tcg: skip SignatureHeader vendor bytes in parseEfiSignatureList (hash injection)

[evilgensec]

What

parseEfiSignatureList (tcg/events.go) iterated EFI_SIGNATURE_DATA entries starting at sigOffset := 0 instead of SignatureHeaderSize, and never skipped the vendor SignatureHeader bytes. Per the UEFI spec (§31.4.1), SignatureHeaderSize bytes of vendor data sit between the fixed list header and the actual signature entries and must be skipped.

As a result, a crafted EFI_SIGNATURE_LIST with zero real entries but attacker-chosen vendor-header bytes has those bytes misread as EFI_SIGNATURE_DATA entries. Through the exported UEFIVariableData.SignatureData() — which extract/secureboot.go calls for PK/KEK/db/dbx while building SecureBootState from an attestation event log — this injects attacker-chosen hashes/certs into the trusted secure-boot signature database. The event log is attacker-controlled attestation evidence (e.g. a confidential-VM guest's own CCEL + RTMR), so a malicious attester can make the verifier accept a forged secure-boot db/dbx and still return success.

Minimal reproduction (a list whose only content is a 16-byte owner GUID + a 32-byte attacker hash, declared entirely as the vendor header):

v := &UEFIVariableData{VariableData: data}
_, hashes, err := v.SignatureData()
// before this fix: err == nil and hashes == [4141...41]
//   — a "trusted" SHA256 db/dbx hash that was never a real signature entry

The missing SignatureSize - 16 / SignatureListSize - 28 lower-bound guards additionally allow uint32 underflow (infinite loop, or a ~4 GiB make([]byte, ...)).

Why

This is the same defect — and the same fix — as GHSA-9r4w-jg96-92mv in google/go-attestation, whose copy of parseEfiSignatureList received these guards in PRs #502 / #486 / #500. This repository forked the pre-patch version of the function and never picked them up. (go-attestation's patched loop is for sigOffset := int(SignatureHeaderSize); ... with a SignatureHeaderSize >= remainingListSize guard and a buf.Seek(SignatureHeaderSize); this fork still had for sigOffset := 0; ... with none. The sibling parser parseDevicePathElement in this same file does have a lower-bound guard, so the omission here is a genuine gap.)

Fix

Port the guards: reject SignatureListSize < 28, SignatureSize < 16, and SignatureSize / SignatureHeaderSize exceeding the remaining list space; Seek past the vendor header; and start both entry loops at SignatureHeaderSize. Adds a regression test asserting the vendor bytes are no longer returned as a trusted hash.

Testing

go test ./tcg/... ./extract/... passes (existing real-event-log tests unaffected), plus the new regression test.