shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-21 22:04:01 +03:00
Code

boot: Remove option TPM PCR compat option

Browse Source 
It says remove in 2023; happy to oblige.
This commit is contained in:
Jan Janssen 2023-01-08 09:07:22 +01:00 committed by Lennart Poettering
parent 4f79f545b3
commit d84bdadb43
9 changed files with 40 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
TODO
View File

@ -118,8 +118,6 @@ Deprecations and removals:
* rework our PID tracking in services and so on, to be strictly based on pidfd, * rework our PID tracking in services and so on, to be strictly based on pidfd,
once kernel baseline is 5.13. once kernel baseline is 5.13.
* ~2023: remove support for TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT
* H2 2023: remove support for unmerged-usr * H2 2023: remove support for unmerged-usr
* Remove /dev/mem ACPI FPDT parsing when /sys/firmware/acpi/fpdt is ubiquitous. * Remove /dev/mem ACPI FPDT parsing when /sys/firmware/acpi/fpdt is ubiquitous.

2
meson.build
View File

@ -310,8 +310,6 @@ conf.set_quoted('STATUS_UNIT_FORMAT_DEFAULT_STR', status_unit_format
conf.set10('FIRST_BOOT_FULL_PRESET', get_option('first-boot-full-preset')) conf.set10('FIRST_BOOT_FULL_PRESET', get_option('first-boot-full-preset'))
conf.set10('EFI_TPM_PCR_COMPAT', get_option('efi-tpm-pcr-compat'))
##################################################################### #####################################################################
cc = meson.get_compiler('c') cc = meson.get_compiler('c')

2
meson_options.txt
View File

@ -444,8 +444,6 @@ option('efi-libdir', type : 'string',
description : 'path to the EFI lib directory') description : 'path to the EFI lib directory')
option('efi-includedir', type : 'string', value : '/usr/include/efi', option('efi-includedir', type : 'string', value : '/usr/include/efi',
description : 'path to the EFI header directory') description : 'path to the EFI header directory')
option('efi-tpm-pcr-compat', type : 'boolean', value : false,
description : 'Measure kernel command line also into TPM PCR 8 (in addition to 12)')
option('sbat-distro', type : 'string', value : 'auto', option('sbat-distro', type : 'string', value : 'auto',
description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection') description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
option('sbat-distro-generation', type : 'integer', value : 1, option('sbat-distro-generation', type : 'integer', value : 1,

