shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-25 10:04:04 +03:00
Code

pcrlock: handle measurement logs where hash algs in header are announced in different order than in records

Browse Source 
Apparently on HyperV the measurement logs announce the hash algs in a
different order in the header than the records have them. Let's handle
this gracefully
This commit is contained in:
Lennart Poettering 2024-02-21 14:43:42 +01:00
parent 0691d0e5a1
commit e90a255e55
1 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/pcrlock/pcrlock.c
View File

@ -936,23 +936,30 @@ static int event_log_load_firmware(EventLog *el) {
assert(event->digests.count == n_algorithms); assert(event->digests.count == n_algorithms);
for (size_t i = 0; i < n_algorithms; i++, ha = ha_next) { for (size_t i = 0; i < n_algorithms; i++, ha = ha_next) {
ha_next = (const uint8_t*) ha + offsetof(TPMT_HA, digest) + algorithms[i].digestSize;
/* The TPMT_HA is not aligned in the record, hence read the hashAlg field via an unaligned read */ /* The TPMT_HA is not aligned in the record, hence read the hashAlg field via an unaligned read */
assert_cc(__builtin_types_compatible_p(uint16_t, typeof(TPMI_ALG_HASH))); assert_cc(__builtin_types_compatible_p(uint16_t, typeof(TPMI_ALG_HASH)));
uint16_t hash_alg = unaligned_read_ne16((const uint8_t*) ha + offsetof(TPMT_HA, hashAlg)); uint16_t hash_alg = unaligned_read_ne16((const uint8_t*) ha + offsetof(TPMT_HA, hashAlg));
if (hash_alg != algorithms[i].algorithmId) /* On some systems (some HyperV?) the order of hash algorithms announced in the
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithms in event log record don't match log."); * header does not match the order in the records. Let's hence search for the right
* mapping */
size_t j;
for (j = 0; j < n_algorithms; j++)
if (hash_alg == algorithms[j].algorithmId)
break;
if (j >= n_algorithms)
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithms in event log record not among those advertised by log header.");
if (!tpm2_hash_alg_to_string(algorithms[i].algorithmId)) ha_next = (const uint8_t*) ha + offsetof(TPMT_HA, digest) + algorithms[j].digestSize;
if (!tpm2_hash_alg_to_string(hash_alg))
continue; continue;
r = event_log_record_add_bank( r = event_log_record_add_bank(
record, record,
algorithms[i].algorithmId, hash_alg,
(const uint8_t*) ha + offsetof(TPMT_HA, digest), (const uint8_t*) ha + offsetof(TPMT_HA, digest),
algorithms[i].digestSize, algorithms[j].digestSize,
/* ret= */ NULL); /* ret= */ NULL);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to add bank to event log record: %m"); return log_error_errno(r, "Failed to add bank to event log record: %m");