fix: handle secure boot state policy pcr digest error
This does not fix the underlying digest mismatch issue, but does handle the error and should provide
further insight into issues (if present).

Refs: #7828

Signed-off-by: Thomas Way <thomas@6f.io>
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
uhthomas authored and smira committed Oct 9, 2023
1 parent 498aeb8 commit b87092a
Showing 2 changed files with 17 additions and 14 deletions.
16 changes: 8 additions & 8 deletions internal/pkg/secureboot/tpm2/pcr.go
Expand Up @@ -40,7 +40,7 @@ func CreateSelector(pcrs []int) ([]byte, error) {
func ReadPCR(t transport.TPM, pcr int) ([]byte, error) {
pcrSelector, err := CreateSelector([]int{pcr})
if err != nil {
return nil, fmt.Errorf("failed to create PCR selection: %v", err)
return nil, fmt.Errorf("failed to create PCR selection: %w", err)
}

pcrRead := tpm2.PCRRead{
Expand All @@ -56,7 +56,7 @@ func ReadPCR(t transport.TPM, pcr int) ([]byte, error) {

pcrValue, err := pcrRead.Execute(t)
if err != nil {
return nil, fmt.Errorf("failed to read PCR: %v", err)
return nil, fmt.Errorf("failed to read PCR: %w", err)
}

return pcrValue.PCRValues.Digests[0].Buffer, nil
Expand Down Expand Up @@ -111,7 +111,7 @@ func PolicyPCRDigest(t transport.TPM, policyHandle tpm2.TPMHandle, pcrSelection
}

if _, err := policyPCR.Execute(t); err != nil {
return nil, fmt.Errorf("failed to execute policyPCR: %v", err)
return nil, fmt.Errorf("failed to execute policyPCR: %w", err)
}

policyGetDigest := tpm2.PolicyGetDigest{
Expand All @@ -120,7 +120,7 @@ func PolicyPCRDigest(t transport.TPM, policyHandle tpm2.TPMHandle, pcrSelection

policyGetDigestResponse, err := policyGetDigest.Execute(t)
if err != nil {
return nil, fmt.Errorf("failed to get policy digest: %v", err)
return nil, fmt.Errorf("failed to get policy digest: %w", err)
}

return &policyGetDigestResponse.PolicyDigest, nil
Expand All @@ -130,7 +130,7 @@ func PolicyPCRDigest(t transport.TPM, policyHandle tpm2.TPMHandle, pcrSelection
func validatePCRBanks(t transport.TPM) error {
pcrValue, err := ReadPCR(t, secureboot.UKIPCR)
if err != nil {
return fmt.Errorf("failed to read PCR: %v", err)
return fmt.Errorf("failed to read PCR: %w", err)
}

if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.UKIPCR); err != nil {
Expand All @@ -139,7 +139,7 @@ func validatePCRBanks(t transport.TPM) error {

pcrValue, err = ReadPCR(t, secureboot.SecureBootStatePCR)
if err != nil {
return fmt.Errorf("failed to read PCR: %v", err)
return fmt.Errorf("failed to read PCR: %w", err)
}

if err = validatePCRNotZeroAndNotFilled(pcrValue, secureboot.SecureBootStatePCR); err != nil {
Expand All @@ -154,12 +154,12 @@ func validatePCRBanks(t transport.TPM) error {

capsResp, err := caps.Execute(t)
if err != nil {
return fmt.Errorf("failed to get PCR capabilities: %v", err)
return fmt.Errorf("failed to get PCR capabilities: %w", err)
}

assignedPCRs, err := capsResp.CapabilityData.Data.AssignedPCR()
if err != nil {
return fmt.Errorf("failed to parse assigned PCRs: %v", err)
return fmt.Errorf("failed to parse assigned PCRs: %w", err)
}

for _, s := range assignedPCRs.PCRSelections {
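Review bot: The two ReadPCR wraps in validatePCRBanks (the hunks at -130 and -139) now chain as `failed to read PCR: failed to read PCR: …` and still do not say which register was being read, because ReadPCR itself already emits the same prefix at its pcrRead.Execute check. Including the index makes the UKI and secure-boot-state cases distinguishable in the unseal failure path this commit is trying to illuminate: `return fmt.Errorf("failed to read PCR %d: %w", secureboot.UKIPCR, err)` for the first, and the same with `secureboot.SecureBootStatePCR` for the second. The switch to `%w` is otherwise the right call, since callers can now use errors.Is/errors.As on the TPM error. validatePCRBanks, like the other functions touched here, continues past the visible hunk lines.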
15 changes: 9 additions & 6 deletions internal/pkg/secureboot/tpm2/unseal.go
Expand Up @@ -104,7 +104,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) {
tpm2.Salted(createPrimaryResponse.ObjectHandle, *outPub),
)
if err != nil {
return nil, fmt.Errorf("failed to create policy session: %v", err)
return nil, fmt.Errorf("failed to create policy session: %w", err)
}

defer policyCloseFunc() //nolint:errcheck
Expand All @@ -121,7 +121,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) {

loadExternalResponse, err := loadExternal.Execute(t)
if err != nil {
return nil, fmt.Errorf("failed to load external key: %v", err)
return nil, fmt.Errorf("failed to load external key: %w", err)
}

defer func() {
Expand Down Expand Up @@ -149,7 +149,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) {
},
})
if err != nil {
return nil, fmt.Errorf("failed to retrieve policy digest: %v", err)
return nil, fmt.Errorf("failed to retrieve policy digest: %w", err)
}

sigJSON, err := ParsePCRSignature()
Expand Down Expand Up @@ -210,7 +210,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) {

verifySignatureResponse, err := verifySignature.Execute(t)
if err != nil {
return nil, fmt.Errorf("failed to verify signature: %v", err)
return nil, fmt.Errorf("failed to verify signature: %w", err)
}

policyAuthorize := tpm2.PolicyAuthorize{
Expand All @@ -221,7 +221,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) {
}

if _, err = policyAuthorize.Execute(t); err != nil {
return nil, fmt.Errorf("failed to execute policy authorize: %v", err)
return nil, fmt.Errorf("failed to execute policy authorize: %w", err)
}

secureBootStatePCRSelector, err := CreateSelector([]int{secureboot.SecureBootStatePCR})
Expand All @@ -237,6 +237,9 @@ func Unseal(sealed SealedResponse) ([]byte, error) {
},
},
})
if err != nil {
return nil, fmt.Errorf("failed to calculate policy PCR digest: %w", err)
}

if !bytes.Equal(secureBootStatePolicyDigest.Buffer, sealed.PolicyDigest) {
return nil, fmt.Errorf("sealing policy digest does not match")
Expand All @@ -258,7 +261,7 @@ func Unseal(sealed SealedResponse) ([]byte, error) {
tpm2.Bound(loadResponse.ObjectHandle, loadResponse.Name, nil),
))
if err != nil {
return nil, fmt.Errorf("failed to unseal op: %v", err)
return nil, fmt.Errorf("failed to unseal op: %w", err)
}

return unsealResponse.OutData.Buffer, nil
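Review bot: The new check after the PolicyPCRDigest call stops a nil secureBootStatePolicyDigest from being dereferenced on the bytes.Equal line, but the mismatch error right below it, `sealing policy digest does not match`, still discards both digests, so the "further insight" the commit description promises for #7828 is not actually surfaced. The policy digest is a hash over the PCR policy rather than key material, and it is already carried in the clear in the SealedResponse input as sealed.PolicyDigest, so reporting both sides looks safe: `return nil, fmt.Errorf("sealing policy digest does not match: computed %x, sealed %x", secureBootStatePolicyDigest.Buffer, sealed.PolicyDigest)`. If the value read for secureboot.SecureBootStatePCR is available at this point, including it as well would point directly at the input that presumably drifted. Unseal begins and ends outside the hunk, and the PolicyPCRDigest call whose result is checked here starts above the visible lines.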