72
src/boot/efi/cpio.c
View File

@ -299,48 +299,6 @@ static EFI_STATUS pack_cpio_trailer(
return EFI_SUCCESS; return EFI_SUCCESS;
} }
static EFI_STATUS measure_cpio(
void *buffer,
UINTN buffer_size,
const uint32_t tpm_pcr[],
UINTN n_tpm_pcr,
const char16_t *tpm_description,
bool *ret_measured) {
int measured = -1;
EFI_STATUS err;
assert(buffer || buffer_size == 0);
assert(tpm_pcr || n_tpm_pcr == 0);
for (UINTN i = 0; i < n_tpm_pcr; i++) {
bool m;
if (tpm_pcr[i] == UINT32_MAX) /* Disabled */
continue;
err = tpm_log_event(
tpm_pcr[i],
POINTER_TO_PHYSICAL_ADDRESS(buffer),
buffer_size,
tpm_description,
&m);
if (err != EFI_SUCCESS) {
log_error_stall(L"Unable to add initrd TPM measurement for PCR %u (%s), ignoring: %r", tpm_pcr[i], tpm_description, err);
measured = false;
continue;
}
if (measured != false)
measured = m;
}
if (ret_measured)
*ret_measured = measured > 0;
return EFI_SUCCESS;
}
static char16_t *get_dropin_dir(const EFI_DEVICE_PATH *file_path) { static char16_t *get_dropin_dir(const EFI_DEVICE_PATH *file_path) {
if (!file_path) if (!file_path)
return NULL; return NULL;
@ -370,8 +328,7 @@ EFI_STATUS pack_cpio(
const char *target_dir_prefix, const char *target_dir_prefix,
uint32_t dir_mode, uint32_t dir_mode,
uint32_t access_mode, uint32_t access_mode,
const uint32_t tpm_pcr[], uint32_t tpm_pcr,
UINTN n_tpm_pcr,
const char16_t *tpm_description, const char16_t *tpm_description,
void **ret_buffer, void **ret_buffer,
UINTN *ret_buffer_size, UINTN *ret_buffer_size,
@ -388,7 +345,6 @@ EFI_STATUS pack_cpio(
assert(loaded_image); assert(loaded_image);
assert(target_dir_prefix); assert(target_dir_prefix);
assert(tpm_pcr || n_tpm_pcr == 0);
assert(ret_buffer); assert(ret_buffer);
assert(ret_buffer_size); assert(ret_buffer_size);
@ -491,9 +447,15 @@ EFI_STATUS pack_cpio(
if (err != EFI_SUCCESS) if (err != EFI_SUCCESS)
return log_error_status_stall(err, L"Failed to pack cpio trailer: %r"); return log_error_status_stall(err, L"Failed to pack cpio trailer: %r");
err = measure_cpio(buffer, buffer_size, tpm_pcr, n_tpm_pcr, tpm_description, ret_measured); err = tpm_log_event(
tpm_pcr, POINTER_TO_PHYSICAL_ADDRESS(buffer), buffer_size, tpm_description, ret_measured);
if (err != EFI_SUCCESS) if (err != EFI_SUCCESS)
return err; return log_error_status_stall(
err,
L"Unable to add cpio TPM measurement for PCR %u (%s), ignoring: %r",
tpm_pcr,
tpm_description,
err);
*ret_buffer = TAKE_PTR(buffer); *ret_buffer = TAKE_PTR(buffer);
*ret_buffer_size = buffer_size; *ret_buffer_size = buffer_size;
@ -505,7 +467,7 @@ nothing:
*ret_buffer_size = 0; *ret_buffer_size = 0;
if (ret_measured) if (ret_measured)
*ret_measured = n_tpm_pcr > 0; *ret_measured = false;
return EFI_SUCCESS; return EFI_SUCCESS;
} }
@ -517,8 +479,7 @@ EFI_STATUS pack_cpio_literal(
const char16_t *target_filename, const char16_t *target_filename,
uint32_t dir_mode, uint32_t dir_mode,
uint32_t access_mode, uint32_t access_mode,
const uint32_t tpm_pcr[], uint32_t tpm_pcr,
UINTN n_tpm_pcr,
const char16_t *tpm_description, const char16_t *tpm_description,
void **ret_buffer, void **ret_buffer,
UINTN *ret_buffer_size, UINTN *ret_buffer_size,
@ -532,7 +493,6 @@ EFI_STATUS pack_cpio_literal(
assert(data || data_size == 0); assert(data || data_size == 0);
assert(target_dir_prefix); assert(target_dir_prefix);
assert(target_filename); assert(target_filename);
assert(tpm_pcr || n_tpm_pcr == 0);
assert(ret_buffer); assert(ret_buffer);
assert(ret_buffer_size); assert(ret_buffer_size);
@ -557,9 +517,15 @@ EFI_STATUS pack_cpio_literal(
if (err != EFI_SUCCESS) if (err != EFI_SUCCESS)
return log_error_status_stall(err, L"Failed to pack cpio trailer: %r"); return log_error_status_stall(err, L"Failed to pack cpio trailer: %r");
err = measure_cpio(buffer, buffer_size, tpm_pcr, n_tpm_pcr, tpm_description, ret_measured); err = tpm_log_event(
tpm_pcr, POINTER_TO_PHYSICAL_ADDRESS(buffer), buffer_size, tpm_description, ret_measured);
if (err != EFI_SUCCESS) if (err != EFI_SUCCESS)
return err; return log_error_status_stall(
err,
L"Unable to add cpio TPM measurement for PCR %u (%s), ignoring: %r",
tpm_pcr,
tpm_description,
err);
*ret_buffer = TAKE_PTR(buffer); *ret_buffer = TAKE_PTR(buffer);
*ret_buffer_size = buffer_size; *ret_buffer_size = buffer_size;

