From 0f0bed8be6f24b26e076609d3a0b9b3365856b57 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 28 Jun 2024 19:48:32 +0200
Subject: [PATCH] measure: introduce support for a new ".profile" section
This introduces the concept, and makes sure systemd-measure covers it. See a later commit for details on the new section.
---
 man/systemd-measure.xml | 12 ++++++++----
 src/boot/measure.c | 7 +++++--
 tools/command_ignorelist | 1 +
 3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 931b62c12e7..9b991e87b31 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -76,9 +76,9 @@ kernel image consisting of the components specified with , , , , , , , - , , see below. Only - is mandatory. (Alternatively, specify to use the - current values of PCR register 11 instead.) + , , , + , see below. Only is mandatory. (Alternatively, + specify to use the current values of PCR register 11 instead.)
@@ -124,6 +124,7 @@ + When used with the calculate or sign verb, configures the files to read the unified kernel image components from. Each option corresponds with
@@ -131,7 +132,10 @@ the path to the ELF kernel file that the unified PE kernel will wrap. All switches except are optional. Each option may be used at most once. - + + + With the exception of , which has been added in version + 257.
diff --git a/src/boot/measure.c b/src/boot/measure.c
index b7508edf65b..1af5fef720f 100644
--- a/src/boot/measure.c
+++ b/src/boot/measure.c
@@ -100,6 +100,7 @@ static int help(int argc, char *argv[], void *userdata) {
 " --uname=PATH Path to 'uname -r' file %7$s .uname\n"
 " --sbat=PATH Path to SBAT file %7$s .sbat\n"
 " --pcrpkey=PATH Path to public key for PCR signatures %7$s .pcrpkey\n"
+ " --profile=PATH Path to profile file %7$s .profile\n"
 "\nSee the %2$s for details.\n",
 program_invocation_short_name,
 link,
@@ -142,8 +143,9 @@ static int parse_argv(int argc, char *argv[]) {
 ARG_UNAME,
 ARG_SBAT,
 _ARG_PCRSIG, /* the .pcrsig section is not input for signing, hence not actually an argument here */
+ ARG_PCRPKEY,
 _ARG_SECTION_LAST,
- ARG_PCRPKEY = _ARG_SECTION_LAST,
+ ARG_PROFILE = _ARG_SECTION_LAST,
 ARG_BANK,
 ARG_PRIVATE_KEY,
 ARG_PRIVATE_KEY_SOURCE,
@@ -169,6 +171,7 @@ static int parse_argv(int argc, char *argv[]) {
 { "uname", required_argument, NULL, ARG_UNAME },
 { "sbat", required_argument, NULL, ARG_SBAT },
 { "pcrpkey", required_argument, NULL, ARG_PCRPKEY },
+ { "profile", required_argument, NULL, ARG_PROFILE },
 { "current", no_argument, NULL, 'c' },
 { "bank", required_argument, NULL, ARG_BANK },
 { "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
@@ -188,7 +191,7 @@ static int parse_argv(int argc, char *argv[]) {
 assert(argv); /* Make sure the arguments list and the section list, stays in sync */
- //assert_cc(_ARG_SECTION_FIRST + _UNIFIED_SECTION_MAX == _ARG_SECTION_LAST + 1);
+ assert_cc(_ARG_SECTION_FIRST + _UNIFIED_SECTION_MAX == _ARG_SECTION_LAST + 1);
 while ((c = getopt_long(argc, argv, "hjc", options, NULL)) >= 0)
 switch (c) {
diff --git a/tools/command_ignorelist b/tools/command_ignorelist
index fa160d17c63..6d0a81f3309 100644
--- a/tools/command_ignorelist
+++ b/tools/command_ignorelist
@@ -568,3 +568,4 @@ file-hierarchy.xml /refsect1[title="Home Directory"]/variablelist/varlistentry[t
 file-hierarchy.xml /refsect1[title="Home Directory"]/variablelist/varlistentry[term="~/.local/lib/arch-id/"]
 file-hierarchy.xml /refsect1[title="Home Directory"]/variablelist/varlistentry[term="~/.local/share/"]
 file-hierarchy.xml /refsect1[title="Home Directory"]/variablelist/varlistentry[term="~/.local/state/"]
+systemd-measure.xml /refsect1[title="Options"]/variablelist/varlistentry[term="--linux=PATH"]
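Review bot: The re-enabled `assert_cc(_ARG_SECTION_FIRST + _UNIFIED_SECTION_MAX == _ARG_SECTION_LAST + 1)` only checks that the ARG_* section block has as many entries as the unified-section enum, not that `ARG_PROFILE` (new in the `@@ -142,8 +143,9 @@` hunk) sits at the same position as the `.profile` entry there, so a future section inserted in a different order would still compile but pair the wrong file with the wrong section name. parse_argv begins outside the hunk, but the `_ARG_SECTION_FIRST` arithmetic in the assertion suggests the section index is derived positionally from the enumerator, which makes the ordering an invariant rather than a convention. A one-line comment on the enum block, e.g. `/* Keep this block in the same order as the UNIFIED_SECTION_* enum: the section index is derived from the enumerator offset, and assert_cc() below only checks the count */`, would state that where the next section gets added. Because these inputs feed the pre-computed PCR 11 values, a mis-mapped section would surface only as a policy mismatch at boot, not as a build error.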