go-tpm-tools icon indicating copy to clipboard operation
go-tpm-tools copied to clipboard

Published 20 hours ago verified publisher icon google

failed to validate the PCClient event log in VMware

Open GastonMeghi opened this issue 2 years ago • 3 comments

I've created the following script for testing proposes and I'm running it on a VMware VM with a virtualized TPM with RHEL8 as the OS. I got the following error when running server.VerifyAttestation:

failed to validate the PCClient event log: failed to replay event log: event log failed to verify: the following registers failed to replay: [0]

Is this expected to happen? I'm thinking about testing this on my real machine with the actual TPM but I afraid to break something.

The code is pretty much the same as the verify_test.go one but using VMwares virtualized TPM.

`package main

import ( "crypto" "fmt"

"github.com/google/go-tpm-tools/client"
"github.com/google/go-tpm-tools/server"
"github.com/google/go-tpm/tpm2"

)

func main() {

tpm, err := tpm2.OpenTPM()
if err != nil {
	fmt.Println("[ERROR] opening tpm failed: ", err)
	return
}

AttestationKeyRSA, err := client.AttestationKeyRSA(tpm)
defer AttestationKeyRSA.Close()

if err != nil {
	fmt.Println("[ERROR] RSA AK Creation failed: ", err)
	return
}
fmt.Println("[INFO] AK Created: ", AttestationKeyRSA)

nonce, err := tpm2.GetRandom(tpm, 15)

if err != nil {
	fmt.Println("[ERROR] nonce creation failed: ", err)
	return
}
fmt.Println("[INFO] nonce Created: ", nonce)

attestation, err := AttestationKeyRSA.Attest(client.AttestOpts{Nonce: nonce})

if err != nil {
	fmt.Println("[ERROR] Attestation failed: ", err)
	return
}

MachineState, err := server.VerifyAttestation(attestation, server.VerifyOpts{
	Nonce:      nonce,
	TrustedAKs: []crypto.PublicKey{AttestationKeyRSA.PublicKey()},
})

if err != nil {
	// handle error
	fmt.Println("[ERROR] VerifyAttestation failed: ", err)
	return
}

fmt.Println("INFO: Grub State", MachineState)

}`

GastonMeghi avatar Jul 18 '22 22:07 GastonMeghi

This is not unexpected. See https://github.com/google/go-tpm-tools/issues/141 for another example.

Basically, this error means the event log located at /sys/kernel/security/tpm0/binary_bios_measurements failed to replay against PCR0 (BIOS measurements, including CRTM). It could be a firmware bug as firmware has been known to log a different measurement in the event log than what they measure into the TPM.

Feel free to dump that here and I can take a look, or you can also examine the event log yourself by running tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements. (https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_eventlog.1.md)

alexmwu avatar Jul 19 '22 19:07 alexmwu

okay, no worries! I can check it. One question though, how risky is it to run this types of routines agains the real TPM? I don't need to do more than a credential activation to verify that the AK comes from a real TPM as shown on the readme of go attestation, and after that do boot measurements. I think it's risk free right? Because I tried this same program on ubuntu 22.04 and it didn't work also. It might be VMware the one causing issues.

GastonMeghi avatar Jul 21 '22 14:07 GastonMeghi

I think the only mutating command you're running above is in creating the AttestationKey: AttestationKeyRSA, err := client.AttestationKeyRSA(tpm). This is cached, however, and should not create a new one if you call it again (provided the template is the same)

Everything else reads from the TPM or the firmware event log and does not modify the TPM.

alexmwu avatar Jul 25 '22 21:07 alexmwu