tpm2sh 0.12.2

TPM 2.0 shell
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236

// SPDX-License-Identifier: GPL-3-0-or-later
// Copyright (c) 2025 Opinsys Oy
// Copyright (c) 2024-2025 Jarkko Sakkinen

//! Abstractions and logic for handling Platform Configuration Registers (PCRs).

use crate::{
    crypto::{crypto_digest, CryptoError},
    device::{Device, DeviceError},
    key::Tpm2shAlgId,
};
use std::{convert::TryFrom, fmt};
use thiserror::Error;
use tpm2_protocol::{
    constant::TPM_PCR_SELECT_MAX,
    data::{
        TpmAlgId, TpmCap, TpmCc, TpmlPcrSelection, TpmsPcrSelect, TpmsPcrSelection,
        TpmuCapabilities,
    },
    message::TpmPcrReadCommand,
    TpmError,
};

#[derive(Debug, Error)]
pub enum PcrError {
    #[error("device: {0}")]
    Device(#[from] DeviceError),
    #[error("invalid algorithm: {0:?}")]
    InvalidAlgorithm(TpmAlgId),
    #[error("invalid PCR selection: {0}")]
    InvalidPcrSelection(String),
    #[error("TPM: {0}")]
    Tpm(TpmError),
    #[error("crypto: {0}")]
    Crypto(#[from] CryptoError),
}

impl From<TpmError> for PcrError {
    fn from(err: TpmError) -> Self {
        Self::Tpm(err)
    }
}

/// Represents the state of a single PCR register.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Pcr {
    pub bank: TpmAlgId,
    pub index: u32,
    pub value: Vec<u8>,
}

/// Represents the properties of a single PCR bank.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PcrBank {
    pub alg: TpmAlgId,
    pub count: usize,
}

/// Represents a user's selection of PCR indices for a specific bank.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct PcrSelection {
    pub alg: TpmAlgId,
    pub indices: Vec<u32>,
}

impl fmt::Display for PcrSelection {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let indices_str = self
            .indices
            .iter()
            .map(ToString::to_string)
            .collect::<Vec<_>>()
            .join(",");
        write!(f, "{}:{}", crate::key::Tpm2shAlgId(self.alg), indices_str)
    }
}

/// Discovers the list of available PCR banks and their sizes from the TPM.
///
/// # Errors
///
/// Returns a `PcrError` if the TPM capability query fails or if the TPM reports
/// no active PCR banks.
pub fn pcr_get_bank_list(device: &mut Device) -> Result<Vec<PcrBank>, PcrError> {
    let (_, cap_data) = device.get_capability_page(TpmCap::Pcrs, 0, 1)?;
    let mut banks = Vec::new();
    if let TpmuCapabilities::Pcrs(pcrs) = cap_data.data {
        for bank in pcrs.iter() {
            banks.push(PcrBank {
                alg: bank.hash,
                count: bank.pcr_select.len() * 8,
            });
        }
    }
    if banks.is_empty() {
        return Err(PcrError::InvalidPcrSelection(
            "TPM reported no active PCR banks.".to_string(),
        ));
    }
    banks.sort_by_key(|b| b.alg);
    Ok(banks)
}

/// Parses a PCR selection string (e.g., "sha256:0,7+sha1:1") into a vector of
/// `PcrSelection`.
///
/// # Errors
///
/// Returns a `PcrError` if the selection string is malformed, contains an
/// invalid algorithm name, or has non-numeric PCR indices.
pub fn pcr_selection_vec_from_str(selection_str: &str) -> Result<Vec<PcrSelection>, PcrError> {
    selection_str
        .split('+')
        .map(|part| {
            let (alg_str, indices_str) = part
                .split_once(':')
                .ok_or_else(|| PcrError::InvalidPcrSelection(part.to_string()))?;

            let alg = Tpm2shAlgId::try_from(alg_str)
                .map_err(|e| PcrError::InvalidPcrSelection(e.to_string()))?
                .0;

            let indices: Vec<u32> = indices_str
                .split(',')
                .map(|s| {
                    s.parse::<u32>()
                        .map_err(|_| PcrError::InvalidPcrSelection(indices_str.to_string()))
                })
                .collect::<Result<_, _>>()?;

