Improve cve detection and tooling

Signed-off-by: Philipp Deppenwiese <[email protected]>
immune-gmbh · Mar 9, 2023 · 0677e2c · 0677e2c
1 parent bc70273
commit 0677e2c
Show file tree

Hide file tree

Showing 7 changed files with 72 additions and 36 deletions.
diff --git a/cmd/tpm-vuln-checker/cmds.go b/cmd/tpm-vuln-checker/cmds.go
@@ -24,8 +24,9 @@ import (
 )
 
 var (
-	NonVulnerableStyle = color.New(color.FgGreen, color.BgBlack, color.Bold).SprintFunc()
-	VulnerableStyle    = color.New(color.FgRed, color.BgBlack, color.Bold).SprintFunc()
+	NonVulnerableStyle   = color.New(color.FgGreen, color.BgBlack, color.Bold).SprintFunc()
+	VulnerableStyle      = color.New(color.FgRed, color.BgBlack, color.Bold).SprintFunc()
+	MaybeVulnerableStyle = color.New(color.FgYellow, color.BgBlack, color.Bold).SprintFunc()
 )
 
 type context struct {
@@ -57,17 +58,21 @@ func (v *checkCmd) Run(ctx *context) error {
 	if err != nil {
 		return err
 	}
-	fmt.Printf("TPM Manufacturer: \t%s\nTPM Spec Revision: \t%s\nTPM Family: \t\t%s\nTPM Firmware: \t\t0x%s,0x%s\n",
-		tpmInfo.Manufacturer.String(), tpmInfo.SpecRevision.String(), tpmInfo.Family.String(),
-		tpmInfo.FWVersion1.String(), tpmInfo.FWVersion2.String())
+	fmt.Printf("TPM Manufacturer: \t%s\nTPM Spec Revision: \t%s\nTPM Family: \t\t%s\n",
+		tpmInfo.Manufacturer.String(), tpmInfo.SpecRevision.String(), tpmInfo.Family.String())
 	vulnerable, cveData, err := cve.Detect(socket)
 	if err != nil {
-		return err
-	}
-	if vulnerable {
-		fmt.Printf("CVE 2023-1017-1018: \t%s", VulnerableStyle("Vulnerable"))
+		if err.Error() == "unknown" {
+			fmt.Printf("CVE 2023-1017/2023-1018: \t%s", MaybeVulnerableStyle("Probably Not Vulnerable"))
+		} else {
+			return err
+		}
 	} else {
-		fmt.Printf("CVE 2023-1017-1018: \t%s", NonVulnerableStyle("Not Vulnerable"))
+		if vulnerable {
+			fmt.Printf("CVE 2023-1017/2023-1018: \t%s", VulnerableStyle("Vulnerable"))
+		} else {
+			fmt.Printf("CVE 2023-1017/2023-1018: \t%s", NonVulnerableStyle("Not Vulnerable"))
+		}
 	}
 	fmt.Println()
 	if v.NonInteractive {

diff --git a/cmd/tpm-vuln-checker/main.go b/cmd/tpm-vuln-checker/main.go
@@ -51,6 +51,5 @@ func main() {
 		}))
 	err := ctx.Run(&context{Emulator: cli.Emulator})
 	fmt.Println()
-	fmt.Println()
 	ctx.FatalIfErrorf(err)
 }
diff --git a/go.mod b/go.mod
@@ -17,5 +17,5 @@ require (
 
 require (
 	github.com/google/uuid v1.3.0
-	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/sys v0.3.0
 )
diff --git a/pkg/cloud/cloud.go b/pkg/cloud/cloud.go
@@ -1,3 +1,16 @@
+// Copyright (c) 2018, Google LLC All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 package cloud
 
 import (

diff --git a/pkg/cve/cve.go b/pkg/cve/cve.go
@@ -14,6 +14,7 @@
 package cve
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"strconv"
@@ -26,7 +27,8 @@ import (
 
 type CVEData struct {
 	RawString string
-	Err       tpm2.ParameterError
+	Valid     int
+	Code      uint64
 }
 
 func hex2int(hexStr string) uint64 {
@@ -35,7 +37,7 @@ func hex2int(hexStr string) uint64 {
 	return uint64(result)
 }
 
