From bf7677c4f65766a0744ac1e1b4f83a8d03c55e47 Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Thu, 4 Jan 2024 12:24:12 -0500
Subject: [PATCH] WiP tpmr: unify simulated PCR output with raw/TPM event log
 output for comparison

Buggy as of now, will reverify next week

~ # tpmr verify_coreboot_measured_boot_tpm_event_log_vs_content_measured #Valida
te coreboot TPM event log against cbmem FMAP+cbfs content
[  293.267413] TRACE: Under /bin/tpmr
[  293.390454] TRACE: Under /bin/tpmr
[  293.441752] TRACE: Under /bin/tpmr:replay_pcr
[  293.551759] TRACE: Under /bin/tpmr:extend_pcr_state
[  293.574966] DEBUG: Initial PCR state: 0000000000000000000000000000000000000000000000000000000000000000
[  293.639890] DEBUG: Extending PCR state with passed argument #1 hash: 02778dad5303b911adc8828cf5101a251a9b2a5a2b711a44159fb89a5a0b5198
[  293.761500] DEBUG: Extending PCR state with passed argument #2 hash: 5444dba991b48df882ed1e2b85f0c90f947f6c7f8ed3dd6c91dc70dd661b66cb
[  293.899682] DEBUG: Extending PCR state with passed argument #3 hash: 13d3cacde02deff3d5e1ae2b52e5647c67046fb359b58d3899365a87a7161090
[  294.028814] DEBUG: Extending PCR state with passed argument #4 hash: cea785e25dfdc94b8296a0a2bcc75d2f44f93543d0eb4236a0efa5add87fc97a
[  294.137824] DEBUG: Extending PCR state with passed argument #5 hash: bb2ff5833f90c09916fb972f49963653cf207cc65033276d458e00ce31d4b3d7
[  294.259655] DEBUG: Extending PCR state with passed argument #6 hash: bc172d6c3551a44fbd6beef7ebbb2d4fa1452c46fcfdeebef1c519f13d668f1b
[  294.400277] DEBUG: Extending PCR state with passed argument #7 hash: bf037ed20105da5af9affb40353a4bccc9c8e69f2b03b81260573821ccbfa6d8
[  294.514983] DEBUG: Extended final PCR state: ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
[  294.561181] DEBUG: Replayed cbmem -L clean boot state of PCR=2 ALG=sha256 : ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
[  294.699187] TRACE: Under /bin/tpmr
[  294.765450] TRACE: Under /bin/tpmr:recalculate_firmware_pcr_from_cbfs
[  294.812153] TRACE: Under /bin/tpmr:read_and_pad_FMAP_from_cbmem
[  295.853558] TRACE: Under /bin/tpmr:calc_pcr
[  295.909978] TRACE: Under /bin/tpmr:extend_pcr_state
[  295.955343] DEBUG: Initial PCR state: 0000000000000000000000000000000000000000000000000000000000000000
[  296.036572] DEBUG: Extending PCR state with passed argument #1 hash: 02778dad5303b911adc8828cf5101a251a9b2a5a2b711a44159fb89a5a0b5198
[  296.196037] DEBUG: Extending PCR state with passed argument #2 hash: 5444dba991b48df882ed1e2b85f0c90f947f6c7f8ed3dd6c91dc70dd661b66cb
[  296.364665] DEBUG: Extending PCR state with passed argument #3 hash: 13d3cacde02deff3d5e1ae2b52e5647c67046fb359b58d3899365a87a7161090
[  296.528953] DEBUG: Extending PCR state with passed argument #4 hash: cea785e25dfdc94b8296a0a2bcc75d2f44f93543d0eb4236a0efa5add87fc97a
[  296.683826] DEBUG: Extending PCR state with passed argument #5 hash: bb2ff5833f90c09916fb972f49963653cf207cc65033276d458e00ce31d4b3d7
[  296.843403] DEBUG: Extending PCR state with passed argument #6 hash: bc172d6c3551a44fbd6beef7ebbb2d4fa1452c46fcfdeebef1c519f13d668f1b
[  297.011405] DEBUG: Extending PCR state with passed argument #7 hash: bf037ed20105da5af9affb40353a4bccc9c8e69f2b03b81260573821ccbfa6d8
[  297.142107] DEBUG: Extended final PCR state: ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
[  297.200198] DEBUG: Replayed cbmem -L clean boot state of PCR=2 ALG=sha256 : ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
[  297.375755] DEBUG: Original TPM PCR2 value:     2 : 0xAB50D5ACD93870448844392A2582099650614E0C75F3B6C3F3A5F7A811AB3BCA
[  297.438635] DEBUG: TPM event log reported by cbmem -L: coreboot TPM log:
[  297.472275]
[  297.514744] PCR-2 02778dad5303b911adc8828cf5101a251a9b2a5a2b711a44159fb89a5a0b5198 SHA256 [FMAP: FMAP]
[  297.559260] PCR-2 5444dba991b48df882ed1e2b85f0c90f947f6c7f8ed3dd6c91dc70dd661b66cb SHA256 [CBFS: bootblock]
[  297.594767] PCR-2 13d3cacde02deff3d5e1ae2b52e5647c67046fb359b58d3899365a87a7161090 SHA256 [CBFS: fallback/romstage]
[  297.632653] PCR-2 cea785e25dfdc94b8296a0a2bcc75d2f44f93543d0eb4236a0efa5add87fc97a SHA256 [CBFS: fallback/postcar]
[  297.688218] PCR-2 bb2ff5833f90c09916fb972f49963653cf207cc65033276d458e00ce31d4b3d7 SHA256 [CBFS: fallback/ramstage]
[  297.723743] PCR-2 bc172d6c3551a44fbd6beef7ebbb2d4fa1452c46fcfdeebef1c519f13d668f1b SHA256 [CBFS: bootsplash.jpg]
[  297.760327] PCR-2 bf037ed20105da5af9affb40353a4bccc9c8e69f2b03b81260573821ccbfa6d8 SHA256 [CBFS: fallback/payload]
[  297.823487] DEBUG: Calculated TPM PCR2 value from files: ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
[  297.872171] DEBUG: Measured boot from TPM event log: ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab
[  297.905953] 3bca
[  297.955757] DEBUG: Measured boot from content measured by coreboot: ab50d5acd93870448844392a2582099650614e0c75f3b6c3f3a5f7a811ab3bca
Failed: TPM event log does not match content measured by coreboot
[  298.008151]  !!! ERROR: TPM event log does not match content measured by coreboot !!!

the 3cba on second line is weird. Close but not good enough

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
---
 initrd/.ash_history |  1 +
 initrd/bin/tpmr     | 31 ++++++++++++++++++++++++++++---
 targets/qemu.mk     |  2 +-
 3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/initrd/.ash_history b/initrd/.ash_history
index 0541ab0cc..42f495001 100644
--- a/initrd/.ash_history
+++ b/initrd/.ash_history
@@ -8,6 +8,7 @@ flash.sh /media/coreboot.rom -p #flash coreboot.rom WITH preserving user setting
 cbmem --console | grep '^ME' #view ME console
 cbmem --console | less #view coreboot console
 tpmr recalculate_firmware_pcr_from_cbfs #Replay coreboot TPM event log from CBFS
+tpmr verify_coreboot_measured_boot_tpm_event_log_vs_content_measured #Validate coreboot TPM event log against cbmem FMAP+cbfs content
 # Reboot/power off (important for devices with no keyboard to escape recovery shell)
 reboot  # Press Enter with this command to reboot
 poweroff  # Press Enter with this command to power off
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index 5abdf8f44..dda72e17e 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -354,17 +354,35 @@ recalculate_firmware_pcr_from_cbfs()
 		return 1
 	fi
 
-	DO_WITH_DEBUG calc_pcr "$1" 2 \
+	calculated_pcr=$(calc_pcr "$1" 2 \
 		"$(read_and_pad_FMAP_from_cbmem "$1")" \
 		"$(cbfs --read bootblock | $checksum_prog | awk -F ' ' '{print $1}')" \
 		"$(cbfs --read fallback/romstage | $checksum_prog | awk -F ' ' '{print $1}')" \
 		"$(cbfs --read fallback/postcar | $checksum_prog | awk -F ' ' '{print $1}')" \
 		"$(cbfs --read fallback/ramstage | $checksum_prog | awk -F ' ' '{print $1}')" \
 		"$(cbfs --read bootsplash.jpg | $checksum_prog | awk -F ' ' '{print $1}')" \
-		"$(cbfs --read fallback/payload | $checksum_prog | awk -F ' ' '{print $1}')"
+		"$(cbfs --read fallback/payload | $checksum_prog | awk -F ' ' '{print $1}')")
 
-		DEBUG "Actual TPM $(pcrs | grep "$PCR_STRING")"
+		DEBUG "Original TPM PCR2 value: $(pcrs | grep "$PCR_STRING")"
 		DEBUG "TPM event log reported by cbmem -L: $(cbmem -L)"
+		DEBUG "Calculated TPM PCR2 value from files: $calculated_pcr"
+		echo "$calculated_pcr"
+}
+
+verify_coreboot_measured_boot_tpm_event_log_vs_content_measured()
+{
+	measured_boot=$(tpmr calcfuturepcr 2  | xxd -p)
+	content_measured=$(tpmr recalculate_firmware_pcr_from_cbfs)
+
+	DEBUG "Measured boot from TPM event log: $measured_boot"
+	DEBUG "Measured boot from content measured by coreboot: $content_measured"
+
+	if [ "$measured_boot" == "$content_measured" ]; then
+		echo "Verified: TPM event log matches content measured by coreboot"
+	else
+		echo "Failed: TPM event log does not match content measured by coreboot"
+		die "TPM event log does not match content measured by coreboot"
+	fi
 }
 
 tpm2_extend() {
@@ -897,6 +915,10 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 		shift
 		recalculate_firmware_pcr_from_cbfs "sha1"
 		;;
+	verify_coreboot_measured_boot_tpm_event_log_vs_content_measured)
+		shift
+		verify_coreboot_measured_boot_tpm_event_log_vs_content_measured
+		;;
 	counter_create)
 		shift
 		tpm1_counter_create "$@"
@@ -948,6 +970,9 @@ calc_pcr)
 recalculate_firmware_pcr_from_cbfs)
 	recalculate_firmware_pcr_from_cbfs "sha256"
 	;;
+verify_coreboot_measured_boot_tpm_event_log_vs_content_measured)
+	verify_coreboot_measured_boot_tpm_event_log_vs_content_measured
+	;;
 extend)
 	tpm2_extend "$@"
 	;;
diff --git a/targets/qemu.mk b/targets/qemu.mk
index 930afa7b3..59286a3e1 100644
--- a/targets/qemu.mk
+++ b/targets/qemu.mk
@@ -88,7 +88,7 @@ run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
 	-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
 		--machine q35,accel=kvm:tcg \
 		-rtc base=utc \
-		-smp "$$(nproc)" \
+		-smp 1 \
 		-vga std \
 		-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
 		-serial stdio \