pcrbruteforcer

package

v2.8.1 Latest Latest Go to latest Published: Jan 31, 2025 License: BSD-3-Clause Imports: 34 Imported by: 3

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/9elements/converged-security-suite

README ¶

This package was initially implemented based on different libraries and then was stupidly ported keeping the changes minimal. As result the code is ugly, suboptimal and requires refactoring. Do not hesitate to do it :)

Also this package needs deep redesigning: there are more and more ways to do brute-forcing, so these modules should be flattened out instead of going coupling every method among each other.

Documentation ¶

Index ¶

Constants
func ApplyOrderSwaps[T any](swaps OrderSwaps, s []T)
func ReproduceEventLog(ctx context.Context, calculated *bootengine.BootProcess, ...) (ReproduceEventLogResult, *registers.ACMPolicyStatus, []Issue, error)
type Issue
type IssueLoggedDigestDoesNotMatch
- func (e IssueLoggedDigestDoesNotMatch) Error() string
type IssueUnexpectedLogEntry
- func (e IssueUnexpectedLogEntry) Error() string
type OrderSwap
type OrderSwaps
type ReproduceEventLogEntry
type ReproduceEventLogEntryStatus
type ReproduceEventLogResult
- func (s ReproduceEventLogResult) CombineAsEventLog() tpm.EventLog
- func (s ReproduceEventLogResult) CombineAsRestoredCommandLog() tpm.CommandLog
type ReproducePCR0Result
- func ReproduceExpectedPCR0(ctx context.Context, measurements tpm.CommandLog, hashAlgo tpm.Algorithm, ...) (*ReproducePCR0Result, error)
type SettingsBruteforceACMPolicyStatus
- func DefaultSettingsBruteforceACMPolicyStatus() SettingsBruteforceACMPolicyStatus
type SettingsReproduceEventLog
- func DefaultSettingsReproduceEventLog() SettingsReproduceEventLog
type SettingsReproducePCR0
- func DefaultSettingsReproducePCR0() SettingsReproducePCR0

Constants ¶

View Source

const (
	ReproduceEventLogEntryStatusUndefined = ReproduceEventLogEntryStatus(iota)
	ReproduceEventLogEntryStatusMatch
	ReproduceEventLogEntryStatusMismatch
	ReproduceEventLogEntryStatusUnexpected
	ReproduceEventLogEntryStatusMissing
)

View Source

const (
	PhysAddrBase = tpmeventlog.PhysAddrBase
)

Variables ¶

This section is empty.

Functions ¶

func ApplyOrderSwaps ¶

func ApplyOrderSwaps[T any](swaps OrderSwaps, s []T)

func ReproduceEventLog ¶

func ReproduceEventLog(
	ctx context.Context,
	calculated *bootengine.BootProcess,
	eventLogExpected *tpmeventlog.TPMEventLog,
	hashAlgo tpmeventlog.TPMAlgorithm,
	settings SettingsReproduceEventLog,
) (ReproduceEventLogResult, *registers.ACMPolicyStatus, []Issue, error)

ReproduceEventLog verifies measurements through TPM EventLog. If successful, the first returned variable is true; all mismatches are reported via `[]Issue`; and if ACM_POLICY_STATUS should be amended, then the updated value is returned as the second variable.

Current algorithm already supports disabling measurements, may be in future we will return the rest amended measurements as well.

Types ¶

type Issue ¶

type Issue error

Issue is a non-critical problem

type IssueLoggedDigestDoesNotMatch ¶

type IssueLoggedDigestDoesNotMatch struct {
	Index             int
	Measurement       *types.MeasuredData
	CalculatedDigest  types.ConvertedBytes
	Event             *tpmeventlog.Event
	LogEntryExplainer *logEntryExplainer
}

func (IssueLoggedDigestDoesNotMatch) Error ¶

func (e IssueLoggedDigestDoesNotMatch) Error() string

type IssueUnexpectedLogEntry ¶

type IssueUnexpectedLogEntry struct {
	Index             int
	Event             *tpmeventlog.Event
	LogEntryExplainer *logEntryExplainer
}

