utility/chromeos_tpm_recovery_test - Issue 4183005: Add NVRAM size limit to nano-emulator and add test to recover from NVRAM hog attack.

Unified Diff: utility/chromeos_tpm_recovery_test

Issue 4183005: Add NVRAM size limit to nano-emulator and add test to recover from NVRAM hog attack. (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/vboot_reference.git

Patch Set: Created 10 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: utility/chromeos_tpm_recovery_test

diff --git a/utility/chromeos_tpm_recovery_test b/utility/chromeos_tpm_recovery_test

index 817bd04377f9679a48ec627007fac089db03dff1..b73bfe6e1905bc15f8df5e91f720c86ec61129c6 100755

--- a/utility/chromeos_tpm_recovery_test

+++ b/utility/chromeos_tpm_recovery_test

@@ -23,6 +23,8 @@ echo > .recovery

echo 3 > BINF.0

echo 0 > CRSW

+space_overhead=200

# build tpmc

cat > tpmc <<"EOF"

#!/bin/sh -u

@@ -32,17 +34,27 @@ definespace () {

index=$2

size=$3

permissions=$4

+ space_overhead=200

if [ -e space.$index.data -a -e tpm-owned ]; then

echo "cannot redefine space without auth"

+ totalsize=$(( $size + $space_overhead ))

+ free=$(cat nvram.freespace)

+ if [ $totalsize -gt $free ]; then

+ echo "tpmc: definespace: need $totalsize, available $free"

+ return 17 # NO_SPACE

+ fi

if [ $index != 0xf004 ]; then

echo $size > space.$index.size

echo $permissions > space.$index.perm

for i in $(seq 1 $(($size))); do

echo -n "ff " >> space.$index.data

done

+ echo $(( $free - $totalsize )) > nvram.freespace

return 0

}

@@ -130,9 +142,11 @@ EOF

cat > tpm-nvtool <<"EOF"

#!/bin/sh -u

+space_overhead=200

print_space () {

index=$1

- echo "# NV Index $index"

+ printf "# NV Index 0x%08x" $(( $index ))

echo " uninteresting random garbage"

echo " further random garbage"

echo ""

@@ -149,7 +163,10 @@ if [ "$1" = "--release" ]; then

echo "tpm is unowned"

exit 1

+ size=$(cat space.$index.size)

+ free=$(cat nvram.freespace)

rm space.$index.*

+ echo $(( $size + $space_overhead + $free )) > nvram.freespace

elif [ "$1" = "--list" ]; then

for s in space.*.data; do

print_space $(echo $s | sed -e "s/[^.]*\.//" -e "s/\..*//")

@@ -180,34 +197,54 @@ chmod 755 tpmc tpm-nvtool tpm_takeownership tcsd

echo "starting TPM recovery test" > log

# normal run

+echo "TEST: normal run" > log

+echo 1500 > nvram.freespace

./tpmc definespace 0x1007 0xa 0x8001

./tpmc definespace 0x1008 0xd 0x1

./tpmc write 0x1008 01 4c 57 52 47

touch tpm-owned

-echo "TEST: normal run" > log

$ctr log

-# attempt to hijack kernel space

+# Kernel space with wrong ID

+echo "TEST: bad kernel space ID" >> log

rm space.*

+echo 1500 > nvram.freespace

./tpmc definespace 0x1007 0xa 0x8001

./tpmc definespace 0x1008 0xd 0x1

touch tpm-owned

-echo "TEST: bad kernel space ID" >> log

$ctr log

-# attempt to hijack kernel space

+# Kernel space with wrong size

+echo "TEST: bad kernel space size" >> log

rm space.*

+echo 1500 > nvram.freespace

./tpmc definespace 0x1007 0xa 0x8001

./tpmc definespace 0x1008 0xc 0x1

touch tpm-owned

-echo "TEST: bad kernel space size" >> log

$ctr log

+# Kernel space with wrong size AND bogus space to exhaust nvram

+echo "TEST: bad kernel space size and no room" >> log

+rm space.*

+echo 1500 > nvram.freespace

+./tpmc definespace 0x1007 0xa 0x8001

+./tpmc definespace 0x1008 0x1 0x1

+space_hog_size=$(printf "0x%x" \

+ $(( $(cat nvram.freespace) - $space_overhead - 1 )) )

+echo "remaining $(cat nvram.freespace) bytes" >> log

+echo "hogging $(( $space_hog_size )) bytes" >> log

+./tpmc definespace 0xcafe $space_hog_size 0x1 || echo "hogging failed!" >> log

+touch tpm-owned

+$ctr log

« no previous file with comments | « utility/chromeos_tpm_recovery ('k') | no next file » | no next file with comments »