WIP: BG suite errors combine, multiline print
Signed-off-by: Daniel Maslowski <[email protected]>
orangecms committed May 21, 2023
1 parent 5eba138 commit bc9f246
Showing 3 changed files with 37 additions and 37 deletions.
58 changes: 29 additions & 29 deletions pkg/provisioning/bootguard/bootguard.go
@@ -800,27 +800,27 @@ func (b *BootGuard) BPMCryptoSecure() (bool, error) {
case bgheader.Version10:
hash := b.VData.BGbpm.SE[0].Digest.HashAlg
if hash == bg.AlgSHA1 || hash.IsNull() {
errs = multierr.Append(errs, fmt.Errorf("signed IBB hash in BPM uses insecure hash algorithm SHA1/Null"))
errs = multierr.Combine(errs, fmt.Errorf("signed IBB hash in BPM uses insecure hash algorithm SHA1/Null"))
}
hash = b.VData.BGbpm.PMSE.Signature.HashAlg
if hash == bg.AlgSHA1 || hash.IsNull() {
errs = multierr.Append(errs, fmt.Errorf("BPM signature uses insecure hash algorithm SHA1/Null"))
errs = multierr.Combine(errs, fmt.Errorf("BPM signature uses insecure hash algorithm SHA1/Null"))
}
case bgheader.Version20:
for _, hash := range b.VData.CBNTbpm.SE[0].DigestList.List {
if hash.HashAlg == cbnt.AlgSHA1 || hash.HashAlg.IsNull() {
if b.VData.CBNTbpm.SE[0].DigestList.Size < 2 {
errs = multierr.Append(errs, fmt.Errorf("signed IBB hash list in BPM uses insecure hash algorithm SHA1/Null"))
errs = multierr.Combine(errs, fmt.Errorf("signed IBB hash list in BPM uses insecure hash algorithm SHA1/Null"))
}
}
}
hash := b.VData.CBNTbpm.PMSE.Signature.HashAlg
if hash == cbnt.AlgSHA1 || hash.IsNull() {
errs = multierr.Append(errs, fmt.Errorf("BPM signature uses insecure hash algorithm SHA1/Null"))
errs = multierr.Combine(errs, fmt.Errorf("BPM signature uses insecure hash algorithm SHA1/Null"))
}
}
if errs != nil {
return false, errs
return false, fmt.Errorf("%+v", errs)
}
return true, nil
}
@@ -832,25 +832,25 @@ func (b *BootGuard) KMCryptoSecure() (bool, error) {
case bgheader.Version10:
hash := b.VData.BGkm.KeyAndSignature.Signature.HashAlg
if hash == bg.AlgSHA1 || hash.IsNull() {
errs = multierr.Append(errs, fmt.Errorf("KM signature uses insecure hash algorithm SHA1/Null"))
errs = multierr.Combine(errs, fmt.Errorf("KM signature uses insecure hash algorithm SHA1/Null"))
}
hash = b.VData.BGkm.BPKey.HashAlg
if hash == bg.AlgSHA1 || hash.IsNull() {
errs = multierr.Append(errs, fmt.Errorf("signed BPM hash in KM uses insecure hash algorithm SHA1/Null"))
errs = multierr.Combine(errs, fmt.Errorf("signed BPM hash in KM uses insecure hash algorithm SHA1/Null"))
}
case bgheader.Version20:
hash := b.VData.CBNTkm.PubKeyHashAlg
if hash == cbnt.AlgSHA1 || hash.IsNull() {
errs = multierr.Append(errs, fmt.Errorf("KM signature uses insecure hash algorithm SHA1/Null"))
errs = multierr.Combine(errs, fmt.Errorf("KM signature uses insecure hash algorithm SHA1/Null"))
}
for _, hash := range b.VData.CBNTkm.Hash {
if hash.Digest.HashAlg == cbnt.AlgSHA1 || hash.Digest.HashAlg.IsNull() {
errs = multierr.Append(errs, fmt.Errorf("the KM hash %s uses insecure hash algorithm SHA1/Null", hash.Usage.String()))
errs = multierr.Combine(errs, fmt.Errorf("the KM hash %s uses insecure hash algorithm SHA1/Null", hash.Usage.String()))
}
}
}
if errs != nil {
return false, errs
return false, fmt.Errorf("%+v", errs)
}
return true, nil
}
@@ -905,47 +905,47 @@ func (b *BootGuard) SaneBPMSecurityProps() (bool, error) {
case bgheader.Version10:
flags := b.VData.BGbpm.SE[0].Flags
if !flags.DMAProtection() {
errs = multierr.Append(errs, fmt.Errorf("dma protection should be enabled for bootguard"))
errs = multierr.Combine(errs, fmt.Errorf("dma protection should be enabled for bootguard"))
}
if !flags.AuthorityMeasure() {
errs = multierr.Append(errs, fmt.Errorf("pcr-7 data should extended for OS security"))
errs = multierr.Combine(errs, fmt.Errorf("pcr-7 data should extended for OS security"))
}
if !flags.TPMFailureLeavesHierarchiesEnabled() {
errs = multierr.Append(errs, fmt.Errorf("tpm failure should lead to default measurements from PCR0 to PCR7"))
errs = multierr.Combine(errs, fmt.Errorf("tpm failure should lead to default measurements from PCR0 to PCR7"))
}
if b.VData.BGbpm.SE[0].PBETValue.PBETValue() == 0 {
errs = multierr.Append(errs, fmt.Errorf("firmware shall not allowed to run infinitely after incident happened"))
errs = multierr.Combine(errs, fmt.Errorf("firmware shall not allowed to run infinitely after incident happened"))
}
case bgheader.Version20:
bgFlags := b.VData.CBNTbpm.SE[0].Flags
if !bgFlags.DMAProtection() {
if b.VData.CBNTbpm.SE[0].DMAProtBase0 == 0 && b.VData.CBNTbpm.SE[0].VTdBAR == 0 {
errs = multierr.Append(errs, fmt.Errorf("dma protection should be enabled for bootguard"))
errs = multierr.Combine(errs, fmt.Errorf("dma protection should be enabled for bootguard"))
}
}
if !bgFlags.AuthorityMeasure() {
errs = multierr.Append(errs, fmt.Errorf("PCR-7 data should extended for OS security"))
errs = multierr.Combine(errs, fmt.Errorf("PCR-7 data should extended for OS security"))
}
if !bgFlags.TPMFailureLeavesHierarchiesEnabled() {
errs = multierr.Append(errs, fmt.Errorf("tpm failure should lead to default measurements from PCR0 to PCR7"))
errs = multierr.Combine(errs, fmt.Errorf("tpm failure should lead to default measurements from PCR0 to PCR7"))
}
pm := b.VData.BGbpm
if pm == nil {
errs = multierr.Append(errs, fmt.Errorf("no BootGuard boot policy manifest found"))
errs = multierr.Combine(errs, fmt.Errorf("no BootGuard boot policy manifest found"))
}
if pm != nil && pm.SE[0].PBETValue.PBETValue() == 0 {
errs = multierr.Append(errs, fmt.Errorf("firmware shall not allowed to run infinitely after incident happened"))
errs = multierr.Combine(errs, fmt.Errorf("firmware shall not allowed to run infinitely after incident happened"))
}
txtFlags := b.VData.CBNTbpm.TXTE.ControlFlags
if txtFlags.MemoryScrubbingPolicy() != cbntbootpolicy.MemoryScrubbingPolicySACM {
errs = multierr.Append(errs, fmt.Errorf("S-ACM memory scrubbing should be used over the BIOS"))
errs = multierr.Combine(errs, fmt.Errorf("S-ACM memory scrubbing should be used over the BIOS"))
}
if !txtFlags.IsSACMRequestedToExtendStaticPCRs() {
errs = multierr.Append(errs, fmt.Errorf("S-ACM shall always extend static PCRs"))
errs = multierr.Combine(errs, fmt.Errorf("S-ACM shall always extend static PCRs"))
}
}
if errs != nil {
return false, errs
return false, fmt.Errorf("%+v", errs)
}
return true, nil
}
@@ -975,27 +975,27 @@ func (b *BootGuard) ValidateMEAgainstManifests(fws *FirmwareStatus6) (bool, erro
switch b.Version {
case bgheader.Version10:
if fws.BPMSVN != uint32(b.VData.BGbpm.BPMSVN) {
errs = multierr.Append(errs, fmt.Errorf("bpm svn doesn't match me configuration"))
errs = multierr.Combine(errs, fmt.Errorf("bpm svn doesn't match me configuration"))
}
if fws.KMSVN != uint32(b.VData.BGkm.KMSVN) {
errs = multierr.Append(errs, fmt.Errorf("km svn doesn't match me configuration"))
errs = multierr.Combine(errs, fmt.Errorf("km svn doesn't match me configuration"))
}
if fws.KMID != uint32(b.VData.BGkm.KMID) {
errs = multierr.Append(errs, fmt.Errorf("km KMID doesn't match me configuration"))
errs = multierr.Combine(errs, fmt.Errorf("km KMID doesn't match me configuration"))
}
case bgheader.Version20:
if fws.BPMSVN != uint32(b.VData.CBNTbpm.BPMSVN) {
errs = multierr.Append(errs, fmt.Errorf("bpm svn doesn't match me configuration"))
errs = multierr.Combine(errs, fmt.Errorf("bpm svn doesn't match me configuration"))
}
if fws.KMSVN != uint32(b.VData.CBNTkm.KMSVN) {
errs = multierr.Append(errs, fmt.Errorf("km svn doesn't match me configuration"))
errs = multierr.Combine(errs, fmt.Errorf("km svn doesn't match me configuration"))
}
if fws.KMID != uint32(b.VData.CBNTkm.KMID) {
errs = multierr.Append(errs, fmt.Errorf("km KMID doesn't match me configuration"))
errs = multierr.Combine(errs, fmt.Errorf("km KMID doesn't match me configuration"))
}
}
if errs != nil {
return false, errs
return false, fmt.Errorf("%+v", errs)
}
return true, nil
}
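Review bot: In the `Version20` branch of `SaneBPMSecurityProps` the PBET check takes `pm := b.VData.BGbpm`, while every other check in that branch reads `b.VData.CBNTbpm`; if `BGbpm` is only populated for 1.0 manifests (the `VData` type is outside this page, so confirm), a CBnT image always reports `no BootGuard boot policy manifest found` and its PBET value is never checked. Separately, `return false, fmt.Errorf("%+v", errs)` in all four functions turns the combined error into a plain string error, so callers can no longer split the findings with `multierr.Errors` or match them with `errors.Is`; keeping `return false, errs` and applying `%+v` only where the text is printed preserves both. `multierr.Combine(errs, e)` with two arguments behaves like `multierr.Append(errs, e)`, so that part of the change does not alter the result. Each function body starts above its hunk.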
14 changes: 7 additions & 7 deletions pkg/test/bootguard_tests.go
@@ -224,28 +224,28 @@ func BootGuardBPM(hw hwapi.LowLevelHardwareInterfaces, p *PreSet) (bool, error,
var errs error
b, err := bootguard.NewBPMAndKM(bpmReader, kmReader)
if b == nil || err != nil {
errs = multierr.Append(errs, fmt.Errorf("couldn't parse KM and BPM"))
errs = multierr.Combine(errs, fmt.Errorf("couldn't parse KM and BPM\n"))
}
if err := b.ValidateBPM(); err != nil {
errs = multierr.Append(errs, fmt.Errorf("couldn't validate BPM"))
errs = multierr.Combine(errs, fmt.Errorf("couldn't validate BPM"))
}
if err := b.VerifyBPM(); err != nil {
errs = multierr.Append(errs, fmt.Errorf("couldn't verify BPM signature"))
errs = multierr.Combine(errs, fmt.Errorf("couldn't verify BPM signature"))
}
secure, err := b.BPMCryptoSecure()
if !secure || err != nil {
errs = multierr.Append(errs, fmt.Errorf("bpm crypto parameters are insecure"))
errs = multierr.Combine(errs, fmt.Errorf("bpm crypto parameters are insecure"))
}
secure, err = b.SaneBPMSecurityProps()
if !secure || err != nil {
errs = multierr.Append(errs, fmt.Errorf("bpm hasn't sane security properties: %v", err))
errs = multierr.Combine(errs, fmt.Errorf("bpm hasn't sane security properties: %v", err))
}
secure, err = b.BPMKeyMatchKMHash()
if !secure || err != nil {
errs = multierr.Append(errs, fmt.Errorf("bpm doesn't match km hash: %v", err))
errs = multierr.Combine(errs, fmt.Errorf("bpm doesn't match km hash: %v", err))
}
if errs != nil {
return false, fmt.Errorf("multiple errors"), errs
return false, fmt.Errorf("multiple errors"), fmt.Errorf("%+v", errs)
}
return true, nil, nil
}
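Review bot: `BootGuardBPM` only records an error when `b == nil || err != nil` and then still calls `b.ValidateBPM()`, so a failed parse leads to method calls on a nil `b`; the methods of that type shown in this commit read `b.Version` and `b.VData` straight away, which would panic instead of failing the test. Return at that point, e.g. `return false, fmt.Errorf("couldn't parse KM and BPM"), err`. The parse, `ValidateBPM`, `VerifyBPM` and `BPMCryptoSecure` branches also drop `err` from their messages, so the SHA1/Null findings collected in bootguard.go never reach the report; ending those format strings with `: %v` and passing `err`, as the last two branches do, would fix that. The `\n` added to the first message is inconsistent with the other strings, and the function starts above the hunk.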
2 changes: 1 addition & 1 deletion pkg/test/test.go
@@ -111,7 +111,7 @@ func (t *Test) Run(hw hwapi.LowLevelHardwareInterfaces, preset *PreSet) bool {
}
t.Result = ResultFail
} else if testerror != nil && internalerror != nil {
t.ErrorText = testerror.Error() + ": " + internalerror.Error()
t.ErrorText = fmt.Sprintf("\n %v:\n %+v\n", testerror.Error(), internalerror)
if t.SpecificiationTitle != "" || t.SpecificationDocumentID != "" {
t.ErrorTextSpec = "Please have a look at "
if t.SpecificiationTitle != "" {
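Review bot: The new `t.ErrorText` bakes layout into the stored value: `fmt.Sprintf("\n %v:\n %+v\n", ...)` adds leading and trailing newlines and indentation, which will show up in any other consumer of `ErrorText` (its other uses are outside this hunk, so check whether a report or JSON writer reads it). Storing the plain `testerror: internalerror` text and adding the line breaks where the result is printed avoids that. `%v` with `testerror.Error()` can simply take `testerror`. `Run` starts and ends outside the hunk.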
