TrenchBoot · SergiiDmytruk · Apr 17, 2024 · Apr 16, 2024 · Apr 16, 2024
diff --git a/anti-evil-maid.spec.in b/anti-evil-maid.spec.in
@@ -49,6 +49,7 @@ cp -r systemd $RPM_BUILD_ROOT/usr/lib
 /usr/sbin/anti-evil-maid-lib-tpm2
 /usr/sbin/anti-evil-maid-seal
 /usr/sbin/anti-evil-maid-tpm-setup
+/usr/sbin/tpm-evt-log-utils.awk
 /usr/sbin/tpm2-evt-log-parser.awk
 /usr/sbin/txt-tpm1-evt-log-parser.awk
 /usr/share/doc/anti-evil-maid/README

diff --git a/sbin/tpm-evt-log-utils.awk b/sbin/tpm-evt-log-utils.awk
@@ -0,0 +1,103 @@
+# This file contains a set of utility functions common for TPM1.2 and 2.0
+
+function assert(condition, string)
+{
+	if (!condition) {
+		print string
+		exit 1
+	}
+}
+
+function ord_init(    _i)
+{
+	for (_i = 0; _i < 256; _i++) {
+		ord[sprintf("%c", _i)] = _i
+	}
+}
+
+function x2n(hex, width,    _i)
+{
+	mult = 1
+	num = 0
+	for (_i = 0; _i < width; _i++) {
+		num += ord[substr(hex, _i+1, 1)] * mult
+		mult *= 256
+	}
+	return num
+}
+
+function hex_noprint(hex, len,    _i, _str)
+{
+	_str = ""
+	for (_i = 0; _i < len; _i++) {
+		_str = _str sprintf("%02x", ord[substr(hex, _i+1, 1)])
+	}
+	return _str
+}
+
+function hexdump(hex, len)
+{
+	print hex_noprint(hex, len)
+}
+
+function alg_name(id)
+{
+	switch (id) {
+		case 0x0004: return "SHA1"
+		case 0x000b: return "SHA256"
+		case 0x000c: return "SHA384"
+		case 0x000d: return "SHA512"
+		case 0x0012: return "SM3-256"
+		case 0x0027: return "SHA3-256"
+		case 0x0028: return "SHA3-384"
+		case 0x0029: return "SHA3-512"
+		default: return sprintf("unknown (%#06x)", id)
+	}
+}
+
+function string_or_hex(str, len)
+{
+	_len = len
+	if (_len > 128)
+		_len = 128
+	# String must start with a series of printable characters ...
+	if (match(str, "[[:graph:][:blank:]]*", a) != 1) {
+		hexdump(str, _len)
+	# ... long until the end, with "optional" (i.e. bad implementation) \0.
+	} else if (len != a[0, "length"] &&
+		   (len != a[0, "length"] + 1 || index(str, "\0") != len)) {
+		hexdump(str, _len)
+	} else
+		printf("%.*s\n", _len, a[0])
+	if (_len != len)
+		printf("... (event truncated to %d first bytes, was %d)\n", _len, len)
+}
+
+function replay_sha(vals, len, c,    val, _i, n, arr, cmd)
+{
+	val = sprintf("%0" len "." len "x", 0)
+	n = split(vals, arr, "\n")
+	for (_i = 1; _i < n; _i++) {
+		cmd = "echo " val arr[_i] " | xxd -r -p | " c " > /tmp/sha"
+		system(cmd)
+		getline val <"/tmp/sha"
+		close("/tmp/sha")
+		close(cmd)
+		# Drop trailing file name and newline character
+		val = substr(val, 1, len)
+	}
+	system("rm /tmp/sha")
+	print val
+}
+
+function replay_sha1(pcr)
+{
+	printf "    %d: ", pcr
+	replay_sha(SYMTAB["SHA1_" pcr], 40, "sha1sum")
+}
+
+function replay_sha256(pcr)
+{
+	printf "    %d: ", pcr
+	replay_sha(SYMTAB["SHA256_" pcr], 64, "sha256sum")
+}
diff --git a/sbin/tpm2-evt-log-parser.awk b/sbin/tpm2-evt-log-parser.awk
@@ -1,76 +1,15 @@
 #!/usr/bin/gawk -bf
 @load "readfile"
-
-function assert(condition, string)
-{
-	if (!condition) {
-		print string
-		exit 1
-	}
-}
-
-function ord_init()
-{
-	for (_i = 0; _i < 256; _i++) {
-		ord[sprintf("%c", _i)] = _i
-	}
-}
-
-function x2n(hex, width)
-{
-	mult = 1
-	num = 0
-	for (_i = 0; _i < width; _i++) {
-		num += ord[substr(hex, _i+1, 1)] * mult
-		mult *= 256
-	}
-	return num
-}
-
-function hexdump(hex, len)
-{
-	for (_i = 0; _i < len; _i++) {
-		printf("%02x", ord[substr(hex, _i+1, 1)])
-	}
-}
-
-function alg_name(id)
-{
-	switch (id) {
-		case 0x0004: return "SHA1"
-		case 0x000b: return "SHA256"
-		case 0x000c: return "SHA384"
-		case 0x000d: return "SHA512"
-		case 0x0012: return "SM3-256"
-		case 0x0027: return "SHA3-256"
-		case 0x0028: return "SHA3-384"
-		case 0x0029: return "SHA3-512"
-		default: return sprintf("unknown (%#06x)", id)
-	}
-}
-
-function string_or_hex(str, len)
-{
-	_len = len
-	if (_len > 128)
-		_len = 128
-	# String must start with a series of printable characters ...
-	if (match(str, "[[:graph:][:blank:]]*", a) != 1) {
-		hexdump(str, _len)
-	# ... long until the end, with "optional" (i.e. bad implementation) \0.
-	} else if (len != a[0, "length"] &&
-		   (len != a[0, "length"] + 1 || index(str, "\0") != len)) {
-		hexdump(str, _len)
-	} else
-		printf("%.*s", _len, a[0])
-	if (_len != len)
-		printf("... (event truncated to %d first bytes, was %d)", _len, len)
-}
+@include "/sbin/tpm-evt-log-utils.awk"
 
