shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-02-09 09:57:26 +03:00
Code

shared/efi-loader: fix compilation with !ENABLE_EFI, improve messages

Browse Source 
When compiled without ENABLE_EFI, efi_stub_measured() was not defined, so
compilation would fail. But it's not enough to add a stub that returns
-EOPNOTSUPP. We call this function in various places and usually print the error
at warning or error level, so we'd print a confusing message. We also can't add
a stub that always returns 0, because then we'd print a message like "Kernel
stub did not measure", which would be confusing too. Adding special handling for
-EOPNOTSUPP in every caller is also unattractive. So instead efi_stub_measured()
is reworked to log the warning or error internally, and such logging is removed
from the callers, and a stub is added that logs a custom message.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2023-01-24 22:45:25 +01:00 committed by Luca Boccassi
parent 1d62f3a7a1
commit 2f6c52b919
6 changed files with 27 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/boot/pcrphase.c
View File

@ -334,9 +334,9 @@ static int run(int argc, char *argv[]) {
length = strlen(word);
/* Skip logic if sd-stub is not used, after all PCR 11 might have a very different purpose then. */
r = efi_stub_measured();
r = efi_stub_measured(LOG_ERR);
if (r < 0)
return log_error_errno(r, "Failed to detect if we are running on a kernel image with TPM measurement enabled: %m");
return r;
if (r == 0) {
log_info("Kernel stub did not measure kernel image into PCR %u, skipping userspace measurement, too.", TPM_PCR_INDEX_KERNEL_IMAGE);
return EXIT_SUCCESS;

4
src/cryptsetup/cryptsetup.c
View File

@ -828,9 +828,9 @@ static int measure_volume_key(
return 0;
}
r = efi_stub_measured();
r = efi_stub_measured(LOG_WARNING);
if (r < 0)
return log_warning_errno(r, "Failed to detect if we are running on a kernel image with TPM measurement enabled: %m");
return r;
if (r == 0) {
log_debug("Kernel stub did not measure kernel image into the expected PCR, skipping userspace measurement, too.");
return 0;

8
src/fstab-generator/fstab-generator.c
View File

@ -530,12 +530,10 @@ static int add_mount(
}
if (flags & MOUNT_PCRFS) {
r = efi_stub_measured();
if (r < 0)
log_warning_errno(r, "Failed to detect if we are running on a kernel image with TPM measurement enabled, assuming not: %m");
else if (r == 0)
r = efi_stub_measured(LOG_WARNING);
if (r == 0)
log_debug("Kernel stub did not measure kernel image into PCR, skipping userspace measurement, too.");
else {
else if (r > 0) {
r = generator_hook_up_pcrfs(dest, where, target_unit);
if (r < 0)
return r;

12
src/gpt-auto-generator/gpt-auto-generator.c
View File

@ -102,13 +102,13 @@ static int add_cryptsetup(
* assignment, under the assumption that people who are fine to use sd-stub with its PCR
* assignments are also OK with our PCR 15 use here. */
r = efi_stub_measured();
if (r < 0)
log_warning_errno(r, "Failed to determine whether booted via systemd-stub with measurements enabled, ignoring: %m");
else if (r == 0)
r = efi_stub_measured(LOG_WARNING);
if (r == 0)
log_debug("Will not measure volume key of volume '%s', because not booted via systemd-stub with measurements enabled.", id);
else if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes"))
return log_oom();
else if (r > 0) {
if (!strextend_with_separator(&options, ",", "tpm2-measure-pcr=yes"))
return log_oom();
}
}
r = generator_write_cryptsetup_service_section(f, id, what, NULL, options);

12
src/shared/efi-loader.c
View File

@ -238,7 +238,7 @@ int efi_stub_get_features(uint64_t *ret) {
return 0;
}
int efi_stub_measured(void) {
int efi_stub_measured(int log_level) {
_cleanup_free_ char *pcr_string = NULL;
unsigned pcr_nr;
int r;
@ -264,13 +264,17 @@ int efi_stub_measured(void) {
if (r == -ENOENT)
return 0;
if (r < 0)
return r;
return log_full_errno(log_level, r,
"Failed to get StubPcrKernelImage EFI variable: %m");
r = safe_atou(pcr_string, &pcr_nr);
if (r < 0)
return log_debug_errno(r, "Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string);
return log_full_errno(log_level, r,
"Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string);
if (pcr_nr != TPM_PCR_INDEX_KERNEL_IMAGE)
return log_debug_errno(SYNTHETIC_ERRNO(EREMOTE), "Kernel stub measured kernel image into PCR %u, which is different than expected %u.", pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE);
return log_full_errno(log_level, SYNTHETIC_ERRNO(EREMOTE),
"Kernel stub measured kernel image into PCR %u, which is different than expected %u.",
pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE);
return 1;
}

7
src/shared/efi-loader.h
View File

@ -18,7 +18,7 @@ int efi_loader_get_entries(char ***ret);
int efi_loader_get_features(uint64_t *ret);
int efi_stub_get_features(uint64_t *ret);
int efi_stub_measured(void);
int efi_stub_measured(int log_level);
int efi_loader_get_config_timeout_one_shot(usec_t *ret);
int efi_loader_update_entry_one_shot_cache(char **cache, struct stat *cache_stat);
@ -45,6 +45,11 @@ static inline int efi_stub_get_features(uint64_t *ret) {
return -EOPNOTSUPP;
}
static inline int efi_stub_measured(int log_level) {
return log_full_errno(log_level, SYNTHETIC_ERRNO(EOPNOTSUPP),
"Compiled without support for EFI");
}
static inline int efi_loader_get_config_timeout_one_shot(usec_t *ret) {
return -EOPNOTSUPP;
}