Have azure/gcp dump their event logs on init.

signalapp · Mar 19, 2024 · 1f6b3ea · 1f6b3ea
1 parent 7a29bae
commit 1f6b3ea
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/enclave/env/azuresnp/azuresnp.cc b/enclave/env/azuresnp/azuresnp.cc
@@ -24,6 +24,7 @@
 #include "util/mutex.h"
 #include "util/endian.h"
 #include "util/log.h"
+#include "util/base64.h"
 #include "attestation/tpm2snp/tpm2snp.h"
 #include "hmac/hmac.h"
 #include "fs/fs.h"
@@ -179,6 +180,11 @@ class Environment : public ::svr2::env::socket::Environment {
       LOG(FATAL) << "Failure to attest evidence in Init: " << err;
     }
     LOG(INFO) << "Successfully retrieved and attested evidence";
+    if (auto [elog, err] = fs::FileContents("/sys/kernel/security/tpm0/binary_bios_measurements"); err != error::OK) {
+      LOG(ERROR) << "Unable to retrieve event log: " << err;
+    } else {
+      LOG(INFO) << "Event log: " << util::Base64Encode(elog, util::B64STD, true);
+    }
   }
 
  private:

diff --git a/enclave/env/gcpsnp/gcpsnp.cc b/enclave/env/gcpsnp/gcpsnp.cc
@@ -29,6 +29,7 @@
 #include "util/hex.h"
 #include "util/mutex.h"
 #include "util/endian.h"
+#include "util/base64.h"
 #include "util/log.h"
 #include "hmac/hmac.h"
 #include "fs/fs.h"
@@ -145,6 +146,11 @@ class Environment : public ::svr2::env::socket::Environment {
       LOG(FATAL) << "Failure to attest evidence in Init: " << err;
     }
     LOG(INFO) << "Base evidence and endorsements created successfully";
+    if (auto [elog, err] = fs::FileContents("/sys/kernel/security/tpm0/binary_bios_measurements"); err != error::OK) {
+      LOG(ERROR) << "Unable to retrieve event log: " << err;
+    } else {
+      LOG(INFO) << "Event log: " << util::Base64Encode(elog, util::B64STD, true);
+    }
   }
 
  private: