shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-02-25 21:57:32 +03:00
Code

Merge pull request #28948 from poettering/tpm2-duplicate-pcr-names

Browse Source 
tpm2: unify tpm2 PCR symbolic identifiers
This commit is contained in:
Luca Boccassi 2023-08-28 17:43:10 +01:00 committed by GitHub
commit cd4ed8579b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 174 additions and 168 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/analyze/analyze-pcrs.c
View File

@ -82,7 +82,7 @@ static int add_pcr_to_table(Table *table, const char *alg, uint32_t pcr) {
r = table_add_many(table,
TABLE_UINT32, pcr,
TABLE_STRING, pcr_index_to_string(pcr),
TABLE_STRING, tpm2_pcr_index_to_string(pcr),
TABLE_STRING, h,
TABLE_SET_COLOR, color);
if (r < 0)
@ -115,7 +115,7 @@ int verb_pcrs(int argc, char *argv[], void *userdata) {
(void) table_set_display(table, 0, 1);
if (strv_isempty(strv_skip(argv, 1)))
for (uint32_t pi = 0; pi < _PCR_INDEX_MAX_DEFINED; pi++) {
for (uint32_t pi = 0; pi < _TPM2_PCR_INDEX_MAX_DEFINED; pi++) {
r = add_pcr_to_table(table, alg, pi);
if (r < 0)
return r;
@ -124,7 +124,7 @@ int verb_pcrs(int argc, char *argv[], void *userdata) {
for (int i = 1; i < argc; i++) {
int pi;
pi = pcr_index_from_string(argv[i]);
pi = tpm2_pcr_index_from_string(argv[i]);
if (pi < 0)
return log_error_errno(pi, "PCR index \"%s\" not known.", argv[i]);

8
src/boot/efi/measure.c
View File

@ -5,7 +5,7 @@
#include "macro-fundamental.h"
#include "measure.h"
#include "proto/tcg.h"
#include "tpm-pcr.h"
#include "tpm2-pcr.h"
#include "util.h"
static EFI_STATUS tpm1_measure_to_pcr_and_event_log(
@ -202,7 +202,7 @@ EFI_STATUS tpm_log_load_options(const char16_t *load_options, bool *ret_measured
/* Measures a load options string into the TPM2, i.e. the kernel command line */
err = tpm_log_event(
TPM_PCR_INDEX_KERNEL_PARAMETERS,
TPM2_PCR_KERNEL_CONFIG,
POINTER_TO_PHYSICAL_ADDRESS(load_options),
strsize16(load_options),
load_options,
@ -210,8 +210,8 @@ EFI_STATUS tpm_log_load_options(const char16_t *load_options, bool *ret_measured
if (err != EFI_SUCCESS)
return log_error_status(
err,
"Unable to add load options (i.e. kernel command) line measurement to PCR %u: %m",
TPM_PCR_INDEX_KERNEL_PARAMETERS);
"Unable to add load options (i.e. kernel command) line measurement to PCR %i: %m",
TPM2_PCR_KERNEL_CONFIG);
if (ret_measured)
*ret_measured = measured;

19
src/boot/efi/stub.c
View File

@ -13,7 +13,8 @@
#include "secure-boot.h"
#include "shim.h"
#include "splash.h"
#include "tpm-pcr.h"
#include "tpm2-pcr.h"
#include "uki.h"
#include "util.h"
#include "version.h"
#include "vmm.h"
@ -417,7 +418,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
/* First measure the name of the section */
(void) tpm_log_event_ascii(
TPM_PCR_INDEX_KERNEL_IMAGE,
TPM2_PCR_KERNEL_BOOT,
POINTER_TO_PHYSICAL_ADDRESS(unified_sections[section]),
strsize8(unified_sections[section]), /* including NUL byte */
unified_sections[section],
@ -427,7 +428,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
/* Then measure the data of the section */
(void) tpm_log_event_ascii(
TPM_PCR_INDEX_KERNEL_IMAGE,
TPM2_PCR_KERNEL_BOOT,
POINTER_TO_PHYSICAL_ADDRESS(loaded_image->ImageBase) + addrs[section],
szs[section],
unified_sections[section],
@ -439,7 +440,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
/* After we are done, set an EFI variable that tells userspace this was done successfully, and encode
* in it which PCR was used. */
if (sections_measured > 0)
(void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelImage", TPM_PCR_INDEX_KERNEL_IMAGE, 0);
(void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelImage", TPM2_PCR_KERNEL_BOOT, 0);
/* Show splash screen as early as possible */
graphics_splash((const uint8_t*) loaded_image->ImageBase + addrs[UNIFIED_SECTION_SPLASH], szs[UNIFIED_SECTION_SPLASH]);
@ -515,7 +516,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
".extra/credentials",
/* dir_mode= */ 0500,
/* access_mode= */ 0400,
/* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS,
/* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
u"Credentials initrd",
&credential_initrd,
&credential_initrd_size,
@ -528,7 +529,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
".extra/global_credentials",
/* dir_mode= */ 0500,
/* access_mode= */ 0400,
/* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS,
/* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
u"Global credentials initrd",
&global_credential_initrd,
&global_credential_initrd_size,
@ -541,7 +542,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
".extra/sysext",
/* dir_mode= */ 0555,
/* access_mode= */ 0444,
/* tpm_pcr= */ TPM_PCR_INDEX_INITRD_SYSEXTS,
/* tpm_pcr= */ TPM2_PCR_SYSEXTS,
u"System extension initrd",
&sysext_initrd,
&sysext_initrd_size,
@ -549,9 +550,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
sysext_measured = m;
if (parameters_measured > 0)
(void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelParameters", TPM_PCR_INDEX_KERNEL_PARAMETERS, 0);
(void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelParameters", TPM2_PCR_KERNEL_CONFIG, 0);
if (sysext_measured)
(void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDSysExts", TPM_PCR_INDEX_INITRD_SYSEXTS, 0);
(void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDSysExts", TPM2_PCR_SYSEXTS, 0);
/* If the PCR signature was embedded in the PE image, then let's wrap it in a cpio and also pass it
* to the kernel, so that it can be read from /.extra/tpm2-pcr-signature.json. Note that this section

47
src/boot/measure.c
View File

@ -18,8 +18,9 @@
#include "pretty-print.h"
#include "sha256.h"
#include "terminal-util.h"
#include "tpm-pcr.h"
#include "tpm2-pcr.h"
#include "tpm2-util.h"
#include "uki.h"
#include "verbs.h"
/* Tool for pre-calculating expected TPM PCR values based on measured resources. This is intended to be used
@ -409,7 +410,7 @@ static int measure_kernel(PcrState *pcr_states, size_t n) {
_cleanup_free_ void *v = NULL;
size_t sz;
if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%" PRIu32, pcr_states[i].bank, TPM_PCR_INDEX_KERNEL_IMAGE) < 0)
if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%i", pcr_states[i].bank, TPM2_PCR_KERNEL_BOOT) < 0)
return log_oom();
r = read_virtual_file(p, 4096, &s, NULL);
@ -679,9 +680,9 @@ static int verb_calculate(int argc, char *argv[], void *userdata) {
if (i == 0) {
fflush(stdout);
fprintf(stderr, "%s# PCR[%" PRIu32 "] Phase <%s>%s\n",
fprintf(stderr, "%s# PCR[%i] Phase <%s>%s\n",
ansi_grey(),
TPM_PCR_INDEX_KERNEL_IMAGE,
TPM2_PCR_KERNEL_BOOT,
isempty(*phase) ? ":" : *phase,
ansi_normal());
fflush(stderr);
@ -691,7 +692,7 @@ static int verb_calculate(int argc, char *argv[], void *userdata) {
if (!hd)
return log_oom();
printf("%" PRIu32 ":%s=%s\n", TPM_PCR_INDEX_KERNEL_IMAGE, pcr_states[i].bank, hd);
printf("%i:%s=%s\n", TPM2_PCR_KERNEL_BOOT, pcr_states[i].bank, hd);
} else {
_cleanup_(json_variant_unrefp) JsonVariant *array = NULL;
@ -701,7 +702,7 @@ static int verb_calculate(int argc, char *argv[], void *userdata) {
&array,
JSON_BUILD_OBJECT(
JSON_BUILD_PAIR_CONDITION(!isempty(*phase), "phase", JSON_BUILD_STRING(*phase)),
JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(TPM_PCR_INDEX_KERNEL_IMAGE)),
JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(TPM2_PCR_KERNEL_BOOT)),
JSON_BUILD_PAIR("hash", JSON_BUILD_HEX(pcr_states[i].value, pcr_states[i].value_size))));
if (r < 0)
return log_error_errno(r, "Failed to append JSON object to array: %m");
@ -826,7 +827,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
if (tpmalg < 0)
return log_error_errno(tpmalg, "Unsupported PCR bank");
Tpm2PCRValue pcr_value = TPM2_PCR_VALUE_MAKE(TPM_PCR_INDEX_KERNEL_IMAGE,
Tpm2PCRValue pcr_value = TPM2_PCR_VALUE_MAKE(TPM2_PCR_KERNEL_BOOT,
tpmalg,
TPM2B_DIGEST_MAKE(p->value, p->value_size));
@ -869,7 +870,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
return r;
_cleanup_(json_variant_unrefp) JsonVariant *a = NULL;
r = tpm2_make_pcr_json_array(UINT64_C(1) << TPM_PCR_INDEX_KERNEL_IMAGE, &a);
r = tpm2_make_pcr_json_array(UINT64_C(1) << TPM2_PCR_KERNEL_BOOT, &a);
if (r < 0)
return log_error_errno(r, "Failed to build JSON PCR mask array: %m");
@ -944,15 +945,15 @@ static int validate_stub(void) {
log_warning("Warning: current kernel image does not support measuring itself, the command line or initrd system extension images.\n"
"The PCR measurements seen are unlikely to be valid.");
r = compare_reported_pcr_nr(TPM_PCR_INDEX_KERNEL_IMAGE, EFI_LOADER_VARIABLE(StubPcrKernelImage), "kernel image");
r = compare_reported_pcr_nr(TPM2_PCR_KERNEL_BOOT, EFI_LOADER_VARIABLE(StubPcrKernelImage), "kernel image");
if (r < 0)
return r;
r = compare_reported_pcr_nr(TPM_PCR_INDEX_KERNEL_PARAMETERS, EFI_LOADER_VARIABLE(StubPcrKernelParameters), "kernel parameters");
r = compare_reported_pcr_nr(TPM2_PCR_KERNEL_CONFIG, EFI_LOADER_VARIABLE(StubPcrKernelParameters), "kernel parameters");
if (r < 0)
return r;
r = compare_reported_pcr_nr(TPM_PCR_INDEX_INITRD_SYSEXTS, EFI_LOADER_VARIABLE(StubPcrInitRDSysExts), "initrd system extension images");
r = compare_reported_pcr_nr(TPM2_PCR_SYSEXTS, EFI_LOADER_VARIABLE(StubPcrInitRDSysExts), "initrd system extension images");
if (r < 0)
return r;
@ -980,17 +981,13 @@ static int validate_stub(void) {
}
static int verb_status(int argc, char *argv[], void *userdata) {
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
static const struct {
uint32_t nr;
const char *description;
} relevant_pcrs[] = {
{ TPM_PCR_INDEX_KERNEL_IMAGE, "Unified Kernel Image" },
{ TPM_PCR_INDEX_KERNEL_PARAMETERS, "Kernel Parameters" },
{ TPM_PCR_INDEX_INITRD_SYSEXTS, "initrd System Extensions" },
static const uint32_t relevant_pcrs[] = {
TPM2_PCR_KERNEL_BOOT,
TPM2_PCR_KERNEL_CONFIG,
TPM2_PCR_SYSEXTS,
};
_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
int r;
r = validate_stub();
@ -1008,7 +1005,7 @@ static int verb_status(int argc, char *argv[], void *userdata) {
if (!b)
return log_oom();
if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%" PRIu32, ascii_strlower(b), relevant_pcrs[i].nr) < 0)
if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%" PRIu32, ascii_strlower(b), relevant_pcrs[i]) < 0)
return log_oom();
r = read_virtual_file(p, 4096, &s, NULL);
@ -1034,21 +1031,21 @@ static int verb_status(int argc, char *argv[], void *userdata) {
fflush(stdout);
fprintf(stderr, "%s# PCR[%" PRIu32 "] %s%s%s\n",
ansi_grey(),
relevant_pcrs[i].nr,
relevant_pcrs[i].description,
relevant_pcrs[i],
tpm2_pcr_index_to_string(relevant_pcrs[i]),
memeqzero(h, l) ? " (NOT SET!)" : "",
ansi_normal());
fflush(stderr);
}
printf("%" PRIu32 ":%s=%s\n", relevant_pcrs[i].nr, b, f);
printf("%" PRIu32 ":%s=%s\n", relevant_pcrs[i], b, f);
} else {
_cleanup_(json_variant_unrefp) JsonVariant *bv = NULL, *a = NULL;
r = json_build(&bv,
JSON_BUILD_OBJECT(
JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(relevant_pcrs[i].nr)),
JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(relevant_pcrs[i])),
JSON_BUILD_PAIR("hash", JSON_BUILD_HEX(h, l))
)
);

10
src/boot/pcrphase.c
View File

@ -18,7 +18,7 @@
#include "openssl-util.h"
#include "parse-argument.h"
#include "pretty-print.h"
#include "tpm-pcr.h"
#include "tpm2-pcr.h"
#include "tpm2-util.h"
static bool arg_graceful = false;
@ -290,7 +290,7 @@ static int run(int argc, char *argv[]) {
return log_error_errno(r, "Failed to get file system identifier string for '%s': %m", arg_file_system);
}
target_pcr_nr = TPM_PCR_INDEX_VOLUME_KEY; /* → PCR 15 */
target_pcr_nr = TPM2_PCR_SYSTEM_IDENTITY; /* → PCR 15 */
} else if (arg_machine_id) {
sd_id128_t mid;
@ -306,7 +306,7 @@ static int run(int argc, char *argv[]) {
if (!word)
return log_oom();
target_pcr_nr = TPM_PCR_INDEX_VOLUME_KEY; /* → PCR 15 */
target_pcr_nr = TPM2_PCR_SYSTEM_IDENTITY; /* → PCR 15 */
} else {
if (optind+1 != argc)
@ -322,7 +322,7 @@ static int run(int argc, char *argv[]) {
if (isempty(word))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "String to measure cannot be empty, refusing.");
target_pcr_nr = TPM_PCR_INDEX_KERNEL_IMAGE; /* → PCR 11 */
target_pcr_nr = TPM2_PCR_KERNEL_BOOT; /* → PCR 11 */
}
if (arg_graceful && tpm2_support() != TPM2_SUPPORT_FULL) {
@ -337,7 +337,7 @@ static int run(int argc, char *argv[]) {
if (r < 0)
return r;
if (r == 0) {
log_info("Kernel stub did not measure kernel image into PCR %u, skipping userspace measurement, too.", TPM_PCR_INDEX_KERNEL_IMAGE);
log_info("Kernel stub did not measure kernel image into PCR %i, skipping userspace measurement, too.", TPM2_PCR_KERNEL_BOOT);
return EXIT_SUCCESS;
}

4
src/creds/creds.c
View File

@ -22,7 +22,7 @@
#include "stat-util.h"
#include "string-table.h"
#include "terminal-util.h"
#include "tpm-pcr.h"
#include "tpm2-pcr.h"
#include "tpm2-util.h"
#include "verbs.h"
@ -930,7 +930,7 @@ static int parse_argv(int argc, char *argv[]) {
if (arg_tpm2_pcr_mask == UINT32_MAX)
arg_tpm2_pcr_mask = TPM2_PCR_MASK_DEFAULT;
if (arg_tpm2_public_key_pcr_mask == UINT32_MAX)
arg_tpm2_public_key_pcr_mask = UINT32_C(1) << TPM_PCR_INDEX_KERNEL_IMAGE;
arg_tpm2_public_key_pcr_mask = UINT32_C(1) << TPM2_PCR_KERNEL_BOOT;
return 1;
}

4
src/cryptenroll/cryptenroll.c
View File

@ -27,7 +27,7 @@
#include "string-table.h"
#include "strv.h"
#include "terminal-util.h"
#include "tpm-pcr.h"
#include "tpm2-pcr.h"
static EnrollType arg_enroll_type = _ENROLL_TYPE_INVALID;
static char *arg_unlock_keyfile = NULL;
@ -482,7 +482,7 @@ static int parse_argv(int argc, char *argv[]) {
return r;
if (arg_tpm2_public_key_pcr_mask_use_default && arg_tpm2_public_key)
arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM_PCR_INDEX_KERNEL_IMAGE);
arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM2_PCR_KERNEL_BOOT);
if (arg_tpm2_hash_pcr_values_use_default && !GREEDY_REALLOC_APPEND(
arg_tpm2_hash_pcr_values,

4
src/cryptsetup/cryptsetup.c
View File

@ -40,7 +40,7 @@
#include "random-util.h"
#include "string-table.h"
#include "strv.h"
#include "tpm-pcr.h"
#include "tpm2-pcr.h"
#include "tpm2-util.h"
/* internal helper */
@ -434,7 +434,7 @@ static int parse_one_option(const char *option) {
return 0;
}
pcr = r ? TPM_PCR_INDEX_VOLUME_KEY : UINT_MAX;
pcr = r ? TPM2_PCR_SYSTEM_IDENTITY : UINT_MAX;
} else if (!TPM2_PCR_INDEX_VALID(pcr)) {
log_warning("Selected TPM index for measurement %u outside of allowed range 0…%u, ignoring.", pcr, TPM2_PCRS_MAX-1);
return 0;

2
src/fundamental/meson.build
View File

@ -7,5 +7,5 @@ fundamental_sources = files(
'efivars-fundamental.c',
'sha256.c',
'string-util-fundamental.c',
'tpm-pcr.c',
'uki.c',
)

45
src/fundamental/tpm2-pcr.h Normal file
View File

@ -0,0 +1,45 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
#include "macro-fundamental.h"
/* The various TPM PCRs we measure into from sd-stub and sd-boot. */
enum {
/* The following names for PCRs 0…7 are based on the names in the "TCG PC Client Specific Platform
* Firmware Profile Specification"
* (https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/) */
TPM2_PCR_PLATFORM_CODE = 0,
TPM2_PCR_PLATFORM_CONFIG = 1,
TPM2_PCR_EXTERNAL_CODE = 2,
TPM2_PCR_EXTERNAL_CONFIG = 3,
TPM2_PCR_BOOT_LOADER_CODE = 4,
TPM2_PCR_BOOT_LOADER_CONFIG = 5,
TPM2_PCR_HOST_PLATFORM = 6,
TPM2_PCR_SECURE_BOOT_POLICY = 7,
/* The following names for PCRs 9…15 are based on the "Linux TPM PCR Registry"
(https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) */
TPM2_PCR_KERNEL_INITRD = 9,
TPM2_PCR_IMA = 10,
/* systemd: This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel
* ELF image, embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given
* the whole surrounding PE image is measured into it) this should be reasonably pre-calculatable,
* because it *only* consists of static data from the kernel PE image. */
TPM2_PCR_KERNEL_BOOT = 11,
/* systemd: This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
TPM2_PCR_KERNEL_CONFIG = 12,
/* systemd: This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
TPM2_PCR_SYSEXTS = 13,
TPM2_PCR_SHIM_POLICY = 14,
/* systemd: This TPM PCR is where we measure the root fs volume key (and maybe /var/'s) if it is split off */
TPM2_PCR_SYSTEM_IDENTITY = 15,
/* As per "TCG PC Client Specific Platform Firmware Profile Specification" again, see above */
TPM2_PCR_DEBUG = 16,
TPM2_PCR_APPLICATION_SUPPORT = 23,
};

2
src/fundamental/tpm-pcr.c → src/fundamental/uki.c
View File

@ -2,7 +2,7 @@
#include <stddef.h>
#include "tpm-pcr.h"
#include "uki.h"
const char* const unified_sections[_UNIFIED_SECTION_MAX + 1] = {
[UNIFIED_SECTION_LINUX] = ".linux",

19
src/fundamental/tpm-pcr.h → src/fundamental/uki.h
View File

@ -3,25 +3,8 @@
#include "macro-fundamental.h"
/* The various TPM PCRs we measure into from sd-stub and sd-boot. */
/* This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel ELF image,
* embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given the whole
* surrounding PE image is measured into it) this should be reasonably pre-calculatable, because it *only*
* consists of static data from the kernel PE image. */
#define TPM_PCR_INDEX_KERNEL_IMAGE 11U
/* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
#define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U
/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U
/* This TPM PCR is where we measure the root fs volume key (and maybe /var/'s) if it is split off */
#define TPM_PCR_INDEX_VOLUME_KEY 15U
/* List of PE sections that have special meaning for us in unified kernels. This is the canonical order in
* which we measure the sections into TPM PCR 11 (see above). PLEASE DO NOT REORDER! */
* which we measure the sections into TPM PCR 11. PLEASE DO NOT REORDER! */
typedef enum UnifiedSection {
UNIFIED_SECTION_LINUX,
UNIFIED_SECTION_OSREL,

6
src/partition/repart.c
View File

@ -68,9 +68,9 @@
#include "string-util.h"
#include "strv.h"
#include "sync-util.h"
#include "tmpfile-util.h"
#include "terminal-util.h"
#include "tpm-pcr.h"
#include "tmpfile-util.h"
#include "tpm2-pcr.h"
#include "tpm2-util.h"
#include "user-util.h"
#include "utf8.h"
@ -6837,7 +6837,7 @@ static int parse_argv(int argc, char *argv[]) {
"A path to a loopback file must be specified when --split is used.");
if (arg_tpm2_public_key_pcr_mask_use_default && arg_tpm2_public_key)
arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM_PCR_INDEX_KERNEL_IMAGE);
arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM2_PCR_KERNEL_BOOT);
if (arg_tpm2_hash_pcr_values_use_default && !GREEDY_REALLOC_APPEND(
arg_tpm2_hash_pcr_values,

8
src/shared/efi-loader.c
View File

@ -7,7 +7,7 @@
#include "path-util.h"
#include "stat-util.h"
#include "strv.h"
#include "tpm-pcr.h"
#include "tpm2-pcr.h"
#include "utf8.h"
#if ENABLE_EFI
@ -271,10 +271,10 @@ int efi_stub_measured(int log_level) {
if (r < 0)
return log_full_errno(log_level, r,
"Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string);
if (pcr_nr != TPM_PCR_INDEX_KERNEL_IMAGE)
if (pcr_nr != TPM2_PCR_KERNEL_BOOT)
return log_full_errno(log_level, SYNTHETIC_ERRNO(EREMOTE),
"Kernel stub measured kernel image into PCR %u, which is different than expected %u.",
pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE);
"Kernel stub measured kernel image into PCR %u, which is different than expected %i.",
pcr_nr, TPM2_PCR_KERNEL_BOOT);
return 1;
}

42
src/shared/tpm2-util.c
View File

@ -1737,7 +1737,7 @@ int tpm2_pcr_value_from_string(const char *arg, Tpm2PCRValue *ret_pcr_value) {
if (r < 1)
return log_error_errno(r, "Could not parse pcr value '%s': %m", p);
r = pcr_index_from_string(index);
r = tpm2_pcr_index_from_string(index);
if (r < 0)
return log_error_errno(r, "Invalid pcr index '%s': %m", index);
pcr_value.index = (unsigned) r;
@ -5036,25 +5036,25 @@ int tpm2_util_pbkdf2_hmac_sha256(const void *pass,
return 0;
}
static const char* const pcr_index_table[_PCR_INDEX_MAX_DEFINED] = {
[PCR_PLATFORM_CODE] = "platform-code",
[PCR_PLATFORM_CONFIG] = "platform-config",
[PCR_EXTERNAL_CODE] = "external-code",
[PCR_EXTERNAL_CONFIG] = "external-config",
[PCR_BOOT_LOADER_CODE] = "boot-loader-code",
[PCR_BOOT_LOADER_CONFIG] = "boot-loader-config",
[PCR_HOST_PLATFORM] = "host-platform",
[PCR_SECURE_BOOT_POLICY] = "secure-boot-policy",
[PCR_KERNEL_INITRD] = "kernel-initrd",
[PCR_IMA] = "ima",
[PCR_KERNEL_BOOT] = "kernel-boot",
[PCR_KERNEL_CONFIG] = "kernel-config",
[PCR_SYSEXTS] = "sysexts",
[PCR_SHIM_POLICY] = "shim-policy",
[PCR_SYSTEM_IDENTITY] = "system-identity",
[PCR_DEBUG] = "debug",
[PCR_APPLICATION_SUPPORT] = "application-support",
static const char* const tpm2_pcr_index_table[_TPM2_PCR_INDEX_MAX_DEFINED] = {
[TPM2_PCR_PLATFORM_CODE] = "platform-code",
[TPM2_PCR_PLATFORM_CONFIG] = "platform-config",
[TPM2_PCR_EXTERNAL_CODE] = "external-code",
[TPM2_PCR_EXTERNAL_CONFIG] = "external-config",
[TPM2_PCR_BOOT_LOADER_CODE] = "boot-loader-code",
[TPM2_PCR_BOOT_LOADER_CONFIG] = "boot-loader-config",
[TPM2_PCR_HOST_PLATFORM] = "host-platform",
[TPM2_PCR_SECURE_BOOT_POLICY] = "secure-boot-policy",
[TPM2_PCR_KERNEL_INITRD] = "kernel-initrd",
[TPM2_PCR_IMA] = "ima",
[TPM2_PCR_KERNEL_BOOT] = "kernel-boot",
[TPM2_PCR_KERNEL_CONFIG] = "kernel-config",
[TPM2_PCR_SYSEXTS] = "sysexts",
[TPM2_PCR_SHIM_POLICY] = "shim-policy",
[TPM2_PCR_SYSTEM_IDENTITY] = "system-identity",
[TPM2_PCR_DEBUG] = "debug",
[TPM2_PCR_APPLICATION_SUPPORT] = "application-support",
};
DEFINE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_FALLBACK(pcr_index, int, TPM2_PCRS_MAX - 1);
DEFINE_STRING_TABLE_LOOKUP_TO_STRING(pcr_index, int);
DEFINE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_FALLBACK(tpm2_pcr_index, int, TPM2_PCRS_MAX - 1);
DEFINE_STRING_TABLE_LOOKUP_TO_STRING(tpm2_pcr_index, int);

