Make tpm2 quote functions accept PCR selections for multiple banks #274
Conversation
hansinator
force-pushed
the
quote_many_pcr_banks
branch
2 times, most recently
from
9a7fe02
to
7c3f43d
Compare
hansinator
force-pushed
the
quote_many_pcr_banks
branch
from
7c3f43d
to
81a80ca
Compare
|
Hi, |
|
@jkl73 Are you sure? Your example does contain an array of PCR indices, but no array for PCR banks. It requires an array of arrays, like this The way the library represents the data structure in quote info right now is not matching the spec, but my PR does. |
|
Ah I see, I misunderstood. I was thinking multiple PCR indices... (instead of banks/hashes). |
|
Quote and QuoteRaw already have an unused parameter and accompanying comments that say to remove them on the next breaking API change. Release history shows that this library doesn't forever keep its API stable and the last point release had a breaking change. So I wanted to propose a more tidy but breaking solution first. I could also change the PR and introduce something like QuoteEx and QuoteRawEx having the new signatures and let the other two functions forward to these. |
|
I agree that matching the spec here would be reasonable when we next make a breaking change to Quote/QuoteRaw/etc... I'm just not sure when that will be. We would probably want to clean up some other minor things at the same time (like the unused parameter @hansinator mentioned. @chrisfenner do we think we'll have another breaking change before the TPM-direct stuff is ready? |
|
Is there a use-case for quoting multiple banks of PCRs in one invocation? I agree with the doubt that we should introduce a breaking change here. I've written about a related topic but sadly quoting multiple banks is only part of the solution to problems involving multiple PCR banks. I strongly think that TPM users should only have one bank of PCRs allocated at a time. The Direct API could do this, @hansinator would you be interested in trying out that development branch? I'd be more than happy to add Quote and anything else you might need real quick (as adding commands there is, by design, fairly cheap). |
|
We are using the library in a production setting with customers. Unfortunately, we can't use a dev branch. In practice our customers are having systems where We can advise people to configure their UEFI settings correctly, but they typically won't want to when they deploy our software to their servers. So we have to work with what we get and that is the use-case for quoting multiple PCR banks. We have >10MB of extra data in a quote and we don't want round-trips with our remote attestation servers, so we need to quote everything there is in one go. Personally, I feel a library should act as a tool and not impose policies, so I'd reason that way when thinking about making it possible to quote multiple PCR banks. |
|
@hansinator that seems reasonable, and we get you need to work with what you have. We would be in favor of making this change the next time we release a breaking change for go-tpm. I think that it will at least be a little bit before the Direct API is ready, so I don't want you to have to wait on that. So I can get a sense of urgency here, what is the cost to calling Re: this:
That's very weird to me, and it implies a firmware bug if not exactly the same issue I was worried about (CVE-2021-42299). I'd like to follow up about it, would you be willing to shoot me a mail? |
|
@chrisfenner We are prepared to use a soft-fork in the meantime, even if it takes a while. |
The TPM quote commands accept an array of PCR selections but the go-tpm library did not reflect this in its public API, so I added some brackets and dots here and there.