]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c3f7501)
boot: measure .sbat section 28187/head
authorLuca Boccassi <bluca@debian.org>
Thu, 29 Jun 2023 22:41:48 +0000 (23:41 +0100)
committerLuca Boccassi <bluca@debian.org>
Fri, 30 Jun 2023 16:17:56 +0000 (17:17 +0100)
We are now merging .sbat sections from sd-stub and kernel image, so
measure it in PCR11.

man/systemd-measure.xml patch | blob | blame | history
src/boot/measure.c patch | blob | blame | history
src/fundamental/tpm-pcr.c patch | blob | blame | history
src/fundamental/tpm-pcr.h patch | blob | blame | history

diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index dddc2bf16b70d44a414b7d6495e18a46841b32a9..7279df8d08fa1cec63be3f6ea8b445fc8596589a 100644 (file)
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -73,9 +73,10 @@
         <listitem><para>Pre-calculate the expected values seen in PCR register 11 after boot-up of a unified
         kernel image consisting of the components specified with <option>--linux=</option>,
         <option>--osrel=</option>, <option>--cmdline=</option>, <option>--initrd=</option>,
-        <option>--splash=</option>, <option>--dtb=</option>, <option>--pcrpkey=</option> see below. Only
-        <option>--linux=</option> is mandatory. (Alternatively, specify <option>--current</option> to use the
-        current values of PCR register 11 instead.)</para></listitem>
+        <option>--splash=</option>, <option>--dtb=</option>, <option>--sbat=</option>,
+        <option>--pcrpkey=</option> see below. Only <option>--linux=</option> is mandatory. (Alternatively,
+        specify <option>--current</option> to use the current values of PCR register 11 instead.)</para>
+        </listitem>
       </varlistentry>
 
       <varlistentry>
@@ -112,6 +113,7 @@
         <term><option>--initrd=<replaceable>PATH</replaceable></option></term>
         <term><option>--splash=<replaceable>PATH</replaceable></option></term>
         <term><option>--dtb=<replaceable>PATH</replaceable></option></term>
+        <term><option>--sbat=<replaceable>PATH</replaceable></option></term>
         <term><option>--pcrpkey=<replaceable>PATH</replaceable></option></term>
 
         <listitem><para>When used with the <command>calculate</command> or <command>sign</command> verb,
diff --git a/src/boot/measure.c b/src/boot/measure.c
index bd7cc783996d6aaa7c41d94f31e7f3fc12fe5aee..e388fb666ed0615be85127dbac6e930c79d0bc25 100644 (file)
--- a/src/boot/measure.c
+++ b/src/boot/measure.c
@@ -85,6 +85,7 @@ static int help(int argc, char *argv[], void *userdata) {
                "     --splash=PATH       Path to splash bitmap file             %7$s .splash\n"
                "     --dtb=PATH          Path to Devicetree file                %7$s .dtb\n"
                "     --uname=PATH        Path to 'uname -r' file                %7$s .uname\n"
+               "     --sbat=PATH         Path to SBAT file                      %7$s .sbat\n"
                "     --pcrpkey=PATH      Path to public key for PCR signatures  %7$s .pcrpkey\n"
                "\nSee the %2$s for details.\n",
                program_invocation_short_name,
@@ -125,6 +126,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_SPLASH,
                 ARG_DTB,
                 ARG_UNAME,
+                ARG_SBAT,
                 _ARG_PCRSIG, /* the .pcrsig section is not input for signing, hence not actually an argument here */
                 _ARG_SECTION_LAST,
                 ARG_PCRPKEY = _ARG_SECTION_LAST,
@@ -148,6 +150,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "splash",      required_argument, NULL, ARG_SPLASH      },
                 { "dtb",         required_argument, NULL, ARG_DTB         },
                 { "uname",       required_argument, NULL, ARG_UNAME       },
+                { "sbat",        required_argument, NULL, ARG_SBAT        },
                 { "pcrpkey",     required_argument, NULL, ARG_PCRPKEY     },
                 { "current",     no_argument,       NULL, 'c'             },
                 { "bank",        required_argument, NULL, ARG_BANK        },
diff --git a/src/fundamental/tpm-pcr.c b/src/fundamental/tpm-pcr.c
index 0685d37b05797ce8184d61db28a4a399edfd757e..2f7e9b428d42b070d610e451132de949a6d3ae0e 100644 (file)
--- a/src/fundamental/tpm-pcr.c
+++ b/src/fundamental/tpm-pcr.c
@@ -12,6 +12,7 @@ const char* const unified_sections[_UNIFIED_SECTION_MAX + 1] = {
         [UNIFIED_SECTION_SPLASH]  = ".splash",
         [UNIFIED_SECTION_DTB]     = ".dtb",
         [UNIFIED_SECTION_UNAME]   = ".uname",
+        [UNIFIED_SECTION_SBAT]    = ".sbat",
         [UNIFIED_SECTION_PCRSIG]  = ".pcrsig",
         [UNIFIED_SECTION_PCRPKEY] = ".pcrpkey",
         NULL,
diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/tpm-pcr.h
index 4989d93f0c1a7289cded50044ccbcebb1992bb31..f8ed816894f83a08aea05cffb4245122ebfa9595 100644 (file)
--- a/src/fundamental/tpm-pcr.h
+++ b/src/fundamental/tpm-pcr.h
@@ -30,6 +30,7 @@ typedef enum UnifiedSection {
         UNIFIED_SECTION_SPLASH,
         UNIFIED_SECTION_DTB,
         UNIFIED_SECTION_UNAME,
+        UNIFIED_SECTION_SBAT,
         UNIFIED_SECTION_PCRSIG,
         UNIFIED_SECTION_PCRPKEY,
         _UNIFIED_SECTION_MAX,
Unnamed repository; edit this file 'description' to name the repository.