40
src/shared/tpm2-util.h
View File

@ -9,6 +9,7 @@
#include "macro.h"
#include "openssl-util.h"
#include "sha256.h"
#include "tpm2-pcr.h"
typedef enum TPM2Flags {
TPM2_FLAGS_USE_PIN = 1 << 0,
@ -18,6 +19,7 @@ typedef enum TPM2Flags {
* TPM2 on a Client PC must have at least 24 PCRs. This hardcodes our expectation of 24. */
#define TPM2_PCRS_MAX 24U
#define TPM2_PCRS_MASK ((UINT32_C(1) << TPM2_PCRS_MAX) - 1)
static inline bool TPM2_PCR_INDEX_VALID(unsigned pcr) {
return pcr < TPM2_PCRS_MAX;
}
@ -306,34 +308,6 @@ typedef enum Tpm2Support {
TPM2_SUPPORT_FULL = TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_SYSTEM|TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_LIBRARIES,
} Tpm2Support;
enum {
/* The following names for PCRs 0…7 are based on the names in the "TCG PC Client Specific Platform
* Firmware Profile Specification"
* (https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/) */
PCR_PLATFORM_CODE = 0,
PCR_PLATFORM_CONFIG = 1,
PCR_EXTERNAL_CODE = 2,
PCR_EXTERNAL_CONFIG = 3,
PCR_BOOT_LOADER_CODE = 4,
PCR_BOOT_LOADER_CONFIG = 5,
PCR_HOST_PLATFORM = 6,
PCR_SECURE_BOOT_POLICY = 7,
/* The following names for PCRs 9…15 are based on the "Linux TPM PCR Registry"
(https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) */
PCR_KERNEL_INITRD = 9,
PCR_IMA = 10,
PCR_KERNEL_BOOT = 11,
PCR_KERNEL_CONFIG = 12,
PCR_SYSEXTS = 13,
PCR_SHIM_POLICY = 14,
PCR_SYSTEM_IDENTITY = 15,
/* As per "TCG PC Client Specific Platform Firmware Profile Specification" again, see above */
PCR_DEBUG = 16,
PCR_APPLICATION_SUPPORT = 23,
_PCR_INDEX_MAX_DEFINED = TPM2_PCRS_MAX,
_PCR_INDEX_INVALID = -EINVAL,
};
Tpm2Support tpm2_support(void);
int tpm2_parse_pcr_argument(const char *arg, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values);
@ -349,5 +323,11 @@ int tpm2_util_pbkdf2_hmac_sha256(const void *pass,
size_t saltlen,
uint8_t res[static SHA256_DIGEST_SIZE]);
int pcr_index_from_string(const char *s) _pure_;
const char *pcr_index_to_string(int pcr) _const_;
enum {
/* Additional defines for the PCR index naming enum from "fundamental/tpm2-pcr.h" */
_TPM2_PCR_INDEX_MAX_DEFINED = TPM2_PCRS_MAX,
_TPM2_PCR_INDEX_INVALID = -EINVAL,
};
int tpm2_pcr_index_from_string(const char *s) _pure_;
const char *tpm2_pcr_index_to_string(int pcr) _const_;

