Add option to skip Calling EFI Application check

The server library supports a check that requires
EV_EFI_BOOT_SERVICES_APPLICATION to occur after a
"Calling EFI Application from Boot Option" event.
This check is generally useful for VMs and some physical firmware.

However, some vendors load services as PE/COFF EFI applications before
the OS loading process starts. This option will allow verifiers of those
platforms to skip the check above.

Closes google#535.

Author: alexmwu

internal/test/eventlogs/gdc-host.bin

@@ -26,6 +26,8 @@ var (
 	Cos93AmdSevEventLog []byte
 	//go:embed eventlogs/cos-101-amd-sev.bin
 	Cos101AmdSevEventLog []byte
+	//go:embed eventlogs/gdc-host.bin
+	GdcHost []byte
 )
 
 // Kernel command lines from event logs.

internal/test/test_data.go

@@ -43,7 +43,7 @@ var (
 // It is the caller's responsibility to ensure that the passed PCR values can be
 // trusted. Users can establish trust in PCR values by either calling
 // client.ReadPCRs() themselves or by verifying the values via a PCR quote.
-func parsePCClientEventLog(rawEventLog []byte, pcrs *tpmpb.PCRs, loader Bootloader) (*pb.MachineState, error) {
+func parsePCClientEventLog(rawEventLog []byte, pcrs *tpmpb.PCRs, opts VerifyOpts) (*pb.MachineState, error) {
 	var errors []error
 	events, err := parseReplayHelper(rawEventLog, pcrs)
 	if err != nil {
@@ -61,14 +61,14 @@ func parsePCClientEventLog(rawEventLog []byte, pcrs *tpmpb.PCRs, loader Bootload
 	if err != nil {
 		errors = append(errors, err)
 	}
-	efiState, err := getEfiState(cryptoHash, rawEvents)
+	efiState, err := getEfiState(cryptoHash, rawEvents, opts)
 	if err != nil {
 		errors = append(errors, err)
 	}
 
 	var grub *pb.GrubState
 	var kernel *pb.LinuxKernelState
-	if loader == GRUB {
+	if opts.Loader == GRUB {
 		grub, err = getGrubState(cryptoHash, rawEvents)
 		if err != nil {
 			errors = append(errors, err)
@@ -541,7 +541,7 @@ func verifyDataDigest(hasher hash.Hash, data []byte, digest []byte) error {
 	return nil
 }
 
-func getEfiState(hash crypto.Hash, events []*pb.Event) (*pb.EfiState, error) {
+func getEfiState(hash crypto.Hash, events []*pb.Event, opts VerifyOpts) (*pb.EfiState, error) {
 	// We pre-compute various event digests, and check if those event type have
 	// been modified. We only trust events that come before the
 	// ExitBootServices() request.
@@ -590,7 +590,7 @@ func getEfiState(hash crypto.Hash, events []*pb.Event) (*pb.EfiState, error) {
 			}
 
 			if evtType == EFIBootServicesApplication {
-				if !seenCallingEfiApp {
+				if !opts.AllowEFIAppBeforeCallingEvent && !seenCallingEfiApp {
 					return nil, fmt.Errorf("found EFIBootServicesApplication in PCR%d before CallingEFIApp event", index)
 				}
 				efiAppStates = append(efiAppStates, &pb.EfiApp{Digest: event.GetDigest()})

server/eventlog.go

@@ -33,7 +33,6 @@ type eventLog struct {
 // The Arch Linux event log has two known failures due to our parser's strict checks.
 var archLinuxKnownParsingFailures = []string{
 	"SecureBoot data len is 0, expected 1",
-	"found EFIBootServicesApplication in PCR4 before CallingEFIApp event",
 }
 
 // Agile Event Log from a RHEL 8 GCE instance with Secure Boot enabled
@@ -534,30 +533,59 @@ var COS101AmdSev = eventLog{
 	},
 }
 
