Re: [PATCH v9 00/22] Automatic Disk Unlock with TPM2

[Daniel Kiper]

On Tue, Jun 25, 2024 at 02:42:31PM +0800, Gary Lin wrote:
> On Mon, Jun 24, 2024 at 07:28:14PM +0200, Daniel Kiper wrote:
> > On Thu, Mar 07, 2024 at 04:59:05PM +0800, Gary Lin via Grub-devel wrote:
> > > On Thu, Feb 08, 2024 at 08:58:43PM +0100, Daniel Kiper wrote:
> > > > Hey,
> > > >
> > > --8<--
> > > >
> > > > And I have attached the Coverity report. All issues reported there have
> > > > to be fixed. If you cannot fix an issue you have to explain why you
> > > > cannot do that and what is potential impact on the code stability,
> > > > security, etc.
> > > >
> > > I have went through all the coverity issues. There are 6 issues in the
> > > TPM2 stack and the utility:
> > >
> > > CID 435775, CID 435771, CID 435770, CID 435769, CID 435767, CID 435761
> > >
> > > Those will be fixed in the next version.
> > >
> > > The 9 issues are from libtasn1 and gnulib.
> > >
> > > There are two memory corruption issue: CID 435762 and CID 435766, and
> > > I've filed the issues in libtasn1 upstream.
> > >
> > > - CID 435762
> > >   https://gitlab.com/gnutls/libtasn1/-/issues/49
> > >   This is a valid case. However, the only exploitable function,
> > >   _asn1_insert_tag_der(), is disabled in grub2 patch, so the severity is
> > >   low. I have a quick fix but upstream would like to fix it in another
> > >   way.
> > > - CID 435766
> > >   https://gitlab.com/gnutls/libtasn1/-/issues/50
> > >   IMO, this is false positive, but I need libtasn1 upstream to confirm
> > >   that.
> > >
> > > Then, the remaining 7 Integer handling issues are involved with the macros
> > > from gnulib, and I believe those are false positive.
> > >
> > > The following are my analyses:
> > >
> > > 
> > > *** CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
> > > /grub-core/lib/libtasn1/lib/decoding.c: 481 in asn1_get_object_id_der()
> > > 475*/
> > > 476   if (leading != 0 && der[len_len + k] == 0x80)
> > > 477   return ASN1_DER_ERROR;
> > > 478   leading = 0;
> > > 479
> > > 480   /* check for wrap around */
> > > >>> CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
> > > >>> "val < 1 ? 0 : val) - 1 < 0) ? ~1 ? 0 : val) + 1 << 62UL 
> > > >>> /* sizeof (+val) * 8 - 2 */) - 1) * 2 + 1) : ((1 ? 0 : val) + 0)) >> 
> > > >>> 7)" is always false regardless of the values of its operands. This 
> > > >>> occurs as the second operand of "?:".
> > > 481   if (INT_LEFT_SHIFT_OVERFLOW (val, 7))
> > > 482   return ASN1_DER_ERROR;
> > > 483
> > > 484   val = val << 7;
> > > 485   val |= der[len_len + k] & 0x7F;
> > > 486
> > >
> > > Here are the related macros:
> > >
> > > #define EXPR_SIGNED(e) (_GL_INT_NEGATE_CONVERT (e, 1) < 0)
> > >
> > > #define _GL_INT_CONVERT(e, v) ((1 ? 0 : (e)) + (v))
> > >
> > > #define _GL_SIGNED_INT_MAXIMUM(e)   \
> > >   (((_GL_INT_CONVERT (e, 1) << (TYPE_WIDTH (+ (e)) - 2)) - 1) * 2 + 1)
> > >
> > > #define _GL_INT_MINIMUM(e)  \
> > >   (EXPR_SIGNED (e)  \
> > >? ~ _GL_SIGNED_INT_MAXIMUM (e)   \
> > >: _GL_INT_CONVERT (e, 0))
> > >
> > > #define INT_LEFT_SHIFT_OVERFLOW(a, b) \
> > >   INT_LEFT_SHIFT_RANGE_OVERFLOW (a, b, \
> > >  _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))
> > >
> > > #define INT_LEFT_SHIFT_RANGE_OVERFLOW(a, b, min, max)   \
> > >   ((a) < 0  \
> > >? (a) < (min) >> (b) \
> > >: (max) >> (b) < (a))
> > >
> > > The statement in question is expanded "(a) < (min) >> (b)" of
> > > INT_LEFT_SHIFT_RANGE_OVERFLOW. Since 'val' is 'uint64_t', '(a) < 0' is 
> > > always
> > > false, so the result of that statement doen't matter.
> >
> > Something is missing and/or requires clarification/expansion here.
> > AFAICT at least your description completely ignores "(max) >> (b) < (a)"
> > expression result.
> >
> Because Coverity only complained "(a) < (min) >> (b)".
> "(max) >> (b) < (a)" does the right thing to check whether 'a' is
> overflowed after the left shift.

