Proposing to add a Google-internal package called tpm_event to an experimental folder.
Package tpm_event extends a TPM-based disk encryption event to PCR8 and writes the event log to disk. It turns TPM-bound disk encryption into an attestable property.
The event's data section is as follows. The package extends a digest of it to the SHA1 and SHA256 banks of PCR8.
```proto
message EventData {
  enum FdeType {
    UNSPECIFIED = 0;
    LOCKED = 1;   // initrd failed to unlock using the TPM
    UNLOCKED = 2; // initrd was able to unlock using the TPM
  }
  FdeType fde_type = 1; // full disk encryption type
  string cmdline = 2;   // extra info from /proc/cmdline
}
```
The eventlog created consists of a specID header followed by a single event in the standard binary format for TPM 2.0 event logs.
```go
dataBytes, err := eventDataBytes(*unlocked) // unlocked is a binary value input
err = ExtendEventToPCR(dataBytes)           // extends data hashes to PCR 8
// Returns specID header of the form "TCG_EfiSpecIDEventStruct"
// https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf#page=18
specIDEvent := buildSpecIDEvent()
// Returns event of the form "TCG_PCR_EVENT2"
// https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf#page=16
event2 := buildInitrdEvent(dataBytes)
err = WriteEventlog(specIDEvent, event2) // writes log to disk
```
Currently the binary can be called as: `/bin/tpm_event --unlocked="$unlocked"`. Open to suggestions for exposing as an API.
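Verifier-side view of the log format described above, added here as an example and not taken from the tpm_event package: it encodes one TCG_PCR_EVENT2 record, checks the logged digests against the event data, and computes the SHA256 value of PCR 8 after a single extend. Assumptions: the event type is EV_EVENT_TAG (0x6), the event data is the proto wire encoding of `EventData`, PCR 8 held all zeros before the extend, and the names `marshalEvent` and `replayPCR8` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// event2 is a TCG_PCR_EVENT2 header fixed to two digests (SHA1, then SHA256), little-endian on disk.
type event2 struct {
	PCRIndex, EventType, DigestCount uint32
	AlgSHA1                          uint16 // TPM_ALG_SHA1 = 0x0004
	SHA1                             [20]byte
	AlgSHA256                        uint16 // TPM_ALG_SHA256 = 0x000B
	SHA256                           [32]byte
	EventSize                        uint32
}

// marshalEvent (hypothetical) builds one record; event type 0x6 (EV_EVENT_TAG) is an assumption.
func marshalEvent(pcr uint32, data []byte) []byte {
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.LittleEndian, event2{pcr, 0x6, 2, 0x0004, sha1.Sum(data), 0x000B, sha256.Sum256(data), uint32(len(data))})
	return append(buf.Bytes(), data...)
}

// replayPCR8 (hypothetical) validates a record and returns SHA256(32 zero bytes || digest), the PCR 8 value after one extend.
func replayPCR8(rec []byte) (pcr [32]byte, data []byte, err error) {
	var h event2
	r := bytes.NewReader(rec)
	if err = binary.Read(r, binary.LittleEndian, &h); err != nil {
		return // record shorter than the fixed header
	}
	data = rec[len(rec)-r.Len():]
	if h.PCRIndex != 8 || h.DigestCount != 2 || h.AlgSHA1 != 0x0004 || h.AlgSHA256 != 0x000B || int(h.EventSize) != len(data) {
		return pcr, nil, fmt.Errorf("unexpected PCR index, digest layout or event size")
	}
	if h.SHA1 != sha1.Sum(data) || h.SHA256 != sha256.Sum256(data) {
		return pcr, nil, fmt.Errorf("logged digest does not match event data")
	}
	return sha256.Sum256(append(make([]byte, 32), h.SHA256[:]...)), data, nil
}

func main() {
	data := append([]byte{0x08, 0x02, 0x12, 0x0e}, "root=/dev/sda1"...) // constructed: fde_type=UNLOCKED, cmdline
	pcr, _, err := replayPCR8(marshalEvent(8, data))
	fmt.Printf("expected PCR8 (sha256): %x err=%v\n", pcr, err)
}
```

A verifier would compare the returned value with the PCR 8 value in a signed TPM quote; if a bootloader also measures into PCR 8, its events have to be replayed first.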