59 lines
3.0 KiB
Diff
59 lines
3.0 KiB
Diff
From 23d58876e6301dd33f0f039a2cacb95a340dc2ea Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
Date: Fri, 7 Jul 2023 16:30:20 +0100
|
|
Subject: [PATCH] efi: don't pull kernel cmdline from SMBIOS in a confidential
|
|
VM
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
In a confidential VM, the SMBIOS data is not trusted, as it is under the
|
|
control of the host OS/admin and not covered by attestation of the machine.
|
|
|
|
Fixes: https://github.com/systemd/systemd/issues/27604
|
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
(cherry picked from commit 4b1153cfcc397df5a095f2ec7e587787e8ba47ee)
|
|
|
|
Related: RHEL-50651
|
|
---
|
|
src/boot/efi/stub.c | 26 +++++++++++++++-----------
|
|
1 file changed, 15 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
|
|
index 2c7c56de3e..93843f015a 100644
|
|
--- a/src/boot/efi/stub.c
|
|
+++ b/src/boot/efi/stub.c
|
|
@@ -494,17 +494,21 @@ static EFI_STATUS real_main(EFI_HANDLE image) {
|
|
log_error_status(err, "Error loading UKI-specific addons, ignoring: %m");
|
|
parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
|
|
|
|
- const char *extra = smbios_find_oem_string("io.systemd.stub.kernel-cmdline-extra");
|
|
- if (extra) {
|
|
- _cleanup_free_ char16_t *tmp = TAKE_PTR(cmdline), *extra16 = xstr8_to_16(extra);
|
|
- cmdline = xasprintf("%ls %ls", tmp, extra16);
|
|
-
|
|
- /* SMBIOS strings are measured in PCR1, but we also want to measure them in our specific
|
|
- * PCR12, as firmware-owned PCRs are very difficult to use as they'll contain unpredictable
|
|
- * measurements that are not under control of the machine owner. */
|
|
- m = false;
|
|
- (void) tpm_log_load_options(extra16, &m);
|
|
- parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
|
|
+ /* SMBIOS OEM Strings data is controlled by the host admin and not covered
|
|
+ * by the VM attestation, so MUST NOT be trusted when in a confidential VM */
|
|
+ if (!is_confidential_vm()) {
|
|
+ const char *extra = smbios_find_oem_string("io.systemd.stub.kernel-cmdline-extra");
|
|
+ if (extra) {
|
|
+ _cleanup_free_ char16_t *tmp = TAKE_PTR(cmdline), *extra16 = xstr8_to_16(extra);
|
|
+ cmdline = xasprintf("%ls %ls", tmp, extra16);
|
|
+
|
|
+ /* SMBIOS strings are measured in PCR1, but we also want to measure them in our specific
|
|
+ * PCR12, as firmware-owned PCRs are very difficult to use as they'll contain unpredictable
|
|
+ * measurements that are not under control of the machine owner. */
|
|
+ m = false;
|
|
+ (void) tpm_log_load_options(extra16, &m);
|
|
+ parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
|
|
+ }
|
|
}
|
|
|
|
export_variables(loaded_image);
|