func (IssueUnexpectedLogEntry) Error ¶

func (e IssueUnexpectedLogEntry) Error() string

type OrderSwap ¶

type OrderSwap struct {
	IdxA int
	IdxB int
}

type OrderSwaps ¶

type OrderSwaps []OrderSwap

type ReproduceEventLogEntry ¶

type ReproduceEventLogEntry struct {
	Measurement       *types.MeasuredData
	Calculated        *tpm.EventLogEntry
	Expected          *tpmeventlog.Event
	ActionCoordinates *types.ActionCoordinates
	Status            ReproduceEventLogEntryStatus
}

type ReproduceEventLogEntryStatus ¶

type ReproduceEventLogEntryStatus int

type ReproduceEventLogResult ¶

type ReproduceEventLogResult []ReproduceEventLogEntry

func (ReproduceEventLogResult) CombineAsEventLog ¶

func (s ReproduceEventLogResult) CombineAsEventLog() tpm.EventLog

func (ReproduceEventLogResult) CombineAsRestoredCommandLog ¶

func (s ReproduceEventLogResult) CombineAsRestoredCommandLog() tpm.CommandLog

type ReproducePCR0Result ¶

type ReproducePCR0Result struct {
	Locality             uint8
	ACMPolicyStatus      *registers.ACMPolicyStatus
	DisabledMeasurements []*tpm.CommandLogEntry
	OrderSwaps           OrderSwaps
}

ReproducePCR0Result represents the applied PCR bruteforce methods: check different localities, ACM_POLICY_STATUS, disabling measurements

func ReproduceExpectedPCR0 ¶

func ReproduceExpectedPCR0(
	ctx context.Context,
	measurements tpm.CommandLog,
	hashAlgo tpm.Algorithm,
	expectedPCR0 tpm.Digest,
	settings SettingsReproducePCR0,
) (*ReproducePCR0Result, error)

ReproduceExpectedPCR0 brute-forces measurements to achieve the expected PCR0 SHA1 or SHA256 value.

If succeeded to reproduce, then `isSuccess` is true.

The updated ACM_POLICY_STATUS value is returned as `updatedACMPolicyStatus`.

All the problems are returned through `returnErr`.

Current algorithm already supports disabling measurements, may be in future we will return the rest amended measurements as well.

type SettingsBruteforceACMPolicyStatus ¶

type SettingsBruteforceACMPolicyStatus struct {
	// EnableACMPolicyCombinatorialStrategy enables a strategy to brute-force ACM Policy
	// Status register by finding a combination of bits to flip. This was the
	// initial approach before the nature of the corruptions was investigated,
	// and it became clear that a more effective strategy is just linear decrement.
	EnableACMPolicyCombinatorialStrategy bool

	// the limit for the combinatorial bruteforcer (expensive)
	MaxACMPolicyCombinatorialDistance int

	// MaxACMPolicyLinearDistance specifies a range of linear bruteforcer to try:
	// [initial value of ACM_POLICY_STATUS - MaxACMPolicyLinearDistance : initial value of ACM_POLICY_STATUS + MaxACMPolicyLinearDistance]
	MaxACMPolicyLinearDistance int
}

SettingsBruteforceACMPolicyStatus defines settings of how to reproduce Intel ACM Policy Status.

func DefaultSettingsBruteforceACMPolicyStatus ¶

func DefaultSettingsBruteforceACMPolicyStatus() SettingsBruteforceACMPolicyStatus

DefaultSettingsBruteforceACMPolicyStatus returns recommended default settings to reproduce ACM Policy Status (given its digest and a close value).

type SettingsReproduceEventLog ¶

type SettingsReproduceEventLog struct {
	SettingsBruteforceACMPolicyStatus
	DisabledEventsMaxDistance uint64
	MaxDigestRangeGuesses     uint64
}

SettingsReproduceEventLog defines settings for internal bruteforce algorithms used in ReproduceEventLog

func DefaultSettingsReproduceEventLog ¶

func DefaultSettingsReproduceEventLog() SettingsReproduceEventLog

DefaultSettingsReproduceEventLog returns recommended default PCR0 settings

type SettingsReproducePCR0 ¶

type SettingsReproducePCR0 struct {
	MaxDisabledMeasurements int
	MaxReorders             int

	SettingsBruteforceACMPolicyStatus
}

SettingsReproducePCR0 defines settings for internal bruteforce algorithms used in ReproduceExpectedPCR0

func DefaultSettingsReproducePCR0 ¶

func DefaultSettingsReproducePCR0() SettingsReproducePCR0

DefaultSettingsReproducePCR0 returns recommended default PCR0 settings

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL