diff options
| -rw-r--r-- | TODO | 2 | ||||
| -rw-r--r-- | meson.build | 2 | ||||
| -rw-r--r-- | meson_options.txt | 2 | ||||
| -rw-r--r-- | src/boot/efi/cpio.c | 72 | ||||
| -rw-r--r-- | src/boot/efi/cpio.h | 6 | ||||
| -rw-r--r-- | src/boot/efi/measure.c | 29 | ||||
| -rw-r--r-- | src/boot/efi/meson.build | 1 | ||||
| -rw-r--r-- | src/boot/efi/stub.c | 15 | ||||
| -rw-r--r-- | src/fundamental/tpm-pcr.h | 8 |
9 files changed, 40 insertions, 97 deletions
@@ -118,8 +118,6 @@ Deprecations and removals: * rework our PID tracking in services and so on, to be strictly based on pidfd, once kernel baseline is 5.13. -* ~2023: remove support for TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT - * H2 2023: remove support for unmerged-usr * Remove /dev/mem ACPI FPDT parsing when /sys/firmware/acpi/fpdt is ubiquitous. diff --git a/meson.build b/meson.build index f0159176a4..e75a837d20 100644 --- a/meson.build +++ b/meson.build @@ -310,8 +310,6 @@ conf.set_quoted('STATUS_UNIT_FORMAT_DEFAULT_STR', status_unit_format conf.set10('FIRST_BOOT_FULL_PRESET', get_option('first-boot-full-preset')) -conf.set10('EFI_TPM_PCR_COMPAT', get_option('efi-tpm-pcr-compat')) - ##################################################################### cc = meson.get_compiler('c') diff --git a/meson_options.txt b/meson_options.txt index 6a95955dd9..8ce245dbb9 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -444,8 +444,6 @@ option('efi-libdir', type : 'string', description : 'path to the EFI lib directory') option('efi-includedir', type : 'string', value : '/usr/include/efi', description : 'path to the EFI header directory') -option('efi-tpm-pcr-compat', type : 'boolean', value : false, - description : 'Measure kernel command line also into TPM PCR 8 (in addition to 12)') option('sbat-distro', type : 'string', value : 'auto', description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection') option('sbat-distro-generation', type : 'integer', value : 1, diff --git a/src/boot/efi/cpio.c b/src/boot/efi/cpio.c index 79b5d4327b..7f123fa376 100644 --- a/src/boot/efi/cpio.c +++ b/src/boot/efi/cpio.c @@ -299,48 +299,6 @@ static EFI_STATUS pack_cpio_trailer( return EFI_SUCCESS; } -static EFI_STATUS measure_cpio( - void *buffer, - UINTN buffer_size, - const uint32_t tpm_pcr[], - UINTN n_tpm_pcr, - const char16_t *tpm_description, - bool *ret_measured) { - - int measured = -1; - EFI_STATUS err; - - assert(buffer || buffer_size == 0); - assert(tpm_pcr || n_tpm_pcr == 0); - - for (UINTN i = 0; i < n_tpm_pcr; i++) { - bool m; - - if (tpm_pcr[i] == UINT32_MAX) /* Disabled */ - continue; - - err = tpm_log_event( - tpm_pcr[i], - POINTER_TO_PHYSICAL_ADDRESS(buffer), - buffer_size, - tpm_description, - &m); - if (err != EFI_SUCCESS) { - log_error_stall(L"Unable to add initrd TPM measurement for PCR %u (%s), ignoring: %r", tpm_pcr[i], tpm_description, err); - measured = false; - continue; - } - - if (measured != false) - measured = m; - } - - if (ret_measured) - *ret_measured = measured > 0; - - return EFI_SUCCESS; -} - static char16_t *get_dropin_dir(const EFI_DEVICE_PATH *file_path) { if (!file_path) return NULL; @@ -370,8 +328,7 @@ EFI_STATUS pack_cpio( const char *target_dir_prefix, uint32_t dir_mode, uint32_t access_mode, - const uint32_t tpm_pcr[], - UINTN n_tpm_pcr, + uint32_t tpm_pcr, const char16_t *tpm_description, void **ret_buffer, UINTN *ret_buffer_size, @@ -388,7 +345,6 @@ EFI_STATUS pack_cpio( assert(loaded_image); assert(target_dir_prefix); - assert(tpm_pcr || n_tpm_pcr == 0); assert(ret_buffer); assert(ret_buffer_size); @@ -491,9 +447,15 @@ EFI_STATUS pack_cpio( if (err != EFI_SUCCESS) return