94 lines
4.6 KiB
Diff
94 lines
4.6 KiB
Diff
|
From 49586386d23c0aef7e40ab6922a484b2ed64edc6 Mon Sep 17 00:00:00 2001
|
|||
|
|
From: Lennart Poettering <lennart@poettering.net>
|
|||
|
|
Date: Mon, 14 Nov 2022 17:26:45 +0100
|
|||
|
|
Subject: [PATCH] pcrphase: add $SYSTEMD_PCRPHASE_STUB_VERIFY env var for
|
|||
|
|
overriding stub check
|
|||
|
|
|
|||
|
|
(cherry picked from commit 6337be0a4ec2d3cf3268b51aa705ee58cfb2b394)
|
|||
|
|
|
|||
|
|
Related: RHEL-16182
|
|||
|
|
---
|
|||
|
|
docs/ENVIRONMENT.md | 7 ++++++-
|
|||
|
|
src/boot/pcrphase.c | 35 ++++++++++++++++++++++++-----------
|
|||
|
|
2 files changed, 30 insertions(+), 12 deletions(-)
|
|||
|
|
|
|||
|
|
diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
|
|||
|
|
index f1a4692b59..7b2dd13673 100644
|
|||
|
|
--- a/docs/ENVIRONMENT.md
|
|||
|
|
+++ b/docs/ENVIRONMENT.md
|
|||
|
|
@@ -471,7 +471,7 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
|
|||
|
|
|
|||
|
|
`systemd-journald`:
|
|||
|
|
|
|||
|
|
-* `$SYSTEMD_JOURNAL_COMPACT` - Takes a boolean. If enabled, journal files are written
|
|||
|
|
+* `$SYSTEMD_JOURNAL_COMPACT` – Takes a boolean. If enabled, journal files are written
|
|||
|
|
in a more compact format that reduces the amount of disk space required by the
|
|||
|
|
journal. Note that journal files in compact mode are limited to 4G to allow use of
|
|||
|
|
32-bit offsets. Enabled by default.
|
|||
|
|
@@ -483,3 +483,8 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \
|
|||
|
|
compression mode of existing journal files are not changed. To make the
|
|||
|
|
specified algorithm takes an effect immediately, you need to explicitly run
|
|||
|
|
`journalctl --rotate`.
|
|||
|
|
+
|
|||
|
|
+`systemd-pcrphase`:
|
|||
|
|
+
|
|||
|
|
+* `$SYSTEMD_PCRPHASE_STUB_VERIFY` – Takes a boolean. If false the requested
|
|||
|
|
+ measurement is done even if no EFI stub usage was reported via EFI variables.
|
|||
|
|
diff --git a/src/boot/pcrphase.c b/src/boot/pcrphase.c
|
|||
|
|
index 267f66767c..f57d628e84 100644
|
|||
|
|
--- a/src/boot/pcrphase.c
|
|||
|
|
+++ b/src/boot/pcrphase.c
|
|||
|
|
@@ -5,6 +5,7 @@
|
|||
|
|
#include <sd-messages.h>
|
|||
|
|
|
|||
|
|
#include "efivars.h"
|
|||
|
|
+#include "env-util.h"
|
|||
|
|
#include "main-func.h"
|
|||
|
|
#include "openssl-util.h"
|
|||
|
|
#include "parse-util.h"
|
|||
|
|
@@ -174,21 +175,33 @@ static int run(int argc, char *argv[]) {
|
|||
|
|
|
|||
|
|
length = strlen(word);
|
|||
|
|
|
|||
|
|
+ int b = getenv_bool("SYSTEMD_PCRPHASE_STUB_VERIFY");
|
|||
|
|
+ if (b < 0 && b != -ENXIO)
|
|||
|
|
+ log_warning_errno(b, "Unable to parse $SYSTEMD_PCRPHASE_STUB_VERIFY value, ignoring.");
|
|||
|
|
+
|
|||
|
|
/* Skip logic if sd-stub is not used, after all PCR 11 might have a very different purpose then. */
|
|||
|
|
r = efi_get_variable_string(EFI_LOADER_VARIABLE(StubPcrKernelImage), &pcr_string);
|
|||
|
|
if (r == -ENOENT) {
|
|||
|
|
- log_info("Kernel stub did not measure kernel image into PCR %u, skipping measurement.", TPM_PCR_INDEX_KERNEL_IMAGE);
|
|||
|
|
- return EXIT_SUCCESS;
|
|||
|
|
- }
|
|||
|
|
- if (r < 0)
|
|||
|
|
+ if (b != 0) {
|
|||
|
|
+ log_info("Kernel stub did not measure kernel image into PCR %u, skipping measurement.", TPM_PCR_INDEX_KERNEL_IMAGE);
|
|||
|
|
+ return EXIT_SUCCESS;
|
|||
|
|
+ } else
|
|||
|
|
+ log_notice("Kernel stub did not measure kernel image into PCR %u, but told to measure anyway, hence proceeding.", TPM_PCR_INDEX_KERNEL_IMAGE);
|
|||
|
|
+ } else if (r < 0)
|
|||
|
|
return log_error_errno(r, "Failed to read StubPcrKernelImage EFI variable: %m");
|
|||
|
|
-
|
|||
|
|
- /* Let's validate that the stub announced PCR 11 as we expected. */
|
|||
|
|
- r = safe_atou(pcr_string, &pcr_nr);
|
|||
|
|
- if (r < 0)
|
|||
|
|
- return log_error_errno(r, "Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string);
|
|||
|
|
- if (pcr_nr != TPM_PCR_INDEX_KERNEL_IMAGE)
|
|||
|
|
- return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Kernel stub measured kernel image into PCR %u, which is different than expected %u.", pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE);
|
|||
|
|
+ else {
|
|||
|
|
+ /* Let's validate that the stub announced PCR 11 as we expected. */
|
|||
|
|
+ r = safe_atou(pcr_string, &pcr_nr);
|
|||
|
|
+ if (r < 0)
|
|||
|
|
+ return log_error_errno(r, "Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string);
|
|||
|
|
+ if (pcr_nr != TPM_PCR_INDEX_KERNEL_IMAGE) {
|
|||
|
|
+ if (b != 0)
|
|||
|
|
+ return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Kernel stub measured kernel image into PCR %u, which is different than expected %u.", pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE);
|
|||
|
|
+ else
|
|||
|
|
+ log_notice("Kernel stub measured kernel image into PCR %u, which is different than expected %u, but told to measure anyway, hence proceeding.", pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE);
|
|||
|
|
+ } else
|
|||
|
|
+ log_debug("Kernel stub reported same PCR %u as we want to use, proceeding.", TPM_PCR_INDEX_KERNEL_IMAGE);
|
|||
|
|
+ }
|
|||
|
|
|
|||
|
|
r = dlopen_tpm2();
|
|||
|
|
if (r < 0)
|