-func parserParameterError(err error) (*CVEData, error) {
+func parserError(err error) (*CVEData, error) {
 	var cveData CVEData
 	strErr := err.Error()
 	if err == nil {
@@ -55,8 +57,8 @@ func parserParameterError(err error) (*CVEData, error) {
 			return nil, fmt.Errorf("couldn't parse parameter error code")
 		}
 		code := hex2int(info[4])
-		cveData.Err.Parameter = tpm2.RCIndex(param)
-		cveData.Err.Code = tpm2.RCFmt1(code)
+		cveData.Valid = param
+		cveData.Code = code
 		return &cveData, nil
 	}
 	return nil, fmt.Errorf("couldn't parse error strings: %s", strErr)
@@ -88,19 +90,21 @@ func Detect(rwc io.ReadWriteCloser) (bool, *CVEData, error) {
 	if err == nil {
 		return false, nil, fmt.Errorf("no tpm error returned")
 	}
-	cveData, err := parserParameterError(err)
+	cveData, err := parserError(err)
 	if err != nil {
 		return false, nil, fmt.Errorf("couldn't parse parameter error %v", err)
 	}
-	if cveData != nil && cveData.Err.Parameter == 1 {
-		switch cveData.Err.Code {
+	if cveData != nil && cveData.Valid == 1 {
+		switch cveData.Code {
 		case 0x1a:
 			return false, cveData, nil
 		case 0x15:
 			return true, cveData, nil
 		}
+	} else if cveData != nil && cveData.Valid != 1 {
+		return false, cveData, errors.New("unknown")
 	}
-	return false, cveData, nil
+	return false, cveData, fmt.Errorf("no cve data")
 }
 
 func oobRead(rwc io.ReadWriteCloser, owner, sess tpmutil.Handle, payload []byte) error {

diff --git a/pkg/system/system.go b/pkg/system/system.go
diff --git a/pkg/tss/tpm.go b/pkg/tss/tpm.go
@@ -65,26 +65,22 @@ var families = map[TCGFamily]string{
 }
 
 type TCGSpecRevision uint32
-type TCGFirmwareVersion1 uint32
-type TCGFirmwareVersion2 uint32
+type TCGFirmwareVersion uint32
+type TCGVendorString uint32
 
 type TPM20Info struct {
 	Manufacturer TCGVendorID
 	Family       TCGFamily
 	SpecRevision TCGSpecRevision
-	FWVersion1   TCGFirmwareVersion1
-	FWVersion2   TCGFirmwareVersion2
+	FWVersion1   TCGFirmwareVersion
+	FWVersion2   TCGFirmwareVersion
+	VendorData1  TCGVendorString
+	VendorData2  TCGVendorString
+	VendorData3  TCGVendorString
+	VendorData4  TCGVendorString
 }
 
-func (version TCGFirmwareVersion1) String() string {
-	if version == 0 {
-		return "0"
-	} else {
-		return strconv.FormatUint(uint64(version), 16)
-	}
-}
-
-func (version TCGFirmwareVersion2) String() string {
+func (version TCGFirmwareVersion) String() string {
 	if version == 0 {
 		return "0"
 	} else {
@@ -256,12 +252,32 @@ func ReadTPM2VendorAttributes(tpm io.ReadWriteCloser) (*TPM20Info, error) {
 	if err != nil {
 		return nil, err
 	}
+	vendor1, err := Property(tpm, uint32(tpm2.VendorString1))
+	if err != nil {
+		return nil, err
+	}
+	vendor2, err := Property(tpm, uint32(tpm2.VendorString2))
+	if err != nil {
+		return nil, err
+	}
+	vendor3, err := Property(tpm, uint32(tpm2.VendorString3))
+	if err != nil {
+		return nil, err
+	}
+	vendor4, err := Property(tpm, uint32(tpm2.VendorString4))
+	if err != nil {
+		return nil, err
+	}
 	return &TPM20Info{
 		Manufacturer: TCGVendorID(manu),
 		Family:       TCGFamily(family),
 		SpecRevision: TCGSpecRevision(spec),
-		FWVersion1:   TCGFirmwareVersion1(version1),
-		FWVersion2:   TCGFirmwareVersion2(version2),
+		FWVersion1:   TCGFirmwareVersion(version1),
+		FWVersion2:   TCGFirmwareVersion(version2),
+		VendorData1:  TCGVendorString(vendor1),
+		VendorData2:  TCGVendorString(vendor2),
+		VendorData3:  TCGVendorString(vendor3),
+		VendorData4:  TCGVendorString(vendor4),
 	}, nil
 }