76
src/test/test-tpm2.c
View File

@ -4,44 +4,44 @@
#include "tpm2-util.h"
#include "tests.h"
TEST(pcr_index_from_string) {
assert_se(pcr_index_from_string("platform-code") == 0);
assert_se(pcr_index_from_string("0") == 0);
assert_se(pcr_index_from_string("platform-config") == 1);
assert_se(pcr_index_from_string("1") == 1);
assert_se(pcr_index_from_string("external-code") == 2);
assert_se(pcr_index_from_string("2") == 2);
assert_se(pcr_index_from_string("external-config") == 3);
assert_se(pcr_index_from_string("3") == 3);
assert_se(pcr_index_from_string("boot-loader-code") == 4);
assert_se(pcr_index_from_string("4") == 4);
assert_se(pcr_index_from_string("boot-loader-config") == 5);
assert_se(pcr_index_from_string("5") == 5);
assert_se(pcr_index_from_string("secure-boot-policy") == 7);
assert_se(pcr_index_from_string("7") == 7);
assert_se(pcr_index_from_string("kernel-initrd") == 9);
assert_se(pcr_index_from_string("9") == 9);
assert_se(pcr_index_from_string("ima") == 10);
assert_se(pcr_index_from_string("10") == 10);
assert_se(pcr_index_from_string("kernel-boot") == 11);
assert_se(pcr_index_from_string("11") == 11);
assert_se(pcr_index_from_string("kernel-config") == 12);
assert_se(pcr_index_from_string("12") == 12);
assert_se(pcr_index_from_string("sysexts") == 13);
assert_se(pcr_index_from_string("13") == 13);
assert_se(pcr_index_from_string("shim-policy") == 14);
assert_se(pcr_index_from_string("14") == 14);
assert_se(pcr_index_from_string("system-identity") == 15);
assert_se(pcr_index_from_string("15") == 15);
assert_se(pcr_index_from_string("debug") == 16);
assert_se(pcr_index_from_string("16") == 16);
assert_se(pcr_index_from_string("application-support") == 23);
assert_se(pcr_index_from_string("23") == 23);
assert_se(pcr_index_from_string("hello") == -EINVAL);
assert_se(pcr_index_from_string("8") == 8);
assert_se(pcr_index_from_string("44") == -EINVAL);
assert_se(pcr_index_from_string("-5") == -EINVAL);
assert_se(pcr_index_from_string("24") == -EINVAL);
TEST(tpm2_pcr_index_from_string) {
assert_se(tpm2_pcr_index_from_string("platform-code") == 0);
assert_se(tpm2_pcr_index_from_string("0") == 0);
assert_se(tpm2_pcr_index_from_string("platform-config") == 1);
assert_se(tpm2_pcr_index_from_string("1") == 1);
assert_se(tpm2_pcr_index_from_string("external-code") == 2);
assert_se(tpm2_pcr_index_from_string("2") == 2);
assert_se(tpm2_pcr_index_from_string("external-config") == 3);
assert_se(tpm2_pcr_index_from_string("3") == 3);
assert_se(tpm2_pcr_index_from_string("boot-loader-code") == 4);
assert_se(tpm2_pcr_index_from_string("4") == 4);
assert_se(tpm2_pcr_index_from_string("boot-loader-config") == 5);
assert_se(tpm2_pcr_index_from_string("5") == 5);
assert_se(tpm2_pcr_index_from_string("secure-boot-policy") == 7);
assert_se(tpm2_pcr_index_from_string("7") == 7);
assert_se(tpm2_pcr_index_from_string("kernel-initrd") == 9);
assert_se(tpm2_pcr_index_from_string("9") == 9);
assert_se(tpm2_pcr_index_from_string("ima") == 10);
assert_se(tpm2_pcr_index_from_string("10") == 10);
assert_se(tpm2_pcr_index_from_string("kernel-boot") == 11);
assert_se(tpm2_pcr_index_from_string("11") == 11);
assert_se(tpm2_pcr_index_from_string("kernel-config") == 12);
assert_se(tpm2_pcr_index_from_string("12") == 12);
assert_se(tpm2_pcr_index_from_string("sysexts") == 13);
assert_se(tpm2_pcr_index_from_string("13") == 13);
assert_se(tpm2_pcr_index_from_string("shim-policy") == 14);
assert_se(tpm2_pcr_index_from_string("14") == 14);
assert_se(tpm2_pcr_index_from_string("system-identity") == 15);
assert_se(tpm2_pcr_index_from_string("15") == 15);
assert_se(tpm2_pcr_index_from_string("debug") == 16);
assert_se(tpm2_pcr_index_from_string("16") == 16);
assert_se(tpm2_pcr_index_from_string("application-support") == 23);
assert_se(tpm2_pcr_index_from_string("23") == 23);
assert_se(tpm2_pcr_index_from_string("hello") == -EINVAL);
assert_se(tpm2_pcr_index_from_string("8") == 8);
assert_se(tpm2_pcr_index_from_string("44") == -EINVAL);
assert_se(tpm2_pcr_index_from_string("-5") == -EINVAL);
assert_se(tpm2_pcr_index_from_string("24") == -EINVAL);
}
TEST(tpm2_util_pbkdf2_hmac_sha256) {