Measured boot check using tpm2_policypcr api carried out by comparing current state value with the measured.pcrvalues value; this is done by TPM internally.
-4. Creating the policy with the satisfied pcr values for the defined pcr index.
 `tpm_nv_write_aes_256.sh`
@@ -56,7 +62,6 @@ The script performs the following steps:
 4. Use a loop to split the key into full segments and write the key in mentioned TPM index, ensuring that the key is only written if the PCR policy is satisfied.
 5. Also writes the remaining bytes if any in the mentioned TPM index.
-
 `tpm_nv_read_rsa_2048.sh`
 This script demonstrates how to securely retrive a rsa key from NV memory based on the satisfaction of a PCR.
@@ -100,6 +105,7 @@ The script performs the following steps:
 Run the scripts:
 ```
 ./tpm_policy_creation.sh
+./tpm_check_measured_boot.sh
 ./tpm_nv_write_rsa_2048.sh
 ./tpm_nv_read_rsa_2048.sh
 ./tpm_nv_write_aes_256.sh
diff --git a/recipes-support/tpm-test-scripts/tpm-examples/tpm_policy_creation.sh b/recipes-support/tpm-test-scripts/tpm-examples/tpm_policy_creation.sh
index 395b901..cebf4f3 100644
--- a/recipes-support/tpm-test-scripts/tpm-examples/tpm_policy_creation.sh
+++ b/recipes-support/tpm-test-scripts/tpm-examples/tpm_policy_creation.sh
@@ -3,15 +3,6 @@
 # Define the PCR index
 pcr_index=16
-#script is located
-script_directory="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-# Define the filename you want to check
-file_to_check="measured.pcrvalues"
-
-# Combine the directory and the filename
-file_path="$script_directory/$file_to_check"
-
 tpm2_pcrread -o pcr16.dat sha256:$pcr_index
 # creating a bin file with the value of zero
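Review bot: `pcr_index=16` at the top of the tpm_policy_creation.sh hunk binds the whole example chain to PCR 16, which on PC-Client TPMs is the resettable debug PCR (`tpm2_pcrreset 16` clears it from any locality), so a policy bound to it can be satisfied by anyone who can reset and re-extend the PCR; that is acceptable for an example but should be stated next to the constant. Suggested comment: `# PCR 16 is the PC-Client debug PCR and can be reset with tpm2_pcrreset; bind to a firmware-extended PCR (0-7) for a real measured-boot policy.` The `tpm2_pcrread -o pcr16.dat sha256:$pcr_index` that survives the hunk is not exit-checked and I can see no `set -e` in lines 1-2, so a failed read leaves the all-zero comparison below the hunk running against a missing file; `tpm2_pcrread -o pcr16.dat sha256:$pcr_index || exit 1` stops the script at the real failure.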
@@ -28,27 +19,12 @@ else
 exit 1
 fi
-if [ -e "$file_path" ]; then
- echo "File $file_to_check exists in the script's directory."
-else
- echo "File $file_to_check does not exist in the script's directory, creating measured.pcrvalues file."
- cp pcr16.dat measured.pcrvalues
-fi
-
 # Start a policy auth session used when authenticating with a policy.
-tpm2_startauthsession --policy-session -S session1.dat
-
-# Measured boot check using tpm2_policypcr api carried out by comparing current state value with the measured.pcrvalues value; this is done by TPM internally.
-if tpm2_policypcr -S session1.dat -l sha256:$pcr_index -f $file_to_check; then
- echo "PCR value is extended and Passes the Measure Boot condition."
-else
- echo "PCR values are not matching, Measure Boot fails"
- exit 1
-fi
+tpm2_startauthsession --policy-session -S session.dat
-# Create a policy for the current PCR index
-tpm2_createpolicy --policy-pcr -l sha256:$pcr_index -L policy16.pcr
-echo "policy created"
+# Create a policy by using the current state of the pcr
+tpm2_policypcr -S session.dat -l sha256:$pcr_index -L policy16.pcr
 rm pcr_zero.dat
-rm session1.dat
\ No newline at end of file
+rm session.dat
+rm pcr16.dat
diff --git a/recipes-support/tpm-test-scripts/tpm-examples_1.0.bb b/recipes-support/tpm-test-scripts/tpm-examples_1.0.bb
index 7c5d773..a0a8ebb 100644
--- a/recipes-support/tpm-test-scripts/tpm-examples_1.0.bb
+++ b/recipes-support/tpm-test-scripts/tpm-examples_1.0.bb
@@ -11,6 +11,7 @@ LICENSE = "CLOSED"
 SRC_URI = " \
 file://tpm_policy_creation.sh \
+ file://tpm_check_measured_boot.sh \
 file://tpm_error_aes_nvread.sh \
 file://tpm_error_aes_nvwrite.sh \
 file://tpm_nv_read_aes_256.sh \
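Review bot: `rm session.dat` at the end of the tpm_policy_creation.sh hunk deletes only the saved session context; the session opened by `tpm2_startauthsession --policy-session -S session.dat` stays loaded in the TPM until it is flushed, and since nothing in this script flushes it, repeated runs of the example chain will eventually exhaust the TPM's loaded-session slots and later scripts fail with a session-handle error. Add `tpm2_flushcontext session.dat` before the `rm`. Neither `tpm2_startauthsession` nor `tpm2_policypcr` is exit-checked and there is no `set -e` visible in lines 1-2, so a failure leaves a stale `policy16.pcr` from an earlier run in place for the NV scripts to consume; `tpm2_policypcr -S session.dat -l sha256:$pcr_index -L policy16.pcr || exit 1` (and `|| exit 1` on the session start) closes that. Since the only purpose here is to compute the digest the removed `tpm2_createpolicy` used to produce, a trial session (`tpm2_startauthsession -S session.dat`, without `--policy-session`) is sufficient and avoids holding a real policy session open.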
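Review bot: `file://tpm_check_measured_boot.sh` is added to SRC_URI, but the diffstat and the new file's diff header create the script at `recipes-support/tpm-test-scripts/tpm_check_measured_boot.sh`, beside the recipe, whereas `tpm_policy_creation.sh` and the README that documents it live in `tpm-test-scripts/tpm-examples/`. BitBake's default FILESPATH searches the `${BP}`, `${BPN}` and `files` subdirectories next to the recipe, not the recipe directory itself, so unless FILESEXTRAPATHS is extended somewhere outside this hunk, do_fetch will not find the new file. Move it to `recipes-support/tpm-test-scripts/tpm-examples/tpm_check_measured_boot.sh` alongside its siblings so the existing lookup keeps working.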
@@ -28,6 +29,7 @@ do_install() {
 install -d ${D}/etc/tpm/user_examples
 install -m 0755 ${WORKDIR}/tpm_policy_creation.sh ${D}/etc/tpm/user_examples
+ install -m 0755 ${WORKDIR}/tpm_check_measured_boot.sh ${D}/etc/tpm/user_examples
 install -m 0755 ${WORKDIR}/tpm_error_aes_nvread.sh ${D}/etc/tpm/user_examples
 install -m 0755 ${WORKDIR}/tpm_error_aes_nvwrite.sh ${D}/etc/tpm/user_examples
 install -m 0755 ${WORKDIR}/tpm_nv_read_aes_256.sh ${D}/etc/tpm/user_examples
@@ -40,6 +42,7 @@ do_install() {
 FILES:${PN} += " \
 /etc/tpm/user_examples/tpm_policy_creation.sh \
+ /etc/tpm/user_examples/tpm_check_measured_boot.sh \
 /etc/tpm/user_examples/tpm_error_aes_nvread.sh \
 /etc/tpm/user_examples/tpm_error_aes_nvwrite.sh \
 /etc/tpm/user_examples/tpm_nv_read_aes_256.sh \
diff --git a/recipes-support/tpm-test-scripts/tpm_check_measured_boot.sh b/recipes-support/tpm-test-scripts/tpm_check_measured_boot.sh
new file mode 100644
index 0000000..e4f2651
--- /dev/null
+++ b/recipes-support/tpm-test-scripts/tpm_check_measured_boot.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Define the PCR index
+pcr_index=16
+
+#script is located
+script_directory="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Define the filename you want to check
+file_to_check="measured.pcrvalues"
+
+# Combine the directory and the filename
+file_path="$script_directory/$file_to_check"
+
+tpm2_pcrread -o pcr16.dat sha256:$pcr_index
+
+# creating a bin file with the value of zero
+dd if=/dev/zero of=pcr_zero.dat bs=32 count=1
+
+#comparing the pcr.dat with pcr_zero.dat file, if the values is not extended means then it will terminated the whole process.
+cmp_value=$(cmp -s pcr16.dat pcr_zero.dat; echo $?)
+
+if [ "$cmp_value" -eq 1 ]; then
+ echo "PCR value is extended we can proceed further"
+else
+ echo "PCR value is all zeros, check whether it is the closed board or not."
+ rm pcr16.dat
+ exit 1
+fi
+
+if [ -e "$file_path" ]; then
+ echo "File $file_to_check exists in the script's directory."
+else
+ echo "File $file_to_check does not exist in the script's directory, creating measured.pcrvalues file."
+ cp pcr16.dat measured.pcrvalues
+fi
+
+# Start a policy auth session used when authenticating with a policy.
+tpm2_startauthsession --policy-session -S session1.dat
+
+# Measured boot check using tpm2_policypcr api carried out by comparing current state value with the measured.pcrvalues value; this is done by TPM internally.
+if tpm2_policypcr -S session1.dat -l sha256:$pcr_index -f $file_to_check; then
+ echo "PCR value is extended and Passes the Measure Boot condition."
+else
+ echo "PCR values are not matching, Measure Boot fails"
+ exit 1
+fi
+
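Review bot: The reference file is tested at `$file_path` (the script's directory) but is created by `cp pcr16.dat measured.pcrvalues` and consumed by `tpm2_policypcr ... -f $file_to_check` relative to the current working directory, so when the script is run from anywhere other than its own directory (the recipe installs it under /etc/tpm/user_examples) the existence check and the comparison disagree and the check either fails on a missing file or silently re-baselines in the cwd; both should use `"$file_path"`. The policy session on session1.dat is never flushed and session1.dat, pcr16.dat and pcr_zero.dat are left behind on both the pass and fail paths, unlike tpm_policy_creation.sh which cleans up after itself. `cmp -s` returns 2 when pcr16.dat is missing (e.g. tpm2_pcrread failed), which the `-eq 1` test reports as "PCR value is all zeros". Finally, the first run records whatever PCR 16 currently holds as the golden value, so anyone who can delete measured.pcrvalues can re-baseline the check; that trust-on-first-use behaviour deserves a comment saying the reference must be provisioned and write-protected out of band.
```shell
# … unchanged: pcr_index, file_path, PCR read and all-zero check …
if [ -e "$file_path" ]; then
    echo "File $file_to_check exists in the script's directory."
else
    # NOTE: this baselines on the *current* PCR value (trust-on-first-use);
    # the reference file must be provisioned and write-protected out of band.
    echo "File $file_to_check does not exist in the script's directory, creating measured.pcrvalues file."
    cp pcr16.dat "$file_path"
fi

# Start a policy auth session used when authenticating with a policy.
tpm2_startauthsession --policy-session -S session1.dat || exit 1
# The TPM-side session lives until flushed; clean it and the scratch files on every exit path.
trap 'tpm2_flushcontext session1.dat; rm -f session1.dat pcr16.dat pcr_zero.dat' EXIT

if tpm2_policypcr -S session1.dat -l sha256:$pcr_index -f "$file_path"; then
    echo "PCR value is extended and Passes the Measure Boot condition."
else
    echo "PCR values are not matching, Measure Boot fails"
    exit 1
fi
```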