log_error_status_stall(err, L"Failed to pack cpio trailer: %r"); - err = measure_cpio(buffer, buffer_size, tpm_pcr, n_tpm_pcr, tpm_description, ret_measured); + err = tpm_log_event( + tpm_pcr, POINTER_TO_PHYSICAL_ADDRESS(buffer), buffer_size, tpm_description, ret_measured); if (err != EFI_SUCCESS) - return err; + return log_error_status_stall( + err, + L"Unable to add cpio TPM measurement for PCR %u (%s), ignoring: %r", + tpm_pcr, + tpm_description, + err); *ret_buffer = TAKE_PTR(buffer); *ret_buffer_size = buffer_size; @@ -505,7 +467,7 @@ nothing: *ret_buffer_size = 0; if (ret_measured) - *ret_measured = n_tpm_pcr > 0; + *ret_measured = false; return EFI_SUCCESS; } @@ -517,8 +479,7 @@ EFI_STATUS pack_cpio_literal( const char16_t *target_filename, uint32_t dir_mode, uint32_t access_mode, - const uint32_t tpm_pcr[], - UINTN n_tpm_pcr, + uint32_t tpm_pcr, const char16_t *tpm_description, void **ret_buffer, UINTN *ret_buffer_size, @@ -532,7 +493,6 @@ EFI_STATUS pack_cpio_literal( assert(data || data_size == 0); assert(target_dir_prefix); assert(target_filename); - assert(tpm_pcr || n_tpm_pcr == 0); assert(ret_buffer); assert(ret_buffer_size); @@ -557,9 +517,15 @@ EFI_STATUS pack_cpio_literal( if (err != EFI_SUCCESS) return log_error_status_stall(err, L"Failed to pack cpio trailer: %r"); - err = measure_cpio(buffer, buffer_size, tpm_pcr, n_tpm_pcr, tpm_description, ret_measured); + err = tpm_log_event( + tpm_pcr, POINTER_TO_PHYSICAL_ADDRESS(buffer), buffer_size, tpm_description, ret_measured); if (err != EFI_SUCCESS) - return err; + return log_error_status_stall( + err, + L"Unable to add cpio TPM measurement for PCR %u (%s), ignoring: %r", + tpm_pcr, + tpm_description, + err); *ret_buffer = TAKE_PTR(buffer); *ret_buffer_size = buffer_size; diff --git a/src/boot/efi/cpio.h b/src/boot/efi/cpio.h index beebef3d8b..62d2598fe5 100644 --- a/src/boot/efi/cpio.h +++ b/src/boot/efi/cpio.h @@ -12,8 +12,7 @@ EFI_STATUS pack_cpio( const char *target_dir_prefix, uint32_t dir_mode, uint32_t access_mode, - const uint32_t tpm_pcr[], - UINTN n_tpm_pcr, + uint32_t tpm_pcr, const char16_t *tpm_description, void **ret_buffer, UINTN *ret_buffer_size, @@ -26,8 +25,7 @@ EFI_STATUS pack_cpio_literal( const char16_t *target_filename, uint32_t dir_mode, uint32_t access_mode, - const uint32_t tpm_pcr[], - UINTN n_tpm_pcr, + uint32_t tpm_pcr, const char16_t *tpm_description, void **ret_buffer, UINTN *ret_buffer_size, diff --git a/src/boot/efi/measure.c b/src/boot/efi/measure.c index 6da07d917e..dc3bd064db 100644 --- a/src/boot/efi/measure.c +++ b/src/boot/efi/measure.c @@ -193,27 +193,26 @@ EFI_STATUS tpm_log_event_ascii(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, U } EFI_STATUS tpm_log_load_options(const char16_t *load_options, bool *ret_measured) { - int measured = -1; + bool measured = false; EFI_STATUS err; /* Measures a load options string into the TPM2, i.e. the kernel command line */ - for (UINTN i = 0; i < 2; i++) { - uint32_t pcr = i == 0 ? TPM_PCR_INDEX_KERNEL_PARAMETERS : TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT; - bool m; - - if (pcr == UINT32_MAX) /* Skip this one, if it's invalid, so that our 'measured' return value is not corrupted by it */ - continue; - - err = tpm_log_event(pcr, POINTER_TO_PHYSICAL_ADDRESS(load_options), strsize16(load_options), load_options, &m); - if (err != EFI_SUCCESS) - return log_error_status_stall(err, L"Unable to add load options (i.e. kernel command) line measurement to PCR %u: %r", pcr, err); - - measured = measured < 0 ? m : (measured && m); - } + err = tpm_log_event( + TPM_PCR_INDEX_KERNEL_PARAMETERS, + POINTER_TO_PHYSICAL_ADDRESS(load_options), + strsize16(load_options), + load_options, + &measured); + if (err != EFI_SUCCESS) + return log_error_status_stall( + err, + L"Unable to add load options (i.e. kernel command) line measurement to PCR %u: %r", + TPM_PCR_INDEX_KERNEL_PARAMETERS, + err); if (ret_measured) - *ret_measured = measured < 0 ? false : measured; + *ret_measured = measured; return EFI_SUCCESS; } diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build index 2a7e457df3..334e98c075 100644 --- a/src/boot/efi/meson.build +++ b/src/boot/efi/meson.build @@ -120,7 +120,6 @@ conf.set_quoted('EFI_MACHINE_TYPE_NAME', efi_arch[0]) efi_conf = configuration_data() efi_conf.set_quoted('EFI_MACHINE_TYPE_NAME', efi_arch[0]) efi_conf.set10('ENABLE_TPM', get_option('tpm')) -efi_conf.set10('EFI_TPM_PCR_COMPAT', get_option('efi-tpm-pcr-compat')) foreach ctype : ['color-normal', 'color-entry', 'color-highlight', 'color-edit'] c = get_option('efi-' + ctype).split(',') diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c index 023f8ae255..aa83b34166 100644 --- a/src/boot/efi/stub.c +++ b/src/boot/efi/stub.c @@ -290,8 +290,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { ".extra/credentials", /* dir_mode= */ 0500, /* access_mode= */ 0400, - /* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_KERNEL_PARAMETERS, TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT }, - /* n_tpm_pcr= */ 2, + /* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS, L"Credentials initrd", &credential_initrd, &credential_initrd_size, @@ -304,8 +303,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { ".extra/global_credentials", /* dir_mode= */ 0500, /* access_mode= */ 0400, - /* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_KERNEL_PARAMETERS, TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT }, - /* n_tpm_pcr= */ 2, + /* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS, L"Global credentials initrd", &global_credential_initrd, &global_credential_initrd_size, @@ -318,8 +316,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { ".extra/sysext", /* dir_mode= */ 0555, /* access_mode= */ 0444, - /* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_INITRD_SYSEXTS }, - /* n_tpm_pcr= */ 1, + /* tpm_pcr= */ TPM_PCR_INDEX_INITRD_SYSEXTS, L"System extension initrd", &sysext_initrd, &sysext_initrd_size, @@ -344,8 +341,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { L"tpm2-pcr-signature.json", /* dir_mode= */ 0555, /* access_mode= */ 0444, - /* tpm_pcr= */ NULL, - /* n_tpm_pcr= */ 0, + /* tpm_pcr= */ UINT32_MAX, /* tpm_description= */ NULL, &pcrsig_initrd, &pcrsig_initrd_size, @@ -363,8 +359,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) { L"tpm2-pcr-public-key.pem", /* dir_mode= */ 0555, /* access_mode= */ 0444, - /* tpm_pcr= */ NULL, - /* n_tpm_pcr= */ 0, + /* tpm_pcr= */ UINT32_MAX, /* tpm_description= */ NULL, &pcrpkey_initrd, &pcrpkey_initrd_size, diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/tpm-pcr.h index 235d4841b0..d57291328d 100644 --- a/src/fundamental/tpm-pcr.h +++ b/src/fundamental/tpm-pcr.h @@ -14,14 +14,6 @@ /* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */ #define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U -/* sd-stub used to write the kernel command line/credentials into PCR 8, in systemd <= 250. Let's provide for - * some compatibility. (Remove in 2023!) */ -#if EFI_TPM_PCR_COMPAT -#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT 8U -#else -#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT UINT32_MAX -#endif - /* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */ #define TPM_PCR_INDEX_INITRD_SYSEXTS 13U |