#include "iovec-util-fundamental.h"
#include "measure.h"
#include "string-util-fundamental.h"
+#include "tpm2-pcr.h"
#include "util.h"
static char *write_cpio_word(char *p, uint32_t v) {
const char16_t *match_suffix,
const char16_t *exclude_suffix,
const CpioTarget *target,
- uint32_t tpm_pcr,
const char16_t *tpm_description,
struct iovec *ret_buffer,
bool *ret_measured) {
return log_error_status(err, "Failed to pack cpio trailer: %m");
err = tpm_log_ipl_event(
- tpm_pcr, POINTER_TO_PHYSICAL_ADDRESS(buffer), buffer_size, tpm_description, ret_measured);
+ target->tpm_pcr,
+ POINTER_TO_PHYSICAL_ADDRESS(buffer),
+ buffer_size,
+ tpm_description,
+ ret_measured);
if (err != EFI_SUCCESS)
return log_error_status(
err,
- "Unable to add cpio TPM measurement for PCR %u (%ls), ignoring: %m",
- tpm_pcr,
+ "Unable to add cpio TPM measurement for PCR %u (%ls): %m",
+ target->tpm_pcr,
tpm_description);
*ret_buffer = IOVEC_MAKE(TAKE_PTR(buffer), buffer_size);
size_t data_size,
const CpioTarget *target,
const char16_t *target_filename,
- uint32_t tpm_pcr,
const char16_t *tpm_description,
struct iovec *ret_buffer,
bool *ret_measured) {
return log_error_status(err, "Failed to pack cpio trailer: %m");
err = tpm_log_ipl_event(
- tpm_pcr, POINTER_TO_PHYSICAL_ADDRESS(buffer), buffer_size, tpm_description, ret_measured);
+ target->tpm_pcr,
+ POINTER_TO_PHYSICAL_ADDRESS(buffer),
+ buffer_size,
+ tpm_description,
+ ret_measured);
if (err != EFI_SUCCESS)
return log_error_status(
err,
- "Unable to add cpio TPM measurement for PCR %u (%ls), ignoring: %m",
- tpm_pcr,
+ "Unable to add cpio TPM measurement for PCR %u (%ls): %m",
+ target->tpm_pcr,
tpm_description);
*ret_buffer = IOVEC_MAKE(TAKE_PTR(buffer), buffer_size);
.directory = ".extra/credentials",
.dir_mode = 0500,
.access_mode = 0400,
+ .tpm_pcr = TPM2_PCR_KERNEL_CONFIG,
};
const CpioTarget cpio_target_global_credentials = {
.directory = ".extra/global_credentials",
.dir_mode = 0500,
.access_mode = 0400,
+ .tpm_pcr = TPM2_PCR_KERNEL_CONFIG,
};
const CpioTarget cpio_target_sysext = {
.directory = ".extra/sysext",
.dir_mode = 0555,
.access_mode = 0444,
+ .tpm_pcr = TPM2_PCR_SYSEXTS,
};
const CpioTarget cpio_target_global_sysext = {
.directory = ".extra/global_sysext",
.dir_mode = 0555,
.access_mode = 0444,
+ .tpm_pcr = TPM2_PCR_SYSEXTS,
};
const CpioTarget cpio_target_confext = {
.directory = ".extra/confext",
.dir_mode = 0555,
.access_mode = 0444,
+ .tpm_pcr = TPM2_PCR_KERNEL_CONFIG,
};
const CpioTarget cpio_target_global_confext = {
.directory = ".extra/global_confext",
.dir_mode = 0555,
.access_mode = 0444,
+ .tpm_pcr = TPM2_PCR_KERNEL_CONFIG,
};
const CpioTarget cpio_target_meta = {
.directory = ".extra",
.dir_mode = 0555,
.access_mode = 0444,
+ .tpm_pcr = UINT32_MAX,
};
const CpioTarget cpio_target_meta_secret = {
.directory = ".extra",
.dir_mode = 0555,
.access_mode = 0400,
+ .tpm_pcr = UINT32_MAX,
};
const char *directory; /* Path to directory where to place resources */
uint32_t dir_mode; /* Access mode for the directory */
uint32_t access_mode; /* Access mode for the files in the directory */
+ uint32_t tpm_pcr; /* Where to measure this data into */
} CpioTarget;
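Review bot: The comment on the new `tpm_pcr` field does not document the `UINT32_MAX` value that `cpio_target_meta` and `cpio_target_meta_secret` assign to it, so a reader of the header has to infer the sentinel from the call sites, where it is paired with a NULL `tpm_description` and NULL `ret_measured` and so appears to mean "do not measure" (presumably `tpm_log_ipl_event()` special-cases it, which is not visible here). A target that omits the initializer silently gets 0, i.e. PCR 0, which is worth calling out since both `pack_cpio_one()` and `pack_cpio_literal()` now pass `target->tpm_pcr` straight through. Suggest `uint32_t tpm_pcr; /* PCR to measure this data into, or UINT32_MAX to skip measurement; must be set explicitly */`. The enclosing `typedef struct` begins outside this hunk.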
EFI_STATUS pack_cpio_one(
const char16_t *match_suffix,
const char16_t *exclude_suffix,
const CpioTarget *target,
- uint32_t tpm_pcr,
const char16_t *tpm_description,
struct iovec *ret_buffer,
bool *ret_measured);
size_t data_size,
const CpioTarget *target,
const char16_t *target_filename,
- uint32_t tpm_pcr,
const char16_t *tpm_description,
struct iovec *ret_buffer,
bool *ret_measured);
u".cred",
/* exclude_suffix= */ NULL,
&cpio_target_credentials,
- /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
u"Credentials initrd",
initrds + INITRD_CREDENTIAL,
&m) == EFI_SUCCESS)
u".cred",
/* exclude_suffix= */ NULL,
&cpio_target_global_credentials,
- /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
u"Global credentials initrd",
initrds + INITRD_GLOBAL_CREDENTIAL,
&m) == EFI_SUCCESS)
u".raw", /* ideally we'd pick up only *.sysext.raw here, but for compat we pick up *.raw instead … */
u".confext.raw", /* … but then exclude *.confext.raw again */
&cpio_target_sysext,
- /* tpm_pcr= */ TPM2_PCR_SYSEXTS,
u"System extension initrd",
initrds + INITRD_SYSEXT,
&m) == EFI_SUCCESS)
u".raw", /* as above */
u".confext.raw",
&cpio_target_global_sysext,
- /* tpm_pcr= */ TPM2_PCR_SYSEXTS,
u"Global system extension initrd",
initrds + INITRD_GLOBAL_SYSEXT,
&m) == EFI_SUCCESS)
u".confext.raw",
/* exclude_suffix= */ NULL,
&cpio_target_confext,
- /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
u"Configuration extension initrd",
initrds + INITRD_CONFEXT,
&m) == EFI_SUCCESS)
u".confext.raw",
/* exclude_suffix= */ NULL,
&cpio_target_global_confext,
- /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
u"Global configuration extension initrd",
initrds + INITRD_GLOBAL_CONFEXT,
&m) == EFI_SUCCESS)
sections[t->section].memory_size,
&cpio_target_meta,
t->filename,
- /* tpm_pcr= */ UINT32_MAX,
/* tpm_description= */ NULL,
initrds + t->initrd_index,
/* ret_measured= */ NULL);
BOOT_SECRET_SIZE,
&cpio_target_meta_secret,
u"boot-secret",
- /* tpm_pcr= */ UINT32_MAX,
/* tpm_description= */ NULL,
initrds + INITRD_BOOT_SECRET,
/* ret_measured= */ NULL);