system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-22 02:34:54 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

boot: stop making TPM PCR to measure kernel command line into configurable

Browse source 
Everyone appears to use PCR 8 for this, hence I think it's safe to
hardcode that in systemd too.

It's also documented, like here:

https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html

or here:

https://github.com/rhboot/shim/blob/main/README.tpm

(And the previous name was a bit confusing, since we don't actually just
measure one thing anymore, but mutliple things into multiple PCRs...)
This commit is contained in:
Lennart Poettering 2021-09-20 15:10:33 +02:00
parent 845707aae2
commit faacf1807e
5 changed files with 2 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
meson.build
View file

@ -1636,8 +1636,6 @@ if get_option('efi')
have = true
conf.set_quoted('EFI_MACHINE_TYPE_NAME', EFI_MACHINE_TYPE_NAME)
conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
else
have = false
endif

2
meson_options.txt
View file

@ -416,8 +416,6 @@ option('efi-libdir', type : 'string',
description : 'path to the EFI lib directory')
option('efi-includedir', type : 'string', value : '/usr/include/efi',
description : 'path to the EFI header directory')
option('tpm-pcrindex', type : 'integer', value : 8,
description : 'TPM PCR register number to use')
option('sbat-distro', type : 'string',
description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
option('sbat-distro-generation', type : 'integer', value : 1,

2
src/boot/efi/boot.c
View file

@ -2349,7 +2349,7 @@ static EFI_STATUS image_start(
#if ENABLE_TPM
/* Try to log any options to the TPM, especially to catch manually edited options */
err = tpm_log_event(SD_TPM_PCR,
err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
(EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
if (EFI_ERROR(err))

1
src/boot/efi/meson.build
View file

@ -103,7 +103,6 @@ if have_gnu_efi
efi_conf = configuration_data()
efi_conf.set_quoted('EFI_MACHINE_TYPE_NAME', EFI_MACHINE_TYPE_NAME)
efi_conf.set10('ENABLE_TPM', get_option('tpm'))
efi_conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
foreach ctype : ['color-normal', 'color-entry', 'color-highlight', 'color-edit']
c = get_option('efi-' + ctype).split(',')

2
src/boot/efi/stub.c
View file

@ -148,7 +148,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
#if ENABLE_TPM
/* Try to log any options to the TPM, especially manually edited options */
err = tpm_log_event(SD_TPM_PCR,
err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
(EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
if (EFI_ERROR(err))