OK, then something like above should be added to the CID description then.

> > > 
> > > *** CID 435773:  Integer handling issues  (NO_EFFECT)
> > > /grub-core/lib/libtasn1/lib/decoding.c: 439 in asn1_get_object_id_der()
> > > 433 return ASN1_DER_ERROR;
> > > 434
> > > 435   val0 = 0;
> > > 436
> > > 437   for (k = 0; k < len; k++)
> > > 438 {
> > > >>> CID 435773:  Integer handling issues  (NO_EFFECT)
> > > >>> This less-than-zero comparison of an unsigned value is never 
> > > >>> true. "(1 ? 0UL : val0) - 1UL < 0UL".
>

Re: [PATCH v9 00/22] Automatic Disk Unlock with TPM2

[Gary Lin via Grub-devel]

On Mon, Jun 24, 2024 at 07:28:14PM +0200, Daniel Kiper wrote:
> On Thu, Mar 07, 2024 at 04:59:05PM +0800, Gary Lin via Grub-devel wrote:
> > On Thu, Feb 08, 2024 at 08:58:43PM +0100, Daniel Kiper wrote:
> > > Hey,
> > >
> > --8<--
> > >
> > > And I have attached the Coverity report. All issues reported there have
> > > to be fixed. If you cannot fix an issue you have to explain why you
> > > cannot do that and what is potential impact on the code stability,
> > > security, etc.
> > >
> > I have went through all the coverity issues. There are 6 issues in the
> > TPM2 stack and the utility:
> >
> > CID 435775, CID 435771, CID 435770, CID 435769, CID 435767, CID 435761
> >
> > Those will be fixed in the next version.
> >
> > The 9 issues are from libtasn1 and gnulib.
> >
> > There are two memory corruption issue: CID 435762 and CID 435766, and
> > I've filed the issues in libtasn1 upstream.
> >
> > - CID 435762
> >   https://gitlab.com/gnutls/libtasn1/-/issues/49
> >   This is a valid case. However, the only exploitable function,
> >   _asn1_insert_tag_der(), is disabled in grub2 patch, so the severity is
> >   low. I have a quick fix but upstream would like to fix it in another
> >   way.
> > - CID 435766
> >   https://gitlab.com/gnutls/libtasn1/-/issues/50
> >   IMO, this is false positive, but I need libtasn1 upstream to confirm
> >   that.
> >
> > Then, the remaining 7 Integer handling issues are involved with the macros
> > from gnulib, and I believe those are false positive.
> >
> > The following are my analyses:
> >
> > 
> > *** CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
> > /grub-core/lib/libtasn1/lib/decoding.c: 481 in asn1_get_object_id_der()
> > 475*/
> > 476   if (leading != 0 && der[len_len + k] == 0x80)
> > 477 return ASN1_DER_ERROR;
> > 478   leading = 0;
> > 479
> > 480   /* check for wrap around */
> > >>> CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
> > >>> "val < 1 ? 0 : val) - 1 < 0) ? ~1 ? 0 : val) + 1 << 62UL /* 
> > >>> sizeof (+val) * 8 - 2 */) - 1) * 2 + 1) : ((1 ? 0 : val) + 0)) >> 7)" 
> > >>> is always false regardless of the values of its operands. This occurs 
> > >>> as the second operand of "?:".
> > 481   if (INT_LEFT_SHIFT_OVERFLOW (val, 7))
> > 482 return ASN1_DER_ERROR;
> > 483
> > 484   val = val << 7;
> > 485   val |= der[len_len + k] & 0x7F;
> > 486
> >
> > Here are the related macros:
> >
> > #define EXPR_SIGNED(e) (_GL_INT_NEGATE_CONVERT (e, 1) < 0)
> >
> > #define _GL_INT_CONVERT(e, v) ((1 ? 0 : (e)) + (v))
> >
> > #define _GL_SIGNED_INT_MAXIMUM(e)   \
> >   (((_GL_INT_CONVERT (e, 1) << (TYPE_WIDTH (+ (e)) - 2)) - 1) * 2 + 1)
> >
> > #define _GL_INT_MINIMUM(e)  \
> >   (EXPR_SIGNED (e)  \
> >? ~ _GL_SIGNED_INT_MAXIMUM (e)   \
> >: _GL_INT_CONVERT (e, 0))
> >
> > #define INT_LEFT_SHIFT_OVERFLOW(a, b) \
> >   INT_LEFT_SHIFT_RANGE_OVERFLOW (a, b, \
> >  _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))
> >
> > #define INT_LEFT_SHIFT_RANGE_OVERFLOW(a, b, min, max)   \
> >   ((a) < 0  \
> >? (a) < (min) >> (b) \
> >: (max) >> (b) < (a))
> >
> > The statement in question is expanded "(a) < (min) >> (b)" of
> > INT_LEFT_SHIFT_RANGE_OVERFLOW. Since 'val' is 'uint64_t', '(a) < 0' is 
> > always
> > false, so the result of that statement doen't matter.
> 
> Something is missing and/or requires clarification/expansion here.
> AFAICT at least your description completely ignores "(max) >> (b) < (a)"
> expression result.
> 
Because Coverity only complained "(a) < (min) >> (b)".
"(max) >> (b) < (a)" does the right thing to check whether 'a' is
overflowed after the left shift.

