
attest: Add signal that Data section in an event corresponds to the event digest #91

Open
twitchy-jsonp opened this issue Aug 29, 2019 · 4 comments

@twitchy-jsonp (Contributor)

Use case:

  • Sometimes interesting information is put in the Data section of an event
  • In these cases the event is such that the digest extended matches the digest of the Data section
  • In this case, the consumer of the Event would like to use the contents of the data section if and only if the data section matches the digest of the event

Proposal:

  • Add a method/field that would indicate whether the data field of an Event is verified by the digest or not.
@brandonweeks (Member)

How about a method on EventType that does a map lookup?

Only problem I can see with that is if I recall correctly, whether or not the data should be validated is a tuple of the EventType and PCR index.

@twitchy-jsonp (Contributor, Author)

Is this set of event types (and their semantics around verifying the data section) relatively static? Is it something we could embed in this library?

@brandonweeks (Member) commented Aug 29, 2019

It is statically bound to the "TCG PC Client Platform Firmware Profile Specification" spec version. So yes, but we might hit edge cases between 1.2 and 2.0.

https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientSpecPlat_TPM_2p0_1p04_pub.pdf

@ericchiang (Member)

I'd like to implement this using private methods while I work on #9 to see what works and what we need. Ideally, we could check the event type and reject invalid digests at the time of (*EventLog).Verify.

That work?
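As an added illustration of the check discussed in this thread (not code from go-attestation or from any of the commenters), the following Go sketch keys the "is Data bound to the digest" decision on the (event type, PCR index) tuple brandonweeks mentions and hands a consumer the Data section only when the digest actually matches it. The Event type, the lookup table and its entries are constructed stand-ins, not the library's real types or the real TCG profile table.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// Event is a minimal stand-in for attest's Event, constructed for this example.
type Event struct {
	Index  int    // PCR index the digest was extended into
	Type   uint32 // event type from the log
	Data   []byte // raw Data section of the event
	Digest []byte // digest that was extended (SHA-1 or SHA-256)
}

// dataBoundToDigest is keyed by the (event type, PCR index) tuple, since that
// is what decides whether Data is the pre-image of the digest. The table is a
// constructed example, not the real TCG profile; the type values used are
// EV_SEPARATOR (0x4) and EV_EFI_ACTION (0x80000007).
var dataBoundToDigest = map[[2]uint32]bool{
	{0x4, 7}:        true,
	{0x80000007, 7}: true,
}

// hashForLen picks the hash by digest length, so a 1.2-style SHA-1 log and a
// 2.0 SHA-256 log are both handled.
var hashForLen = map[int]func([]byte) []byte{
	sha1.Size:   func(b []byte) []byte { h := sha1.Sum(b); return h[:] },
	sha256.Size: func(b []byte) []byte { h := sha256.Sum256(b); return h[:] },
}

// VerifiedData returns ev.Data only if the (type, PCR) tuple binds Data to
// the digest and the digest actually matches; otherwise nil and an error, so a
// consumer never acts on an unverified Data section by accident.
func VerifiedData(ev Event) ([]byte, error) {
	if !dataBoundToDigest[[2]uint32{ev.Type, uint32(ev.Index)}] {
		return nil, fmt.Errorf("type %#x on PCR %d: data not bound to digest", ev.Type, ev.Index)
	}
	hash, ok := hashForLen[len(ev.Digest)]
	if !ok {
		return nil, fmt.Errorf("unsupported digest length %d", len(ev.Digest))
	}
	if !bytes.Equal(hash(ev.Data), ev.Digest) {
		return nil, fmt.Errorf("type %#x on PCR %d: data does not match digest", ev.Type, ev.Index)
	}
	return ev.Data, nil
}
```

A library-level version would run this inside (*EventLog).Verify, as ericchiang suggests, rather than leaving it to each consumer.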
