diff --git a/NEWS b/NEWS
index bcf42ffd8e2..1cac8d4ad79 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,13 @@ CHANGES WITH 256 in spe:
 a private VLAN variant of the proxy ARP supported by the kernel under the name IPv4ProxyARPPrivateVLAN=.
+ * TPM 1.2 PCR measurement support has been removed from
+ systemd-stub. TPM 1.2 is obsolete and — due to the (by today's
+ standards) weak cryptographic algorithms it only supports — does not
+ actually provide the security benefits it's supposed to
+ provide. Given that the rest of systemd's codebase never supported
+ TPM 1.2 the support has now been removed from systemd-stub as well.
+
 CHANGES WITH 255:
 Announcements of Future Feature Removals and Incompatible Changes:
diff --git a/src/boot/efi/measure.c b/src/boot/efi/measure.c
index 7e440b714e5..2591c52f220 100644
--- a/src/boot/efi/measure.c
+++ b/src/boot/efi/measure.c
@@ -10,39 +10,6 @@
 #include "tpm2-pcr.h"
 #include "util.h"
-static EFI_STATUS tpm1_measure_to_pcr_and_event_log(
- const EFI_TCG_PROTOCOL *tcg,
- uint32_t pcrindex,
- EFI_PHYSICAL_ADDRESS buffer,
- size_t buffer_size,
- const char16_t *description) {
-
- _cleanup_free_ TCG_PCR_EVENT *tcg_event = NULL;
- EFI_PHYSICAL_ADDRESS event_log_last;
- uint32_t event_number = 1;
- size_t desc_len;
-
- assert(tcg);
- assert(description);
-
- desc_len = strsize16(description);
- tcg_event = xmalloc(offsetof(TCG_PCR_EVENT, Event) + desc_len);
- *tcg_event = (TCG_PCR_EVENT) {
- .EventSize = desc_len,
- .PCRIndex = pcrindex,
- .EventType = EV_IPL,
- };
- memcpy(tcg_event->Event, description, desc_len);
-
- return tcg->HashLogExtendEvent(
- (EFI_TCG_PROTOCOL *) tcg,
- buffer, buffer_size,
- TCG_ALG_SHA,
- tcg_event,
- &event_number,
- &event_log_last);
-}
-
 static EFI_STATUS tpm2_measure_to_pcr_and_tagged_event_log(
 EFI_TCG2_PROTOCOL *tcg,
 uint32_t pcrindex,
@@ -187,37 +154,6 @@ static EFI_CC_MEASUREMENT_PROTOCOL *cc_interface_check(void) {
 return cc;
 }
-static EFI_TCG_PROTOCOL *tcg1_interface_check(void) {
- EFI_PHYSICAL_ADDRESS event_log_location, event_log_last_entry;
- EFI_TCG_BOOT_SERVICE_CAPABILITY capability = {
- .Size = sizeof(capability),
- };
- EFI_STATUS err;
- uint32_t features;
- EFI_TCG_PROTOCOL *tcg;
-
- err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_TCG_PROTOCOL), NULL, (void **) &tcg);
- if (err != EFI_SUCCESS)
- return NULL;
-
- err = tcg->StatusCheck(
- tcg,
- &capability,
- &features,
- &event_log_location,
- &event_log_last_entry);
- if (err != EFI_SUCCESS)
- return NULL;
-
- if (capability.TPMDeactivatedFlag)
- return NULL;
-
- if (!capability.TPMPresentFlag)
- return NULL;
-
- return tcg;
-}
-
 static EFI_TCG2_PROTOCOL *tcg2_interface_check(void) {
 EFI_TCG2_BOOT_SERVICE_CAPABILITY capability = {
 .Size = sizeof(capability),
@@ -248,7 +184,7 @@ static EFI_TCG2_PROTOCOL *tcg2_interface_check(void) {
 }
 bool tpm_present(void) {
- return tcg2_interface_check() || tcg1_interface_check();
+ return tcg2_interface_check();
 }
 EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
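Review bot: In the `tpm_present()` hunk of src/boot/efi/measure.c, the function now reports a TPM only when `tcg2_interface_check()` succeeds, and nothing in the visible lines documents that narrower contract. Firmware that exposes only the TPM 1.2 protocol is therefore reported as having no TPM, and a CC-measurement-only environment is not counted either, even though `tpm_log_event()` does measure through it. I would add a comment above the function, e.g. `/* Returns true only if a usable TPM 2.0 is exposed via EFI_TCG2_PROTOCOL; TPM 1.2 and CC measurement protocols don't count. */`, so callers that gate PCR-dependent behaviour on it know what "present" means. The callers are outside this diff, so whether any of them needs adjusting should be confirmed.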
@@ -271,25 +207,18 @@ EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t
 if (tpm2)
 err = tpm2_measure_to_pcr_and_event_log(tpm2, pcrindex, buffer, buffer_size, description);
 else {
- EFI_TCG_PROTOCOL *tpm1;
+ EFI_CC_MEASUREMENT_PROTOCOL *cc;
- tpm1 = tcg1_interface_check();
- if (tpm1)
- err = tpm1_measure_to_pcr_and_event_log(tpm1, pcrindex, buffer, buffer_size, description);
+ cc = cc_interface_check();
+ if (cc)
+ err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
 else {
- EFI_CC_MEASUREMENT_PROTOCOL *cc;
+ /* No active TPM found, so don't return an error */
- cc = cc_interface_check();
- if (cc)
- err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
- else {
- /* No active TPM found, so don't return an error */
+ if (ret_measured)
+ *ret_measured = false;
- if (ret_measured)
- *ret_measured = false;
-
- return EFI_SUCCESS;
- }
+ return EFI_SUCCESS;
 }
 }
diff --git a/src/boot/efi/proto/tcg.h b/src/boot/efi/proto/tcg.h
index b4b82962ef6..e243bf8b72b 100644
--- a/src/boot/efi/proto/tcg.h
+++ b/src/boot/efi/proto/tcg.h
@@ -3,12 +3,9 @@
 #include "efi.h"
-#define EFI_TCG_PROTOCOL_GUID \
- GUID_DEF(0xf541796d, 0xa62e, 0x4954, 0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd)
 #define EFI_TCG2_PROTOCOL_GUID \
 GUID_DEF(0x607f766c, 0x7455, 0x42be, 0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
-#define TCG_ALG_SHA 0x4
 #define EFI_TCG2_EVENT_HEADER_VERSION 1
 #define EV_IPL 13
 #define EV_EVENT_TAG UINT32_C(6)
@@ -48,16 +45,6 @@ typedef struct {
 uint32_t ActivePcrBanks;
 } EFI_TCG2_BOOT_SERVICE_CAPABILITY;
-typedef struct {
- uint32_t PCRIndex;
- uint32_t EventType;
- struct {
- uint8_t Digest[20];
- } Digest;
- uint32_t EventSize;
- uint8_t Event[];
-} _packed_ TCG_PCR_EVENT;
-
 typedef struct {
 uint32_t HeaderSize;
 uint16_t HeaderVersion;
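Review bot: In the `tpm_log_event()` hunk of src/boot/efi/measure.c, the retained comment `/* No active TPM found, so don't return an error */` no longer describes the fallback branch. That branch is reached when neither the TCG2 nor the CC measurement protocol is available, which now includes machines that have only a TPM 1.2. On such machines the function returns `EFI_SUCCESS` without extending anything, and `*ret_measured = false` is the only signal that no measurement took place. I would reword it, e.g. `/* No TPM 2.0 and no CC measurement protocol found (TPM 1.2 is not supported): nothing was measured, but that is not an error */`. The function starts and ends outside the hunk, so how callers that pass `ret_measured == NULL` learn about the skipped measurement is not visible here.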
@@ -77,27 +64,6 @@ typedef struct {
 uint8_t Event[];
 } _packed_ EFI_TCG2_TAGGED_EVENT;
-typedef struct EFI_TCG_PROTOCOL EFI_TCG_PROTOCOL;
-struct EFI_TCG_PROTOCOL {
- EFI_STATUS (EFIAPI *StatusCheck)(
- EFI_TCG_PROTOCOL *This,
- EFI_TCG_BOOT_SERVICE_CAPABILITY *ProtocolCapability,
- uint32_t *TCGFeatureFlags,
- EFI_PHYSICAL_ADDRESS *EventLogLocation,
- EFI_PHYSICAL_ADDRESS *EventLogLastEntry);
- void *HashAll;
- void *LogEvent;
- void *PassThroughToTpm;
- EFI_STATUS (EFIAPI *HashLogExtendEvent)(
- EFI_TCG_PROTOCOL *This,
- EFI_PHYSICAL_ADDRESS HashData,
- uint64_t HashDataLen,
- uint32_t AlgorithmId,
- TCG_PCR_EVENT *TCGLogData,
- uint32_t *EventNumber,
- EFI_PHYSICAL_ADDRESS *EventLogLastEntry);
-};
-
 typedef struct EFI_TCG2_PROTOCOL EFI_TCG2_PROTOCOL;
 struct EFI_TCG2_PROTOCOL {
 EFI_STATUS (EFIAPI *GetCapability)(