+var GdcHost = eventLog{
+	RawLog: test.GdcHost,
+	Banks: []*pb.PCRs{{
+		Hash: pb.HashAlgo_SHA256,
+		Pcrs: map[uint32][]byte{
+			0:  decodeHex("dab77c454bd12c27ff6b6ce1f9adca90b7a330c1cef0b5cd01cb89fb3bd0dffa"),
+			1:  decodeHex("e9c706539943b2d9770715914f9b3946fab0265327bace4c479913acb9014051"),
+			2:  decodeHex("7fde57284c6a0eabdc9b829db4e2ab0bb565c4189410de2474dd116bc18bafcc"),
+			3:  decodeHex("3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969"),
+			4:  decodeHex("ded8b5d91a09c328b9859d8c9db5a346f1065224616b0ba66d6c83dba2b465e8"),
+			5:  decodeHex("163ee251955b844012f1493aa962b2a18acbec194ea4856cdc45cd54c8540058"),
+			6:  decodeHex("3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969"),
+			7:  decodeHex("2c9252609eda09899d96abe16b947d0e736c43271997c1fa5189e9bcd37ba516"),
+			8:  decodeHex("8edecd4daa5194ea70a2a9f2c71c7c816bd3b1e0a1ca6f4abea7306250191eba"),
+			9:  decodeHex("731d336f9f3255e80b429de54fb77b2ad5e485829eb386d661c668245f30f44b"),
+			14: decodeHex("306f9d8b94f17d93dc6e7cf8f5c79d652eb4c6c4d13de2dddc24af416e13ecaf"),
+		},
+	}},
+	ExpectedEFIAppDigests: map[pb.HashAlgo][]string{
+		pb.HashAlgo_SHA256: {
+			"c7ac5d44444affd8d4a7c5d3dea0ce20a71e05812fc18777a428d092f78ae3ff",
+			"c5d3b47de11a9a2a4a15ef5cb7202d7800a10609c0dcecc46e3e963d476b76ce",
+			"af4161084115c9d5c1872f4473fe974b535e3a9a767688293720ac2cc6f7f9a3",
+			"af4161084115c9d5c1872f4473fe974b535e3a9a767688293720ac2cc6f7f9a3",
+		},
+	},
+}
+
 func TestParseEventLogs(t *testing.T) {
 	sbatErrorStr := "asn1: structure error: tags don't match (16 vs {class:0 tag:24 length:10 isCompound:true})"
 	logs := []struct {
 		eventLog
 		name string
-		Bootloader
+		opts VerifyOpts
 		// This field handles known issues with event log parsing or bad event
 		// logs.
 		// Set to nil when the event log has no known issues.
 		errorSubstrs []string
 	}{
-		{Debian10GCE, "Debian10GCE", UnsupportedLoader, nil},
-		{Rhel8GCE, "Rhel8GCE", GRUB, nil},
-		{UbuntuAmdSevGCE, "UbuntuAmdSevGCE", GRUB, nil},
+		{Debian10GCE, "Debian10GCE", VerifyOpts{Loader: UnsupportedLoader}, nil},
+		{Rhel8GCE, "Rhel8GCE", VerifyOpts{Loader: GRUB}, nil},
+		{UbuntuAmdSevGCE, "UbuntuAmdSevGCE", VerifyOpts{Loader: GRUB}, nil},
 		// TODO: remove once the fix is pulled in
 		// https://github.com/google/go-attestation/pull/222
-		{Ubuntu2104NoDbxGCE, "Ubuntu2104NoDbxGCE", GRUB, []string{sbatErrorStr}},
-		{Ubuntu2104NoSecureBootGCE, "Ubuntu2104NoSecureBootGCE", GRUB, []string{sbatErrorStr}},
+		{Ubuntu2104NoDbxGCE, "Ubuntu2104NoDbxGCE", VerifyOpts{Loader: GRUB}, []string{sbatErrorStr}},
+		{Ubuntu2104NoSecureBootGCE, "Ubuntu2104NoSecureBootGCE", VerifyOpts{Loader: GRUB}, []string{sbatErrorStr}},
 		// This event log has a SecureBoot variable length of 0.
-		{ArchLinuxWorkstation, "ArchLinuxWorkstation", UnsupportedLoader, archLinuxKnownParsingFailures},
-		{COS85AmdSev, "COS85AmdSev", GRUB, nil},
-		{COS93AmdSev, "COS93AmdSev", GRUB, nil},
-		{COS101AmdSev, "COS101AmdSev", GRUB, nil},
-		{Ubuntu2404AmdSevSnp, "Ubuntu2404AmdSevSnp", GRUB, nil},
+		{ArchLinuxWorkstation, "ArchLinuxWorkstation", VerifyOpts{Loader: UnsupportedLoader, AllowEFIAppBeforeCallingEvent: true}, archLinuxKnownParsingFailures},
+		{COS85AmdSev, "COS85AmdSev", VerifyOpts{Loader: GRUB}, nil},
+		{COS93AmdSev, "COS93AmdSev", VerifyOpts{Loader: GRUB}, nil},
+		{COS101AmdSev, "COS101AmdSev", VerifyOpts{Loader: GRUB}, nil},
+		{Ubuntu2404AmdSevSnp, "Ubuntu2404AmdSevSnp", VerifyOpts{Loader: GRUB}, nil},
+		{GdcHost, "GdcHost", VerifyOpts{Loader: GRUB, AllowEFIAppBeforeCallingEvent: true}, []string{"invalid SCRTM version event for PCR0"}},
 	}
 
