Add HSI check that PCR registers 0-7 are not empty

Some BIOSes forget add measurements to PCR registers, which results in
all-zero checksums and breaks measured boot guarantees.

Fixes #3901

docs/hsi.md

@@ -392,6 +392,28 @@ To meet HSI-2 on systems that run this test, the result must be `locked`. *[v1.5
 
 - [Intel Direct Connect Interface](https://www.intel.co.uk/content/www/uk/en/support/articles/000029393/processors.html)
 
+<a id="org.fwupd.hsi.Tpm.EmptyPcr"></a>
+
+### [Empty PCR in TPM](#org.fwupd.hsi.Tpm.EmptyPcr)
+
+The system firmware is responsible for measuring values about its boot stage in PCRs 0 through 7.
+Some firmwares have bugs that prevent them from measuring some of those values, breaking the fundamental assumption of the Measured Boot chain-of-trust.
+
+**Impact:** A local attacker could measure fake values into the empty PCR, corresponding to a firmware and OS that do not match the ones actually loaded.
+This allows hiding a compromised boot chain or fooling a remote-attestation server into believing that a different kernel is running.
+
+**Possible results:**
+
+- `valid`: all correct
+- `not-valid`: at least one empty checksum has been found
+- `not-found`: no TPM hardware could be found
+
+To meet HSI-1 on systems that run this test, all PCRs from 0 to 7 in all banks must have non-empty measurements *[v1.7.2]*
+
+**References:**
+
+- [CVE-2021-42299: TPM Carte Blanche](https://github.com/google/security-research/blob/master/pocs/bios/tpm-carte-blanche/writeup.md)
+
 <a id="org.fwupd.hsi.Tpm.ReconstructionPcr0"></a>
 
 ### [PCR0 TPM Event Log Reconstruction](#org.fwupd.hsi.Tpm.ReconstructionPcr0)

libfwupd/fwupd-security-attr-private.h

@@ -221,6 +221,14 @@ G_BEGIN_DECLS
  * Since: 1.5.0
  **/
 #define FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM "org.fwupd.hsi.SuspendToRam"
+/**
+ * FWUPD_SECURITY_ATTR_ID_TPM_EMPTY_PCR:
+ *
+ * Host Security ID attribute for empty PCR
+ *
+ * Since: 1.7.2
+ **/
+#define FWUPD_SECURITY_ATTR_ID_TPM_EMPTY_PCR "org.fwupd.hsi.Tpm.EmptyPcr"
 /**
  * FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0:
  *

plugins/tpm/fu-plugin-tpm.c

@@ -153,8 +153,7 @@ fu_plugin_tpm_add_security_attr_eventlog(FuPlugin *plugin, FuSecurityAttrs *attr
 	fu_security_attrs_append(attrs, attr);
 
 	/* check reconstructed to PCR0 */
-	if (fu_plugin_has_flag(plugin, FWUPD_PLUGIN_FLAG_DISABLED) || data->bios_device == NULL ||
-	    data->ev_items == NULL) {
+	if (data->ev_items == NULL || data->bios_device == NULL) {
 		fwupd_security_attr_set_result(attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND);
 		return;
 	}
@@ -197,11 +196,59 @@ fu_plugin_tpm_add_security_attr_eventlog(FuPlugin *plugin, FuSecurityAttrs *attr
 	fwupd_security_attr_set_result(attr, FWUPD_SECURITY_ATTR_RESULT_VALID);
 }
 
