Bootguard 1.0 support

cmd/cbnt-prov/main.go → cmd/bg-prov/main.go

@@ -3,7 +3,7 @@ package main
 import (
 	"github.com/9elements/converged-security-suite/v2/pkg/log"
 	"github.com/alecthomas/kong"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt"
 	fianoLog "github.com/linuxboot/fiano/pkg/log"
 )
 
@@ -26,7 +26,7 @@ func main() {
 			Compact: true,
 			Summary: true,
 		}))
-	manifest.StrictOrderCheck = cli.ManifestStrictOrderCheck
+	cbnt.StrictOrderCheck = cli.ManifestStrictOrderCheck
 	fianoLog.DefaultLogger = log.DummyLogger{}
 	err := ctx.Run(&context{Debug: cli.Debug})
 	ctx.FatalIfErrorf(err)

cmd/pcr0tool/main.go

@@ -14,7 +14,7 @@ import (
 	"github.com/9elements/converged-security-suite/v2/cmd/pcr0tool/commands/printnodes"
 	"github.com/9elements/converged-security-suite/v2/cmd/pcr0tool/commands/sum"
 	"github.com/9elements/converged-security-suite/v2/pkg/log"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt"
 	fianoLog "github.com/linuxboot/fiano/pkg/log"
 )
 
@@ -52,7 +52,7 @@ func setupFlag() {
 }
 
 func main() {
-	manifest.StrictOrderCheck = false // some firmwares have incorrect elements order, should parse them anyway
+	cbnt.StrictOrderCheck = false // some firmwares have incorrect elements order, should parse them anyway
 	fianoLog.DefaultLogger = log.DummyLogger{}
 
 	setupFlag()

cmd/txt-prov/main.go

@@ -3,7 +3,7 @@ package main
 import (
 	"github.com/9elements/converged-security-suite/v2/pkg/log"
 	"github.com/alecthomas/kong"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt"
 	fianoLog "github.com/linuxboot/fiano/pkg/log"
 )
 
@@ -24,7 +24,7 @@ func main() {
 			Compact: true,
 			Summary: true,
 		}))
-	manifest.StrictOrderCheck = cli.ManifestStrictOrderCheck
+	cbnt.StrictOrderCheck = cli.ManifestStrictOrderCheck
 	fianoLog.DefaultLogger = log.DummyLogger{}
 
 	// Run commands

cmd/txt-suite/main.go

@@ -3,7 +3,7 @@ package main
 import (
 	"github.com/9elements/converged-security-suite/v2/pkg/log"
 	"github.com/alecthomas/kong"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt"
 	fianoLog "github.com/linuxboot/fiano/pkg/log"
 )
 
@@ -37,7 +37,7 @@ func main() {
 			Compact: true,
 			Summary: true,
 		}))
-	manifest.StrictOrderCheck = cli.ManifestStrictOrderCheck
+	cbnt.StrictOrderCheck = cli.ManifestStrictOrderCheck
 	fianoLog.DefaultLogger = log.DummyLogger{}
 	err := ctx.Run(&context{})
 	ctx.FatalIfErrorf(err)

go.mod

@@ -16,7 +16,6 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/klauspost/cpuid/v2 v2.2.3
 	github.com/linuxboot/contest v1.0.1
-	github.com/linuxboot/fiano v1.1.3
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/marcoguerri/go-tpm-tcti v0.0.0-20210425104733-8e8c8fe68e60
 	github.com/steakknife/hamming v0.0.0-20180906055917-c99c65617cd3
@@ -50,6 +49,7 @@ require (
 	github.com/intel-go/cpuid v0.0.0-20220614022739-219e067757cb // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/leodido/go-urn v1.2.1 // indirect
+	github.com/linuxboot/fiano v1.1.4-0.20230112160421-8a127a636eef // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect

go.sum

@@ -395,8 +395,10 @@ github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJ
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/linuxboot/contest v1.0.1 h1:uZXIojtS+4WcEBqHqNatMAfN7+VW57f1Qu+wjQCo2hU=
 github.com/linuxboot/contest v1.0.1/go.mod h1:VbZjvYll1WLVl7un8N26DDs5TtC4WVhpcsFw7SR9KaU=
-github.com/linuxboot/fiano v1.1.3 h1:/EFBlsC+896J0YbU0CHi7lSm5dOcE08vE0ro9jBAl50=
-github.com/linuxboot/fiano v1.1.3/go.mod h1:1FwHUkd0fdHTvACyx6IdVn1GBAiS5mG2CM5b0nLMLxo=
+github.com/linuxboot/fiano v1.1.4-0.20230112151028-8e9c749e2563 h1:BLjv+K5+CjjLp2gs/bZX96SOBdcsjQeL8djHB5Uxs2w=
+github.com/linuxboot/fiano v1.1.4-0.20230112151028-8e9c749e2563/go.mod h1:1FwHUkd0fdHTvACyx6IdVn1GBAiS5mG2CM5b0nLMLxo=
+github.com/linuxboot/fiano v1.1.4-0.20230112160421-8a127a636eef h1:s8pxYsJ/RLXhAJ9GmGgPt1p4YTJHcnT3sH9vo4Frml4=
+github.com/linuxboot/fiano v1.1.4-0.20230112160421-8a127a636eef/go.mod h1:1FwHUkd0fdHTvACyx6IdVn1GBAiS5mG2CM5b0nLMLxo=
 github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczGlG91VSDkswnjF5A8=
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=

pkg/pcr/flow_detection.go

@@ -5,8 +5,8 @@ import (
 	"fmt"
 
 	amd "github.com/linuxboot/fiano/pkg/amd/manifest"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt"
 	"github.com/linuxboot/fiano/pkg/intel/metadata/fit"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest"
 
 	"github.com/9elements/converged-security-suite/v2/pkg/errors"
 	"github.com/9elements/converged-security-suite/v2/pkg/registers"
@@ -55,7 +55,7 @@ func DetectTPM(firmware Firmware, regs registers.Registers) (tpmdetection.Type,
 				if data == nil {
 					return 0, fmt.Errorf("unable to parse EntrySACM: %w", err)
 				}
-				_, chipset, err := manifest.ParseChipsetACModuleInformation(bytes.NewBuffer(data.UserArea))
+				_, chipset, err := cbnt.ParseChipsetACModuleInformation(bytes.NewBuffer(data.UserArea))
 				if err != nil {
 					return 0, fmt.Errorf("failed to read ChipsetACModuleInformation, err: %w", err)
 				}
@@ -69,7 +69,7 @@ func DetectTPM(firmware Firmware, regs registers.Registers) (tpmdetection.Type,
 
 				// chipset.TPMInfoList is an offset in bytes from ACM start.
 				image := firmware.ImageBytes()
-				var tpmInfo manifest.TPMInfoList
+				var tpmInfo cbnt.TPMInfoList
 				sacmOffset := fitEntry.Headers.Address.Offset(uint64(len(image)))
 				_, err = tpmInfo.ReadFrom(bytes.NewBuffer(image[sacmOffset+uint64(chipset.TPMInfoList):]))
 				if err != nil {

pkg/pcr/get_measurements_pcr0_cbnt0t.go

@@ -6,10 +6,10 @@ import (
 
 	"github.com/9elements/converged-security-suite/v2/pkg/registers"
 	pkgbytes "github.com/linuxboot/fiano/pkg/bytes"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt/cbntbootpolicy"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt/cbntkey"
 	"github.com/linuxboot/fiano/pkg/intel/metadata/fit"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest/bootpolicy"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest/key"
 )
 
