1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

efi: Measure into both CC and TPM if available. (#31939)

* efi: Measure into both CC and TPM if available.

It's possible that both measurement protocols are made available, so
instead of assuming only one or the other are available, measure into
both to avoid a problem like CVE-2021-42299.

Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
This commit is contained in:
Dionna Amalie Glaze 2024-03-26 02:26:59 -07:00 committed by GitHub
parent b1d18b96c4
commit dbbd878340
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -187,9 +187,39 @@ bool tpm_present(void) {
return tcg2_interface_check();
}
EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
static EFI_STATUS tcg2_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
EFI_TCG2_PROTOCOL *tpm2;
EFI_STATUS err = EFI_SUCCESS;
assert(ret_measured);
tpm2 = tcg2_interface_check();
if (tpm2)
err = tpm2_measure_to_pcr_and_event_log(tpm2, pcrindex, buffer, buffer_size, description);
*ret_measured = tpm2 && (err == EFI_SUCCESS);
return err;
}
static EFI_STATUS cc_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
EFI_CC_MEASUREMENT_PROTOCOL *cc;
EFI_STATUS err = EFI_SUCCESS;
assert(ret_measured);
cc = cc_interface_check();
if (cc)
err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
*ret_measured = cc && (err == EFI_SUCCESS);
return err;
}
EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
EFI_STATUS err;
bool tpm_ret_measured, cc_ret_measured;
assert(description || pcrindex == UINT32_MAX);
@ -203,27 +233,15 @@ EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t
return EFI_SUCCESS;
}
tpm2 = tcg2_interface_check();
if (tpm2)
err = tpm2_measure_to_pcr_and_event_log(tpm2, pcrindex, buffer, buffer_size, description);
else {
EFI_CC_MEASUREMENT_PROTOCOL *cc;
/* Measure into both CC and TPM if both are available to avoid a problem like CVE-2021-42299 */
err = cc_log_event(pcrindex, buffer, buffer_size, description, &cc_ret_measured);
if (err != EFI_SUCCESS)
return err;
cc = cc_interface_check();
if (cc)
err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
else {
/* No active TPM found, so don't return an error */
if (ret_measured)
*ret_measured = false;
return EFI_SUCCESS;
}
}
err = tcg2_log_event(pcrindex, buffer, buffer_size, description, &tpm_ret_measured);
if (err == EFI_SUCCESS && ret_measured)
*ret_measured = true;
*ret_measured = tpm_ret_measured || cc_ret_measured;
return err;
}