boot: measure loader.conf in PCR5
Results in: - EventNum: 26 PCRIndex: 5 EventType: EV_EVENT_TAG DigestCount: 4 Digests: - AlgorithmId: sha1 Digest: 155fb999ca61ba8c7b1f1d87cee821f772ef084a - AlgorithmId: sha256 Digest: 4c26adf231603613afc00bb3d5cad046aec6a525ca01262417c7085caab452b5 - AlgorithmId: sha384 Digest: 3e0758cb6605ac274e55d747bf29ee3474fc4413cd5e7a451d1375219cd7f08a30fc915a8df7131657ca78b82b9ccec8 - AlgorithmId: sha512 Digest: e32d905b9092c543802f386db9a397d9b6593bdb8360fb747a6d23e491a09595fec8699184cc790d0873a3d52ed16d045538f0c73ece48278fae0fb6ed9b4ed6 EventSize: 32 Event: 2a58bcf5180000006c006f0061006400650072002e0063006f006e0066000000
This commit is contained in:
parent
3e6f010e03
commit
12de4ed1ca
|
@ -16,8 +16,8 @@ measurements listed below are (by default) only done if a system is booted with
|
||||||
to systemd's UEFI-mode measurements, and if the latter are not done the former
|
to systemd's UEFI-mode measurements, and if the latter are not done the former
|
||||||
aren't made either.
|
aren't made either.
|
||||||
|
|
||||||
systemd will measure to PCRs 11 (`kernel-boot`), 12 (`kernel-config`), 13
|
systemd will measure to PCRs 5 (`boot-loader-config`), 11 (`kernel-boot`),
|
||||||
(`sysexts`), 15 (`system-identity`).
|
12 (`kernel-config`), 13 (`sysexts`), 15 (`system-identity`).
|
||||||
|
|
||||||
Currently, four components will issue TPM2 PCR measurements:
|
Currently, four components will issue TPM2 PCR measurements:
|
||||||
|
|
||||||
|
@ -31,6 +31,17 @@ maintained in `/run/log/systemd/tpm2-measure.log`.
|
||||||
|
|
||||||
## PCR Measurements Made by `systemd-boot` (UEFI)
|
## PCR Measurements Made by `systemd-boot` (UEFI)
|
||||||
|
|
||||||
|
### PCS 5, `EV_EVENT_TAG`, "loader.conf"
|
||||||
|
|
||||||
|
The content of `systemd-boot`'s configuration file, `loader/loader.conf`, is
|
||||||
|
measured as a tagged event.
|
||||||
|
|
||||||
|
→ **Event Tag** `0xf5bc582a`
|
||||||
|
|
||||||
|
→ **Description** in the event log record is the file name, `loader.conf`.
|
||||||
|
|
||||||
|
→ **Measured hash** covers the content of `loader.conf` as it is read from the ESP.
|
||||||
|
|
||||||
### PCR 12, `EV_IPL`, "Kernel Command Line"
|
### PCR 12, `EV_IPL`, "Kernel Command Line"
|
||||||
|
|
||||||
If the kernel command line was specified explicitly (by the user or in a Boot
|
If the kernel command line was specified explicitly (by the user or in a Boot
|
||||||
|
|
|
@ -21,6 +21,7 @@
|
||||||
#include "secure-boot.h"
|
#include "secure-boot.h"
|
||||||
#include "shim.h"
|
#include "shim.h"
|
||||||
#include "ticks.h"
|
#include "ticks.h"
|
||||||
|
#include "tpm2-pcr.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "version.h"
|
#include "version.h"
|
||||||
#include "vmm.h"
|
#include "vmm.h"
|
||||||
|
@ -38,6 +39,8 @@ DECLARE_NOALLOC_SECTION(
|
||||||
|
|
||||||
DECLARE_SBAT(SBAT_BOOT_SECTION_TEXT);
|
DECLARE_SBAT(SBAT_BOOT_SECTION_TEXT);
|
||||||
|
|
||||||
|
#define LOADER_CONF_CONTENT_EVENT_TAG_ID UINT32_C(0xf5bc582a)
|
||||||
|
|
||||||
typedef enum LoaderType {
|
typedef enum LoaderType {
|
||||||
LOADER_UNDEFINED,
|
LOADER_UNDEFINED,
|
||||||
LOADER_AUTO,
|
LOADER_AUTO,
|
||||||
|
@ -1621,7 +1624,7 @@ static EFI_STATUS efivar_get_timeout(const char16_t *var, uint32_t *ret_value) {
|
||||||
|
|
||||||
static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
|
static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
|
||||||
_cleanup_free_ char *content = NULL;
|
_cleanup_free_ char *content = NULL;
|
||||||
size_t value = 0; /* avoid false maybe-uninitialized warning */
|
size_t content_size, value = 0; /* avoid false maybe-uninitialized warning */
|
||||||
EFI_STATUS err;
|
EFI_STATUS err;
|
||||||
|
|
||||||
assert(root_dir);
|
assert(root_dir);
|
||||||
|
@ -1638,9 +1641,19 @@ static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
|
||||||
.timeout_sec_efivar = TIMEOUT_UNSET,
|
.timeout_sec_efivar = TIMEOUT_UNSET,
|
||||||
};
|
};
|
||||||
|
|
||||||
err = file_read(root_dir, u"\\loader\\loader.conf", 0, 0, &content, NULL);
|
err = file_read(root_dir, u"\\loader\\loader.conf", 0, 0, &content, &content_size);
|
||||||
if (err == EFI_SUCCESS)
|
if (err == EFI_SUCCESS) {
|
||||||
config_defaults_load_from_file(config, content);
|
config_defaults_load_from_file(config, content);
|
||||||
|
err = tpm_log_tagged_event(
|
||||||
|
TPM2_PCR_BOOT_LOADER_CONFIG,
|
||||||
|
POINTER_TO_PHYSICAL_ADDRESS(content),
|
||||||
|
content_size,
|
||||||
|
LOADER_CONF_CONTENT_EVENT_TAG_ID,
|
||||||
|
u"loader.conf",
|
||||||
|
/* ret_measured= */ NULL);
|
||||||
|
if (err != EFI_SUCCESS)
|
||||||
|
log_error_status(err, "Error measuring loader.conf into TPM: %m");
|
||||||
|
}
|
||||||
|
|
||||||
err = efivar_get_timeout(u"LoaderConfigTimeout", &config->timeout_sec_efivar);
|
err = efivar_get_timeout(u"LoaderConfigTimeout", &config->timeout_sec_efivar);
|
||||||
if (err == EFI_SUCCESS)
|
if (err == EFI_SUCCESS)
|
||||||
|
|
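Review bot: In config_load_defaults the new tpm_log_tagged_event() call runs only after `config_defaults_load_from_file(config, content)` has already consumed the buffer, so loader.conf shapes the boot configuration before it is extended into PCR 5, and if the key/value splitter used by that parser tokenises `content` in place (the usual pattern in this file NUL-terminates keys and values — worth confirming) the digest covers the mutated buffer rather than the bytes read from the ESP, which is what the accompanying docs promise. Measure first, then parse: move `config_defaults_load_from_file(config, content);` to just after the `log_error_status(err, "Error measuring loader.conf into TPM: %m");` line, keeping the measurement failure non-fatal as it is now. The new `LOADER_CONF_CONTENT_EVENT_TAG_ID` define also deserves a comment stating how the value was chosen and that it is part of the documented event-log format and must not change, e.g. `/* EV_EVENT_TAG id for loader.conf content; documented in docs/TPM2_PCR_MEASUREMENTS.md, keep stable */`. The body of config_load_defaults continues past the end of this hunk.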