1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

Merge pull request #31456 from poettering/tpm1.2-no-more

sd-stub: drop any support for TPM 1.2
This commit is contained in:
Lennart Poettering 2024-02-23 14:52:20 +01:00 committed by GitHub
commit bebe5f1a74
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 16 additions and 116 deletions

7
NEWS
View File

@ -26,6 +26,13 @@ CHANGES WITH 256 in spe:
a private VLAN variant of the proxy ARP supported by the kernel
under the name IPv4ProxyARPPrivateVLAN=.
* TPM 1.2 PCR measurement support has been removed from
systemd-stub. TPM 1.2 is obsolete and — due to the (by today's
standards) weak cryptographic algorithms it only supports — does not
actually provide the security benefits it's supposed to
provide. Given that the rest of systemd's codebase never supported
TPM 1.2 the support has now been removed from systemd-stub as well.
CHANGES WITH 255:
Announcements of Future Feature Removals and Incompatible Changes:

2
TODO
View File

@ -128,8 +128,6 @@ Deprecations and removals:
* Once baseline is 4.13, remove support for INTERFACE_OLD= checks in "udevadm
trigger"'s waiting logic, since we can then rely on uuid-tagged uevents
* remove remaining tpm1.2 support from sd-stub
Features:
* vmspawn: to speed up boot let's disable all PCR banks in swtpm except for

View File

@ -10,39 +10,6 @@
#include "tpm2-pcr.h"
#include "util.h"
static EFI_STATUS tpm1_measure_to_pcr_and_event_log(
const EFI_TCG_PROTOCOL *tcg,
uint32_t pcrindex,
EFI_PHYSICAL_ADDRESS buffer,
size_t buffer_size,
const char16_t *description) {
_cleanup_free_ TCG_PCR_EVENT *tcg_event = NULL;
EFI_PHYSICAL_ADDRESS event_log_last;
uint32_t event_number = 1;
size_t desc_len;
assert(tcg);
assert(description);
desc_len = strsize16(description);
tcg_event = xmalloc(offsetof(TCG_PCR_EVENT, Event) + desc_len);
*tcg_event = (TCG_PCR_EVENT) {
.EventSize = desc_len,
.PCRIndex = pcrindex,
.EventType = EV_IPL,
};
memcpy(tcg_event->Event, description, desc_len);
return tcg->HashLogExtendEvent(
(EFI_TCG_PROTOCOL *) tcg,
buffer, buffer_size,
TCG_ALG_SHA,
tcg_event,
&event_number,
&event_log_last);
}
static EFI_STATUS tpm2_measure_to_pcr_and_tagged_event_log(
EFI_TCG2_PROTOCOL *tcg,
uint32_t pcrindex,
@ -187,37 +154,6 @@ static EFI_CC_MEASUREMENT_PROTOCOL *cc_interface_check(void) {
return cc;
}
static EFI_TCG_PROTOCOL *tcg1_interface_check(void) {
EFI_PHYSICAL_ADDRESS event_log_location, event_log_last_entry;
EFI_TCG_BOOT_SERVICE_CAPABILITY capability = {
.Size = sizeof(capability),
};
EFI_STATUS err;
uint32_t features;
EFI_TCG_PROTOCOL *tcg;
err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_TCG_PROTOCOL), NULL, (void **) &tcg);
if (err != EFI_SUCCESS)
return NULL;
err = tcg->StatusCheck(
tcg,
&capability,
&features,
&event_log_location,
&event_log_last_entry);
if (err != EFI_SUCCESS)
return NULL;
if (capability.TPMDeactivatedFlag)
return NULL;
if (!capability.TPMPresentFlag)
return NULL;
return tcg;
}
static EFI_TCG2_PROTOCOL *tcg2_interface_check(void) {
EFI_TCG2_BOOT_SERVICE_CAPABILITY capability = {
.Size = sizeof(capability),
@ -248,7 +184,7 @@ static EFI_TCG2_PROTOCOL *tcg2_interface_check(void) {
}
bool tpm_present(void) {
return tcg2_interface_check() || tcg1_interface_check();
return tcg2_interface_check();
}
EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
@ -271,25 +207,18 @@ EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t
if (tpm2)
err = tpm2_measure_to_pcr_and_event_log(tpm2, pcrindex, buffer, buffer_size, description);
else {
EFI_TCG_PROTOCOL *tpm1;
EFI_CC_MEASUREMENT_PROTOCOL *cc;
tpm1 = tcg1_interface_check();
if (tpm1)
err = tpm1_measure_to_pcr_and_event_log(tpm1, pcrindex, buffer, buffer_size, description);
cc = cc_interface_check();
if (cc)
err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
else {
EFI_CC_MEASUREMENT_PROTOCOL *cc;
/* No active TPM found, so don't return an error */
cc = cc_interface_check();
if (cc)
err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
else {
/* No active TPM found, so don't return an error */
if (ret_measured)
*ret_measured = false;
if (ret_measured)
*ret_measured = false;
return EFI_SUCCESS;
}
return EFI_SUCCESS;
}
}

View File

@ -3,12 +3,9 @@
#include "efi.h"
#define EFI_TCG_PROTOCOL_GUID \
GUID_DEF(0xf541796d, 0xa62e, 0x4954, 0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd)
#define EFI_TCG2_PROTOCOL_GUID \
GUID_DEF(0x607f766c, 0x7455, 0x42be, 0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
#define TCG_ALG_SHA 0x4
#define EFI_TCG2_EVENT_HEADER_VERSION 1
#define EV_IPL 13
#define EV_EVENT_TAG UINT32_C(6)
@ -48,16 +45,6 @@ typedef struct {
uint32_t ActivePcrBanks;
} EFI_TCG2_BOOT_SERVICE_CAPABILITY;
typedef struct {
uint32_t PCRIndex;
uint32_t EventType;
struct {
uint8_t Digest[20];
} Digest;
uint32_t EventSize;
uint8_t Event[];
} _packed_ TCG_PCR_EVENT;
typedef struct {
uint32_t HeaderSize;
uint16_t HeaderVersion;
@ -77,27 +64,6 @@ typedef struct {
uint8_t Event[];
} _packed_ EFI_TCG2_TAGGED_EVENT;
typedef struct EFI_TCG_PROTOCOL EFI_TCG_PROTOCOL;
struct EFI_TCG_PROTOCOL {
EFI_STATUS (EFIAPI *StatusCheck)(
EFI_TCG_PROTOCOL *This,
EFI_TCG_BOOT_SERVICE_CAPABILITY *ProtocolCapability,
uint32_t *TCGFeatureFlags,
EFI_PHYSICAL_ADDRESS *EventLogLocation,
EFI_PHYSICAL_ADDRESS *EventLogLastEntry);
void *HashAll;
void *LogEvent;
void *PassThroughToTpm;
EFI_STATUS (EFIAPI *HashLogExtendEvent)(
EFI_TCG_PROTOCOL *This,
EFI_PHYSICAL_ADDRESS HashData,
uint64_t HashDataLen,
uint32_t AlgorithmId,
TCG_PCR_EVENT *TCGLogData,
uint32_t *EventNumber,
EFI_PHYSICAL_ADDRESS *EventLogLastEntry);
};
typedef struct EFI_TCG2_PROTOCOL EFI_TCG2_PROTOCOL;
struct EFI_TCG2_PROTOCOL {
EFI_STATUS (EFIAPI *GetCapability)(