Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-state-manager / b454d8bea43b303b9de2ac3262aea0225763d732^! / . / secure_boot_check.cpp
commitb454d8bea43b303b9de2ac3262aea0225763d732[log] [tgz]
authorLakshmi Yadlapati <lakshmiy@us.ibm.com>Mon Mar 27 16:11:41 2023 -0500
committerLakshmi Yadlapati <lakshmiy@us.ibm.com>Tue Mar 28 10:42:38 2023 -0500
tree26c7c74a59b687ae8fe2718391a7d1a05165a7bf
parente960184d378a4f735315a65a01d560158b555542 [diff] [blame]
secure-boot: Log an error if TPM measurement fails

Log an error if the TPM measurement fails due to the absence or
invalid value of the file '/sys/class/tpm/tpm0/pcr-sha256/0'.

Tested:
Verified that an error is logged when '/sys/class/tpm/tpm0/pcr-sha256/0'
is absent, empty, or has a value of 0, indicating that the TPM
measurement has failed.
```
"Severity" : {
	"type" : "s",
	"data" : "xyz.openbmc_project.Logging.Entry.Level.Error"
},
"Message" : {
	"type" : "s",
	"data" : "xyz.openbmc_project.State.Error.TpmMeasurementFail"
},
"AdditionalData" : {
	"type" : "as",
	"data" : [
		"ERROR=TPM measurement value is empty: /sys/class/tpm/tpm0/pcr-sha256/0",
		"_PID=501"
	]
},
```

Change-Id: I9be610a9b473a529b09feec6643ec65b58a62907
Signed-off-by: Lakshmi Yadlapati <lakshmiy@us.ibm.com>

diff --git a/secure_boot_check.cpp b/secure_boot_check.cpp
index fc5cec0..edbd8ff 100644
--- a/secure_boot_check.cpp
+++ b/secure_boot_check.cpp

@@ -12,6 +12,55 @@
 
 constexpr auto PROPERTY_INTERFACE = "org.freedesktop.DBus.Properties";
 
+// Check if the TPM measurement file exists and has a valid value.
+// If the TPM measurement is invalid, it logs an error message.
+void checkTpmMeasurement()
+{
+    bool tpmError = false;
+    std::string errorMsg;
+    if (!std::filesystem::exists(std::string(SYSFS_TPM_MEASUREMENT_PATH)))
+    {
+        tpmError = true;
+        errorMsg = "TPM measurement file does not exist: " +
+                   std::string(SYSFS_TPM_MEASUREMENT_PATH);
+    }
+    else
+    {
+        std::string tpmValueStr;
+        std::ifstream tpmFile(std::string(SYSFS_TPM_MEASUREMENT_PATH));
+
+        tpmFile >> tpmValueStr;
+        if (tpmValueStr.empty())
+        {
+            tpmError = true;
+            errorMsg = "TPM measurement value is empty: " +
+                       std::string(SYSFS_TPM_MEASUREMENT_PATH);
+        }
+        else if (tpmValueStr == "0")
+        {
+            tpmError = true;
+            errorMsg = "TPM measurement value is 0: " +
+                       std::string(SYSFS_TPM_MEASUREMENT_PATH);
+        }
+        tpmFile.close();
+    }
+
+    if (tpmError)
+    {
+        // Doesn't have valid TPM measurement, log an error message
+        std::map<std::string, std::string> additionalData;
+        error("{ERROR}", "ERROR", errorMsg);
+        additionalData.emplace("ERROR", errorMsg);
+        auto bus = sdbusplus::bus::new_default();
+        phosphor::state::manager::utils::createError(
+            bus, "xyz.openbmc_project.State.Error.TpmMeasurementFail",
+            sdbusplus::xyz::openbmc_project::Logging::server::Entry::Level::
+                Error,
+            additionalData);
+    }
+    return;
+}
+
 // Utilize the QuiesceOnHwError setting as an indication that the system
 // is operating in an environment where the user should be notified of
 // security settings (i.e. "Manufacturing")
@@ -139,5 +188,8 @@
         }
     }
 
+    // Check the TPM measurement
+    checkTpmMeasurement();
+
     return 0;
 }