> > 
> > *** CID 435773:  Integer handling issues  (NO_EFFECT)
> > /grub-core/lib/libtasn1/lib/decoding.c: 439 in asn1_get_object_id_der()
> > 433 return ASN1_DER_ERROR;
> > 434
> > 435   val0 = 0;
> > 436
> > 437   for (k = 0; k < len; k++)
> > 438 {
> > >>> CID 435773:  Integer handling issues  (NO_EFFECT)
> > >>> This less-than-zero comparison of an unsigned value is never true. 
> > >>> "(1 ? 0UL : val0) - 1UL < 0UL".
> > 439   if (INT_LEFT_SHIFT_OVERFLOW (val0, 7))
> > 440 return ASN1_DER_ERROR;
> > 441
> > 442   val0 <<= 7;
> > 443   val0 |= der[len_len + k] & 0x7F;
> > 444   if (!(der[len_len + k] & 0x80))
> >
> > Here are the related macros:
> >
> > #define _GL_INT_NEGATE_CONVERT(e, v) ((1 ? 0 : (e)) - (v))
> > #d

Re: [PATCH v9 00/22] Automatic Disk Unlock with TPM2

[Daniel Kiper]

On Thu, Mar 07, 2024 at 04:59:05PM +0800, Gary Lin via Grub-devel wrote:
> On Thu, Feb 08, 2024 at 08:58:43PM +0100, Daniel Kiper wrote:
> > Hey,
> >
> --8<--
> >
> > And I have attached the Coverity report. All issues reported there have
> > to be fixed. If you cannot fix an issue you have to explain why you
> > cannot do that and what is potential impact on the code stability,
> > security, etc.
> >
> I have went through all the coverity issues. There are 6 issues in the
> TPM2 stack and the utility:
>
> CID 435775, CID 435771, CID 435770, CID 435769, CID 435767, CID 435761
>
> Those will be fixed in the next version.
>
> The 9 issues are from libtasn1 and gnulib.
>
> There are two memory corruption issue: CID 435762 and CID 435766, and
> I've filed the issues in libtasn1 upstream.
>
> - CID 435762
>   https://gitlab.com/gnutls/libtasn1/-/issues/49
>   This is a valid case. However, the only exploitable function,
>   _asn1_insert_tag_der(), is disabled in grub2 patch, so the severity is
>   low. I have a quick fix but upstream would like to fix it in another
>   way.
> - CID 435766
>   https://gitlab.com/gnutls/libtasn1/-/issues/50
>   IMO, this is false positive, but I need libtasn1 upstream to confirm
>   that.
>
> Then, the remaining 7 Integer handling issues are involved with the macros
> from gnulib, and I believe those are false positive.
>
> The following are my analyses:
>
> 
> *** CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
> /grub-core/lib/libtasn1/lib/decoding.c: 481 in asn1_get_object_id_der()
> 475*/
> 476   if (leading != 0 && der[len_len + k] == 0x80)
> 477   return ASN1_DER_ERROR;
> 478   leading = 0;
> 479
> 480   /* check for wrap around */
> >>> CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
> >>> "val < 1 ? 0 : val) - 1 < 0) ? ~1 ? 0 : val) + 1 << 62UL /* 
> >>> sizeof (+val) * 8 - 2 */) - 1) * 2 + 1) : ((1 ? 0 : val) + 0)) >> 7)" is 
> >>> always false regardless of the values of its operands. This occurs as the 
> >>> second operand of "?:".
> 481   if (INT_LEFT_SHIFT_OVERFLOW (val, 7))
> 482   return ASN1_DER_ERROR;
> 483
> 484   val = val << 7;
> 485   val |= der[len_len + k] & 0x7F;
> 486
>
> Here are the related macros:
>
> #define EXPR_SIGNED(e) (_GL_INT_NEGATE_CONVERT (e, 1) < 0)
>
> #define _GL_INT_CONVERT(e, v) ((1 ? 0 : (e)) + (v))
>
> #define _GL_SIGNED_INT_MAXIMUM(e)   \
>   (((_GL_INT_CONVERT (e, 1) << (TYPE_WIDTH (+ (e)) - 2)) - 1) * 2 + 1)
>
> #define _GL_INT_MINIMUM(e)  \
>   (EXPR_SIGNED (e)  \
>? ~ _GL_SIGNED_INT_MAXIMUM (e)   \
>: _GL_INT_CONVERT (e, 0))
>
> #define INT_LEFT_SHIFT_OVERFLOW(a, b) \
>   INT_LEFT_SHIFT_RANGE_OVERFLOW (a, b, \
>  _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))
>
> #define INT_LEFT_SHIFT_RANGE_OVERFLOW(a, b, min, max)   \
>   ((a) < 0  \
>? (a) < (min) >> (b) \
>: (max) >> (b) < (a))
>
> The statement in question is expanded "(a) < (min) >> (b)" of
> INT_LEFT_SHIFT_RANGE_OVERFLOW. Since 'val' is 'uint64_t', '(a) < 0' is always
> false, so the result of that statement doen't matter.

