From 49586386d23c0aef7e40ab6922a484b2ed64edc6 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 14 Nov 2022 17:26:45 +0100 Subject: [PATCH] pcrphase: add $SYSTEMD_PCRPHASE_STUB_VERIFY env var for overriding stub check (cherry picked from commit 6337be0a4ec2d3cf3268b51aa705ee58cfb2b394) Related: RHEL-16182 --- docs/ENVIRONMENT.md | 7 ++++++- src/boot/pcrphase.c | 35 ++++++++++++++++++++++++----------- 2 files changed, 30 insertions(+), 12 deletions(-) diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md index f1a4692b59..7b2dd13673 100644 --- a/docs/ENVIRONMENT.md +++ b/docs/ENVIRONMENT.md @@ -471,7 +471,7 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \ `systemd-journald`: -* `$SYSTEMD_JOURNAL_COMPACT` - Takes a boolean. If enabled, journal files are written +* `$SYSTEMD_JOURNAL_COMPACT` – Takes a boolean. If enabled, journal files are written in a more compact format that reduces the amount of disk space required by the journal. Note that journal files in compact mode are limited to 4G to allow use of 32-bit offsets. Enabled by default. @@ -483,3 +483,8 @@ SYSTEMD_HOME_DEBUG_SUFFIX=foo \ compression mode of existing journal files are not changed. To make the specified algorithm takes an effect immediately, you need to explicitly run `journalctl --rotate`. + +`systemd-pcrphase`: + +* `$SYSTEMD_PCRPHASE_STUB_VERIFY` – Takes a boolean. If false the requested + measurement is done even if no EFI stub usage was reported via EFI variables. diff --git a/src/boot/pcrphase.c b/src/boot/pcrphase.c index 267f66767c..f57d628e84 100644 --- a/src/boot/pcrphase.c +++ b/src/boot/pcrphase.c @@ -5,6 +5,7 @@ #include #include "efivars.h" +#include "env-util.h" #include "main-func.h" #include "openssl-util.h" #include "parse-util.h" @@ -174,21 +175,33 @@ static int run(int argc, char *argv[]) { length = strlen(word); + int b = getenv_bool("SYSTEMD_PCRPHASE_STUB_VERIFY"); + if (b < 0 && b != -ENXIO) + log_warning_errno(b, "Unable to parse $SYSTEMD_PCRPHASE_STUB_VERIFY value, ignoring."); + /* Skip logic if sd-stub is not used, after all PCR 11 might have a very different purpose then. */ r = efi_get_variable_string(EFI_LOADER_VARIABLE(StubPcrKernelImage), &pcr_string); if (r == -ENOENT) { - log_info("Kernel stub did not measure kernel image into PCR %u, skipping measurement.", TPM_PCR_INDEX_KERNEL_IMAGE); - return EXIT_SUCCESS; - } - if (r < 0) + if (b != 0) { + log_info("Kernel stub did not measure kernel image into PCR %u, skipping measurement.", TPM_PCR_INDEX_KERNEL_IMAGE); + return EXIT_SUCCESS; + } else + log_notice("Kernel stub did not measure kernel image into PCR %u, but told to measure anyway, hence proceeding.", TPM_PCR_INDEX_KERNEL_IMAGE); + } else if (r < 0) return log_error_errno(r, "Failed to read StubPcrKernelImage EFI variable: %m"); - - /* Let's validate that the stub announced PCR 11 as we expected. */ - r = safe_atou(pcr_string, &pcr_nr); - if (r < 0) - return log_error_errno(r, "Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string); - if (pcr_nr != TPM_PCR_INDEX_KERNEL_IMAGE) - return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Kernel stub measured kernel image into PCR %u, which is different than expected %u.", pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE); + else { + /* Let's validate that the stub announced PCR 11 as we expected. */ + r = safe_atou(pcr_string, &pcr_nr); + if (r < 0) + return log_error_errno(r, "Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string); + if (pcr_nr != TPM_PCR_INDEX_KERNEL_IMAGE) { + if (b != 0) + return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Kernel stub measured kernel image into PCR %u, which is different than expected %u.", pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE); + else + log_notice("Kernel stub measured kernel image into PCR %u, which is different than expected %u, but told to measure anyway, hence proceeding.", pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE); + } else + log_debug("Kernel stub reported same PCR %u as we want to use, proceeding.", TPM_PCR_INDEX_KERNEL_IMAGE); + } r = dlopen_tpm2(); if (r < 0)