From bc9f2469db2c6d2c4908669beab754c7df107ab5 Mon Sep 17 00:00:00 2001 From: Daniel Maslowski Date: Mon, 22 May 2023 00:28:17 +0200 Subject: [PATCH] WIP: BG suite errors combine, multiline print Signed-off-by: Daniel Maslowski --- pkg/provisioning/bootguard/bootguard.go | 58 ++++++++++++------------- pkg/test/bootguard_tests.go | 14 +++--- pkg/test/test.go | 2 +- 3 files changed, 37 insertions(+), 37 deletions(-) diff --git a/pkg/provisioning/bootguard/bootguard.go b/pkg/provisioning/bootguard/bootguard.go index 49d3dbfe..4b69e6e9 100644 --- a/pkg/provisioning/bootguard/bootguard.go +++ b/pkg/provisioning/bootguard/bootguard.go @@ -800,27 +800,27 @@ func (b *BootGuard) BPMCryptoSecure() (bool, error) { case bgheader.Version10: hash := b.VData.BGbpm.SE[0].Digest.HashAlg if hash == bg.AlgSHA1 || hash.IsNull() { - errs = multierr.Append(errs, fmt.Errorf("signed IBB hash in BPM uses insecure hash algorithm SHA1/Null")) + errs = multierr.Combine(errs, fmt.Errorf("signed IBB hash in BPM uses insecure hash algorithm SHA1/Null")) } hash = b.VData.BGbpm.PMSE.Signature.HashAlg if hash == bg.AlgSHA1 || hash.IsNull() { - errs = multierr.Append(errs, fmt.Errorf("BPM signature uses insecure hash algorithm SHA1/Null")) + errs = multierr.Combine(errs, fmt.Errorf("BPM signature uses insecure hash algorithm SHA1/Null")) } case bgheader.Version20: for _, hash := range b.VData.CBNTbpm.SE[0].DigestList.List { if hash.HashAlg == cbnt.AlgSHA1 || hash.HashAlg.IsNull() { if b.VData.CBNTbpm.SE[0].DigestList.Size < 2 { - errs = multierr.Append(errs, fmt.Errorf("signed IBB hash list in BPM uses insecure hash algorithm SHA1/Null")) + errs = multierr.Combine(errs, fmt.Errorf("signed IBB hash list in BPM uses insecure hash algorithm SHA1/Null")) } } } hash := b.VData.CBNTbpm.PMSE.Signature.HashAlg if hash == cbnt.AlgSHA1 || hash.IsNull() { - errs = multierr.Append(errs, fmt.Errorf("BPM signature uses insecure hash algorithm SHA1/Null")) + errs = multierr.Combine(errs, fmt.Errorf("BPM signature uses insecure hash algorithm SHA1/Null")) } } if errs != nil { - return false, errs + return false, fmt.Errorf("%+v", errs) } return true, nil } @@ -832,25 +832,25 @@ func (b *BootGuard) KMCryptoSecure() (bool, error) { case bgheader.Version10: hash := b.VData.BGkm.KeyAndSignature.Signature.HashAlg if hash == bg.AlgSHA1 || hash.IsNull() { - errs = multierr.Append(errs, fmt.Errorf("KM signature uses insecure hash algorithm SHA1/Null")) + errs = multierr.Combine(errs, fmt.Errorf("KM signature uses insecure hash algorithm SHA1/Null")) } hash = b.VData.BGkm.BPKey.HashAlg if hash == bg.AlgSHA1 || hash.IsNull() { - errs = multierr.Append(errs, fmt.Errorf("signed BPM hash in KM uses insecure hash algorithm SHA1/Null")) + errs = multierr.Combine(errs, fmt.Errorf("signed BPM hash in KM uses insecure hash algorithm SHA1/Null")) } case bgheader.Version20: hash := b.VData.CBNTkm.PubKeyHashAlg if hash == cbnt.AlgSHA1 || hash.IsNull() { - errs = multierr.Append(errs, fmt.Errorf("KM signature uses insecure hash algorithm SHA1/Null")) + errs = multierr.Combine(errs, fmt.Errorf("KM signature uses insecure hash algorithm SHA1/Null")) } for _, hash := range b.VData.CBNTkm.Hash { if hash.Digest.HashAlg == cbnt.AlgSHA1 || hash.Digest.HashAlg.IsNull() { - errs = multierr.Append(errs, fmt.Errorf("the KM hash %s uses insecure hash algorithm SHA1/Null", hash.Usage.String())) + errs = multierr.Combine(errs, fmt.Errorf("the KM hash %s uses insecure hash algorithm SHA1/Null", hash.Usage.String())) } } } if errs != nil { - return false, errs + return