            Ok(PcrSelection { alg, indices })
        })
        .collect()
}

/// Converts a vector of `PcrSelection` into the low-level `TpmlPcrSelection`
/// format.
///
/// # Errors
///
/// Returns a `PcrError` if a selected algorithm is not present in the provided
/// list of banks, or if a selected PCR index is out of bounds for its bank.
pub fn pcr_selection_vec_to_tpml(
    selections: &[PcrSelection],
    banks: &[PcrBank],
) -> Result<TpmlPcrSelection, PcrError> {
    let mut list = TpmlPcrSelection::new();
    for selection in selections {
        let bank = banks
            .iter()
            .find(|b| b.alg == selection.alg)
            .ok_or_else(|| {
                PcrError::InvalidPcrSelection(format!(
                    "PCR bank for algorithm {:?} not found or supported by TPM",
                    selection.alg
                ))
            })?;
        let pcr_select_size = bank.count.div_ceil(8);
        if pcr_select_size > TPM_PCR_SELECT_MAX {
            return Err(PcrError::InvalidPcrSelection(format!(
                "invalid select size {pcr_select_size} (> {TPM_PCR_SELECT_MAX})"
            )));
        }
        let mut pcr_select_bytes = vec![0u8; pcr_select_size];
        for &pcr_index in &selection.indices {
            let pcr_index = pcr_index as usize;
            if pcr_index >= bank.count {
                return Err(PcrError::InvalidPcrSelection(format!(
                    "invalid index {pcr_index} for {:?} bank (max is {})",
                    bank.alg,
                    bank.count - 1
                )));
            }
            pcr_select_bytes[pcr_index / 8] |= 1 << (pcr_index % 8);
        }
        list.try_push(TpmsPcrSelection {
            hash: selection.alg,
            pcr_select: TpmsPcrSelect::try_from(pcr_select_bytes.as_slice())?,
        })?;
    }
    Ok(list)
}

/// Reads the selected PCRs and returns them in a structured format.
///
/// # Errors
///
/// Returns a `PcrError` if the `TPM2_PcrRead` command fails or if the TPM's
/// response does not contain the expected number of digests for the selection.
pub fn pcr_read(
    device: &mut Device,
    pcr_selection_in: &TpmlPcrSelection,
) -> Result<(Vec<Pcr>, u32), PcrError> {
    let cmd = TpmPcrReadCommand {
        pcr_selection_in: *pcr_selection_in,
    };
    let (resp, _) = device.execute(&cmd, &[])?;
    let pcr_read_resp = resp
        .PcrRead()
        .map_err(|_| DeviceError::ResponseMismatch(TpmCc::PcrRead))?;
    let mut pcrs = Vec::new();
    let mut digest_iter = pcr_read_resp.pcr_values.iter();
    for selection in pcr_read_resp.pcr_selection_out.iter() {
        for (byte_idx, &byte) in selection.pcr_select.iter().enumerate() {
            if byte == 0 {
                continue;
            }
            for bit_idx in 0..8 {
                if (byte >> bit_idx) & 1 == 1 {
                    let pcr_index = u32::try_from(byte_idx * 8 + bit_idx)
                        .map_err(|_| PcrError::InvalidPcrSelection("PCR index overflow".into()))?;
                    let value = digest_iter.next().ok_or_else(|| {
                        PcrError::InvalidPcrSelection("PCR selection mismatch".to_string())
                    })?;
                    pcrs.push(Pcr {
                        bank: selection.hash,
                        index: pcr_index,
                        value: value.to_vec(),
                    });
                }
            }
        }
    }
    Ok((pcrs, pcr_read_resp.pcr_update_counter))
}

/// Computes a composite digest from a set of PCRs using a specified algorithm.
///
/// # Errors
///
/// Returns a `PcrError` if the provided hash algorithm is not supported for
/// creating a composite digest.
pub fn pcr_composite_digest(pcrs: &[Pcr], alg: TpmAlgId) -> Result<Vec<u8>, PcrError> {
    let digests: Vec<&[u8]> = pcrs.iter().map(|p| p.value.as_slice()).collect();
    Ok(crypto_digest(alg, &digests)?)
}