 BEGIN {
 	PROCINFO["readfile"]
 	FIELDWIDTHS = "4 4 20 4 16 4 1 1 1 1 4 *"
 	ord_init()
+	SHA1_17 = ""
+	SHA1_18 = ""
+	SHA256_17 = ""
+	SHA256_18 = ""
 }
 {
 	# Header sanity checks
@@ -124,12 +63,20 @@ BEGIN {
 			$4 = substr($4, 3)
 			printf("      %s: ", alg_name(a[1]))
 			hexdump($4, a[2])
-			printf("\n")
+			sym = alg_name(a[1]) "_" x2n($1, 4)
+			SYMTAB[sym] = SYMTAB[sym] hex_noprint($4, a[2]) "\n"
 			$4 = substr($4, a[2]+1)
 		}
 		printf("    Event: ")
 		string_or_hex($6, x2n($5, 4))
 		printf("\n\n")
 		$0 = substr($6, x2n($5, 4) + 1)
 	}
+	print "Expected PCR values:"
+	print "  SHA1:"
+	replay_sha1(17)
+	replay_sha1(18)
+	print "  SHA256:"
+	replay_sha256(17)
+	replay_sha256(18)
 }
diff --git a/sbin/txt-tpm1-evt-log-parser.awk b/sbin/txt-tpm1-evt-log-parser.awk
@@ -1,62 +1,14 @@
 #!/usr/bin/gawk -bf
 @load "readfile"
-
-function assert(condition, string)
-{
-	if (!condition) {
-		print string
-		exit 1
-	}
-}
-
-function ord_init()
-{
-	for (_i = 0; _i < 256; _i++) {
-		ord[sprintf("%c", _i)] = _i
-	}
-}
-
-function x2n(hex, width)
-{
-	mult = 1
-	num = 0
-	for (_i = 0; _i < width; _i++) {
-		num += ord[substr(hex, _i+1, 1)] * mult
-		mult *= 256
-	}
-	return num
-}
-
-function hexdump(hex, len)
-{
-	for (_i = 0; _i < len; _i++) {
-		printf("%02x", ord[substr(hex, _i+1, 1)])
-	}
-}
-
-function string_or_hex(str, len)
-{
-	_len = len
-	if (_len > 128)
-		_len = 128
-	# String must start with a series of printable characters ...
-	if (match(str, "[[:graph:][:blank:]]*", a) != 1) {
-		hexdump(str, _len)
-	# ... long until the end, with "optional" (i.e. bad implementation) \0.
-	} else if (len != a[0, "length"] &&
-		   (len != a[0, "length"] + 1 || index(str, "\0") != len)) {
-		hexdump(str, _len)
-	} else
-		printf("%.*s", _len, a[0])
-	if (_len != len)
-		printf("... (event truncated to %d first bytes, was %d)", _len, len)
-}
+@include "/sbin/tpm-evt-log-utils.awk"
 
 BEGIN {
 	PROCINFO["readfile"]
 	# Start by assuming presence of a TCG-compatible header
 	FIELDWIDTHS = "4 4 20 4 16 4 1 1 1 1 1 *"
 	ord_init()
+	SHA1_17 = ""
+	SHA1_18 = ""
 }
 {
 	# TCG header is not present on Intel systems, so do nothing if it's not
@@ -119,10 +71,14 @@ BEGIN {
 		printf("    Digests:\n")
 		printf("      SHA1: ")
 		hexdump($3, 20)
-		printf("\n")
+		sym = "SHA1_" x2n($1, 4)
+		SYMTAB[sym] = SYMTAB[sym] hex_noprint($3, 20) "\n"
 		printf("    Event: ")
 		string_or_hex($5, x2n($4, 4))
-		printf("\n\n")
+		printf("\n")
 		$0 = substr($5, x2n($4, 4) + 1)
 	}
+	print "Expected PCR values:"
+	replay_sha1(17)
+	replay_sha1(18)
 }