tpm2_getcap: Add capability to print PCR handles in the authorization…

… set Signed-off-by: Imran Desai <[email protected]>
idesai · Jan 11, 2024 · 35c0cc7 · 35c0cc7
1 parent ff2e561
commit 35c0cc7
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 0 deletions.
diff --git a/lib/pcr.c b/lib/pcr.c
@@ -426,6 +426,25 @@ bool pcr_print_pcr_struct(TPML_PCR_SELECTION *pcr_select, tpm2_pcrs *pcrs) {
     return pcr_print_values(pcr_select, pcrs);
 }
 
+void pcr_print_taggedpcr_selections(TPML_TAGGED_PCR_PROPERTY *pcrProperties) {
+
+    tpm2_tool_output("PCR Indices: [");
+    /* Iterate through the PCRs of the bank */
+    bool first = true;
+    unsigned j;
+    for (j = 0; j < pcrProperties->pcrProperty->sizeofSelect * 8; j++) {
+        if ((pcrProperties->pcrProperty->pcrSelect[j / 8] & 1 << (j % 8)) != 0) {
+            if (first) {
+                tpm2_tool_output(" %i", j);
+                first = false;
+            } else {
+                tpm2_tool_output(", %i", j);
+            }
+        }
+    }
+    tpm2_tool_output(" ]\n");
+}
+
 bool pcr_print_pcr_selections(TPML_PCR_SELECTION *pcr_selections) {
     tpm2_tool_output("selected-pcrs:\n");
 

diff --git a/lib/pcr.h b/lib/pcr.h
@@ -44,6 +44,15 @@ typedef struct tpm2_forwards {
  */
 bool pcr_print_pcr_struct(TPML_PCR_SELECTION *pcrSelect, tpm2_pcrs *pcrs);
 
+/**
+ * Echo out all the PCR indices that satisy a PCR property
+ * @param pcrProperties
+ *  Description of the selected pcr properties
+ * @return
+ *  None
+ */
+void pcr_print_taggedpcr_selections(TPML_TAGGED_PCR_PROPERTY *pcrProperties);
+
 /**
  * Echo out all PCR banks according to g_pcrSelection & g_pcrs->.
  * Assume that data structures are all little endian.

diff --git a/man/tpm2_getcap.1.md b/man/tpm2_getcap.1.md
@@ -53,6 +53,9 @@ argument to the tool. Currently supported capability groups are:
 - **handles-saved-session**:
   Display handles about saved sessions.
 
+- **pcrhandles-with-auth**:
+  Display PCR handles that are in the authorization set.
+
 - **vendor[:num]**:
   Displays the vendor properties as a hex buffer output. The string "vendor"
   can be suffixed with a colon followed by a number as understood by strtoul(3)

diff --git a/tools/tpm2_getcap.c b/tools/tpm2_getcap.c
@@ -123,6 +123,12 @@ capability_map_entry_t capability_map[] = {
         .property          = TPM2_ACTIVE_SESSION_FIRST,
         .count             = TPM2_MAX_CAP_HANDLES,
     },
+    {
+        .capability_string = "pcrhandles-with-auth",
+        .capability        = TPM2_CAP_PCR_PROPERTIES,
+        .property          = TPM2_PT_PCR_AUTH,
+        .count             = TPM2_MAX_PCR_PROPERTIES,
+    },
 #if defined(ESYS_4_0)
     {
         .capability_string = "vendor",
@@ -812,6 +818,12 @@ static bool dump_tpm_capability(TPMU_CAPABILITIES *capabilities) {
     case TPM2_CAP_PCRS:
         pcr_print_pcr_selections(&capabilities->assignedPCR);
         break;
+    case TPM2_CAP_PCR_PROPERTIES:
+        if(options.property == TPM2_PT_PCR_AUTH) {
+            tpm2_tool_output("PCR-Property = Authorization\n");
+            pcr_print_taggedpcr_selections(&capabilities->pcrProperties);
+        }
+        break;
 #if defined(ESYS_4_0)
     case TPM2_CAP_VENDOR_PROPERTY: {