diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2024-02-23 09:48:47 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2024-02-23 09:48:47 +0100 |
commit | 8e3fee33afed8cb6a0945288f4773363a4d68912 (patch) | |
tree | 2dad2a0965eb44f68fef9ad08dc79d1cd25494ae /docs/TPM2_PCR_MEASUREMENTS.md | |
parent | Merge pull request #31445 from keszybz/slow-tests (diff) | |
download | systemd-8e3fee33afed8cb6a0945288f4773363a4d68912.tar.xz systemd-8e3fee33afed8cb6a0945288f4773363a4d68912.zip |
Revert "docs: use collections to structure the data"
This reverts commit 5e8ff010a1436d33bbf3c108335af6e0b4ff7a2a.
This broke all the URLs, we can't have that. (And actually, we probably don't
_want_ to make the change either. It's nicer to have all the pages in one
directory, so one doesn't have to figure out to which collection the page
belongs.)
Diffstat (limited to 'docs/TPM2_PCR_MEASUREMENTS.md')
-rw-r--r-- | docs/TPM2_PCR_MEASUREMENTS.md | 192 |
1 files changed, 192 insertions, 0 deletions
diff --git a/docs/TPM2_PCR_MEASUREMENTS.md b/docs/TPM2_PCR_MEASUREMENTS.md new file mode 100644 index 0000000000..462a86b36c --- /dev/null +++ b/docs/TPM2_PCR_MEASUREMENTS.md @@ -0,0 +1,192 @@ +--- +title: TPM2 PCR Measurements Made by systemd +category: Booting +layout: default +SPDX-License-Identifier: LGPL-2.1-or-later +--- + +# TPM2 PCR Measurements Made by systemd + +Various systemd components issue TPM2 PCR measurements during the boot process, +both in UEFI mode and from userspace. The following lists all measurements +done, and describes (in case done before `ExitBootServices()`) how they appear +in the TPM2 Event Log, maintained by the PC firmware. Note that the userspace +measurements listed below are (by default) only done if a system is booted with +`systemd-stub` — or in other words: systemd's userspace measurements are linked +to systemd's UEFI-mode measurements, and if the latter are not done the former +aren't made either. + +systemd will measure to PCRs 5 (`boot-loader-config`), 11 (`kernel-boot`), +12 (`kernel-config`), 13 (`sysexts`), 15 (`system-identity`). + +Currently, four components will issue TPM2 PCR measurements: + +* The [`systemd-boot`](https://www.freedesktop.org/software/systemd/man/systemd-boot.html) boot menu (UEFI) +* The [`systemd-stub`](https://www.freedesktop.org/software/systemd/man/systemd-stub.html) boot stub (UEFI) +* The [`systemd-pcrextend`](https://www.freedesktop.org/software/systemd/man/systemd-pcrphase.service.html) measurement tool (userspace) +* The [`systemd-cryptsetup`](https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup@.service.html) disk encryption tool (userspace) + +A userspace measurement event log in a format close to TCG CEL-JSON is +maintained in `/run/log/systemd/tpm2-measure.log`. + +## Measurements Added in Future + +We expect that we'll add further PCR extensions in future (both in firmware and +user mode), which also will be documented here. When executed from firmware +mode future additions are expected to be recorded as `EV_EVENT_TAG` +measurements in the event log, in order to make them robustly +recognizable. Measurements currently recorded as `EV_IPL` will continue to be +recorded as `EV_IPL`, for compatibility reasons. However, `EV_IPL` will not be +used for new, additional measurements. + +## PCR Measurements Made by `systemd-boot` (UEFI) + +### PCS 5, `EV_EVENT_TAG`, "loader.conf" + +The content of `systemd-boot`'s configuration file, `loader/loader.conf`, is +measured as a tagged event. + +→ **Event Tag** `0xf5bc582a` + +→ **Description** in the event log record is the file name, `loader.conf`. + +→ **Measured hash** covers the content of `loader.conf` as it is read from the ESP. + +### PCR 12, `EV_IPL`, "Kernel Command Line" + +If the kernel command line was specified explicitly (by the user or in a Boot +Loader Specification Type #1 file), the kernel command line passed to the +invoked kernel is measured before it is executed. (In case an UKI/Boot Loader +Specification Type #2 entry is booted, the built-in kernel command line is +implicitly measured as part of the PE sections, because it is embedded in the +`.cmdline` PE section, hence doesn't need to be measured by `systemd-boot`; see +below for details on PE section measurements done by `systemd-stub`.) + +→ **Description** in the event log record is the literal kernel command line in +UTF-16. + +→ **Measured hash** covers the literal kernel command line in UTF-16 (without any +trailing NUL bytes). + +## PCR Measurements Made by `systemd-stub` (UEFI) + +### PCR 11, `EV_IPL`, "PE Section Name" + +A measurement is made for each PE section of the UKI that is defined by the +[UKI +specification](https://uapi-group.org/specifications/specs/unified_kernel_image/), +in the canonical order described in the specification. + +Happens once for each UKI-defined PE section of the UKI, in the canonical UKI +PE section order, as per the UKI specification. For each record a pair of +records is written, first one that covers the PE section name (described here), +and the second one that covers the PE section data (described below), so that +both types of records appear interleaved in the event log. + +→ **Description** in the event log record is the PE section name in UTF-16. + +→ **Measured hash** covers the PE section name in ASCII (*including* a trailing NUL byte!). + +### PCR 11, `EV_IPL`, "PE Section Data" + +Happens once for each UKI-defined PE section of the UKI, in the canonical UKI +PE section order, as per the UKI specification, see above. + +→ **Description** in the event log record is the PE section name in UTF-16. + +→ **Measured hash** covers the (binary) PE section contents. + +### PCR 12, `EV_IPL`, "Kernel Command Line" + +Might happen up to three times, for kernel command lines from: + + 1. Passed cmdline + 2. System and per-UKI cmdline add-ons (one measurement covering all add-ons combined) + 3. SMBIOS cmdline + +→ **Description** in the event log record is the literal kernel command line in +UTF-16. + +→ **Measured hash** covers the literal kernel command line in UTF-16 (without any +trailing NUL bytes). + +### PCR 12, `EV_EVENT_TAG`, "Devicetrees" + +Devicetree addons are measured individually as a tagged event. + +→ **Event Tag** `0x6c46f751` + +→ **Description** the addon filename. + +→ **Measured hash** covers the content of the Devicetree. + +### PCR 12, `EV_IPL`, "Per-UKI Credentials initrd" + +→ **Description** in the event log record is the constant string "Credentials +initrd" in UTF-16. + +→ **Measured hash** covers the per-UKI credentials cpio archive (which is generated + on-the-fly by `systemd-stub`). + +### PCR 12, `EV_IPL`, "Global Credentials initrd" + +→ **Description** in the event log record is the constant string "Global +credentials initrd" in UTF-16. + +→ **Measured hash** covers the global credentials cpio archive (which is generated +on-the-fly by `systemd-stub`). + +### PCR 13, `EV_IPL`, "sysext initrd" + +→ **Description** in the event log record is the constant string "System extension +initrd" in UTF-16. + +→ **Measured hash** covers the per-UKI sysext cpio archive (which is generated +on-the-fly by `systemd-stub`). + +## PCR Measurements Made by `systemd-pcrextend` (Userspace) + +### PCR 11, "Boot Phases" + +The `systemd-pcrphase.service`, `systemd-pcrphase-initrd.service`, +`systemd-pcrphase-sysinit.service` services will measure the boot phase reached +during various times of the boot process. Specifically, the strings +"enter-initrd", "leave-initrd", "sysinit", "ready", "shutdown", "final" are +measured, in this order. (These are regular units, and administrators may +choose to define additional/different phases.) + +→ **Measured hash** covers the phase string (in UTF-8, without trailing NUL +bytes). + +### PCR 15, "Machine ID" + +The `systemd-pcrmachine.service` service will measure the machine ID (as read +from `/etc/machine-id`) during boot. + +→ **Measured hash** covers the string "machine-id:" suffixed by the machine ID +formatted in hexadecimal lowercase characters (in UTF-8, without trailing NUL +bytes). + +### PCR 15, "File System" + +The `systemd-pcrfs-root.service` and `systemd-pcrfs@.service` services will +measure a string identifying a specific file system, typically covering the +root file system and `/var/` (if it is its own file system). + +→ **Measured hash** covers the string "file-system:" suffixed by a series of six +colon-separated strings, identifying the file system type, UUID, label as well +as the GPT partition entry UUID, entry type UUID and entry label (in UTF-8, +without trailing NUL bytes). + +## PCR Measurements Made by `systemd-cryptsetup` (Userspace) + +### PCR 15, "Volume Key" + +The `systemd-cryptsetup@.service` service will measure a key derived from the +LUKS volume key of a specific encrypted volume, typically covering the backing +encryption device of the root file system and `/var/` (if it is its own file +system). + +→ **Measured hash** covers the (binary) result of the HMAC(V,S) calculation where V +is the LUKS volume key, and S is the string "cryptsetup:" followed by the LUKS +volume name and the UUID of the LUKS superblock. |