stub/measure: document and measure .uname UKI section

2024-07-22 10:44:58 +00:00 · 2023-05-21 14:32:09 +01:00 · 2023-05-21 14:32:09 +01:00 · b6f2e68602
parent e1f1b5fc62
commit b6f2e68602
5 changed files with 9 additions and 1 deletions
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@ -57,6 +57,9 @@
      <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file of
      the OS the kernel belongs to, in the <literal>.osrel</literal> PE section.</para></listitem>

+      <listitem><para>Kernel version information, i.e. the output of <command>uname -r</command> for the
+      kernel included in the UKI, in the <literal>.uname</literal> PE section.</para></listitem>
+
      <listitem><para>The initrd will be loaded from the <literal>.initrd</literal> PE section.
      </para></listitem>

--- a/src/boot/measure.c
+++ b/src/boot/measure.c
@ -83,6 +83,7 @@ static int help(int argc, char *argv[], void *userdata) {
               "     --initrd=PATH       Path to initrd image file              %7$s .initrd\n"
               "     --splash=PATH       Path to splash bitmap file             %7$s .splash\n"
               "     --dtb=PATH          Path to Devicetree file                %7$s .dtb\n"
+               "     --uname=PATH        Path to 'uname -r' file                %7$s .uname\n"
               "     --pcrpkey=PATH      Path to public key for PCR signatures  %7$s .pcrpkey\n"
               "\nSee the %2$s for details.\n",
               program_invocation_short_name,
@ -122,6 +123,7 @@ static int parse_argv(int argc, char *argv[]) {
                ARG_INITRD,
                ARG_SPLASH,
                ARG_DTB,
+                ARG_UNAME,
                _ARG_PCRSIG, /* the .pcrsig section is not input for signing, hence not actually an argument here */
                _ARG_SECTION_LAST,
                ARG_PCRPKEY = _ARG_SECTION_LAST,
@ -144,6 +146,7 @@ static int parse_argv(int argc, char *argv[]) {
                { "initrd",      required_argument, NULL, ARG_INITRD      },
                { "splash",      required_argument, NULL, ARG_SPLASH      },
                { "dtb",         required_argument, NULL, ARG_DTB         },
+                { "uname",       required_argument, NULL, ARG_UNAME       },
                { "pcrpkey",     required_argument, NULL, ARG_PCRPKEY     },
                { "current",     no_argument,       NULL, 'c'             },
                { "bank",        required_argument, NULL, ARG_BANK        },
--- a/src/fundamental/tpm-pcr.c
+++ b/src/fundamental/tpm-pcr.c
@ -11,6 +11,7 @@ const char* const unified_sections[_UNIFIED_SECTION_MAX + 1] = {
        [UNIFIED_SECTION_INITRD]  = ".initrd",
        [UNIFIED_SECTION_SPLASH]  = ".splash",
        [UNIFIED_SECTION_DTB]     = ".dtb",
+        [UNIFIED_SECTION_UNAME]   = ".uname",
        [UNIFIED_SECTION_PCRSIG]  = ".pcrsig",
        [UNIFIED_SECTION_PCRPKEY] = ".pcrpkey",
        NULL,
--- a/src/fundamental/tpm-pcr.h
+++ b/src/fundamental/tpm-pcr.h
@ -29,6 +29,7 @@ typedef enum UnifiedSection {
        UNIFIED_SECTION_INITRD,
        UNIFIED_SECTION_SPLASH,
        UNIFIED_SECTION_DTB,
+        UNIFIED_SECTION_UNAME,
        UNIFIED_SECTION_PCRSIG,
        UNIFIED_SECTION_PCRPKEY,
        _UNIFIED_SECTION_MAX,
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@ -658,10 +658,10 @@ def make_uki(opts):
        ('.osrel',   opts.os_release, True ),
        ('.cmdline', opts.cmdline,    True ),
        ('.dtb',     opts.devicetree, True ),
+        ('.uname',   opts.uname,      True ),
        ('.splash',  opts.splash,     True ),
        ('.pcrpkey', pcrpkey,         True ),
        ('.initrd',  initrd,          True ),
-        ('.uname',   opts.uname,      False),

        # linux shall be last to leave breathing room for decompression.
        # We'll add it later.