6
src/boot/efi/cpio.h
View File

@ -12,8 +12,7 @@ EFI_STATUS pack_cpio(
const char *target_dir_prefix, const char *target_dir_prefix,
uint32_t dir_mode, uint32_t dir_mode,
uint32_t access_mode, uint32_t access_mode,
const uint32_t tpm_pcr[], uint32_t tpm_pcr,
UINTN n_tpm_pcr,
const char16_t *tpm_description, const char16_t *tpm_description,
void **ret_buffer, void **ret_buffer,
UINTN *ret_buffer_size, UINTN *ret_buffer_size,
@ -26,8 +25,7 @@ EFI_STATUS pack_cpio_literal(
const char16_t *target_filename, const char16_t *target_filename,
uint32_t dir_mode, uint32_t dir_mode,
uint32_t access_mode, uint32_t access_mode,
const uint32_t tpm_pcr[], uint32_t tpm_pcr,
UINTN n_tpm_pcr,
const char16_t *tpm_description, const char16_t *tpm_description,
void **ret_buffer, void **ret_buffer,
UINTN *ret_buffer_size, UINTN *ret_buffer_size,

27
src/boot/efi/measure.c
View File

@ -193,27 +193,26 @@ EFI_STATUS tpm_log_event_ascii(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, U
} }
EFI_STATUS tpm_log_load_options(const char16_t *load_options, bool *ret_measured) { EFI_STATUS tpm_log_load_options(const char16_t *load_options, bool *ret_measured) {
int measured = -1; bool measured = false;
EFI_STATUS err; EFI_STATUS err;
/* Measures a load options string into the TPM2, i.e. the kernel command line */ /* Measures a load options string into the TPM2, i.e. the kernel command line */
for (UINTN i = 0; i < 2; i++) { err = tpm_log_event(
uint32_t pcr = i == 0 ? TPM_PCR_INDEX_KERNEL_PARAMETERS : TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT; TPM_PCR_INDEX_KERNEL_PARAMETERS,
bool m; POINTER_TO_PHYSICAL_ADDRESS(load_options),
strsize16(load_options),
if (pcr == UINT32_MAX) /* Skip this one, if it's invalid, so that our 'measured' return value is not corrupted by it */ load_options,
continue; &measured);
err = tpm_log_event(pcr, POINTER_TO_PHYSICAL_ADDRESS(load_options), strsize16(load_options), load_options, &m);
if (err != EFI_SUCCESS) if (err != EFI_SUCCESS)
return log_error_status_stall(err, L"Unable to add load options (i.e. kernel command) line measurement to PCR %u: %r", pcr, err); return log_error_status_stall(
err,
measured = measured < 0 ? m : (measured && m); L"Unable to add load options (i.e. kernel command) line measurement to PCR %u: %r",
} TPM_PCR_INDEX_KERNEL_PARAMETERS,
err);
if (ret_measured) if (ret_measured)
*ret_measured = measured < 0 ? false : measured; *ret_measured = measured;
return EFI_SUCCESS; return EFI_SUCCESS;
} }

