stub: measure all cmdline addons together

2024-07-22 18:55:10 +00:00 · 2023-09-24 00:34:58 +01:00 · 2023-09-24 00:34:58 +01:00 · 3e6f010e03
parent 68f85761e2
commit 3e6f010e03
2 changed files with 21 additions and 16 deletions
--- a/docs/TPM2_PCR_MEASUREMENTS.md
+++ b/docs/TPM2_PCR_MEASUREMENTS.md
@ -77,12 +77,11 @@ PE section order, as per the UKI specification, see above.

 ### PCR 12, `EV_IPL`, "Kernel Command Line"

-Might happen up to four times, for kernel command lines from:
+Might happen up to three times, for kernel command lines from:

 1. Passed cmdline
- 2. System cmdline add-ons (one measurement covering all add-ons combined)
- 3. Per-UKI cmdline add-ons (one measurement covering all add-ons combined)
- 2. SMBIOS cmdline
+ 2. System and per-UKI cmdline add-ons (one measurement covering all add-ons combined)
+ 3. SMBIOS cmdline

 → **Description** in the event log record is the literal kernel command line in
 UTF-16.
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@ -257,26 +257,35 @@ static EFI_STATUS load_addons_from_dir(
 }

 static void cmdline_append_and_measure_addons(
-                char16_t *cmdline,
+                char16_t *cmdline_global,
+                char16_t *cmdline_uki,
                char16_t **cmdline_append,
                bool *ret_parameters_measured) {

-        _cleanup_free_ char16_t *tmp = NULL;
+        _cleanup_free_ char16_t *tmp = NULL, *merged = NULL;
        bool m = false;

        assert(cmdline_append);
        assert(ret_parameters_measured);

-        mangle_stub_cmdline(cmdline);
-
-        if (isempty(cmdline))
+        if (isempty(cmdline_global) && isempty(cmdline_uki))
                return;

-        (void) tpm_log_load_options(cmdline, &m);
+        merged = xasprintf("%ls%ls%ls",
+                           strempty(cmdline_global),
+                           isempty(cmdline_global) || isempty(cmdline_uki) ? u"" : u" ",
+                           strempty(cmdline_uki));
+
+        mangle_stub_cmdline(merged);
+
+        if (isempty(merged))
+                return;
+
+        (void) tpm_log_load_options(merged, &m);
        *ret_parameters_measured = m;

        tmp = TAKE_PTR(*cmdline_append);
-        *cmdline_append = xasprintf("%ls%ls%ls", strempty(tmp), isempty(tmp) ? u"" : u" ", cmdline);
+        *cmdline_append = xasprintf("%ls%ls%ls", strempty(tmp), isempty(tmp) ? u"" : u" ", merged);
 }

 static void dtb_install_addons(
@ -623,13 +632,10 @@ static EFI_STATUS run(EFI_HANDLE image) {
        }

        /* If we have any extra command line to add via PE addons, load them now and append, and
-         * measure the additions separately, after the embedded options, but before the smbios ones,
+         * measure the additions together, after the embedded options, but before the smbios ones,
         * so that the order is reversed from "most hardcoded" to "most dynamic". The global addons are
         * loaded first, and the image-specific ones later, for the same reason. */
-        cmdline_append_and_measure_addons(cmdline_addons_global, &cmdline, &m);
-        parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
-
-        cmdline_append_and_measure_addons(cmdline_addons_uki, &cmdline, &m);
+        cmdline_append_and_measure_addons(cmdline_addons_global, cmdline_addons_uki, &cmdline, &m);
        parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);

        /* SMBIOS OEM Strings data is controlled by the host admin and not covered