Add PCRReset command for tpm2 (#268)

google · Jan 26, 2022 · 77d0de8 · 77d0de8
1 parent 90fb624
commit 77d0de8
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 0 deletions.
diff --git a/tpm2/constants.go b/tpm2/constants.go
@@ -454,6 +454,7 @@ const (
 	CmdDictionaryAttackLockReset  tpmutil.Command = 0x00000139
 	CmdDictionaryAttackParameters tpmutil.Command = 0x0000013A
 	CmdPCREvent                   tpmutil.Command = 0x0000013C
+	CmdPCRReset                   tpmutil.Command = 0x0000013D
 	CmdSequenceComplete           tpmutil.Command = 0x0000013E
 	CmdStartup                    tpmutil.Command = 0x00000144
 	CmdShutdown                   tpmutil.Command = 0x00000145

diff --git a/tpm2/test/tpm2_test.go b/tpm2/test/tpm2_test.go
@@ -1102,6 +1102,39 @@ func TestReadPCR(t *testing.T) {
 	}
 }
 
+func TestPCRReset(t *testing.T) {
+	rw := openTPM(t)
+	defer rw.Close()
+	allZeroBytes := make([]byte, 32)
+	debugPCR := 16
+
+	var fakeHashSum [32]byte
+	err := PCRExtend(rw, tpmutil.Handle(debugPCR), AlgSHA256, fakeHashSum[:], "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	pcrVal, err := ReadPCR(rw, debugPCR, AlgSHA256)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if bytes.Equal(allZeroBytes, pcrVal) {
+		t.Fatal("PCR shouldn't be all zeros after PCRExtend")
+	}
+
+	err = PCRReset(rw, tpmutil.Handle(debugPCR))
+	if err != nil {
+		t.Fatal(err)
+	}
+	pcrVal, err = ReadPCR(rw, debugPCR, AlgSHA256)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !bytes.Equal(allZeroBytes, pcrVal) {
+		t.Fatal("PCR should be all zeros after PCRReset")
+	}
+}
+
 func makeAttestationData() AttestationData {
 	signer := tpmutil.Handle(100)
 	return AttestationData{

diff --git a/tpm2/tpm2.go b/tpm2/tpm2.go
@@ -1930,6 +1930,29 @@ func ReadPCR(rw io.ReadWriter, pcr int, hashAlg Algorithm) ([]byte, error) {
 	return pcrVal, nil
 }
 
+func encodePCRReset(pcr tpmutil.Handle) ([]byte, error) {
+	ha, err := tpmutil.Pack(pcr)
+	if err != nil {
+		return nil, err
+	}
+	auth, err := encodeAuthArea(AuthCommand{Session: HandlePasswordSession, Attributes: AttrContinueSession, Auth: EmptyAuth})
+	if err != nil {
+		return nil, err
+	}
+	return concat(ha, auth)
+}
+
+// PCRReset resets the value of the given PCR. Usually, only PCR 16 (Debug) and
+// PCR 23 (Application) are resettable on the default locality.
+func PCRReset(rw io.ReadWriter, pcr tpmutil.Handle) error {
+	Cmd, err := encodePCRReset(pcr)
+	if err != nil {
+		return err
+	}
+	_, err = runCommand(rw, TagSessions, CmdPCRReset, tpmutil.RawBytes(Cmd))
+	return err
+}
+
 // EncryptSymmetric encrypts data using a symmetric key.
 //
 // WARNING: This command performs low-level cryptographic operations.