tpm2_getcap: Add capability to print PCR handles in the authorization set

idesai · idesai · commit 7526f82f515b · 2024-01-12T11:07:24.000-07:00
Signed-off-by: Imran Desai &lt;imran.desai@intel.com&gt;
diff --git a/lib/pcr.c b/lib/pcr.c
@@ -426,6 +426,25 @@ bool pcr_print_pcr_struct(TPML_PCR_SELECTION *pcr_select, tpm2_pcrs *pcrs) {
     return pcr_print_values(pcr_select, pcrs);
 }
 
+void pcr_print_taggedpcr_selections(TPML_TAGGED_PCR_PROPERTY *pcrProperties) {
+
+    tpm2_tool_output("  - PCR-Handles: [");
+    /* Iterate through the PCRs of the bank */
+    bool first = true;
+    unsigned j;
+    for (j = 0; j < pcrProperties->pcrProperty->sizeofSelect * 8; j++) {
+        if ((pcrProperties->pcrProperty->pcrSelect[j / 8] & 1 << (j % 8)) != 0) {
+            if (first) {
+                tpm2_tool_output(" %i", j);
+                first = false;
+            } else {
+                tpm2_tool_output(", %i", j);
+            }
+        }
+    }
+    tpm2_tool_output(" ]\n");
+}
+
 bool pcr_print_pcr_selections(TPML_PCR_SELECTION *pcr_selections) {
     tpm2_tool_output("selected-pcrs:\n");
 
diff --git a/lib/pcr.h b/lib/pcr.h
@@ -44,6 +44,15 @@ typedef struct tpm2_forwards {
  */
 bool pcr_print_pcr_struct(TPML_PCR_SELECTION *pcrSelect, tpm2_pcrs *pcrs);
 
+/**
+ * Echo out all the PCR indices that satisy a PCR property
+ * @param pcrProperties
+ *  Description of the selected pcr properties
+ * @return
+ *  None
+ */
+void pcr_print_taggedpcr_selections(TPML_TAGGED_PCR_PROPERTY *pcrProperties);
+
 /**
  * Echo out all PCR banks according to g_pcrSelection & g_pcrs->.
  * Assume that data structures are all little endian.
diff --git a/man/tpm2_getcap.1.md b/man/tpm2_getcap.1.md
@@ -53,6 +53,9 @@ argument to the tool. Currently supported capability groups are:
 - **handles-saved-session**:
   Display handles about saved sessions.
 
+- **pcrhandles-with-auth**:
+  Display PCR handles that are in the authorization set.
+
 - **vendor[:num]**:
   Displays the vendor properties as a hex buffer output. The string "vendor"
   can be suffixed with a colon followed by a number as understood by strtoul(3)
diff --git a/tools/tpm2_getcap.c b/tools/tpm2_getcap.c
@@ -123,6 +123,12 @@ capability_map_entry_t capability_map[] = {
         .property          = TPM2_ACTIVE_SESSION_FIRST,
         .count             = TPM2_MAX_CAP_HANDLES,
     },
+    {
+        .capability_string = "pcrhandles-with-auth",
+        .capability        = TPM2_CAP_PCR_PROPERTIES,
+        .property          = TPM2_PT_PCR_AUTH,
+        .count             = TPM2_MAX_PCR_PROPERTIES,
+    },
 #if defined(ESYS_4_0)
     {
         .capability_string = "vendor",
@@ -812,6 +818,12 @@ static bool dump_tpm_capability(TPMU_CAPABILITIES *capabilities) {
     case TPM2_CAP_PCRS:
         pcr_print_pcr_selections(&capabilities->assignedPCR);
         break;
+    case TPM2_CAP_PCR_PROPERTIES:
+        if(options.property == TPM2_PT_PCR_AUTH) {
+            tpm2_tool_output("TPM2_PT_PCR_AUTH:\n");
+            pcr_print_taggedpcr_selections(&capabilities->pcrProperties);
+        }
+        break;
 #if defined(ESYS_4_0)
     case TPM2_CAP_VENDOR_PROPERTY: {
 