Something is missing and/or requires clarification/expansion here.
AFAICT at least your description completely ignores "(max) >> (b) < (a)"
expression result.

> 
> *** CID 435773:  Integer handling issues  (NO_EFFECT)
> /grub-core/lib/libtasn1/lib/decoding.c: 439 in asn1_get_object_id_der()
> 433 return ASN1_DER_ERROR;
> 434
> 435   val0 = 0;
> 436
> 437   for (k = 0; k < len; k++)
> 438 {
> >>> CID 435773:  Integer handling issues  (NO_EFFECT)
> >>> This less-than-zero comparison of an unsigned value is never true. 
> >>> "(1 ? 0UL : val0) - 1UL < 0UL".
> 439   if (INT_LEFT_SHIFT_OVERFLOW (val0, 7))
> 440   return ASN1_DER_ERROR;
> 441
> 442   val0 <<= 7;
> 443   val0 |= der[len_len + k] & 0x7F;
> 444   if (!(der[len_len + k] & 0x80))
>
> Here are the related macros:
>
> #define _GL_INT_NEGATE_CONVERT(e, v) ((1 ? 0 : (e)) - (v))
> #define EXPR_SIGNED(e) (_GL_INT_NEGATE_CONVERT (e, 1) < 0)
>
> The statement in question is the expanded 'EXPR_SIGNED'. Since that macro is
> to test whether the variable is signed or not. For 'uint64_t val0', it's
> expected to be always false.
>
> 
> *** CID 435772:  Integer handling issues  (NO_EFFECT)
> /grub-core/lib/libtasn1/lib/decod

Re: [PATCH v9 00/22] Automatic Disk Unlock with TPM2

[Gary Lin via Grub-devel]

On Thu, Apr 04, 2024 at 11:03:47PM +0200, Daniel Kiper wrote:
> On Thu, Mar 07, 2024 at 04:59:05PM +0800, Gary Lin via Grub-devel wrote:
> > On Thu, Feb 08, 2024 at 08:58:43PM +0100, Daniel Kiper wrote:
> > > Hey,
> > >
> > --8<--
> > >
> > > And I have attached the Coverity report. All issues reported there have
> > > to be fixed. If you cannot fix an issue you have to explain why you
> > > cannot do that and what is potential impact on the code stability,
> > > security, etc.
> > >
> > I have went through all the coverity issues. There are 6 issues in the
> > TPM2 stack and the utility:
> 
> [...]
> 
> Any progress on this? You are blocking another patch set which depends
> on some code which you introduce. If there is no progress here I will
> ask an author of the other patch set to resume the work and queue your
> patch set as a second one to merge.
> 
I was waiting for upstream fix for CID 435762(*). It can be fixed by
tweaking an if statement slightly but upstream prefers code refactoring
to remove the loops. Anyway, the only potentially vulnerable call path
is disabled in my patch set, so we can choose to leave the issue for the
later update or just apply a quick fix.

Cheers,

Gary Lin

(*) https://gitlab.com/gnutls/libtasn1/-/issues/49

___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Re: [PATCH v9 00/22] Automatic Disk Unlock with TPM2

[Daniel Kiper]

On Thu, Mar 07, 2024 at 04:59:05PM +0800, Gary Lin via Grub-devel wrote:
> On Thu, Feb 08, 2024 at 08:58:43PM +0100, Daniel Kiper wrote:
> > Hey,
> >
> --8<--
> >
> > And I have attached the Coverity report. All issues reported there have
> > to be fixed. If you cannot fix an issue you have to explain why you
> > cannot do that and what is potential impact on the code stability,
> > security, etc.
> >
> I have went through all the coverity issues. There are 6 issues in the
> TPM2 stack and the utility:

[...]

Any progress on this? You are blocking another patch set which depends
on some code which you introduce. If there is no progress here I will
ask an author of the other patch set to resume the work and queue your
patch set as a second one to merge.

Daniel

___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Re: [PATCH v9 00/22] Automatic Disk Unlock with TPM2

[Gary Lin via Grub-devel]

On Thu, Feb 08, 2024 at 08:58:43PM +0100, Daniel Kiper wrote:
> Hey,
> 
--8<--
> 
> And I have attached the Coverity report. All issues reported there have
> to be fixed. If you cannot fix an issue you have to explain why you
> cannot do that and what is potential impact on the code stability,
> security, etc.
> 
I have went through all the coverity issues. There are 6 issues in the
TPM2 stack and the utility:

CID 435775, CID 435771, CID 435770, CID 435769, CID 435767, CID 435761 

Those will be fixed in the next version.

The 9 issues are from libtasn1 and gnulib.

There are two memory corruption issue: CID 435762 and CID 435766, and
I've filed the issues in libtasn1 upstream.

- CID 435762
  https://gitlab.com/gnutls/libtasn1/-/issues/49
  This is a valid case. However, the only exploitable function,
  _asn1_insert_tag_der(), is disabled in grub2 patch, so the severity is
  low. I have a quick fix but upstream would like to fix it in another
  way.
- CID 435766
  https://gitlab.com/gnutls/libtasn1/-/issues/50
  IMO, this is false positive, but I need libtasn1 upstream to confirm
  that.

Then, the remaining 7 Integer handling issues are involved with the macros
from gnulib, and I believe those are false positive.

The following are my analyses:


*** CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/grub-core/lib/libtasn1/lib/decoding.c: 481 in asn1_get_object_id_der()
475*/
476   if (leading != 0 && der[len_len + k] == 0x80)
477 return ASN1_DER_ERROR;
478   leading = 0;
479 
480   /* check for wrap around */
>>> CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>> "val < 1 ? 0 : val) - 1 < 0) ? ~1 ? 0 : val) + 1 << 62UL /* 
>>> sizeof (+val) * 8 - 2 */) - 1) * 2 + 1) : ((1 ? 0 : val) + 0)) >> 7)" is 
>>> always false regardless of the values of its operands. This occurs as the 
>>> second operand of "?:".
481   if (INT_LEFT_SHIFT_OVERFLOW (val, 7))
482 return ASN1_DER_ERROR;
483 
484   val = val << 7;
485   val |= der[len_len + k] & 0x7F;
486 

Here are the related macros:

#define EXPR_SIGNED(e) (_GL_INT_NEGATE_CONVERT (e, 1) < 0)

#define _GL_INT_CONVERT(e, v) ((1 ? 0 : (e)) + (v))

#define _GL_SIGNED_INT_MAXIMUM(e)   \
  (((_GL_INT_CONVERT (e, 1) << (TYPE_WIDTH (+ (e)) - 2)) - 1) * 2 + 1)

#define _GL_INT_MINIMUM(e)  \
  (EXPR_SIGNED (e)  \
   ? ~ _GL_SIGNED_INT_MAXIMUM (e)   \
   : _GL_INT_CONVERT (e, 0))

#define INT_LEFT_SHIFT_OVERFLOW(a, b) \
  INT_LEFT_SHIFT_RANGE_OVERFLOW (a, b, \
 _GL_INT_MINIMUM (a), _GL_INT_MAXIMUM (a))

#define INT_LEFT_SHIFT_RANGE_OVERFLOW(a, b, min, max)   \
  ((a) < 0  \
   ? (a) < (min) >> (b) \
   : (max) >> (b) < (a))

The statement in question is expanded "(a) < (min) >> (b)" of
INT_LEFT_SHIFT_RANGE_OVERFLOW. Since 'val' is 'uint64_t', '(a) < 0' is always
false, so the result of that statement doen't matter.


*** CID 435773:  Integer handling issues  (NO_EFFECT)
/grub-core/lib/libtasn1/lib/decoding.c: 439 in asn1_get_object_id_der()
433 return ASN1_DER_ERROR;
434 
435   val0 = 0;
436 
437   for (k = 0; k < len; k++)
438 {
>>> CID 435773:  Integer handling issues  (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "(1 
>>> ? 0UL : val0) - 1UL < 0UL".
439   if (INT_LEFT_SHIFT_OVERFLOW (val0, 7))
440 return ASN1_DER_ERROR;
441 
442   val0 <<= 7;
443   val0 |= der[len_len + k] & 0x7F;
444   if (!(der[len_len + k] & 0x80))

Here are the related macros:

#define _GL_INT_NEGATE_CONVERT(e, v) ((1 ? 0 : (e)) - (v))
#define EXPR_SIGNED(e) (_GL_INT_NEGATE_CONVERT (e, 1) < 0)

The statement in question is the expanded 'EXPR_SIGNED'. Since that macro is
to test whether the variable is signed or not. For 'uint64_t val0', it's
expected to be always false.


