pcrlock: don't accept PCRs > 23 from firmware event log

Let's harden ourselves against shitty firmware which might report an
invalid PCR.

(This is not really a security issue, more a robustness issue, after all
firmware generally comes with highest privileges and trust, even though
it might just be shit)

Fixes an issue found with Claude code review

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index acf68d698b90feb3b0cbd230b62e8f67cd00162f..2d3c0862615a4f48f63959b166cff2e3fb056013 100644 (file)
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -949,6 +949,11 @@ static int event_log_load_firmware(EventLog *el) {
                         continue;
                 }
 
+                if (event->pcrIndex >= TPM2_PCRS_MAX) {
+                        log_debug("Skipping event on PCR %" PRIu32 " (out of range).", event->pcrIndex);
+                        continue;
+                }
+
                 r = event_log_add_record(el, &record);
                 if (r < 0)
                         return log_error_errno(r, "Failed to add record to event log: %m");