systemd/1040-efi-don-t-pull-kernel-cmdline-from-SMBIOS-in-a-confi.patch

59 lines
3.0 KiB
Diff
Raw Permalink Normal View History

From 23d58876e6301dd33f0f039a2cacb95a340dc2ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 7 Jul 2023 16:30:20 +0100
Subject: [PATCH] efi: don't pull kernel cmdline from SMBIOS in a confidential
VM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In a confidential VM, the SMBIOS data is not trusted, as it is under the
control of the host OS/admin and not covered by attestation of the machine.
Fixes: https://github.com/systemd/systemd/issues/27604
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 4b1153cfcc397df5a095f2ec7e587787e8ba47ee)
Related: RHEL-50651
---
src/boot/efi/stub.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index 2c7c56de3e..93843f015a 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -494,17 +494,21 @@ static EFI_STATUS real_main(EFI_HANDLE image) {
log_error_status(err, "Error loading UKI-specific addons, ignoring: %m");
parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
- const char *extra = smbios_find_oem_string("io.systemd.stub.kernel-cmdline-extra");
- if (extra) {
- _cleanup_free_ char16_t *tmp = TAKE_PTR(cmdline), *extra16 = xstr8_to_16(extra);
- cmdline = xasprintf("%ls %ls", tmp, extra16);
-
- /* SMBIOS strings are measured in PCR1, but we also want to measure them in our specific
- * PCR12, as firmware-owned PCRs are very difficult to use as they'll contain unpredictable
- * measurements that are not under control of the machine owner. */
- m = false;
- (void) tpm_log_load_options(extra16, &m);
- parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
+ /* SMBIOS OEM Strings data is controlled by the host admin and not covered
+ * by the VM attestation, so MUST NOT be trusted when in a confidential VM */
+ if (!is_confidential_vm()) {
+ const char *extra = smbios_find_oem_string("io.systemd.stub.kernel-cmdline-extra");
+ if (extra) {
+ _cleanup_free_ char16_t *tmp = TAKE_PTR(cmdline), *extra16 = xstr8_to_16(extra);
+ cmdline = xasprintf("%ls %ls", tmp, extra16);
+
+ /* SMBIOS strings are measured in PCR1, but we also want to measure them in our specific
+ * PCR12, as firmware-owned PCRs are very difficult to use as they'll contain unpredictable
+ * measurements that are not under control of the machine owner. */
+ m = false;
+ (void) tpm_log_load_options(extra16, &m);
+ parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
+ }
}
export_variables(loaded_image);