*** CID 435772:  Integer handling issues  (NO_EFFECT)
/grub-core/lib/libtasn1/lib/decoding.c: 204 in asn1_get_tag_der()
198   /* Long form */
199   punt = 1;
200   ris = 0;
201   while (punt < der_len && der[punt] & 128)
202 {
203 
>>> CID 435772:  Integer handling issues  (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "(1 
>>> ? 0U : ((1 ? 0U : ris) + 128U)) - 1U < 0U".
204   if (INT_

Re: [PATCH v9 00/22] Automatic Disk Unlock with TPM2

[Daniel Kiper]

On Wed, Feb 21, 2024 at 04:10:14PM +0800, Gary Lin via Grub-devel wrote:
> On Thu, Feb 08, 2024 at 08:58:43PM +0100, Daniel Kiper wrote:
> > Hey,
> >
> > Adding Patrick...
> >
> > On Mon, Feb 05, 2024 at 03:39:33PM +0800, Gary Lin wrote:
> > > GIT repo for v9: https://github.com/lcp/grub2/tree/tpm2-unlock-v9
> > >
> > > This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
> > > Hernan Gatta to introduce the key protector framework and TPM2 stack
> > > to GRUB2, and this could be a useful feature for the systems to
> > > implement full disk encryption.
> >
> > Sadly this patch set have many issues...
> >
> > The git complains in the following way...
> >
> >   Applying: asn1_test: test module for libtasn1
> >   .git/rebase-apply/patch:1374: new blank line at EOF.
> >   warning: 1 line adds whitespace errors.
> Will be fixed in v10.
>
> >   Applying: libtasn1: Add the documentation
> >   .git/rebase-apply/patch:90: trailing whitespace.
> >   .git/rebase-apply/patch:92: trailing whitespace.
> >   .git/rebase-apply/patch:99: trailing whitespace.
> >   .git/rebase-apply/patch:102: trailing whitespace.
> >   .git/rebase-apply/patch:108: trailing whitespace.
> >   warning: squelched 80 whitespace errors
> >   warning: 85 lines add whitespace errors.
> >
> Those whitespaces naturally exist in the two 'patch' files added in this
> commit, so it's hard to avoid the warning.

OK, please ignore my comment then...

Daniel

___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Re: [PATCH v9 00/22] Automatic Disk Unlock with TPM2

[Gary Lin via Grub-devel]

On Thu, Feb 08, 2024 at 08:58:43PM +0100, Daniel Kiper wrote:
> Hey,
> 
> Adding Patrick...
> 
> On Mon, Feb 05, 2024 at 03:39:33PM +0800, Gary Lin wrote:
> > GIT repo for v9: https://github.com/lcp/grub2/tree/tpm2-unlock-v9
> >
> > This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
> > Hernan Gatta to introduce the key protector framework and TPM2 stack
> > to GRUB2, and this could be a useful feature for the systems to
> > implement full disk encryption.
> 
> Sadly this patch set have many issues...
> 
> The git complains in the following way...
> 
>   Applying: asn1_test: test module for libtasn1
>   .git/rebase-apply/patch:1374: new blank line at EOF.
>   warning: 1 line adds whitespace errors.
Will be fixed in v10.

>   Applying: libtasn1: Add the documentation
>   .git/rebase-apply/patch:90: trailing whitespace.
>   .git/rebase-apply/patch:92: trailing whitespace.
>   .git/rebase-apply/patch:99: trailing whitespace.
>   .git/rebase-apply/patch:102: trailing whitespace.
>   .git/rebase-apply/patch:108: trailing whitespace.
>   warning: squelched 80 whitespace errors
>   warning: 85 lines add whitespace errors.
> 
Those whitespaces naturally exist in the two 'patch' files added in this
commit, so it's hard to avoid the warning.

> The developers manual does not build due to following errors...
> 
>   grub-dev.texi:616: misplaced {
>   grub-dev.texi:616: misplaced }
>   grub-dev.texi:617: misplaced {
>   grub-dev.texi:617: misplaced }
>   grub-dev.texi:580: warning: node `libtasn1' is next for `minilzo' in 
> sectioning but not in menu
>   grub-dev.texi:599: warning: unreferenced node `libtasn1'
>   grub-dev.texi:599: warning: node `minilzo' is prev for `libtasn1' in 
> sectioning but not in menu
>   grub-dev.texi:599: warning: node `Updating External Code' is up for 
> `libtasn1' in sectioning but not in menu
>   grub-dev.texi:499: node `Updating External Code' lacks menu item for 
> `libtasn1' despite being its Up target
> 
Will be fixed in v10.

> And I have attached the Coverity report. All issues reported there have
> to be fixed. If you cannot fix an issue you have to explain why you
> cannot do that and what is potential impact on the code stability,
> security, etc.
> 
I'm working on that and will fix them in v10.

> Please do not forget to check code which you add adhere to GRUB coding
> style [1]. Good example is in grub-core/kern/efi/sb.c too. Of course
> this requirement does not apply to the libs which you import.
> 
> Additionally, please CC patrick.c...@oracle.com next time. He is
> interested in this patch set development.
> 
Added Patrick to my patch sending script.

Thanks,

Gary Lin

> Daniel
> 
> [1] 
> https://www.gnu.org/software/grub/manual/grub-dev/grub-dev.html#Coding-style


___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Re: [PATCH v9 00/22] Automatic Disk Unlock with TPM2

[Daniel Kiper]

Hey,

Adding Patrick...