 	for _, log := range logs {
@@ -566,7 +594,7 @@ func TestParseEventLogs(t *testing.T) {
 			hashName := pb.HashAlgo_name[int32(bank.Hash)]
 			subtestName := fmt.Sprintf("%s-%s", log.name, hashName)
 			t.Run(subtestName, func(t *testing.T) {
-				if _, err := parsePCClientEventLog(rawLog, bank, log.Bootloader); err != nil {
+				if _, err := parsePCClientEventLog(rawLog, bank, log.opts); err != nil {
 					gErr, ok := err.(*GroupedError)
 					if !ok {
 						t.Errorf("ParseMachineState should return a GroupedError")
@@ -589,7 +617,7 @@ func TestParseMachineStateReplayFail(t *testing.T) {
 	pcrMap[0] = []byte{0, 0, 0, 0}
 	badPcrs.Pcrs = pcrMap
 
-	_, err := parsePCClientEventLog(Debian10GCE.RawLog, &badPcrs, UnsupportedLoader)
+	_, err := parsePCClientEventLog(Debian10GCE.RawLog, &badPcrs, VerifyOpts{Loader: UnsupportedLoader})
 	if err == nil {
 		t.Errorf("ParseMachineState should fail to replay the event log")
 	}
@@ -614,7 +642,7 @@ func TestSystemParseEventLog(t *testing.T) {
 		t.Fatalf("failed to read PCRs: %v", err)
 	}
 
-	if _, err = parsePCClientEventLog(evtLog, pcrs, UnsupportedLoader); err != nil {
+	if _, err = parsePCClientEventLog(evtLog, pcrs, VerifyOpts{Loader: UnsupportedLoader}); err != nil {
 		t.Errorf("failed to parse MachineState: %v", err)
 	}
 }
@@ -652,7 +680,7 @@ func TestEmptyEventlog(t *testing.T) {
 	}
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			state, err := parsePCClientEventLog(emptyLog, c.pcrs, UnsupportedLoader)
+			state, err := parsePCClientEventLog(emptyLog, c.pcrs, VerifyOpts{Loader: UnsupportedLoader})
 			if err != nil {
 				t.Errorf("parsing empty eventlog: %v", err)
 			}
@@ -665,7 +693,7 @@ func TestEmptyEventlog(t *testing.T) {
 
