Getting PCR properties with tpm2_getcap #3330

Open
whooo opened this issue Jan 7, 2024 · 9 comments · May be fixed by #3337

Comments

@whooo (Contributor) commented Jan 7, 2024

It would be useful to display the different PCR properties, such as which PCRs can have an auth value set.

@idesai (Member) commented Jan 8, 2024

I believe a Startup(clear) or TPM2_CC_Clear would return PCRs to empty auth.
Auth can be (re)established under platform hierarchy authorization - Normally, platform auth closes very early in boot.
RC_AUTH return code when extending PCRs-with-auth-set would be same as indicating in the getcap readout.

Are you setting the auth and trying to validate that?

@whooo (Contributor, Author) commented Jan 10, 2024

I mostly want to have a quick glance at what the TPM/simulator supports; while my use case is mostly related to auth policy/value, there are other properties as well.
The background is that a recent commit (stefanberger/libtpms@af4fc0e) to libtpms broke some tests, so I wanted to check if a simulator says it supports setting PCR auths, not just if it works.

@idesai (Member) commented Jan 10, 2024

For integration testing we need to implement #3333 and #3334.

@idesai (Member) commented Jan 11, 2024

@whooo, @stefanberger it appears that PCR index 20, 21, 22 are in the authorization set for swtpm. Is that right?

@stefanberger (Contributor)

> @whooo, @stefanberger it appears that PCR index 20, 21, 22 are in the authorization set for swtpm. Is that right?

That's what it is now. Per the commit description:

> Since none of the authValuesGroup'd and policyAuthGroup's are != 0,
> the two functions will now always return false even though they
> returned TRUE before for 20 <= PCR <= 22.

I wasn't sure whether this was a bugfix or introduced a bug. If there's a TPM 2 PC profile that says what these PCRs are supposed to be I will match it to the profile. References to documents welcome...

@idesai (Member) commented Jan 11, 2024

> > @whooo, @stefanberger it appears that PCR index 20, 21, 22 are in the authorization set for swtpm. Is that right?
>
> That's what it is now. Per the commit description:
>
> > Since none of the authValuesGroup'd and policyAuthGroup's are != 0,
> > the two functions will now always return false even though they
> > returned TRUE before for 20 <= PCR <= 22.
>
> I wasn't sure whether this was a bugfix or introduced a bug. If there's a TPM 2 PC profile that says what these PCRs are supposed to be I will match it to the profile. References to documents welcome...

@stefanberger thanks for confirming. Yeah the architecture-doc section 17.7 only mentions one set for the reference implementation but doesn't specify which one. @AndreasFuchsTPM @williamcroberts do you know?

@stefanberger (Contributor)

When I look at the below document Table 6 then my interpretation is that the patch I applied was a bugfix... which breaks backwards compatibility.

https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p05p_r14_pub.pdf

@idesai (Member) commented Jan 11, 2024

> When I look at the below document Table 6 then my interpretation is that the patch I applied was a bugfix... which breaks backwards compatibility.
>
> https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2p0-v1p05p_r14_pub.pdf

It sure looks like it. Perhaps add a command line option to swtpm to retain the old behavior.

idesai linked a pull request Jan 11, 2024 that will close this issue

@stefanberger (Contributor)

> It sure looks like it. Perhaps add a command line option to swtpm to retain the old behavior.

I won't support this with a command line option but may change the table so the function behaves as before...


3 participants