You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
97 lines
4.8 KiB
97 lines
4.8 KiB
From 16b3bb1a1bb8a0a42ad6eb56fd33dcb800c8af04 Mon Sep 17 00:00:00 2001
|
|
From: Luca Boccassi <bluca@debian.org>
|
|
Date: Thu, 29 Jun 2023 23:41:48 +0100
|
|
Subject: [PATCH] boot: measure .sbat section
|
|
|
|
We are now merging .sbat sections from sd-stub and kernel image, so
|
|
measure it in PCR11.
|
|
|
|
(cherry picked from commit d5f91cf79361cab58e32bf7b76c41ba244add75f)
|
|
|
|
Resolves: RHEL-13199
|
|
---
|
|
man/systemd-measure.xml | 8 +++++---
|
|
src/boot/measure.c | 3 +++
|
|
src/fundamental/tpm-pcr.c | 1 +
|
|
src/fundamental/tpm-pcr.h | 1 +
|
|
4 files changed, 10 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
|
|
index 46fc979654..e08dbcdac9 100644
|
|
--- a/man/systemd-measure.xml
|
|
+++ b/man/systemd-measure.xml
|
|
@@ -66,9 +66,10 @@
|
|
<listitem><para>Pre-calculate the expected values seen in PCR register 11 after boot-up of a unified
|
|
kernel image consisting of the components specified with <option>--linux=</option>,
|
|
<option>--osrel=</option>, <option>--cmdline=</option>, <option>--initrd=</option>,
|
|
- <option>--splash=</option>, <option>--dtb=</option>, <option>--pcrpkey=</option> see below. Only
|
|
- <option>--linux=</option> is mandatory. (Alternatively, specify <option>--current</option> to use the
|
|
- current values of PCR register 11 instead.)</para></listitem>
|
|
+ <option>--splash=</option>, <option>--dtb=</option>, <option>--sbat=</option>,
|
|
+ <option>--pcrpkey=</option> see below. Only <option>--linux=</option> is mandatory. (Alternatively,
|
|
+ specify <option>--current</option> to use the current values of PCR register 11 instead.)</para>
|
|
+ </listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
@@ -104,6 +105,7 @@
|
|
<term><option>--initrd=PATH</option></term>
|
|
<term><option>--splash=PATH</option></term>
|
|
<term><option>--dtb=PATH</option></term>
|
|
+ <term><option>--sbat=PATH</option></term>
|
|
<term><option>--pcrpkey=PATH</option></term>
|
|
|
|
<listitem><para>When used with the <command>calculate</command> or <command>sign</command> verb,
|
|
diff --git a/src/boot/measure.c b/src/boot/measure.c
|
|
index 67ab84753e..84a7c357a4 100644
|
|
--- a/src/boot/measure.c
|
|
+++ b/src/boot/measure.c
|
|
@@ -80,6 +80,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
|
" --splash=PATH Path to splash bitmap file %7$s .splash\n"
|
|
" --dtb=PATH Path to Devicetree file %7$s .dtb\n"
|
|
" --uname=PATH Path to 'uname -r' file %7$s .uname\n"
|
|
+ " --sbat=PATH Path to SBAT file %7$s .sbat\n"
|
|
" --pcrpkey=PATH Path to public key for PCR signatures %7$s .pcrpkey\n"
|
|
"\nSee the %2$s for details.\n",
|
|
program_invocation_short_name,
|
|
@@ -120,6 +121,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|
ARG_SPLASH,
|
|
ARG_DTB,
|
|
ARG_UNAME,
|
|
+ ARG_SBAT,
|
|
_ARG_PCRSIG, /* the .pcrsig section is not input for signing, hence not actually an argument here */
|
|
_ARG_SECTION_LAST,
|
|
ARG_PCRPKEY = _ARG_SECTION_LAST,
|
|
@@ -142,6 +144,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|
{ "splash", required_argument, NULL, ARG_SPLASH },
|
|
{ "dtb", required_argument, NULL, ARG_DTB },
|
|
{ "uname", required_argument, NULL, ARG_UNAME },
|
|
+ { "sbat", required_argument, NULL, ARG_SBAT },
|
|
{ "pcrpkey", required_argument, NULL, ARG_PCRPKEY },
|
|
{ "current", no_argument, NULL, 'c' },
|
|
{ "bank", required_argument, NULL, ARG_BANK },
|
|
diff --git a/src/fundamental/tpm-pcr.c b/src/fundamental/tpm-pcr.c
|
|
index 0685d37b05..2f7e9b428d 100644
|
|
--- a/src/fundamental/tpm-pcr.c
|
|
+++ b/src/fundamental/tpm-pcr.c
|
|
@@ -12,6 +12,7 @@ const char* const unified_sections[_UNIFIED_SECTION_MAX + 1] = {
|
|
[UNIFIED_SECTION_SPLASH] = ".splash",
|
|
[UNIFIED_SECTION_DTB] = ".dtb",
|
|
[UNIFIED_SECTION_UNAME] = ".uname",
|
|
+ [UNIFIED_SECTION_SBAT] = ".sbat",
|
|
[UNIFIED_SECTION_PCRSIG] = ".pcrsig",
|
|
[UNIFIED_SECTION_PCRPKEY] = ".pcrpkey",
|
|
NULL,
|
|
diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/tpm-pcr.h
|
|
index 24240b82ed..794d593825 100644
|
|
--- a/src/fundamental/tpm-pcr.h
|
|
+++ b/src/fundamental/tpm-pcr.h
|
|
@@ -35,6 +35,7 @@ typedef enum UnifiedSection {
|
|
UNIFIED_SECTION_SPLASH,
|
|
UNIFIED_SECTION_DTB,
|
|
UNIFIED_SECTION_UNAME,
|
|
+ UNIFIED_SECTION_SBAT,
|
|
UNIFIED_SECTION_PCRSIG,
|
|
UNIFIED_SECTION_PCRPKEY,
|
|
_UNIFIED_SECTION_MAX,
|