 type pcr0Data struct {
@@ -98,7 +98,7 @@ func MeasurePCR0Data(config MeasurementConfig, imageSize uint64, fitEntries []fi
 	// Note: +2 - skip array size field to get the first element
 	offsetToTheFirstDigest := bpmOffset + bpManifest.SEOffset() +
 		bpManifest.SE[0].DigestListOffset() + (bpManifest.SE[0].DigestList.ListOffset() + 2)
-	if config.PCR0DataIbbDigestHashAlgorithm == manifest.AlgUnknown || config.PCR0DataIbbDigestHashAlgorithm == manifest.AlgNull {
+	if config.PCR0DataIbbDigestHashAlgorithm == cbnt.AlgUnknown || config.PCR0DataIbbDigestHashAlgorithm == cbnt.AlgNull {
 		// take the fist element as stated in the doc above
 		data.ibbDigest = pkgbytes.Range{
 			Offset: offsetToTheFirstDigest + (digests[0].HashBufferOffset() + 2),
@@ -142,7 +142,7 @@ func getACM(fitEntries []fit.Entry) (*fit.EntrySACMData, *fit.EntrySACM, error)
 	return nil, nil, fmt.Errorf("ACM FIT entry is not found")
 }
 
-func getKeyManifest(fitEntries []fit.Entry) (*key.Manifest, *fit.EntryKeyManifestRecord, error) {
+func getKeyManifest(fitEntries []fit.Entry) (*cbntkey.Manifest, *fit.EntryKeyManifestRecord, error) {
 	for _, fitEntry := range fitEntries {
 		switch fitEntry := fitEntry.(type) {
 		case *fit.EntryKeyManifestRecord:
@@ -156,7 +156,7 @@ func getKeyManifest(fitEntries []fit.Entry) (*key.Manifest, *fit.EntryKeyManifes
 	return nil, nil, fmt.Errorf("key manifest FIT entry is not found")
 }
 
-func getBootPolicyManifest(fitEntries []fit.Entry) (*bootpolicy.Manifest, *fit.EntryBootPolicyManifestRecord, error) {
+func getBootPolicyManifest(fitEntries []fit.Entry) (*cbntbootpolicy.Manifest, *fit.EntryBootPolicyManifestRecord, error) {
 	for _, fitEntry := range fitEntries {
 		switch fitEntry := fitEntry.(type) {
 		case *fit.EntryBootPolicyManifestRecord:
@@ -170,7 +170,7 @@ func getBootPolicyManifest(fitEntries []fit.Entry) (*bootpolicy.Manifest, *fit.E
 	return nil, nil, fmt.Errorf("boot policy manifest FIT entry is not found")
 }
 
-// MeasureKeyManifest returns a measurement containing CBnT key manifest.
+// MeasureKeyManifest returns a measurement containing CBnT key cbnt.
 func MeasureKeyManifest(imageSize uint64, fitEntries []fit.Entry) (*Measurement, error) {
 	_, kmFITEntry, err := getKeyManifest(fitEntries)
 	if err != nil {
@@ -188,7 +188,7 @@ func MeasureKeyManifest(imageSize uint64, fitEntries []fit.Entry) (*Measurement,
 	}, nil
 }
 
-// MeasureBootPolicy returns a measurement containing CBnT key manifest.
+// MeasureBootPolicy returns a measurement containing CBnT key cbnt.
 func MeasureBootPolicy(imageSize uint64, fitEntries []fit.Entry) (*Measurement, error) {
 	_, bpmFITEntry, err := getBootPolicyManifest(fitEntries)
 	if err != nil {

pkg/pcr/get_measurements_pcr0_legacytxtenabled.go

@@ -7,8 +7,8 @@ import (
 	"fmt"
 
 	"github.com/9elements/converged-security-suite/v2/pkg/errors"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt"
 	"github.com/linuxboot/fiano/pkg/intel/metadata/fit"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest"
 )
 
 // MeasureInit returns the fake measurement for TPM initialization, it
@@ -83,16 +83,16 @@ func MeasureACMDate(imageSize uint64, fitEntries []fit.Entry) (*Measurement, err
 
