Lock PCR range

Author: raoulstrackx

fortanix-vme/nsm/src/lib.rs

@@ -4,7 +4,7 @@ pub use serde_bytes::ByteBuf;
 
 pub struct Nsm(i32);
 
-#[derive(Debug)]
+#[derive(Debug, PartialEq)]
 pub enum Error {
     AttestationError(AttestationError),
     BufferTooSmall,
@@ -105,7 +105,6 @@ impl TryFrom<Response> for Pcr {
 impl Nsm {
     pub fn new() -> Result<Self, Error> {
         let fd = nsm_driver::nsm_init();
-
         if fd < 0 {
             Err(Error::CannotOpenDriver)
         } else {
@@ -151,6 +150,18 @@ impl Nsm {
             _                     => Err(Error::InvalidResponse),
         }
     }
+
+    /// Lock PlatformConfigurationRegisters at indexes `[0, range)` from further modifications
+    pub fn lock_pcrs(&self, range: u16) -> Result<(), Error> {
+        let req = Request::LockPCRs {
+            range,
+        };
+        match nsm_driver::nsm_process_request(self.0, req) {
+            Response::LockPCRs    => Ok(()),
+            Response::Error(code) => Err(code.into()),
+            _                     => Err(Error::InvalidResponse),
+        }
+    }
 }
 
 impl Drop for Nsm {

fortanix-vme/tests/nsm-test/src/main.rs

@@ -38,4 +38,10 @@ fn main() {
     nsm.lock_pcr(16).unwrap();
     println!("pcr16 = {:?}", nsm.describe_pcr(10));
     assert_eq!(nsm.describe_pcr(16).unwrap().locked, true);
+
+    nsm.lock_pcrs(18).unwrap();
+    for pcr in 0..=18 {
+        println!("#pcr{} = {:?}", pcr, nsm.describe_pcr(pcr));
+        assert_eq!(nsm.describe_pcr(pcr).map(|val| val.locked), Ok(pcr < 18));
+    }
 }