On Mon, Feb 05, 2024 at 03:39:33PM +0800, Gary Lin wrote:
> GIT repo for v9: https://github.com/lcp/grub2/tree/tpm2-unlock-v9
>
> This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
> Hernan Gatta to introduce the key protector framework and TPM2 stack
> to GRUB2, and this could be a useful feature for the systems to
> implement full disk encryption.

Sadly this patch set have many issues...

The git complains in the following way...

  Applying: asn1_test: test module for libtasn1
  .git/rebase-apply/patch:1374: new blank line at EOF.
  warning: 1 line adds whitespace errors.
  Applying: libtasn1: Add the documentation
  .git/rebase-apply/patch:90: trailing whitespace.
  .git/rebase-apply/patch:92: trailing whitespace.
  .git/rebase-apply/patch:99: trailing whitespace.
  .git/rebase-apply/patch:102: trailing whitespace.
  .git/rebase-apply/patch:108: trailing whitespace.
  warning: squelched 80 whitespace errors
  warning: 85 lines add whitespace errors.

The developers manual does not build due to following errors...

  grub-dev.texi:616: misplaced {
  grub-dev.texi:616: misplaced }
  grub-dev.texi:617: misplaced {
  grub-dev.texi:617: misplaced }
  grub-dev.texi:580: warning: node `libtasn1' is next for `minilzo' in 
sectioning but not in menu
  grub-dev.texi:599: warning: unreferenced node `libtasn1'
  grub-dev.texi:599: warning: node `minilzo' is prev for `libtasn1' in 
sectioning but not in menu
  grub-dev.texi:599: warning: node `Updating External Code' is up for 
`libtasn1' in sectioning but not in menu
  grub-dev.texi:499: node `Updating External Code' lacks menu item for 
`libtasn1' despite being its Up target

And I have attached the Coverity report. All issues reported there have
to be fixed. If you cannot fix an issue you have to explain why you
cannot do that and what is potential impact on the code stability,
security, etc.

Please do not forget to check code which you add adhere to GRUB coding
style [1]. Good example is in grub-core/kern/efi/sb.c too. Of course
this requirement does not apply to the libs which you import.

Additionally, please CC patrick.c...@oracle.com next time. He is
interested in this patch set development.

Daniel

[1] https://www.gnu.org/software/grub/manual/grub-dev/grub-dev.html#Coding-style
Hi,

Please find the latest report on new defect(s) introduced to GRUB found with 
Coverity Scan.

15 new defect(s) introduced to GRUB found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 15 of 15 defect(s)


** CID 435775:  Resource leaks  (RESOURCE_LEAK)
/util/grub-protect.c: 982 in grub_protect_tpm2_add()



*** CID 435775:  Resource leaks  (RESOURCE_LEAK)
/util/grub-protect.c: 982 in grub_protect_tpm2_add()
976 
977   if (key_size > TPM_MAX_SYM_DATA)
978   {
979 fprintf (stderr,
980  _("Input key is too long, maximum allowed size is %u 
bytes.\n"),
981  TPM_MAX_SYM_DATA);
>>> CID 435775:  Resource leaks  (RESOURCE_LEAK)
>>> Variable "key" going out of scope leaks the storage it points to.
982 return GRUB_ERR_OUT_OF_RANGE;
983   }
984 
985   err = grub_protect_tpm2_get_srk (args, &srk);
986   if (err != GRUB_ERR_NONE)
987 goto exit2;

** CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/grub-core/lib/libtasn1/lib/decoding.c: 481 in asn1_get_object_id_der()



*** CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/grub-core/lib/libtasn1/lib/decoding.c: 481 in asn1_get_object_id_der()
475*/
476   if (leading != 0 && der[len_len + k] == 0x80)
477 return ASN1_DER_ERROR;
478   leading = 0;
479 
480   /* check for wrap around */
>>> CID 435774:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>> "val < 1 ? 0 : val) - 1 < 0) ? ~1 ? 0 : val) + 1 << 62UL /* 
>>> sizeof (+val) * 8 - 2 */) - 1) * 2 + 1) : ((1 ? 0 : val) + 0)) >> 7)" is 
>>> always false regardless of the values of its operands. This occurs as the 
>>> second operand of "?:".
481   if (INT_LEFT_SHIFT_OVERFLOW (val, 7))
482 return ASN1_DER_ERROR;
483 
484   val = val << 7;
485   val |= der[len_len + k] & 0x7F;
486 

** CID 435773:  Integer handling issues  (NO_EFFECT)
/grub-core/lib/libtasn1/lib/decoding.c: 439 in asn1_get_object_id_der()



*** CID 435773:  Integer handling issues  (NO_EFFECT)
/grub-core/lib/libtasn1/lib/decoding.c: 439 in asn1_get_object_id_der()
433 return ASN1_DER_ERROR;
434 
435   val0 = 0;
436 
437   for (k = 0; k < len; k++)
438 {
>>> CID 435773:  

[PATCH v9 00/22] Automatic Disk Unlock with TPM2

[Gary Lin via Grub-devel]

GIT repo for v9: https://github.com/lcp/grub2/tree/tpm2-unlock-v9

This patch series is based on "Automatic TPM Disk Unlock"(*1) posted by
Hernan Gatta to introduce the key protector framework and TPM2 stack
to GRUB2, and this could be a useful feature for the systems to
implement full disk encryption.