+static void
+fu_plugin_tpm_add_security_attr_empty(FuPlugin *plugin, FuSecurityAttrs *attrs)
+{
+	FuPluginData *data = fu_plugin_get_data(plugin);
+	g_autoptr(FwupdSecurityAttr) attr = NULL;
+
+	/* no TPM device */
+	if (data->tpm_device == NULL)
+		return;
+
+	/* add attributes */
+	attr = fwupd_security_attr_new(FWUPD_SECURITY_ATTR_ID_TPM_EMPTY_PCR);
+	fwupd_security_attr_set_plugin(attr, fu_plugin_get_name(plugin));
+	fwupd_security_attr_set_level(attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
+	fwupd_security_attr_add_guids(attr, fu_device_get_guids(data->tpm_device));
+	fu_security_attrs_append(attrs, attr);
+
+	/* check PCRs 0 through 7 for empty checksums */
+	for (guint pcr = 0; pcr <= 7; pcr++) {
+		g_autoptr(GPtrArray) checksums = fu_tpm_device_get_checksums(data->tpm_device, pcr);
+		for (guint i = 0; i < checksums->len; i++) {
+			const gchar *checksum = g_ptr_array_index(checksums, i);
+			gboolean empty = TRUE;
+
+			/* empty checksum is zero, so made entirely of zeroes */
+			for (guint j = 0; checksum[j] != '\0'; j++) {
+				if (checksum[j] != '0') {
+					empty = FALSE;
+					break;
+				}
+			}
+			if (empty) {
+				fwupd_security_attr_set_result(
+				    attr,
+				    FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
+				return;
+			}
+		}
+	}
+
+	/* success */
+	fwupd_security_attr_add_flag(attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);
+	fwupd_security_attr_set_result(attr, FWUPD_SECURITY_ATTR_RESULT_VALID);
+}
+
 static void
 fu_plugin_tpm_add_security_attrs(FuPlugin *plugin, FuSecurityAttrs *attrs)
 {
+	if (fu_plugin_has_flag(plugin, FWUPD_PLUGIN_FLAG_DISABLED))
+		return;
 	fu_plugin_tpm_add_security_attr_version(plugin, attrs);
 	fu_plugin_tpm_add_security_attr_eventlog(plugin, attrs);
+	fu_plugin_tpm_add_security_attr_empty(plugin, attrs);
 }
 
 static gchar *

plugins/tpm/fu-self-test.c

@@ -23,7 +23,6 @@ fu_tpm_device_1_2_func(void)
 	GPtrArray *devices;
 	gboolean ret;
 	g_autofree gchar *pluginfn = NULL;
-	g_autofree gchar *testdatadir = NULL;
 	g_autoptr(FuContext) ctx = fu_context_new();
 	g_autoptr(FuPlugin) plugin = fu_plugin_new(ctx);
 	g_autoptr(FuSecurityAttrs) attrs = fu_security_attrs_new();
@@ -60,13 +59,18 @@ fu_tpm_device_1_2_func(void)
 	g_assert_nonnull(pcrXs);
 	g_assert_cmpint(pcrXs->len, ==, 0);
 
-	/* verify HSI attr */
+	/* verify HSI attributes */
 	fu_plugin_runner_add_security_attrs(plugin, attrs);
 	attr = fu_security_attrs_get_by_appstream_id(attrs, FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20);
 	g_assert_nonnull(attr);
 	g_assert_cmpint(fwupd_security_attr_get_result(attr),
 			==,
 			FWUPD_SECURITY_ATTR_RESULT_NOT_ENABLED);
+
+	attr = fu_security_attrs_get_by_appstream_id(attrs, FWUPD_SECURITY_ATTR_ID_TPM_EMPTY_PCR);
+	g_assert_nonnull(attr);
+	/* Some PCRs are empty, but PCRs 0-7 are set (tests/tpm0/pcrs) */
+	g_assert_cmpint(fwupd_security_attr_get_result(attr), ==, FWUPD_SECURITY_ATTR_RESULT_VALID);
 }
 
 static void
@@ -84,6 +88,7 @@ fu_tpm_device_2_0_func(void)
 	if (tpm_server_running == NULL && (getuid() != 0 || geteuid() != 0)) {
 		g_test_skip("TPM2.0 tests require simulated TPM2.0 running or need root access "
 			    "with physical TPM");
+		g_unsetenv("FWUPD_FORCE_TPM2");
 		return;
 	}
 #endif
@@ -92,6 +97,7 @@ fu_tpm_device_2_0_func(void)
 		if (tpm_server_running == NULL &&
 		    g_error_matches(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND)) {
 			g_test_skip("no physical or simulated TPM 2.0 device available");
+			g_unsetenv("FWUPD_FORCE_TPM2");
 			return;
 		}
 	}
@@ -179,6 +185,53 @@ fu_tpm_eventlog_parse_v2_func(void)
 			"6d9fed68092cfb91c9552bcb7879e75e1df36efd407af67690dc3389a5722fab");
 }
 
