From 16b3bb1a1bb8a0a42ad6eb56fd33dcb800c8af04 Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Thu, 29 Jun 2023 23:41:48 +0100 Subject: [PATCH] boot: measure .sbat section We are now merging .sbat sections from sd-stub and kernel image, so measure it in PCR11. (cherry picked from commit d5f91cf79361cab58e32bf7b76c41ba244add75f) Resolves: RHEL-13199 --- man/systemd-measure.xml | 8 +++++--- src/boot/measure.c | 3 +++ src/fundamental/tpm-pcr.c | 1 + src/fundamental/tpm-pcr.h | 1 + 4 files changed, 10 insertions(+), 3 deletions(-) diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml index 46fc979654..e08dbcdac9 100644 --- a/man/systemd-measure.xml +++ b/man/systemd-measure.xml @@ -66,9 +66,10 @@ Pre-calculate the expected values seen in PCR register 11 after boot-up of a unified kernel image consisting of the components specified with , , , , - , , see below. Only - is mandatory. (Alternatively, specify to use the - current values of PCR register 11 instead.) + , , , + see below. Only is mandatory. (Alternatively, + specify to use the current values of PCR register 11 instead.) + @@ -104,6 +105,7 @@ + When used with the calculate or sign verb, diff --git a/src/boot/measure.c b/src/boot/measure.c index 67ab84753e..84a7c357a4 100644 --- a/src/boot/measure.c +++ b/src/boot/measure.c @@ -80,6 +80,7 @@ static int help(int argc, char *argv[], void *userdata) { " --splash=PATH Path to splash bitmap file %7$s .splash\n" " --dtb=PATH Path to Devicetree file %7$s .dtb\n" " --uname=PATH Path to 'uname -r' file %7$s .uname\n" + " --sbat=PATH Path to SBAT file %7$s .sbat\n" " --pcrpkey=PATH Path to public key for PCR signatures %7$s .pcrpkey\n" "\nSee the %2$s for details.\n", program_invocation_short_name, @@ -120,6 +121,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_SPLASH, ARG_DTB, ARG_UNAME, + ARG_SBAT, _ARG_PCRSIG, /* the .pcrsig section is not input for signing, hence not actually an argument here */ _ARG_SECTION_LAST, ARG_PCRPKEY = _ARG_SECTION_LAST, @@ -142,6 +144,7 @@ static int parse_argv(int argc, char *argv[]) { { "splash", required_argument, NULL, ARG_SPLASH }, { "dtb", required_argument, NULL, ARG_DTB }, { "uname", required_argument, NULL, ARG_UNAME }, + { "sbat", required_argument, NULL, ARG_SBAT }, { "pcrpkey", required_argument, NULL, ARG_PCRPKEY }, { "current", no_argument, NULL, 'c' }, { "bank", required_argument, NULL, ARG_BANK }, diff --git a/src/fundamental/tpm-pcr.c b/src/fundamental/tpm-pcr.c index 0685d37b05..2f7e9b428d 100644 --- a/src/fundamental/tpm-pcr.c +++ b/src/fundamental/tpm-pcr.c @@ -12,6 +12,7 @@ const char* const unified_sections[_UNIFIED_SECTION_MAX + 1] = { [UNIFIED_SECTION_SPLASH] = ".splash", [UNIFIED_SECTION_DTB] = ".dtb", [UNIFIED_SECTION_UNAME] = ".uname", + [UNIFIED_SECTION_SBAT] = ".sbat", [UNIFIED_SECTION_PCRSIG] = ".pcrsig", [UNIFIED_SECTION_PCRPKEY] = ".pcrpkey", NULL, diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/tpm-pcr.h index 24240b82ed..794d593825 100644 --- a/src/fundamental/tpm-pcr.h +++ b/src/fundamental/tpm-pcr.h @@ -35,6 +35,7 @@ typedef enum UnifiedSection { UNIFIED_SECTION_SPLASH, UNIFIED_SECTION_DTB, UNIFIED_SECTION_UNAME, + UNIFIED_SECTION_SBAT, UNIFIED_SECTION_PCRSIG, UNIFIED_SECTION_PCRPKEY, _UNIFIED_SECTION_MAX,