From: Divya Chellam <divya.chel...@windriver.com>

tpm2 is the source repository for the Trusted Platform Module (TPM2.0)
tools. This vulnerability allows attackers to manipulate tpm2_checkquote
outputs by altering the TPML_PCR_SELECTION in the PCR input file.
As a result, digest values are incorrectly mapped to PCR slots and banks,
providing a misleading picture of the TPM state. This issue has been
patched in version 5.7.

Reference:
https://security-tracker.debian.org/tracker/CVE-2024-29039

Upstream-patch:
https://github.com/tpm2-software/tpm2-tools/commit/98599df9392a346216c5a059b8d35271286100bb

Signed-off-by: Divya Chellam <divya.chel...@windriver.com>
---
 .../tpm2-tools/CVE-2024-29039.patch           | 92 +++++++++++++++++++
 .../recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb |  4 +-
 2 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 
meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools/CVE-2024-29039.patch

diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools/CVE-2024-29039.patch 
b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools/CVE-2024-29039.patch
new file mode 100644
index 0000000..e3dc5c9
--- /dev/null
+++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools/CVE-2024-29039.patch
@@ -0,0 +1,92 @@
+From 98599df9392a346216c5a059b8d35271286100bb Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_r...@web.de>
+Date: Tue, 5 Mar 2024 22:11:38 +0100
+Subject: [PATCH] tpm2_checkquote: Add comparison of pcr selection. 
+
+The pcr selection which is passed with the --pcr parameter it not 
+compared with the attest. So it's possible to fake a valid 
+attestation.
+
+Fixes: CVE-2024-29039
+
+Signed-off-by: Juergen Repp <juergen_r...@web.de>
+Signed-off-by: Andreas Fuchs <andreas.fu...@infineon.com>
+
+CVE: CVE-2024-29039
+
+Upstream-Status: Backport 
[https://github.com/tpm2-software/tpm2-tools/commit/98599df9392a346216c5a059b8d35271286100bb]
+
+Signed-off-by: Divya Chellam <divya.chel...@windriver.com>
+---
+ tools/misc/tpm2_checkquote.c | 41 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/tools/misc/tpm2_checkquote.c b/tools/misc/tpm2_checkquote.c
+index 9225b25..d682f48 100644
+--- a/tools/misc/tpm2_checkquote.c
++++ b/tools/misc/tpm2_checkquote.c
+@@ -48,6 +48,37 @@ static tpm2_verifysig_ctx ctx = {
+         .pcr_hash = TPM2B_TYPE_INIT(TPM2B_DIGEST, buffer),
+ };
+ 
++static bool compare_pcr_selection(TPML_PCR_SELECTION *attest_sel, 
TPML_PCR_SELECTION *pcr_sel) {
++    if (attest_sel->count != pcr_sel->count) {
++        LOG_ERR("Selection sizes do not match.");
++        return false;
++    }
++    for (uint32_t i = 0; i < attest_sel->count; i++) {
++        for (uint32_t j = 0; j < pcr_sel->count; j++) {
++            if (attest_sel->pcrSelections[i].hash ==
++                pcr_sel->pcrSelections[j].hash) {
++                if (attest_sel->pcrSelections[i].sizeofSelect !=
++                        pcr_sel->pcrSelections[j].sizeofSelect) {
++                    LOG_ERR("Bitmask size does not match");
++                    return false;
++                }
++                if (memcmp(&attest_sel->pcrSelections[i].pcrSelect[0],
++                           &pcr_sel->pcrSelections[j].pcrSelect[0],
++                           attest_sel->pcrSelections[i].sizeofSelect) != 0) {
++                    LOG_ERR("Selection bitmasks do not match");
++                    return false;
++                }
++                break;
++            }
++            if (j == pcr_sel->count - 1) {
++                LOG_ERR("Hash selections to not match.");
++                return false;
++            }
++        }
++    }
++    return true;
++}
++
+ static bool verify_signature() {
+ 
+     bool result = false;
+@@ -212,7 +243,7 @@ static tool_rc init(void) {
+     }
+ 
+     TPM2B_ATTEST *msg = NULL;
+-    TPML_PCR_SELECTION pcr_select;
++    TPML_PCR_SELECTION pcr_select = { 0 };
+     tpm2_pcrs * pcrs;
+     tool_rc return_value = tool_rc_general_error;
+ 
+@@ -279,6 +310,14 @@ static tool_rc init(void) {
+         goto err;
+     }
+ 
++    if (ctx.flags.pcr) {
++        if (!compare_pcr_selection(&ctx.attest.attested.quote.pcrSelect,
++                                   &pcr_select)) {
++            LOG_ERR("PCR selection does not match PCR slection from attest!");
++            goto err;
++        }
++    }
++
+     // Figure out the digest for this message
+     bool res = tpm2_openssl_hash_compute_data(ctx.halg, msg->attestationData,
+             msg->size, &ctx.msg_hash);
+-- 
+2.40.0
+
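Review bot: compare_pcr_selection() indexes `pcrSelections[]` up to `count` and passes `sizeofSelect` straight to `memcmp()` without checking either field against the size of the array it bounds, and per the commit description `pcr_sel` comes from the PCR input file, the input this CVE treats as attacker-controlled. The equality checks tie both fields to the attest side, so the reads stay in bounds only if the attest was range-checked when it was unmarshalled, which is not visible in this hunk (init() starts and ends outside it). I would make the helper self-contained with `if (attest_sel->count > TPM2_NUM_PCR_BANKS) return false;` before the loops and `if (attest_sel->pcrSelections[i].sizeofSelect > sizeof(attest_sel->pcrSelections[i].pcrSelect)) return false;` before the `memcmp()`, or at least add a comment stating that reliance. Both parameters are only read and could be declared `const TPML_PCR_SELECTION *`.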
diff --git a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb 
b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
index c20af7e..e4966d7 100644
--- a/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
+++ b/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.2.bb
@@ -6,7 +6,9 @@ SECTION = "tpm"
 
 DEPENDS = "tpm2-abrmd tpm2-tss openssl curl autoconf-archive"
 
-SRC_URI = 
"https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz";
+SRC_URI = 
"https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz
 \
+           file://CVE-2024-29039.patch \
+          "
 
 SRC_URI[sha256sum] = 
"c0b402f6a7b3456e8eb2445211e2d41c46c7e769e05fe4d8909ff64119f7a630"
 
-- 
2.40.0
