Merge pull request #31429 from poettering/pcrlock-hash-order-fix
pcrlock: handle cases where order of hash algs in firmware binary logs differs in header and records
This commit is contained in:
commit
9a7c555c68
|
@ -622,6 +622,16 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
|
|||
to expose a single device only, since those identifiers better should be kept
|
||||
unique.
|
||||
|
||||
`systemd-pcrlock`, `systemd-pcrextend`:
|
||||
|
||||
* `$SYSTEMD_MEASURE_LOG_USERSPACE` – the path to the `tpm2-measure.log` file
|
||||
(containing userspace measurement data) to read. This allows overriding the
|
||||
default of `/run/log/systemd/tpm2-measure.log`.
|
||||
|
||||
* `$SYSTEMD_MEASURE_LOG_FIRMWARE` – the path to the `binary_bios_measurements`
|
||||
file (containing firmware measurement data) to read. This allows overriding
|
||||
the default of `/sys/kernel/security/tpm0/binary_bios_measurements`.
|
||||
|
||||
Tools using the Varlink protocol (such as `varlinkctl`) or sd-bus (such as
|
||||
`busctl`):
|
||||
|
||||
|
|
|
@ -936,23 +936,30 @@ static int event_log_load_firmware(EventLog *el) {
|
|||
assert(event->digests.count == n_algorithms);
|
||||
|
||||
for (size_t i = 0; i < n_algorithms; i++, ha = ha_next) {
|
||||
ha_next = (const uint8_t*) ha + offsetof(TPMT_HA, digest) + algorithms[i].digestSize;
|
||||
|
||||
/* The TPMT_HA is not aligned in the record, hence read the hashAlg field via an unaligned read */
|
||||
assert_cc(__builtin_types_compatible_p(uint16_t, typeof(TPMI_ALG_HASH)));
|
||||
uint16_t hash_alg = unaligned_read_ne16((const uint8_t*) ha + offsetof(TPMT_HA, hashAlg));
|
||||
|
||||
if (hash_alg != algorithms[i].algorithmId)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithms in event log record don't match log.");
|
||||
/* On some systems (some HyperV?) the order of hash algorithms announced in the
|
||||
* header does not match the order in the records. Let's hence search for the right
|
||||
* mapping */
|
||||
size_t j;
|
||||
for (j = 0; j < n_algorithms; j++)
|
||||
if (hash_alg == algorithms[j].algorithmId)
|
||||
break;
|
||||
if (j >= n_algorithms)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithms in event log record not among those advertised by log header.");
|
||||
|
||||
if (!tpm2_hash_alg_to_string(algorithms[i].algorithmId))
|
||||
ha_next = (const uint8_t*) ha + offsetof(TPMT_HA, digest) + algorithms[j].digestSize;
|
||||
|
||||
if (!tpm2_hash_alg_to_string(hash_alg))
|
||||
continue;
|
||||
|
||||
r = event_log_record_add_bank(
|
||||
record,
|
||||
algorithms[i].algorithmId,
|
||||
hash_alg,
|
||||
(const uint8_t*) ha + offsetof(TPMT_HA, digest),
|
||||
algorithms[i].digestSize,
|
||||
algorithms[j].digestSize,
|
||||
/* ret= */ NULL);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to add bank to event log record: %m");
|
||||
|
|
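Review bot: Replacing the strict positional check with the `j` lookup drops the guarantee that each advertised algorithm appears at most once per record: a record whose digests list, say, the same algorithmId twice now resolves both to the same `j` and reaches `event_log_record_add_bank()` twice with that algorithm, where before the mismatch with `algorithms[i]` would have rejected it as EBADMSG. Whether the bank-add helper refuses a duplicate is not visible here, so I would make the rejection explicit in this loop, e.g. a `bool seen[n_algorithms]`-style marker (or a small bitmask when `n_algorithms` is bounded) declared before the `for` at the top of the hunk, with `if (seen[j]) return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithm listed twice in event log record.");` followed by `seen[j] = true;` right after the `j >= n_algorithms` check. Relatedly, `ha_next` is now derived from `algorithms[j].digestSize`, which comes from the firmware-supplied header; if the earlier parsing in this function bounds-checks the record against the log buffer using the header-order sizes, that check should be confirmed to still cover the reordered sizes, since the function starts outside the hunk and I cannot see it. A one-line comment above the `ha_next` assignment noting that the digest size is taken from the matched entry rather than the positional one would also help the next reader.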