Merge pull request #31429 from poettering/pcrlock-hash-order-fix

pcrlock: handle cases where order of hash algs in firmware binary logs differs in header and records
2024-10-14 20:17:52 +00:00 · 2024-02-22 08:29:56 +09:00 · 2024-02-22 08:29:56 +09:00 · 9a7c555c68
parent 0584e2aa7c e90a255e55
commit 9a7c555c68
2 changed files with 24 additions and 7 deletions
--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
@ -622,6 +622,16 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
  to expose a single device only, since those identifiers better should be kept
  unique.

+`systemd-pcrlock`, `systemd-pcrextend`:
+
+* `$SYSTEMD_MEASURE_LOG_USERSPACE` – the path to the `tpm2-measure.log` file
+  (containing userspace measurement data) to read. This allows overriding the
+  default of `/run/log/systemd/tpm2-measure.log`.
+
+* `$SYSTEMD_MEASURE_LOG_FIRMWARE` – the path to the `binary_bios_measurements`
+  file (containing firmware measurement data) to read. This allows overriding
+  the default of `/sys/kernel/security/tpm0/binary_bios_measurements`.
+
 Tools using the Varlink protocol (such as `varlinkctl`) or sd-bus (such as
 `busctl`):

--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@ -936,23 +936,30 @@ static int event_log_load_firmware(EventLog *el) {
                assert(event->digests.count == n_algorithms);

                for (size_t i = 0; i < n_algorithms; i++, ha = ha_next) {
-                        ha_next = (const uint8_t*) ha + offsetof(TPMT_HA, digest) + algorithms[i].digestSize;
-
                        /* The TPMT_HA is not aligned in the record, hence read the hashAlg field via an unaligned read */
                        assert_cc(__builtin_types_compatible_p(uint16_t, typeof(TPMI_ALG_HASH)));
                        uint16_t hash_alg = unaligned_read_ne16((const uint8_t*) ha + offsetof(TPMT_HA, hashAlg));

-                        if (hash_alg != algorithms[i].algorithmId)
-                                return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithms in event log record don't match log.");
+                        /* On some systems (some HyperV?) the order of hash algorithms announced in the
+                         * header does not match the order in the records. Let's hence search for the right
+                         * mapping */
+                        size_t j;
+                        for (j = 0; j < n_algorithms; j++)
+                                if (hash_alg == algorithms[j].algorithmId)
+                                        break;
+                        if (j >= n_algorithms)
+                                return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithms in event log record not among those advertised by log header.");

-                        if (!tpm2_hash_alg_to_string(algorithms[i].algorithmId))
+                        ha_next = (const uint8_t*) ha + offsetof(TPMT_HA, digest) + algorithms[j].digestSize;
+
+                        if (!tpm2_hash_alg_to_string(hash_alg))
                                continue;

                        r = event_log_record_add_bank(
                                        record,
-                                        algorithms[i].algorithmId,
+                                        hash_alg,
                                        (const uint8_t*) ha + offsetof(TPMT_HA, digest),
-                                        algorithms[i].digestSize,
+                                        algorithms[j].digestSize,
                                        /* ret= */ NULL);
                        if (r < 0)
                                return log_error_errno(r, "Failed to add bank to event log record: %m");