1
src/boot/efi/meson.build
View File

@ -120,7 +120,6 @@ conf.set_quoted('EFI_MACHINE_TYPE_NAME', efi_arch[0])
efi_conf = configuration_data() efi_conf = configuration_data()
efi_conf.set_quoted('EFI_MACHINE_TYPE_NAME', efi_arch[0]) efi_conf.set_quoted('EFI_MACHINE_TYPE_NAME', efi_arch[0])
efi_conf.set10('ENABLE_TPM', get_option('tpm')) efi_conf.set10('ENABLE_TPM', get_option('tpm'))
efi_conf.set10('EFI_TPM_PCR_COMPAT', get_option('efi-tpm-pcr-compat'))
foreach ctype : ['color-normal', 'color-entry', 'color-highlight', 'color-edit'] foreach ctype : ['color-normal', 'color-entry', 'color-highlight', 'color-edit']
c = get_option('efi-' + ctype).split(',') c = get_option('efi-' + ctype).split(',')

15
src/boot/efi/stub.c
View File

@ -290,8 +290,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
".extra/credentials", ".extra/credentials",
/* dir_mode= */ 0500, /* dir_mode= */ 0500,
/* access_mode= */ 0400, /* access_mode= */ 0400,
/* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_KERNEL_PARAMETERS, TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT }, /* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS,
/* n_tpm_pcr= */ 2,
L"Credentials initrd", L"Credentials initrd",
&credential_initrd, &credential_initrd,
&credential_initrd_size, &credential_initrd_size,
@ -304,8 +303,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
".extra/global_credentials", ".extra/global_credentials",
/* dir_mode= */ 0500, /* dir_mode= */ 0500,
/* access_mode= */ 0400, /* access_mode= */ 0400,
/* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_KERNEL_PARAMETERS, TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT }, /* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS,
/* n_tpm_pcr= */ 2,
L"Global credentials initrd", L"Global credentials initrd",
&global_credential_initrd, &global_credential_initrd,
&global_credential_initrd_size, &global_credential_initrd_size,
@ -318,8 +316,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
".extra/sysext", ".extra/sysext",
/* dir_mode= */ 0555, /* dir_mode= */ 0555,
/* access_mode= */ 0444, /* access_mode= */ 0444,
/* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_INITRD_SYSEXTS }, /* tpm_pcr= */ TPM_PCR_INDEX_INITRD_SYSEXTS,
/* n_tpm_pcr= */ 1,
L"System extension initrd", L"System extension initrd",
&sysext_initrd, &sysext_initrd,
&sysext_initrd_size, &sysext_initrd_size,
@ -344,8 +341,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
L"tpm2-pcr-signature.json", L"tpm2-pcr-signature.json",
/* dir_mode= */ 0555, /* dir_mode= */ 0555,
/* access_mode= */ 0444, /* access_mode= */ 0444,
/* tpm_pcr= */ NULL, /* tpm_pcr= */ UINT32_MAX,
/* n_tpm_pcr= */ 0,
/* tpm_description= */ NULL, /* tpm_description= */ NULL,
&pcrsig_initrd, &pcrsig_initrd,
&pcrsig_initrd_size, &pcrsig_initrd_size,
@ -363,8 +359,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
L"tpm2-pcr-public-key.pem", L"tpm2-pcr-public-key.pem",
/* dir_mode= */ 0555, /* dir_mode= */ 0555,
/* access_mode= */ 0444, /* access_mode= */ 0444,
/* tpm_pcr= */ NULL, /* tpm_pcr= */ UINT32_MAX,
/* n_tpm_pcr= */ 0,
/* tpm_description= */ NULL, /* tpm_description= */ NULL,
&pcrpkey_initrd, &pcrpkey_initrd,
&pcrpkey_initrd_size, &pcrpkey_initrd_size,

8
src/fundamental/tpm-pcr.h
View File

@ -14,14 +14,6 @@
/* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */ /* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
#define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U #define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U
/* sd-stub used to write the kernel command line/credentials into PCR 8, in systemd <= 250. Let's provide for
* some compatibility. (Remove in 2023!) */
#if EFI_TPM_PCR_COMPAT
#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT 8U
#else
#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT UINT32_MAX
#endif
/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */ /* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U #define TPM_PCR_INDEX_INITRD_SYSEXTS 13U