git.ipfire.org Git - thirdparty/systemd.git/commit

author	Alberto Planas <aplanas@suse.com>
	Thu, 18 Jan 2024 14:38:30 +0000 (15:38 +0100)
committer	Luca Boccassi <luca.boccassi@gmail.com>
	Fri, 19 Jan 2024 00:18:20 +0000 (00:18 +0000)
commit	4054e8128e4957f9fde783889485051ec5560d60
tree	ab33f43a4c989c25f561db6968bcea02bc318f38	tree \| snapshot
parent	4be1fc8443779f6a3d0572b9f3d8a531f74b3bfd	commit \| diff

Measure empty PK and KEK EFI vars

The OVMF UEFI firmware is measuring PK and KEK when secure boot is
disabled, and those variables are absent. This can be checked via the
event log to see that there are extensions for PCR 7 associated with PK
and KEK events of type EV_EFI_VARIABLE_DRIVER_CONFIG.

When running the "lock-secureboot-policy" verb, pcrlock complains that
those variables are not found and refuse to generate the
240-secureboot-policy.pcrlock.d/generated.pcrlock file.

The "TCG PC Client Platform Firmware Profile Specification Version 1.05
Revision 23"[1] from May 7, 2021, in section "3.3.4.8 PCR[7] - Secure
Boot Policy Measurements", point 10.b:

If reading a UEFI variable returns UEFI_NOT_FOUND, platform firmware
SHALL measure the absence of the variable. The
UEFI_VARIABLE_DATA.VariableDataLength field MUST be set to zero and
UEFI_VARIABLE_DATA.VariableData field will have a size of zero.

This patch mark those variables to be marked as "synthesize empty",
generating the correct hash for those variables.

Signed-off-by: Alberto Planas <aplanas@suse.com>