false, fmt.Errorf("%+v", errs) } return true, nil } @@ -905,47 +905,47 @@ func (b *BootGuard) SaneBPMSecurityProps() (bool, error) { case bgheader.Version10: flags := b.VData.BGbpm.SE[0].Flags if !flags.DMAProtection() { - errs = multierr.Append(errs, fmt.Errorf("dma protection should be enabled for bootguard")) + errs = multierr.Combine(errs, fmt.Errorf("dma protection should be enabled for bootguard")) } if !flags.AuthorityMeasure() { - errs = multierr.Append(errs, fmt.Errorf("pcr-7 data should extended for OS security")) + errs = multierr.Combine(errs, fmt.Errorf("pcr-7 data should extended for OS security")) } if !flags.TPMFailureLeavesHierarchiesEnabled() { - errs = multierr.Append(errs, fmt.Errorf("tpm failure should lead to default measurements from PCR0 to PCR7")) + errs = multierr.Combine(errs, fmt.Errorf("tpm failure should lead to default measurements from PCR0 to PCR7")) } if b.VData.BGbpm.SE[0].PBETValue.PBETValue() == 0 { - errs = multierr.Append(errs, fmt.Errorf("firmware shall not allowed to run infinitely after incident happened")) + errs = multierr.Combine(errs, fmt.Errorf("firmware shall not allowed to run infinitely after incident happened")) } case bgheader.Version20: bgFlags := b.VData.CBNTbpm.SE[0].Flags if !bgFlags.DMAProtection() { if b.VData.CBNTbpm.SE[0].DMAProtBase0 == 0 && b.VData.CBNTbpm.SE[0].VTdBAR == 0 { - errs = multierr.Append(errs, fmt.Errorf("dma protection should be enabled for bootguard")) + errs = multierr.Combine(errs, fmt.Errorf("dma protection should be enabled for bootguard")) } } if !bgFlags.AuthorityMeasure() { - errs = multierr.Append(errs, fmt.Errorf("PCR-7 data should extended for OS security")) + errs = multierr.Combine(errs, fmt.Errorf("PCR-7 data should extended for OS security")) } if !bgFlags.TPMFailureLeavesHierarchiesEnabled() { - errs = multierr.Append(errs, fmt.Errorf("tpm failure should lead to default measurements from PCR0 to PCR7")) + errs = multierr.Combine(errs, fmt.Errorf("tpm failure should lead to default measurements from PCR0 to PCR7")) } pm := b.VData.BGbpm if pm == nil { - errs = multierr.Append(errs, fmt.Errorf("no BootGuard boot policy manifest found")) + errs = multierr.Combine(errs, fmt.Errorf("no BootGuard boot policy manifest found")) } if pm != nil && pm.SE[0].PBETValue.PBETValue() == 0 { - errs = multierr.Append(errs, fmt.Errorf("firmware shall not allowed to run infinitely after incident happened")) + errs = multierr.Combine(errs, fmt.Errorf("firmware shall not allowed to run infinitely after incident happened")) } txtFlags := b.VData.CBNTbpm.TXTE.ControlFlags if txtFlags.MemoryScrubbingPolicy() != cbntbootpolicy.MemoryScrubbingPolicySACM { - errs = multierr.Append(errs, fmt.Errorf("S-ACM memory scrubbing should be used over the BIOS")) + errs = multierr.Combine(errs, fmt.Errorf("S-ACM memory scrubbing should be used over the BIOS")) } if !txtFlags.IsSACMRequestedToExtendStaticPCRs() { - errs = multierr.Append(errs, fmt.Errorf("S-ACM shall always extend static PCRs")) + errs = multierr.Combine(errs, fmt.Errorf("S-ACM shall always extend static PCRs")) } } if errs != nil { - return false, errs + return false, fmt.Errorf("%+v", errs) } return true, nil } @@ -975,27 +975,27 @@ func (b *BootGuard) ValidateMEAgainstManifests(fws *FirmwareStatus6) (bool, erro switch b.Version { case bgheader.Version10: if fws.BPMSVN != uint32(b.VData.BGbpm.BPMSVN) { - errs = multierr.Append(errs, fmt.Errorf("bpm svn doesn't match me configuration")) + errs = multierr.Combine(errs, fmt.Errorf("bpm svn doesn't match me configuration")) } if fws.KMSVN != uint32(b.VData.BGkm.KMSVN) { - errs = multierr.Append(errs, fmt.Errorf("km svn doesn't match me configuration")) + errs = multierr.Combine(errs, fmt.Errorf("km svn doesn't match me configuration")) } if fws.KMID != uint32(b.VData.BGkm.KMID) { - errs = multierr.Append(errs, fmt.Errorf("km KMID doesn't match me configuration")) + errs = multierr.Combine(errs, fmt.Errorf("km KMID doesn't match me configuration")) } case bgheader.Version20: if fws.BPMSVN != uint32(b.VData.CBNTbpm.BPMSVN) { - errs = multierr.Append(errs, fmt.Errorf("bpm svn doesn't match me configuration")) + errs = multierr.Combine(errs, fmt.Errorf("bpm svn doesn't match me configuration")) } if fws.KMSVN != uint32(b.VData.CBNTkm.KMSVN) { - errs = multierr.Append(errs, fmt.Errorf("km svn doesn't match me configuration")) + errs = multierr.Combine(errs, fmt.Errorf("km svn doesn't match me configuration")) } if fws.KMID != uint32(b.VData.CBNTkm.KMID) { - errs = multierr.Append(errs, fmt.Errorf("km KMID doesn't match me configuration")) + errs = multierr.Combine(errs, fmt.Errorf("km KMID doesn't match me configuration")) } } if errs != nil { - return false, errs + return false, fmt.Errorf("%+v", errs) } return true, nil } diff --git a/pkg/test/bootguard_tests.go b/pkg/test/bootguard_tests.go index 233ab229..d00c8693 100644 --- a/pkg/test/bootguard_tests.go +++ b/pkg/test/bootguard_tests.go @@ -224,28 +224,28 @@ func BootGuardBPM(hw hwapi.LowLevelHardwareInterfaces, p *PreSet) (bool, error, var errs error b, err := bootguard.NewBPMAndKM(bpmReader, kmReader) if b == nil || err != nil { - errs = multierr.Append(errs, fmt.Errorf("couldn't parse KM and BPM")) + errs = multierr.Combine(errs, fmt.Errorf("couldn't parse KM and BPM\n")) } if err := b.ValidateBPM(); err != nil { - errs = multierr.Append(errs, fmt.Errorf("couldn't validate BPM")) + errs = multierr.Combine(errs, fmt.Errorf("couldn't validate BPM")) } if err := b.VerifyBPM(); err != nil { - errs = multierr.Append(errs, fmt.Errorf("couldn't verify BPM signature")) + errs = multierr.Combine(errs, fmt.Errorf("couldn't verify BPM signature")) } secure, err := b.BPMCryptoSecure() if !secure || err != nil { - errs = multierr.Append(errs, fmt.Errorf("bpm crypto parameters are insecure")) + errs = multierr.Combine(errs, fmt.Errorf("bpm crypto parameters are insecure")) } secure, err = b.SaneBPMSecurityProps() if !secure || err != nil { - errs = multierr.Append(errs, fmt.Errorf("bpm hasn't sane security properties: %v", err)) + errs = multierr.Combine(errs, fmt.Errorf("bpm hasn't sane security properties: %v", err)) } secure, err = b.BPMKeyMatchKMHash() if !secure || err != nil { - errs = multierr.Append(errs, fmt.Errorf("bpm doesn't match km hash: %v", err)) + errs = multierr.Combine(errs, fmt.Errorf("bpm doesn't match km hash: %v", err)) } if errs != nil { - return false, fmt.Errorf("multiple errors"), errs + return false, fmt.Errorf("multiple errors"), fmt.Errorf("%+v", errs) } return true, nil, nil } diff --git a/pkg/test/test.go b/pkg/test/test.go index 0cf54ff9..d6fe763f 100644 --- a/pkg/test/test.go +++ b/pkg/test/test.go @@ -111,7 +111,7 @@ func (t *Test) Run(hw hwapi.LowLevelHardwareInterfaces, preset *PreSet) bool { } t.Result = ResultFail } else if testerror != nil && internalerror != nil { - t.ErrorText = testerror.Error() + ": " + internalerror.Error() + t.ErrorText = fmt.Sprintf("\n %v:\n %+v\n", testerror.Error(), internalerror) if t.SpecificiationTitle != "" || t.SpecificationDocumentID != "" { t.ErrorTextSpec = "Please have a look at " if t.SpecificiationTitle != "" {