mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
efi: Measure into both CC and TPM if available. (#31939)
* efi: Measure into both CC and TPM if available. It's possible that both measurement protocols are made available, so instead of assuming only one or the other are available, measure into both to avoid a problem like CVE-2021-42299. Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
This commit is contained in:
parent
b1d18b96c4
commit
dbbd878340
@ -187,9 +187,39 @@ bool tpm_present(void) {
|
||||
return tcg2_interface_check();
|
||||
}
|
||||
|
||||
EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
|
||||
static EFI_STATUS tcg2_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
|
||||
EFI_TCG2_PROTOCOL *tpm2;
|
||||
EFI_STATUS err = EFI_SUCCESS;
|
||||
|
||||
assert(ret_measured);
|
||||
|
||||
tpm2 = tcg2_interface_check();
|
||||
if (tpm2)
|
||||
err = tpm2_measure_to_pcr_and_event_log(tpm2, pcrindex, buffer, buffer_size, description);
|
||||
|
||||
*ret_measured = tpm2 && (err == EFI_SUCCESS);
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
static EFI_STATUS cc_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
|
||||
EFI_CC_MEASUREMENT_PROTOCOL *cc;
|
||||
EFI_STATUS err = EFI_SUCCESS;
|
||||
|
||||
assert(ret_measured);
|
||||
|
||||
cc = cc_interface_check();
|
||||
if (cc)
|
||||
err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
|
||||
|
||||
*ret_measured = cc && (err == EFI_SUCCESS);
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
|
||||
EFI_STATUS err;
|
||||
bool tpm_ret_measured, cc_ret_measured;
|
||||
|
||||
assert(description || pcrindex == UINT32_MAX);
|
||||
|
||||
@ -203,27 +233,15 @@ EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
tpm2 = tcg2_interface_check();
|
||||
if (tpm2)
|
||||
err = tpm2_measure_to_pcr_and_event_log(tpm2, pcrindex, buffer, buffer_size, description);
|
||||
else {
|
||||
EFI_CC_MEASUREMENT_PROTOCOL *cc;
|
||||
/* Measure into both CC and TPM if both are available to avoid a problem like CVE-2021-42299 */
|
||||
err = cc_log_event(pcrindex, buffer, buffer_size, description, &cc_ret_measured);
|
||||
if (err != EFI_SUCCESS)
|
||||
return err;
|
||||
|
||||
cc = cc_interface_check();
|
||||
if (cc)
|
||||
err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
|
||||
else {
|
||||
/* No active TPM found, so don't return an error */
|
||||
|
||||
if (ret_measured)
|
||||
*ret_measured = false;
|
||||
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
}
|
||||
err = tcg2_log_event(pcrindex, buffer, buffer_size, description, &tpm_ret_measured);
|
||||
|
||||
if (err == EFI_SUCCESS && ret_measured)
|
||||
*ret_measured = true;
|
||||
*ret_measured = tpm_ret_measured || cc_ret_measured;
|
||||
|
||||
return err;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user