
BG suite multierror support

Open orangecms opened this issue 2 years ago • 5 comments

Signed-off-by: Daniel Maslowski [email protected]

orangecms avatar May 21 '23 21:05 orangecms

So I checked because I noticed that go-multierror was already in the dependencies... https://www.libhunt.com/compare-multierr-vs-go-multierror

Which led me to this: Apparently, Go 1.20 added native multi error support. https://www.reddit.com/r/golang/comments/z870te/multiple_error_wrapping_is_coming_in_go_120/

Anyway, I think introducing the Uber package is fine here, and we can rework things nicely again later.

orangecms avatar Jan 30 '24 13:01 orangecms

And the CI error basically says that we should upgrade to Go 1.19 at least (I would go straight to 1.21).

# go.uber.org/multierr
/go/pkg/mod/go.uber.org/[email protected]/error.go:209:20: undefined: atomic.Bool
note: module requires Go 1.19

Exited with code exit status 2

Huh, we do have 1.19 though... no idea what's wrong here... sigh

Edit/addendum: sooooo... since this uses atomics and Go doesn't offer them on all architectures we use, I'll see about using github.com/hashicorp/go-multierror here instead; hope that has everything necessary :grimacing:

orangecms avatar Jan 30 '24 13:01 orangecms

:heart:

ChriMarMe avatar Jan 30 '24 14:01 ChriMarMe

The dependency removal is the actual feature here; this before vs after should clarify it:

before

bg-suite exec-tests -f ~/firmware/MSI/Cyborg\ 15\ A12VE/E15K1IMS.30B/E15K1IMS.30B
For more information about the documents and chapters, run: bg-suite -m

All tests
_________
00 - FIT meets BootGuard requirements        : FAIL                 (couldn't find any BIOS Startup Module Entry in FIT)
01 - SACM meets sane BootGuard requirements  : DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
02 - Key Manifest meets sane BootGuard requirements: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
03 - Boot Policy Manifest meets sane BootGuard requirements: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
04 - Verifies BPM and IBBs match firmware image: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
05 - [RUNTIME] Validates Intel ME specific configuration against KM/BPM in firmware image: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
06 - [RUNTIME] Verifies Intel ME Boot Guard configuration is sane and safe: FAIL                 (couldn't read HFSTS6: couldn't read HFSTS6 from PCI config space: couldn't find Intel ME device for runtime checks)
07 - [RUNTIME] BtG/TXT registers are sane    : FAIL                 (txt regs aren't valid: couldn't fetch TXT regs: open /dev/mem: permission denied)

after

bg-suite exec-tests -f "/home/dama/firmware/MSI/Cyborg 15 A12VE/E15K1IMS.30B/E15K1IMS.30B"
For more information about the documents and chapters, run: bg-suite -m

All tests
_________
00 - FIT meets BootGuard requirements        : FAIL                 (couldn't find any BIOS Startup Module Entry in FIT)
01 - SACM meets sane BootGuard requirements  : PASS
02 - Key Manifest meets sane BootGuard requirements: PASS
03 - Boot Policy Manifest meets sane BootGuard requirements: FAIL                 (
 multiple errors:
 bpm hasn't sane security properties: no BootGuard Boot Policy Manifest found
)
04 - Verifies BPM and IBBs match firmware image: PASS
05 - [RUNTIME] Validates Intel ME specific configuration against KM/BPM in firmware image: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
06 - [RUNTIME] Verifies Intel ME Boot Guard configuration is sane and safe: FAIL                 (couldn't read HFSTS6: couldn't read HFSTS6 from PCI config space: couldn't find Intel ME device for runtime checks)
07 - [RUNTIME] BtG/TXT registers are sane    : FAIL                 (
 txt regs aren't valid:
 couldn't fetch TXT regs: open /dev/mem: permission denied
)

orangecms avatar Jan 31 '24 10:01 orangecms

grammar fixed:

bg-suite exec-tests -f "/home/dama/firmware/MSI/Cyborg 15 A12VE/E15K1IMS.30B/E15K1IMS.30B"
For more information about the documents and chapters, run: bg-suite -m

All tests
_________
00 - FIT meets BootGuard requirements        : FAIL                 (couldn't find any BIOS Startup Module Entry in FIT)
01 - SACM meets sane BootGuard requirements  : PASS
02 - Key Manifest meets sane BootGuard requirements: PASS
03 - Boot Policy Manifest meets sane BootGuard requirements: FAIL                 (
 Errors occurred:
 Boot Policy Manifest doesn't have sane security properties: no BootGuard Boot Policy Manifest found
)
04 - Verifies BPM and IBBs match firmware image: PASS
05 - [RUNTIME] Validates Intel ME specific configuration against KM/BPM in firmware image: DEPENDENCY_FAILED    (FIT meets BootGuard requirements failed)
06 - [RUNTIME] Verifies Intel ME Boot Guard configuration is sane and safe: FAIL                 (couldn't read HFSTS6: couldn't read HFSTS6 from PCI config space: couldn't find Intel ME device for runtime checks)
07 - [RUNTIME] BtG/TXT registers are sane    : FAIL                 (
 txt regs aren't valid:
 couldn't fetch TXT regs: open /dev/mem: permission denied
)

orangecms avatar Jan 31 '24 10:01 orangecms
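Added example, not code from this thread or from bg-suite: a minimal sketch of the behaviour in the before/after output above, where every check runs even if an earlier one failed and all findings are aggregated, here with the Go 1.20 standard-library `errors.Join` mentioned earlier in the thread. `Image`, `need`, `Checks`, `RunAll` and the sentinel errors are hypothetical names, and the input is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical sentinel errors for this example (not bg-suite identifiers).
var (
	ErrNoStartup = errors.New("couldn't find any BIOS Startup Module Entry in FIT")
	ErrNoKM      = errors.New("no Key Manifest found")
	ErrNoBPM     = errors.New("no BootGuard Boot Policy Manifest found")
)

// Image is a constructed stand-in for a parsed firmware image.
type Image struct{ HasStartupEntry, HasKM, HasBPM bool }

// need returns err when the required property is absent, nil otherwise.
func need(ok bool, err error) error {
	if ok {
		return nil
	}
	return err
}

// Checks are independent; errors.Join keeps every finding, nil if none.
var Checks = []struct {
	Name string
	Run  func(Image) error // nil means PASS
}{
	{"FIT", func(i Image) error { return need(i.HasStartupEntry, ErrNoStartup) }},
	{"Manifests", func(i Image) error {
		return errors.Join(need(i.HasKM, ErrNoKM), need(i.HasBPM, ErrNoBPM))
	}},
}

// RunAll runs every check and joins all failures into one error value.
func RunAll(img Image) (failed []string, err error) {
	for _, c := range Checks {
		if e := c.Run(img); e != nil {
			failed = append(failed, c.Name)
			err = errors.Join(err, fmt.Errorf("%s: %w", c.Name, e))
		}
	}
	return failed, err
}

func main() {
	fmt.Println(RunAll(Image{})) // constructed input: nothing present
}
```

Because the joined error keeps each wrapped cause, a caller can still test for one specific finding with `errors.Is` instead of parsing the printed report.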