+static void
+fu_tpm_empty_pcr_func(void)
+{
+	gboolean ret;
+	g_autofree gchar **environ = NULL;
+	g_autofree gchar *pluginfn = NULL;
+	g_autofree gchar *testdatadir = NULL;
+	g_autoptr(FuContext) ctx = fu_context_new();
+	g_autoptr(FuPlugin) plugin = fu_plugin_new(ctx);
+	g_autoptr(FuSecurityAttrs) attrs = fu_security_attrs_new();
+	g_autoptr(FwupdSecurityAttr) attr = NULL;
+	g_autoptr(GError) error = NULL;
+	g_autoptr(GPtrArray) pcr0s = NULL;
+	g_autoptr(GPtrArray) pcrXs = NULL;
+
+	/* do not save silo */
+	ret = fu_context_load_quirks(ctx, FU_QUIRKS_LOAD_FLAG_NO_CACHE, &error);
+	g_assert_no_error(error);
+	g_assert_true(ret);
+
+	/* save environment and set broken PCR data */
+	environ = g_get_environ();
+	testdatadir = g_test_build_filename(G_TEST_DIST, "tests", "empty_pcr", NULL);
+	g_setenv("FWUPD_SYSFSTPMDIR", testdatadir, TRUE);
+
+	/* load the plugin */
+	pluginfn = g_test_build_filename(G_TEST_BUILT, "libfu_plugin_tpm." G_MODULE_SUFFIX, NULL);
+	ret = fu_plugin_open(plugin, pluginfn, &error);
+	g_assert_no_error(error);
+	g_assert_true(ret);
+	ret = fu_plugin_runner_startup(plugin, &error);
+	g_assert_no_error(error);
+	g_assert_true(ret);
+
+	/* verify HSI attr */
+	fu_plugin_runner_add_security_attrs(plugin, attrs);
+	attr = fu_security_attrs_get_by_appstream_id(attrs, FWUPD_SECURITY_ATTR_ID_TPM_EMPTY_PCR);
+	g_assert_nonnull(attr);
+	/* PCR 6 is empty (tests/empty_pcr/tpm0/pcrs) */
+	g_assert_cmpint(fwupd_security_attr_get_result(attr),
+			==,
+			FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
+
+	/* restore default environment */
+	g_setenv("FWUPD_SYSFSTPMDIR", g_environ_getenv(environ, "FWUPD_SYSFSTPMDIR"), TRUE);
+}
+
 int
 main(int argc, char **argv)
 {
@@ -187,8 +240,6 @@ main(int argc, char **argv)
 	g_test_init(&argc, &argv, NULL);
 
 	testdatadir = g_test_build_filename(G_TEST_DIST, "tests", NULL);
-	g_setenv("FWUPD_SYSFSFWDIR", testdatadir, TRUE);
-	g_setenv("FWUPD_SYSFSDRIVERDIR", testdatadir, TRUE);
 	g_setenv("FWUPD_SYSFSTPMDIR", testdatadir, TRUE);
 	g_setenv("FWUPD_UEFI_TEST", "1", TRUE);
 
@@ -199,6 +250,7 @@ main(int argc, char **argv)
 	/* tests go here */
 	g_test_add_func("/tpm/pcrs1.2", fu_tpm_device_1_2_func);
 	g_test_add_func("/tpm/pcrs2.0", fu_tpm_device_2_0_func);
+	g_test_add_func("/tpm/empty-pcr", fu_tpm_empty_pcr_func);
 	g_test_add_func("/tpm/eventlog-parse{v1}", fu_tpm_eventlog_parse_v1_func);
 	g_test_add_func("/tpm/eventlog-parse{v2}", fu_tpm_eventlog_parse_v2_func);
 	return g_test_run();

plugins/tpm/tests/empty_pcr/tpm0/active

@@ -0,0 +1 @@
+1

plugins/tpm/tests/empty_pcr/tpm0/caps

@@ -0,0 +1,3 @@
+Manufacturer: 0x49465800
+TCG version: 1.2
+Firmware version: 6.40