To support TPM 2.0 Key File format(*2), patch 1~6 are grabbed from
Daniel Axtens's "appended signature secure boot support" (*3) to import
libtasn1 into grub2. Besides, the libtasn1 version is upgraded to
4.19.0 instead of 4.16.0 in the original patch.

Patch 7 adds the document for libtasn1 and the steps to upgrade the
library.

Patch 8~12 are Hernan Gatta's patches with the follow-up fixes and
improvements:
- Converting 8 spaces into 1 tab
- Merging the minor build fix from Michael Chang
  - Replacing "lu" with "PRIuGRUB_SIZE" for grub_dprintf
  - Adding "enable = efi" to the tpm2 module in grub-core/Makefile.core.def
- Rebasing "cryptodisk: Support key protectors" to the git master
- Removing the measurement on the sealed key
  - Based on the patch from Olaf Kirch 
- Adjusting the input parameters of TPM2_EvictControl to match the order
  in "TCG TPM2 Part3 Commands"
- Declaring the input arguments of TPM2 functions as const
- Resending TPM2 commands on TPM_RC_RETRY
- Adding checks for the parameters of TPM2 commands
- Packing the missing authorization command for TPM2_PCR_Read
- Tweaking the TPM2 command functions to allow some parameters to be
  NULL so that we don't have to declare empty variables
- Only enabling grub-protect for "efi" since the TPM2 stack currently
  relies on the EFI TCG2 protocol to send TPM2 commands
- Using grub_cpu_to_be*() in the TPM2 stack instead of grub_swap_bytes*()
  which may cause problems in big-indian machines
- Changing the short name of "--protector" of "cryptomount" from "-k" to
  "-P" to avoid the conflict with "--key-file"
- Supporting TPM 2.0 Key File Format besides the raw sealed key
- Adding the external libtasn1 dependency to grub-protect to write the
  TPM 2.0 Key files

Patch 13~16 implement the authorized policy support.

Patch 17 implements the missing NV index mode. (Thanks to Patrick Colp)

Patch 18 improves the 'cryptomount' command to fall back to the
passphrase mode when the key protector fails to unlock the encrypted
partition. (Another patch from Patrick Colp)

Patch 19~20 fix the potential security issues spotted by Fabian Vogt.

Patch 21~22 add the TPM key unsealing testcase.

To utilize the TPM2 key protector to unlock the encrypted partition
(sdb1), here are the sample steps:

1. Add an extra random key for LUKS (luks-key)
   $ dd if=/dev/urandom of=luks-key bs=1 count=32
   $ sudo cryptsetup luksAddKey /dev/sdb1 luks-key --pbkdf=pbkdf2

2. Seal the key
   $ sudo grub-protect --action=add \
   --protector=tpm2 \
   --tpm2key \
   --tpm2-keyfile=luks-key \
   --tpm2-outfile=/boot/efi/boot/grub2/sealed.tpm

3. Unseal the key with the proper commands in grub.cfg:
   tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
   cryptomount -u  -P tpm2

(*1) https://lists.gnu.org/archive/html/grub-devel/2022-02/msg6.html
(*2) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
(*3) https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00044.html

v9:
- Introducing c-ctype.h to posix_wrap and implementing strncat
- Adding the descriptive comments to the disabled code in libtasn1
- Replacing strcat with the bound-checked _asn1_str_cat in libtasn1 and
  including c-ctype.h directly
- Integrating the asn1 testcases into "functional_test"
- Updating the libtasn1 patches mentioned in the documentation 
- Moving the key protector to a module
- Amending configure.ac to enable/disable grub-protect
- Fixing an timeout issue in the tpm2_test script by feeding the config
  through stdin

v8:
- https://lists.gnu.org/archive/html/grub-devel/2024-01/msg00013.html
- GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v8
- Introducing TPM device support to grub-emu and adding the TPM key
  unsealing testcase

v7:
- https://lists.gnu.org/archive/html/grub-devel/2023-11/msg00127.html
- GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v7
- Stopping reading SRK from the well-known persistent handle (TPM2_SRK_HANDLE,
  i.e. 0x8101) by default since the persistent handle may be created
  by other OS and causes unsealing failure due to SRK mismatching
  - The user now has to specify the persistent handle with "--srk"
explicitly.
- Utilizing grub_error() to print more error messages 
- Unifying the format of the error messages from TPM2 commands

v6:
- https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00026.html
- GIT repo: https://github.com/lcp/grub2/tree/tpm2-unlock-v6
- Supporting more SRK types than RSA2048 and ECC_NIST_P256
- Documenting SHA512 as the supported PCR bank type in the tpm2
  protector
- Removing the redundant error message