Set device to maintenance mode if TPM Quote error is detected

If TPM Quote error is detected, set the device to maintenance mode. Quote errors can lead to issues when device is attesting to the controler to recover the vault key. Signed-off-by: Shahriyar Jalayeri <[email protected]>
lf-edge · Feb 5, 2025 · da10da5 · da10da5
1 parent f0f6fdb
commit da10da5
Show file tree

Hide file tree

Showing 6 changed files with 1,094 additions and 1,071 deletions.
diff --git a/pkg/pillar/cmd/tpmmgr/tpmmgr.go b/pkg/pillar/cmd/tpmmgr/tpmmgr.go
@@ -1651,11 +1651,11 @@ func publishTpmStatus(ctx *tpmMgrContext, status types.TpmSanityStatus) {
 
 // tpmSanityCheck checks if the TPM fails in a way that is not detectable during the
 // common TPM operations but affects EVE's ability to manage itself.
-// * encrypt/decrypt (ECDHZGen) : checked here
-// * seal/unseal : checked during vault creation, no need to check here
-// * quote : checked during attestation, no need to check here
-// * certificate and key creation : checked during device step, no need to check here
-// * device key signing : checked during onboarding, no need to check here
+// * encrypt/decrypt (ECDHZGen) : checked here.
+// * quote : checked during attestation and also here.
+// * seal/unseal : checked during vault creation, failure will set device in MaintenanceModeReasonVaultLockedUp.
+// * certificate and key creation : checked during device step.
+// * device key signing : checked during onboarding.
 func tpmSanityCheck() *tpmSanityCheckError {
 	// sanity check TPM encrypt/decrypt (ECDHZGen), if this fails we can't
 	// encrypt/decrypt the vualt key and send/received it from controller.
@@ -1682,13 +1682,25 @@ func tpmSanityCheck() *tpmSanityCheckError {
 		}
 	}
 
+	// sanity check TPM quote operation, this is key to successful attestation
+	// and if this fails we can't attest the device and recover the vault key.
+	_, _, _, err = getQuote([]byte(message))
+	if err != nil {
+		return &tpmSanityCheckError{
+			fmt.Errorf("failed to get quote using TPM: %w", err),
+			types.MaintenanceModeReasonTpmQuoteFailure,
+		}
+	}
+
 	return nil
 }
 
 func getTpmSanityStatus(status types.MaintenanceModeReason) string {
 	switch status {
 	case types.MaintenanceModeReasonTpmEncFailure:
 		return "TPM error can possibly affect device upgrade"
+	case types.MaintenanceModeReasonTpmQuoteFailure:
+		return "TPM error can affect attestation process and vault key retrieval"
 	default:
 		return ""
 	}

diff --git a/pkg/pillar/go.mod b/pkg/pillar/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/jaypipes/ghw v0.8.0
 	github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.5.0
 	github.com/lf-edge/edge-containers v0.0.0-20240207093504-5dfda0619b80
-	github.com/lf-edge/eve-api/go v0.0.0-20250102213900-786246223024
+	github.com/lf-edge/eve-api/go v0.0.0-20250204190553-54ee503d1433
 	github.com/lf-edge/eve-libs v0.0.0-20241210085709-fc89dcac7f3c
 	github.com/lf-edge/eve/pkg/kube/cnirpc v0.0.0-20240315102754-0f6d1f182e0d
 	github.com/lf-edge/go-qemu v0.0.0-20231121152149-4c467eda0c56

diff --git a/pkg/pillar/go.sum b/pkg/pillar/go.sum
@@ -1454,6 +1454,8 @@ github.com/lf-edge/eve-api/go v0.0.0-20241213165007-1a8f9be485b1 h1:FEWskrHaPtLa
 github.com/lf-edge/eve-api/go v0.0.0-20241213165007-1a8f9be485b1/go.mod h1:ot6MhAhBXapUDl/hXklaX4kY88T3uC4PTg0D2wD8DzA=
 github.com/lf-edge/eve-api/go v0.0.0-20250102213900-786246223024 h1:C+Xj3QOl+RMOVub78IcP07s6fqExFh21vjWwZgC9WGM=
 github.com/lf-edge/eve-api/go v0.0.0-20250102213900-786246223024/go.mod h1:ot6MhAhBXapUDl/hXklaX4kY88T3uC4PTg0D2wD8DzA=
+github.com/lf-edge/eve-api/go v0.0.0-20250204190553-54ee503d1433 h1:GqgH3pRJKDgnpTVq2vIS2xz4lQVn2jFK/CzSKCBdQGM=
+github.com/lf-edge/eve-api/go v0.0.0-20250204190553-54ee503d1433/go.mod h1:ot6MhAhBXapUDl/hXklaX4kY88T3uC4PTg0D2wD8DzA=
 github.com/lf-edge/eve-libs v0.0.0-20241210085709-fc89dcac7f3c h1:PN0cNV+Rwq6T358PYyuaFr3MU9xjUCPTHtUwepMACac=
 github.com/lf-edge/eve-libs v0.0.0-20241210085709-fc89dcac7f3c/go.mod h1:32koNJxwKDrVL7rBLy35QzjIuMvGy6+BmLjf8Y38MQU=
 github.com/lf-edge/eve/pkg/kube/cnirpc v0.0.0-20240315102754-0f6d1f182e0d h1:tUBb9M6u42LXwHAYHyh22wJeUUQlTpDkXwRXalpRqbo=

diff --git a/pkg/pillar/types/zedagenttypes.go b/pkg/pillar/types/zedagenttypes.go
@@ -395,11 +395,12 @@ type MaintenanceModeMultiReason []MaintenanceModeReason
 // MaintenanceModeReason codes for storing reason for getting into maintenance mode,
 // this should match the values in api/proto/info/info.proto.MaintenanceModeReason
 const (
-	MaintenanceModeReasonNone          = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_NONE)
-	MaintenanceModeReasonUserRequested = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_USER_REQUESTED)
-	MaintenanceModeReasonVaultLockedUp = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_VAULT_LOCKED_UP)
-	MaintenanceModeReasonNoDiskSpace   = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_LOW_DISK_SPACE)
-	MaintenanceModeReasonTpmEncFailure = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_TPM_ENCRYPTION_FAILURE)
+	MaintenanceModeReasonNone            = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_NONE)
+	MaintenanceModeReasonUserRequested   = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_USER_REQUESTED)
+	MaintenanceModeReasonVaultLockedUp   = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_VAULT_LOCKED_UP)
+	MaintenanceModeReasonNoDiskSpace     = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_LOW_DISK_SPACE)
+	MaintenanceModeReasonTpmEncFailure   = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_TPM_ENCRYPTION_FAILURE)
+	MaintenanceModeReasonTpmQuoteFailure = MaintenanceModeReason(info.MaintenanceModeReason_MAINTENANCE_MODE_REASON_TPM_QUOTE_FAILURE)
 )
 
 // String returns the verbose equivalent of MaintenanceModeMultiReason code