 // MeasureACMDateInPlace returns a measurement of ACM date, but without hashing
 // it (it is used in obsolete TPM1.2 flows; a bug of the initial implementation?).
-func MeasureACMDateInPlace(hashAlg manifest.Algorithm, imageSize uint64, fitEntries []fit.Entry) (*Measurement, error) {
+func MeasureACMDateInPlace(hashAlg cbnt.Algorithm, imageSize uint64, fitEntries []fit.Entry) (*Measurement, error) {
 	m := Measurement{
 		ID: MeasurementIDACMDateInPlace,
 	}
 
 	var hashSize int
 	switch hashAlg {
-	case manifest.AlgSHA1:
+	case cbnt.AlgSHA1:
 		hashSize = sha1.New().Size()
-	case manifest.AlgSHA256:
+	case cbnt.AlgSHA256:
 		hashSize = sha256.New().Size()
 	default:
 		return nil, fmt.Errorf("unknown hash algorithm: %v", hashAlg)

pkg/pcr/measure_option.go

@@ -3,9 +3,9 @@ package pcr
 import (
 	"github.com/9elements/converged-security-suite/v2/pkg/tpmdetection"
 	"github.com/google/go-tpm/tpm2"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt"
 
 	"github.com/9elements/converged-security-suite/v2/pkg/registers"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest"
 )
 
 // MeasureOption is the interface of an option which may change
@@ -28,7 +28,7 @@ type SetIBBHashDigest tpm2.Algorithm
 
 // Apply implements `MeasureOption`
 func (opt SetIBBHashDigest) Apply(config *MeasurementConfig) error {
-	config.PCR0DataIbbDigestHashAlgorithm = manifest.Algorithm(opt)
+	config.PCR0DataIbbDigestHashAlgorithm = cbnt.Algorithm(opt)
 	return nil
 }
 

pkg/pcr/measurement_config.go

@@ -3,7 +3,7 @@ package pcr
 import (
 	"github.com/9elements/converged-security-suite/v2/pkg/registers"
 	"github.com/9elements/converged-security-suite/v2/pkg/tpmdetection"
-	"github.com/linuxboot/fiano/pkg/intel/metadata/manifest"
+	"github.com/linuxboot/fiano/pkg/intel/metadata/cbnt"
 )
 
 // MeasurementConfig is the structure used to store different gates about
@@ -25,7 +25,7 @@ type MeasurementConfig struct {
 
 	// PCR0DataIbbDigestHashAlgorithm defines hash algorithm that should be used for pcr0Data.ibbDigest
 	// TPM_ALG_ERROR will use the first element (by default)
-	PCR0DataIbbDigestHashAlgorithm manifest.Algorithm
+	PCR0DataIbbDigestHashAlgorithm cbnt.Algorithm
 
 	// TPMDevice defines a TPM device version that performed the measurements.
 	// Value TypeNoTPM means undefined

pkg/provisioning/acm/acm.go

@@ -0,0 +1,33 @@
+package acm
+
+import (
+	"encoding/json"
+	"os"
+
+	"github.com/linuxboot/fiano/pkg/intel/metadata/fit"
+	"github.com/tidwall/pretty"
+)
+
+func ReadACM(filepath string) (*fit.EntrySACMData3, error) {
+	var acm fit.EntrySACMData3
+	data, err := os.ReadFile(filepath)
+	if err != nil {
+		return nil, err
+	}
+	if err = json.Unmarshal(data, &acm); err != nil {
+		return nil, err
+	}
+	return &acm, nil
+}
+
+func WriteACM(f *os.File, acm *fit.EntrySACMData3) error {
+	cfg, err := json.Marshal(acm)
+	if err != nil {
+		return err
+	}
+	json := pretty.Pretty(cfg)
+	if _, err := f.Write(json); err != nil {
+		return err
+	}
+	return nil
+}