-rw-r--r-- | man/systemd-cryptenroll.xml | 5 | ||||
-rw-r--r-- | man/systemd-stub.xml | 13 | ||||
-rw-r--r-- | src/boot/efi/measure.h | 4 | ||||
-rw-r--r-- | src/boot/efi/stub.c | 29 |
4 files changed, 34 insertions, 17 deletions
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index 4a5127b02d..2aa396e300 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -307,6 +307,11 @@
 </row> <row>
+ <entry>13</entry>
+ <entry><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> measures any <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> images it loads and passed to the booted kernel into this PCR.</entry>
+ </row>
+
+ <row>
 <entry>14</entry> <entry>The shim project measures its "MOK" certificates and hashes into this PCR.</entry> </row>
diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml
index df7cabcf50..1e9bb5d631 100644
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@@ -115,7 +115,7 @@
 images to the initrd. See <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details on system extension images. The generated <command>cpio</command> archive containing these
- system extension images is measured into TPM PCR 4 (if a TPM is present).</para></listitem>
+ system extension images is measured into TPM PCR 13 (if a TPM is present).</para></listitem>
 <listitem><para>Files <filename>/loader/credentials/*.cred</filename> are packed up in a <command>cpio</command> archive and placed in the <filename>/.extra/global_credentials/</filename>
@@ -197,7 +197,7 @@
 <row> <entry>System Extensions (synthesized initrd from companion files)</entry>
- <entry>4 + 9</entry>
+ <entry>9 + 13</entry>
 </row> </tbody> </tgroup>
@@ -263,6 +263,15 @@
 formatted as decimal ASCII string (i.e. <literal>12</literal>). This variable is set if a measurement was successfully completed, and remains unset otherwise.</para></listitem> </varlistentry>
+
+ <varlistentry>
+ <term><varname>StubPcrInitRDSysExts</varname></term>
+
+ <listitem><para>The PCR register index the systemd extensions for the initial RAM disk image, which
+ are picked up from the file system the kernel image is located on. Formatted as decimal ASCII string
+ (i.e. <literal>13</literal>). This variable is set if a measurement was successfully completed, and
+ remains unset otherwise.</para></listitem>
+ </varlistentry>
 </variablelist> <para>Note that some of the variables above may also be set by the boot loader. The stub will only set
diff --git a/src/boot/efi/measure.h b/src/boot/efi/measure.h
index df7f04c9fb..141d44aa79 100644
--- a/src/boot/efi/measure.h
+++ b/src/boot/efi/measure.h
@@ -22,8 +22,8 @@
 #define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT UINT32_MAX
 #endif
-/* This TPM PCR is where most Linux infrastructure extends the initrd binary images into, and so do we. */
-#define TPM_PCR_INDEX_INITRD 4U
+/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
+#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U
 #if ENABLE_TPM
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index 1afbde3295..3b74647a18 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -182,8 +182,8 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
 char *cmdline = NULL;
 _cleanup_free_ char *cmdline_owned = NULL;
 int sections_measured = -1, parameters_measured = -1;
+ bool sysext_measured = false, m;
 EFI_STATUS err;
- bool m;
 InitializeLib(image, sys_table);
 debug_hook(L"systemd-stub");
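Review bot: The replacement comment on TPM_PCR_INDEX_INITRD_SYSEXTS in measure.h is hard to parse ("into which we pass") and leaves out the one fact a policy author needs: the removed line shows the sysext archive used to be extended into PCR 4, and after this change PCR 4 no longer reflects sysexts at all, so a TPM2 policy bound only to PCR 4 stops covering them unless PCR 13 is added to the enrollment. Suggest `/* This TPM PCR is where we measure the sysext images we pass to the booted kernel as part of the initrd. Kept separate from PCR 4 (where the sysext archive used to be extended), so a TPM2 policy that shall cover sysexts must include PCR 13. */`. The cryptenroll man page row added by this commit would be a good place to state the same migration note.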
@@ -298,21 +298,24 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
 &m) == EFI_SUCCESS)
 parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
- (void) pack_cpio(loaded_image,
- NULL,
- L".raw",
- ".extra/sysext",
- /* dir_mode= */ 0555,
- /* access_mode= */ 0444,
- /* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_INITRD },
- /* n_tpm_pcr= */ 1,
- L"System extension initrd",
- &sysext_initrd,
- &sysext_initrd_size,
- NULL);
+ if (pack_cpio(loaded_image,
+ NULL,
+ L".raw",
+ ".extra/sysext",
+ /* dir_mode= */ 0555,
+ /* access_mode= */ 0444,
+ /* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_INITRD_SYSEXTS },
+ /* n_tpm_pcr= */ 1,
+ L"System extension initrd",
+ &sysext_initrd,
+ &sysext_initrd_size,
+ &m) == EFI_SUCCESS)
+ sysext_measured = m;
 if (parameters_measured > 0)
 (void) efivar_set_uint_string(LOADER_GUID, L"StubPcrKernelParameters", TPM_PCR_INDEX_KERNEL_PARAMETERS, 0);
+ if (sysext_measured)
+ (void) efivar_set_uint_string(LOADER_GUID, L"StubPcrInitRDSysExts", TPM_PCR_INDEX_INITRD_SYSEXTS, 0);
 linux_size = szs[SECTION_LINUX];
 linux_base = POINTER_TO_PHYSICAL_ADDRESS(loaded_image->ImageBase) + addrs[SECTION_LINUX]; |
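Review bot: The new pack_cpio branch measures the sysext archive into PCR 13, but nothing in this hunk verifies the `.raw` files it collects (presumably from the file system the UKI was loaded from, as the man page hunk says), and when the call returns EFI_SUCCESS with `m == false` the archive is still handed on to the kernel with no measurement recorded and no StubPcrInitRDSysExts variable set; whether that combination can occur with a TPM present depends on pack_cpio, which is outside the hunk. That matches the best-effort posture of the parameters measurement just above, but it deserves a comment at the call site so nobody mistakes the measurement for a check: `/* Measured only, never verified here: any .raw file found next to the UKI ends up in the initrd. Binding PCR 13 into the TPM2 policy is what makes a tampered sysext fail to unseal; m == false means no measurement was recorded. */`. efi_main begins and ends outside this hunk.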