author: Lennart Poettering <lennart@poettering.net> 2022-07-26 11:35:57 +0200
committer: Lennart Poettering <lennart@poettering.net> 2022-08-02 10:28:49 +0200
commit: de7ad6d4f439f912ab0ba078dd29ef21a0af3623 (patch)
tree: 417edbeab0ce5f7bcda6382c55358233506b08da /man/systemd-cryptenroll.xml
parent: 16700cb85ab2d815dec3f489c3280f264ea23a86 (diff)
sd-stub: measure sysext images picked up by sd-stub into PCR 13
Let's grab another so far unused PCR, and measure all sysext images into it that we load from the ESP. Note that this is possibly partly redundant, since sysext images should have dm-verity enabled, and that is hooked up to IMA. However, measuring this explicitly has the benefit that we can measure filenames too, easily, and that all without need for IMA or anything like that.

This means: when booting a unified sd-stub kernel through sd-boot we'll now have:

1. PCR 11: unified kernel image payload (i.e. kernel, initrd, boot splash, dtb, osrelease)
2. PCR 12: kernel command line (i.e. the one embedded in the image, plus optionally an overridden one) + any credential files picked up by sd-stub
3. PCR 13: sysext images picked up by sd-stub

And each of these three PCRs should carry just the above, and start from zero, thus be pre-calculatable. Thus, all components and parameters of the OS boot process (i.e. everything after the boot loader) are now nicely pre-calculable.

NOTE: this actually replaces previous measuring of the sysext images into PCR 4. I added this back in 845707aae23b3129db635604edb95c4048a5922a, following the train of thought that sysext images for the initrd should be measured like the initrd itself they are for, and according to my thinking that would be a unified kernel which is measured by firmware into PCR 4 like any other UEFI executables. However, I think we should depart from that idea. First and foremost that makes it harder to pre-calculate PCR 4 (since we actually measured quite incompatible records to the TPM event log), but also I think there's great value in being able to write policies that bind to the used sysexts independently of the earlier boot chain (i.e. shim, boot loader, unified kernel), hence a separate PCR makes more sense.

Strictly speaking, this is a compatibility break, but I think one we can get away with, simply because the initrd sysext images are currently not picked up by systemd-sysext yet in the initrd, and because of that we can be reasonably sure no one uses this yet, and hence relies on the PCR register used. Hence, let's clean this up before people actually do start relying on this.
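The pre-calculation the commit message relies on, as an added example that is not systemd's code: it replays the SHA-256 PCR extend operation over a constructed list of sysext images into a PCR that starts from zero, and shows that the result depends only on those images and their order, not on anything recorded in other PCRs. What sd-stub records per image (one event for the file name, one for the payload) is an assumption made here for illustration.

```python
from __future__ import annotations
import hashlib

# A fresh SHA-256 PCR bank value is 32 zero bytes; this is what makes
# a PCR that only ever sees known measurements pre-calculable.
PCR_INIT = bytes(32)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2 PCR extend for the SHA-256 bank: new = SHA256(old || digest)."""
    assert len(pcr) == 32 and len(digest) == 32
    return hashlib.sha256(pcr + digest).digest()


def measure_sysext(image_name: str, image_data: bytes) -> list[bytes]:
    """Digests recorded for one sysext image.

    Assumption (not taken from the commit): the file name is logged as one
    event and the image payload as a second one, so that a renamed image
    changes the PCR value just like a modified one does.
    """
    return [
        hashlib.sha256(image_name.encode()).digest(),
        hashlib.sha256(image_data).digest(),
    ]


def precalc_pcr13(images: list[tuple[str, bytes]]) -> bytes:
    """Replay the sysext measurements into a PCR that starts from zero."""
    pcr = PCR_INIT
    for name, data in images:
        for digest in measure_sysext(name, data):
            pcr = pcr_extend(pcr, digest)
    return pcr


# Constructed sample images (placeholder names and payloads, not real sysexts).
SYSEXTS = [
    ("debug-tools.raw", b"constructed sysext payload A"),
    ("network-extras.raw", b"constructed sysext payload B"),
]


def demo() -> tuple[bytes, bytes]:
    """Expected PCR 13 for the image list, and the value for the reversed order."""
    expected = precalc_pcr13(SYSEXTS)
    # Extend is order-sensitive: loading the same images in another order
    # yields a different PCR, so a policy must fix the load order too.
    reordered = precalc_pcr13(list(reversed(SYSEXTS)))
    return expected, reordered
```

A policy bound to PCR 13 can therefore be computed offline from the image list alone, without knowing the shim, boot loader or kernel values that land in PCR 4.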
Diffstat (limited to 'man/systemd-cryptenroll.xml')
-rw-r--r--  man/systemd-cryptenroll.xml | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index 4a5127b02d..2aa396e300 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -307,6 +307,11 @@
</row>
<row>
+ <entry>13</entry>
+ <entry><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> measures any <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> images it loads and passed to the booted kernel into this PCR.</entry>
+ </row>
+
+ <row>
<entry>14</entry>
<entry>The shim project measures its "MOK" certificates and hashes into this PCR.</entry>
</row>
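Review bot: the new PCR 13 entry reads "images it loads and passed to the booted kernel"; the two verbs disagree in tense, so make it "images it loads and passes to the booted kernel" before this lands in the manpage. Also, since the commit message says this measurement replaces the earlier one into PCR 4, check that the PCR 4 row of this same table no longer mentions sysext images, so the documentation stays in step with what sd-stub now does.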