tpm2_checkquote: Add comparison of pcr selection.

The pcr selection which is passed with the --pcr parameter it not compared with the attest. So it's possible to fake a valid attestation. Fixes: CVE-2024-29039 Signed-off-by: Juergen Repp <[email protected]> Signed-off-by: Andreas Fuchs <[email protected]>
AndreasFuchsTPM · Apr 26, 2024 · 98599df · 98599df
1 parent db307eb
commit 98599df
Showing 1 changed file with 39 additions and 1 deletion.
diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
@@ -66,6 +66,36 @@ static tpm2_verifysig_ctx ctx = {
 static const int rsaPadding[N_PADDING] = { -1 , /*<< no padding */
                                            RSA_PKCS1_PADDING, RSA_PKCS1_PSS_PADDING };
 
+static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, TPML_PCR_SELECTION *pcr_sel) {
+    if (attest_sel->count != pcr_sel->count) {
+        LOG_ERR("Selection sizes do not match.");
+        return false;
+    }
+    for (uint32_t i = 0; i < attest_sel->count; i++) {
+        for (uint32_t j = 0; j < pcr_sel->count; j++) {
+            if (attest_sel->pcrSelections[i].hash ==
+                pcr_sel->pcrSelections[j].hash) {
+                if (attest_sel->pcrSelections[i].sizeofSelect !=
+                        pcr_sel->pcrSelections[j].sizeofSelect) {
+                    LOG_ERR("Bitmask size does not match");
+                    return false;
+                }
+                if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
+                           &pcr_sel->pcrSelections[j].pcrSelect[0],
+                           attest_sel->pcrSelections[i].sizeofSelect) != 0) {
+                    LOG_ERR("Selection bitmasks do not match");
+                    return false;
+                }
+                break;
+            }
+            if (j == pcr_sel->count - 1) {
+                LOG_ERR("Hash selections to not match.");
+                return false;
+            }
+        }
+    }
+    return true;
+}
 
 static bool verify(void) {
 
@@ -423,7 +453,7 @@ static tool_rc init(void) {
     }
 
     TPM2B_ATTEST *msg = NULL;
-    TPML_PCR_SELECTION pcr_select;
+    TPML_PCR_SELECTION pcr_select = { 0 };
     tpm2_pcrs *pcrs;
     tpm2_pcrs temp_pcrs = {};
     tool_rc return_value = tool_rc_general_error;
@@ -586,6 +616,14 @@ static tool_rc init(void) {
         goto err;
     }
 
+    if (ctx.flags.pcr) {
+        if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
+                                   &pcr_select)) {
+            LOG_ERR("PCR selection does not match PCR slection from attest!");
+            goto err;
+        }
+    }
+
     // Figure out the digest for this message
     res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
             msg->size, &ctx.msg_hash);