 func TestParseSecureBootState(t *testing.T) {
 	for _, bank := range UbuntuAmdSevGCE.Banks {
-		msState, err := parsePCClientEventLog(UbuntuAmdSevGCE.RawLog, bank, UnsupportedLoader)
+		msState, err := parsePCClientEventLog(UbuntuAmdSevGCE.RawLog, bank, VerifyOpts{Loader: UnsupportedLoader})
 		if err != nil {
 			t.Errorf("failed to parse and replay log: %v", err)
 		}
@@ -1071,7 +1099,7 @@ func TestParseLinuxKernelState(t *testing.T) {
 			hashName := pb.HashAlgo_name[int32(bank.Hash)]
 			subtestName := fmt.Sprintf("%s-%s", log.name, hashName)
 			t.Run(subtestName, func(t *testing.T) {
-				msState, err := parsePCClientEventLog(log.RawLog, bank, GRUB)
+				msState, err := parsePCClientEventLog(log.RawLog, bank, VerifyOpts{Loader: GRUB})
 				if err != nil {
 					t.Errorf("failed to parse and replay log: %v", err)
 				}
@@ -1145,7 +1173,7 @@ func TestParseGrubState(t *testing.T) {
 			hashName := pb.HashAlgo_name[int32(bank.Hash)]
 			subtestName := fmt.Sprintf("%s-%s", log.name, hashName)
 			t.Run(subtestName, func(t *testing.T) {
-				msState, err := parsePCClientEventLog(log.RawLog, bank, GRUB)
+				msState, err := parsePCClientEventLog(log.RawLog, bank, VerifyOpts{Loader: GRUB})
 				if err != nil {
 					t.Errorf("failed to parse and replay log: %v", err)
 				}
@@ -1175,7 +1203,7 @@ func TestParseGrubStateFail(t *testing.T) {
 		hashName := pb.HashAlgo_name[int32(bank.Hash)]
 		subtestName := fmt.Sprintf("GlinuxNoSecureBootLaptop-%s", hashName)
 		t.Run(subtestName, func(t *testing.T) {
-			_, err := parsePCClientEventLog(eventlog.RawLog, bank, GRUB)
+			_, err := parsePCClientEventLog(eventlog.RawLog, bank, VerifyOpts{Loader: GRUB})
 			if err == nil {
 				t.Error("expected error when parsing GRUB state")
 			}
@@ -1207,7 +1235,7 @@ func TestParseEfiState(t *testing.T) {
 			hashName := pb.HashAlgo_name[int32(bank.Hash)]
 			subtestName := fmt.Sprintf("%s-%s", log.name, hashName)
 			t.Run(subtestName, func(t *testing.T) {
-				msState, err := parsePCClientEventLog(log.RawLog, bank, UnsupportedLoader)
+				msState, err := parsePCClientEventLog(log.RawLog, bank, VerifyOpts{Loader: UnsupportedLoader})
 				if err != nil {
 					t.Errorf("parsePCClientEventLog(%v, %v) got err = %v, want nil", log.name, bank.GetHash().String(), err)
 				}
@@ -1271,6 +1299,25 @@ func TestGetGrubStateWithModifiedNullTerminator(t *testing.T) {
 	}
 }
 
+func TestParseEventLogCallingEFIAppError(t *testing.T) {
+	tests := []struct {
+		eventLog
+		name string
+	}{
+		{ArchLinuxWorkstation, "ArchLinuxWorkstation"},
+		{GdcHost, "GdcHost"},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			for _, bank := range test.Banks {
+				if _, err := parsePCClientEventLog(test.RawLog, bank, VerifyOpts{AllowEFIAppBeforeCallingEvent: false}); err == nil || !strings.Contains(err.Error(), "before CallingEFIApp event") {
+					t.Errorf("parsePCClientEventLog(%s): expected Calling EFI App error, received %v", test.name, err)
+				}
+			}
+		})
+	}
+}
+
 func decodeHex(hexStr string) []byte {
 	bytes, err := hex.DecodeString(hexStr)
 	if err != nil {