plugins/tpm/tests/empty_pcr/tpm0/enabled

@@ -0,0 +1 @@
+1

plugins/tpm/tests/empty_pcr/tpm0/owned

@@ -0,0 +1 @@
+1

plugins/tpm/tests/empty_pcr/tpm0/pcrs

@@ -0,0 +1,24 @@
+PCR-00: 3C 97 99 20 C9 00 99 60 09 27 D5 DA B3 81 EB 95 1E 7F C8 68 
+PCR-01: CE 9F A4 B2 01 09 D8 81 14 EA 1A 6D 13 94 CD 45 5F 52 69 23 
+PCR-02: 47 09 7A 9A AD C3 26 A4 93 91 26 63 A1 6F DF 53 D7 88 96 8E 
+PCR-03: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36 
+PCR-04: A4 A5 87 4C 59 94 8D 9B 93 66 0A F4 19 D8 6F F8 94 36 20 CC 
+PCR-05: 00 0B 58 00 89 72 EF 6C 2A AC 79 33 C4 AE 67 6B A6 EF CF 6A 
+PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
+PCR-07: 0A 2A 68 15 85 0D AC B2 D1 F4 E0 C1 F4 56 D5 E2 81 08 6D EA 
+PCR-08: DB A7 29 4E 49 BA D7 9E 53 99 0A 6E 3A CB 52 97 B9 08 3A 66 
+PCR-09: 19 F9 6F 10 83 F5 5B 50 98 26 C3 14 73 43 35 21 1F E6 39 E9 
+PCR-10: 37 3D 89 9E 10 0D DD 2D 21 B5 F4 96 8D 4F DC A7 6D 1A C7 BD 
+PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
+PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
+PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
+PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
+PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
+PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
+PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
+PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
+PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
+PCR-20: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
+PCR-21: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
+PCR-22: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
+PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

src/fu-security-attr.c

@@ -113,6 +113,10 @@ fu_security_attr_get_name(FwupdSecurityAttr *attr)
 		/* TRANSLATORS: Title: SB is a way of locking down UEFI */
 		return g_strdup(_("UEFI secure boot"));
 	}
+	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_TPM_EMPTY_PCR) == 0) {
+		/* TRANSLATORS: Title: PCRs (Platform Configuration Registers) shouldn't be empty */
+		return g_strdup(_("TPM empty PCRs"));
+	}
 	if (g_strcmp0(appstream_id, FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0) == 0) {
 		/* TRANSLATORS: Title: the PCR is rebuilt from the TPM event log */
 		return g_strdup(_("TPM PCR0 reconstruction"));

src/fu-util-common.c

@@ -2012,6 +2012,22 @@ fu_util_security_event_to_string(FwupdSecurityAttr *attr)
 		      FWUPD_SECURITY_ATTR_RESULT_ENABLED,
 		      /* TRANSLATORS: HSI event title */
 		      _("Secure Boot enabled")},
+		     /* ------------------------------------------*/
+		     {"org.fwupd.hsi.Tpm.EmptyPcr",
+		      FWUPD_SECURITY_ATTR_RESULT_UNKNOWN,
+		      FWUPD_SECURITY_ATTR_RESULT_VALID,
+		      /* TRANSLATORS: HSI event title */
+		      _("All TPM PCRs are valid")},
+		     {"org.fwupd.hsi.Tpm.EmptyPcr",
+		      FWUPD_SECURITY_ATTR_RESULT_VALID,
+		      FWUPD_SECURITY_ATTR_RESULT_NOT_VALID,
+		      /* TRANSLATORS: HSI event title */
+		      _("All TPM PCRs are now valid")},
+		     {"org.fwupd.hsi.Uefi.SecureBoot",
+		      FWUPD_SECURITY_ATTR_RESULT_NOT_VALID,
+		      FWUPD_SECURITY_ATTR_RESULT_VALID,
+		      /* TRANSLATORS: HSI event title */
+		      _("A TPM PCR is now an invalid value")},
 		     {NULL, 0, 0, NULL}};
 
 	/* sanity check */