New issue
Advanced search Search tips

Issue 882049 link

Starred by 1 user
Status: Fixed
Owner:
drcrash@chromium.org
Closed: Oct 31
Cc:
dkalin@google.com
drcrash@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug



Sign in to add a comment

attestation: PCA doesn't expect empty vNVRAM quotes (FinishEnrollInternal: Error received from CA: Invalid NVRAM quote)

Project Member Reported by apronin@chromium.org, Sep 7 
With https://crrev.com/c/1156337, which landed in 11033.0.0, we now always send two vNVRAM quotes to PCA.

Current cr50 doesn't expose any vNVRAM indexes, so we get errors from NV_CertifySync -> "Attestation: Failed to certify board id NV data" -> continue with sending empty quotes.

PCA doesn't expect such empty quotes and per reports we get back "Invalid NVRAM quote" error from it. [In logs as "FinishEnrollInternal: Error received from CA: Invalid NVRAM quote"]

attestationd should be fixed to only send quotes, which were successfully obtained from cr50.

Comment 1 by drcrash@chromium.org, Sep 10

Owner: drcrash@chromium.org
Status: Started (was: Untriaged)
Project Member

Comment 2 by bugdroid1@chromium.org, Sep 19 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/0a7d8e73273a6bddd07870d2c04d2c003948a965

commit 0a7d8e73273a6bddd07870d2c04d2c003948a965
Author: Yves Arrouye <drcrash@google.com>
Date: Wed Sep 19 19:18:22 2018

attestation: do not insert empty NVRAM quotes into the identity data

The ACA does not expect empty quotes and will reject them as
erroneous, preventing enrollment. We also only have code setting
NVRAM quotes if USE_TPM2 is defined (mainly because the Cr50 NVRAM
constants are defined in a package that is only a dependency for
TPM 2).

This CL also quotes both PCRs and NVRAM indices using a loop, allowing
both sets of quotes to easily be extended without copying and pasting
the same logic over and over as was done until now.

BUG= chromium:882049 
TEST=enroll with the ACA on a device without NVRAM data, e.g. eve

Change-Id: I218a1fdfd062215f32a05e427379312d07fb7af7
Reviewed-on: https://chromium-review.googlesource.com/1214643
Commit-Ready: Yves Arrouye <drcrash@chromium.org>
Tested-by: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>

[modify] https://crrev.com/0a7d8e73273a6bddd07870d2c04d2c003948a965/attestation/server/attestation_service.cc
[modify] https://crrev.com/0a7d8e73273a6bddd07870d2c04d2c003948a965/attestation/server/attestation_service_test.cc
[modify] https://crrev.com/0a7d8e73273a6bddd07870d2c04d2c003948a965/attestation/common/mock_tpm_utility.cc

Comment 3 by apronin@chromium.org, Oct 12

Components: OS>Systems>Security

Comment 4 by apronin@chromium.org, Oct 17 

Fixed?

Comment 5 by apronin@chromium.org, Oct 31

Status: Fixed (was: Started)

Sign in to add a comment