server/eventlog_test.go

@@ -65,7 +65,7 @@ func TestEvaluatePolicy(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			machineState, err := parsePCClientEventLog(test.log.RawLog, test.log.Banks[0], UnsupportedLoader)
+			machineState, err := parsePCClientEventLog(test.log.RawLog, test.log.Banks[0], VerifyOpts{Loader: UnsupportedLoader})
 			if err != nil {
 				t.Fatalf("failed to get machine state: %v", err)
 			}
@@ -83,7 +83,7 @@ func TestEvaluatePolicySCRTM(t *testing.T) {
 				0x4e, 0xf4, 0xbf, 0x17, 0xb8, 0x3a}},
 		},
 	}
-	machineState, err := parsePCClientEventLog(ArchLinuxWorkstation.RawLog, ArchLinuxWorkstation.Banks[0], UnsupportedLoader)
+	machineState, err := parsePCClientEventLog(ArchLinuxWorkstation.RawLog, ArchLinuxWorkstation.Banks[0], VerifyOpts{Loader: UnsupportedLoader, AllowEFIAppBeforeCallingEvent: true})
 	if err != nil {
 		gErr := err.(*GroupedError)
 		if !gErr.containsKnownSubstrings(archLinuxKnownParsingFailures) {
@@ -123,22 +123,23 @@ func TestEvaluatePolicyFailure(t *testing.T) {
 		name   string
 		log    eventLog
 		policy *pb.Policy
+		opts   VerifyOpts
 		// This field handles known issues with event log parsing or bad event
 		// logs.
 		// Set to nil when the event log has no known issues.
 		errorSubstrs []string
 	}{
-		{"Debian10-SHA1", Debian10GCE, &badGcePolicyVersion, nil},
-		{"Debian10-SHA1", Debian10GCE, &badGcePolicySEV, nil},
+		{"Debian10-SHA1", Debian10GCE, &badGcePolicyVersion, VerifyOpts{Loader: UnsupportedLoader}, nil},
+		{"Debian10-SHA1", Debian10GCE, &badGcePolicySEV, VerifyOpts{Loader: UnsupportedLoader}, nil},
 		{"Ubuntu1804AmdSev-CryptoAgile", UbuntuAmdSevGCE, &badGcePolicySEVES,
-			nil},
+			VerifyOpts{Loader: UnsupportedLoader}, nil},
 		{"ArchLinuxWorkstation-CryptoAgile", ArchLinuxWorkstation,
-			&badPhysicalPolicy, archLinuxKnownParsingFailures},
+			&badPhysicalPolicy, VerifyOpts{Loader: UnsupportedLoader, AllowEFIAppBeforeCallingEvent: true}, archLinuxKnownParsingFailures},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			machineState, err := parsePCClientEventLog(test.log.RawLog, test.log.Banks[0], UnsupportedLoader)
+			machineState, err := parsePCClientEventLog(test.log.RawLog, test.log.Banks[0], test.opts)
 			if err != nil {
 				gErr := err.(*GroupedError)
 				if len(test.errorSubstrs) == 0 || !gErr.containsKnownSubstrings(test.errorSubstrs) {

server/policy_test.go

@@ -63,6 +63,11 @@ type VerifyOpts struct {
 	// Deprecated: go-tpm-tools no longer verifies SNP or TDX attestation.
 	// Please use go-sev-guest and go-tdx-guest.
 	TEEOpts interface{}
+	// AllowEFIAppBeforeCallingEvent skips a check that requires
+	// EV_EFI_BOOT_SERVICES_APPLICATION to occur after a
+	// "Calling EFI Application from Boot Option". This option is useful when
+	// the host platform loads EFI Applications unrelated to OS boot.
+	AllowEFIAppBeforeCallingEvent bool
 }
 
 // Bootloader refers to the second-stage bootloader that loads and transfers
@@ -353,7 +358,7 @@ func makePool(certs []*x509.Certificate) *x509.CertPool {
 // 2. verify GceTechnology since the GCE Technology event is directly related to the TPM.
 // 3. populate the machineState TeeAttestatation field with the verified TDX/SNP attestation data.
 func parseMachineStateFromTPM(attestation *pb.Attestation, pcrs *tpmpb.PCRs, opts VerifyOpts) (*pb.MachineState, error) {
-	ms, err := parsePCClientEventLog(attestation.GetEventLog(), pcrs, opts.Loader)
+	ms, err := parsePCClientEventLog(attestation.GetEventLog(), pcrs, opts)
 	if err != nil {
 		return nil, fmt.Errorf("failed to validate the PCClient event log: %w", err)
 	}