<arg choice="plain">image-policy</arg>
<arg choice="plain" rep="repeat"><replaceable>POLICY</replaceable></arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-analyze</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="plain">pcrs</arg>
+ <arg choice="opt" rep="repeat"><replaceable>PCR</replaceable></arg>
+ </cmdsynopsis>
</refsynopsisdiv>
<refsect1>
default ignore - -</programlisting>
</example>
</refsect2>
+
+ <refsect2>
+ <title><command>systemd-analyze pcrs <optional><replaceable>PCR</replaceable>…</optional></command></title>
+
+ <para>This command shows the known TPM2 PCRs along with their identifying names and current values.</para>
+
+ <example>
+ <title>Example Output</title>
+
+ <programlisting>$ systemd-analyze pcrs
+NR NAME SHA256
+ 0 platform-code bcd2eb527108bbb1f5528409bcbe310aa9b74f687854cc5857605993f3d9eb11
+ 1 platform-config b60622856eb7ce52637b80f30a520e6e87c347daa679f3335f4f1a600681bb01
+ 2 external-code 1471262403e9a62f9c392941300b4807fbdb6f0bfdd50abfab752732087017dd
+ 3 external-config 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
+ 4 boot-loader-code 939f7fa1458e1f7ce968874d908e524fc0debf890383d355e4ce347b7b78a95c
+ 5 boot-loader-config 864c61c5ea5ecbdb6951e6cb6d9c1f4b4eac79772f7fe13b8bece569d83d3768
+ 6 - 3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
+ 7 secure-boot-policy 9c905bd9b9891bfb889b90a54c4b537b889cfa817c4389cc25754823a9443255
+ 8 - 0000000000000000000000000000000000000000000000000000000000000000
+ 9 kernel-initrd 9caa29b128113ef42aa53d421f03437be57211e5ebafc0fa8b5d4514ee37ff0c
+10 ima 5ea9e3dab53eb6b483b6ec9e3b2c712bea66bca1b155637841216e0094387400
+11 kernel-boot 0000000000000000000000000000000000000000000000000000000000000000
+12 kernel-config 627ffa4b405e911902fe1f1a8b0164693b31acab04f805f15bccfe2209c7eace
+13 sysexts 0000000000000000000000000000000000000000000000000000000000000000
+14 shim-policy 0000000000000000000000000000000000000000000000000000000000000000
+15 system-identity 0000000000000000000000000000000000000000000000000000000000000000
+16 debug 0000000000000000000000000000000000000000000000000000000000000000
+17 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+18 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+19 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+20 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+21 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+22 - ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+23 application-support 0000000000000000000000000000000000000000000000000000000000000000</programlisting>
+ </example>
+ </refsect2>
</refsect1>
<refsect1>
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "analyze.h"
+#include "analyze-pcrs.h"
+#include "fileio.h"
+#include "format-table.h"
+#include "hexdecoct.h"
+#include "terminal-util.h"
+#include "tpm2-util.h"
+
+static int get_pcr_alg(const char **ret) {
+ assert(ret);
+
+ FOREACH_STRING(alg, "sha256", "sha1") {
+ _cleanup_free_ char *p = NULL;
+
+ if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0)
+ return log_oom();
+
+ if (access(p, F_OK) < 0) {
+ if (errno != -ENOENT)
+ return log_error_errno(errno, "Failed to determine whether %s exists: %m", p);
+ } else {
+ *ret = alg;
+ return 1;
+ }
+ }
+
+ log_notice("Kernel does not support reading PCR values.");
+ *ret = NULL;
+ return 0;
+}
+
+static int get_current_pcr(const char *alg, uint32_t pcr, void **ret, size_t *ret_size) {
+ _cleanup_free_ char *p = NULL, *s = NULL;
+ _cleanup_free_ void *buf = NULL;
+ size_t ss = 0, bufsize = 0;
+ int r;
+
+ assert(alg);
+ assert(ret);
+ assert(ret_size);
+
+ if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%" PRIu32, alg, pcr) < 0)
+ return log_oom();
+
+ r = read_virtual_file(p, 4096, &s, &ss);
+ if (r < 0)
+ return log_error_errno(r, "Failed to read '%s': %m", p);
+
+ r = unhexmem(s, ss, &buf, &bufsize);
+ if (r < 0)
+ return log_error_errno(r, "Failed to decode hex PCR data '%s': %m", s);
+
+ *ret = TAKE_PTR(buf);
+ *ret_size = bufsize;
+ return 0;
+}
+
+static int add_pcr_to_table(Table *table, const char *alg, uint32_t pcr) {
+ _cleanup_free_ char *h = NULL;
+ const char *color = NULL;
+ int r;
+
+ if (alg) {
+ _cleanup_free_ void *buf = NULL;
+ size_t bufsize = 0;
+
+ r = get_current_pcr(alg, pcr, &buf, &bufsize);
+ if (r < 0)
+ return r;
+
+ h = hexmem(buf, bufsize);
+ if (!h)
+ return log_oom();
+
+ /* Grey out PCRs that are not sensibly initialized */
+ if (memeqbyte(0, buf, bufsize) ||
+ memeqbyte(0xFFU, buf, bufsize))
+ color = ANSI_GREY;
+ }
+
+ r = table_add_many(table,
+ TABLE_UINT32, pcr,
+ TABLE_STRING, pcr_index_to_string(pcr),
+ TABLE_STRING, h,
+ TABLE_SET_COLOR, color);
+ if (r < 0)
+ return table_log_add_error(r);
+
+ return 0;
+}
+
+int verb_pcrs(int argc, char *argv[], void *userdata) {
+ _cleanup_(table_unrefp) Table *table = NULL;
+ const char *alg = NULL;
+ int r;
+
+ if (tpm2_support() != TPM2_SUPPORT_FULL)
+ log_notice("System has not TPM2 support, not showing PCR state.");
+ else {
+ r = get_pcr_alg(&alg);
+ if (r < 0)
+ return r;
+ }
+
+ table = table_new("nr", "name", alg);
+ if (!table)
+ return log_oom();
+
+ (void) table_set_align_percent(table, table_get_cell(table, 0, 0), 100);
+ (void) table_set_ersatz_string(table, TABLE_ERSATZ_DASH);
+
+ if (!alg) /* hide hash column if we couldn't acquire it */
+ (void) table_set_display(table, 0, 1);
+
+ if (strv_isempty(strv_skip(argv, 1)))
+ for (uint32_t pi = 0; pi < _PCR_INDEX_MAX_DEFINED; pi++) {
+ r = add_pcr_to_table(table, alg, pi);
+ if (r < 0)
+ return r;
+ }
+ else {
+ for (int i = 1; i < argc; i++) {
+ int pi;
+
+ pi = pcr_index_from_string(argv[i]);
+ if (pi < 0)
+ return log_error_errno(pi, "PCR index \"%s\" not known.", argv[i]);
+
+ r = add_pcr_to_table(table, alg, pi);
+ if (r < 0)
+ return r;
+ }
+
+ (void) table_set_sort(table, (size_t) 0);
+ }
+
+ r = table_print_with_pager(table, arg_json_format_flags, arg_pager_flags, /* show_header= */true);
+ if (r < 0)
+ return log_error_errno(r, "Failed to output table: %m");
+
+ return EXIT_SUCCESS;
+}
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+int verb_pcrs(int argc, char *argv[], void *userdata);
#include "analyze-inspect-elf.h"
#include "analyze-log-control.h"
#include "analyze-malloc.h"
+#include "analyze-pcrs.h"
#include "analyze-plot.h"
#include "analyze-security.h"
#include "analyze-service-watchdogs.h"
" inspect-elf FILE... Parse and print ELF package metadata\n"
" malloc [D-BUS SERVICE...] Dump malloc stats of a D-Bus service\n"
" fdstore SERVICE... Show file descriptor store contents of service\n"
+ " pcrs [PCR...] Show TPM2 PCRs and their names\n"
"\nOptions:\n"
" --recursive-errors=MODE Control which units are verified\n"
" --offline=BOOL Perform a security review on unit file(s)\n"
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --offline= is only supported for security right now.");
- if (arg_json_format_flags != JSON_FORMAT_OFF && !STRPTR_IN_SET(argv[optind], "security", "inspect-elf", "plot", "fdstore"))
+ if (arg_json_format_flags != JSON_FORMAT_OFF && !STRPTR_IN_SET(argv[optind], "security", "inspect-elf", "plot", "fdstore", "pcrs"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
- "Option --json= is only supported for security, inspect-elf, plot, and fdstore right now.");
+ "Option --json= is only supported for security, inspect-elf, plot, fdstore, pcrs right now.");
if (arg_threshold != 100 && !streq_ptr(argv[optind], "security"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
{ "malloc", VERB_ANY, VERB_ANY, 0, verb_malloc },
{ "fdstore", 2, VERB_ANY, 0, verb_fdstore },
{ "image-policy", 2, 2, 0, verb_image_policy },
+ { "pcrs", VERB_ANY, VERB_ANY, 0, verb_pcrs },
{}
};
'analyze-inspect-elf.c',
'analyze-log-control.c',
'analyze-malloc.c',
+ 'analyze-pcrs.c',
'analyze-plot.c',
'analyze-security.c',
'analyze-service-watchdogs.c',
};
DEFINE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_FALLBACK(pcr_index, int, TPM2_PCRS_MAX - 1);
+DEFINE_STRING_TABLE_LOOKUP_TO_STRING(pcr_index, int);
size_t saltlen,
uint8_t res[static SHA256_DIGEST_SIZE]);
-int pcr_index_from_string(const char *s);
+int pcr_index_from_string(const char *s) _pure_;
+const char *pcr_index_to_string(int pcr) _const_;
(! systemd-analyze image-policy 'doedel')
+# Output is very hard to predict, but let's run it for coverage anyway
+systemd-analyze pcrs
+systemd-analyze pcrs --json=pretty
+systemd-analyze pcrs 14 7 0 ima
+
systemd-analyze log-level info
echo OK >/testok