get_ek.sh gathers the EK certificate with the assumption that the NVRAM index contains only the certificate. We recently encountered a case where the index contained pad bytes after the certificate. Querying the size of the NVRAM index area showed the EC was 1600 bytes. The EC itself was only 1169 bytes. An attempt to give the 1600-byte file as the EC to the paccor signer resulted in Bouncy Castle returning an IOException due to the extra data in the stream.
The fix:
get_ek.sh can detect the ASN.1 length sequence in the data returned from NVRAM. The script can then truncate anything after the specific number of bytes from the data.
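One way to implement the truncation described in this issue, as an added example that is not the project's own code: it reads the length of the outer DER SEQUENCE and copies only that many bytes, refusing input shorter than the encoded length. The function names and the constructed 1600-byte sample (a dummy 1169-byte SEQUENCE followed by zero pad bytes) are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not taken from get_ek.sh).

# der_total_len FILE: print header + content length of the outer DER SEQUENCE.
der_total_len() {
    # First 6 bytes as decimals: tag, length byte, up to 4 length octets.
    set -- $(od -An -v -tu1 -N6 "$1")
    [ "$#" -ge 2 ] || return 1
    [ "$1" -eq 48 ] || return 1            # 0x30 = SEQUENCE, else not a certificate
    first=$2
    shift 2
    if [ "$first" -lt 128 ]; then          # short form: this byte is the length
        echo $((2 + first)); return 0
    fi
    n=$((first - 128))                     # long form: n length octets follow
    # n = 0 is indefinite length (not valid DER); n > 4 is implausible here.
    { [ "$n" -ge 1 ] && [ "$n" -le 4 ] && [ "$#" -ge "$n" ]; } || return 1
    len=0 i=0
    while [ "$i" -lt "$n" ]; do
        len=$((len * 256 + $1)); shift; i=$((i + 1))
    done
    echo $((2 + n + len))
}

# trim_der IN OUT: write only the certificate bytes, dropping trailing pad.
trim_der() {
    total=$(der_total_len "$1") || return 1
    size=$(($(wc -c < "$1")))
    [ "$size" -ge "$total" ] || return 1   # short read: never emit a partial cert
    head -c "$total" "$1" > "$2"
}

# make_sample FILE: constructed stand-in for the NVRAM read in this issue.
# 30 82 04 8D header + 1165 content bytes = 1169, padded with zeros to 1600.
make_sample() {
    { printf '\060\202\004\215'
      head -c 1165 /dev/zero | tr '\0' 'A'
      head -c 431 /dev/zero; } > "$1"
}

d=$(mktemp -d) && make_sample "$d/nv.bin" && trim_der "$d/nv.bin" "$d/ek.der" &&
    echo "index: $(($(wc -c < "$d/nv.bin"))) bytes, certificate: $(($(wc -c < "$d/ek.der"))) bytes"
rm -rf "$d"
```

The length check only bounds the data; the trimmed file still has to parse as an X.509 certificate before it is trusted as the EK certificate.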
iadgovuser29 changed the title from "Update the EKC gathering script to handle extra data" to "Update the EKC gathering script to handle extra data in NVRAM index" on Oct 9, 2018