From: Lennart Poettering
Date: Wed, 26 Jun 2024 08:39:22 +0000 (+0200)
Subject: stub: split out code that sets EFI vars indicating measured PCRs
X-Git-Tag: v257-rc1~1041^2~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d5669a4679e716d6ecc34cad7c8a996aa8f27db;p=thirdparty%2Fsystemd.git

stub: split out code that sets EFI vars indicating measured PCRs
---

diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index 4745556b020..ae5d783e96a 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -112,7 +112,7 @@ static EFI_STATUS combine_initrds(
 return EFI_SUCCESS;
 }
 
-static void export_variables(EFI_LOADED_IMAGE_PROTOCOL *loaded_image) {
+static void export_general_variables(EFI_LOADED_IMAGE_PROTOCOL *loaded_image) {
 static const uint64_t stub_features =
 EFI_STUB_FEATURE_REPORT_BOOT_PARTITION | /* We set LoaderDevicePartUUID */
 EFI_STUB_FEATURE_PICK_UP_CREDENTIALS | /* We pick up credentials from the boot partition */
@@ -161,7 +161,6 @@ static void export_variables(EFI_LOADED_IMAGE_PROTOCOL *loaded_image) {
 efivar_set(MAKE_GUID_PTR(LOADER), u"LoaderFirmwareType", s, 0);
 }
 
-
 /* add StubInfo (this is one is owned by the stub, hence we unconditionally override this with our
 * own data) */
 (void) efivar_set(MAKE_GUID_PTR(LOADER), u"StubInfo", u"systemd-stub " GIT_VERSION, 0);
@@ -800,6 +799,25 @@ static void lookup_embedded_initrds(
 sections[UNIFIED_SECTION_UCODE].size);
 }
 
+static void export_pcr_variables(
+ int sections_measured,
+ int parameters_measured,
+ int sysext_measured,
+ int confext_measured) {
+
+ /* After we are done with measuring, set an EFI variable that tells userspace this was done
+ * successfully, and encode in it which PCR was used. */
+
+ if (sections_measured > 0)
+ (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelImage", TPM2_PCR_KERNEL_BOOT, 0);
+ if (parameters_measured > 0)
+ (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelParameters", TPM2_PCR_KERNEL_CONFIG, 0);
+ if (sysext_measured > 0)
+ (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDSysExts", TPM2_PCR_SYSEXTS, 0);
+ if (confext_measured > 0)
+ (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDConfExts", TPM2_PCR_KERNEL_CONFIG, 0);
+}
+
 static EFI_STATUS run(EFI_HANDLE image) {
 _cleanup_(initrds_free) struct iovec initrds[_INITRD_MAX] = {};
 void **dt_bases_addons_global = NULL, **dt_bases_addons_uki = NULL;
@@ -870,11 +888,6 @@ static EFI_STATUS run(EFI_HANDLE image) {
 measure_sections(loaded_image, sections, §ions_measured);
 
- /* After we are done, set an EFI variable that tells userspace this was done successfully, and encode
- * in it which PCR was used. */
- if (sections_measured > 0)
- (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelImage", TPM2_PCR_KERNEL_BOOT, 0);
-
 /* Show splash screen as early as possible */
 if (PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_SPLASH))
 graphics_splash((const uint8_t*) loaded_image->ImageBase + sections[UNIFIED_SECTION_SPLASH].memory_offset, sections[UNIFIED_SECTION_SPLASH].size);
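Review bot: export_pcr_variables() takes four bare `int` flags whose contract is not documented at the new definition — the moved comment describes the variables being set, not what the `> 0` tests on the arguments mean (they read as a tri-state rather than a bool, but that is inferred). I would put a short comment above the signature along the lines of `/* Each *_measured argument is the outcome of the matching measurement step; only a value > 0 means the measurement was made (0 or negative presumably = no TPM / failed — confirm against combine_measured_flag()). */`. It would also help consumers to state there that the StubPcr* variables are an informational hint about which PCR was extended, not evidence that the measurement happened, since nothing in this function ties the variable to the PCR contents. Separately, the call that publishes StubPcrKernelImage now sits in the @@ -937 hunk, well after measure_sections(), whereas the removed code in the @@ -870 hunk set it immediately; if any step in between can return early, that variable is no longer set where it previously was, so it is worth confirming run() has no such exit in that stretch (run() itself lies outside these hunks).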
@@ -903,7 +916,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
 cmdline_append_and_measure_smbios(&cmdline, ¶meters_measured);
 
- export_variables(loaded_image);
+ export_general_variables(loaded_image);
 
 generate_sidecar_initrds(loaded_image, initrds, ¶meters_measured, &sysext_measured, &confext_measured);
@@ -937,12 +950,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
 &dtb_measured);
 combine_measured_flag(¶meters_measured, dtb_measured);
 
- if (parameters_measured > 0)
- (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelParameters", TPM2_PCR_KERNEL_CONFIG, 0);
- if (sysext_measured > 0)
- (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDSysExts", TPM2_PCR_SYSEXTS, 0);
- if (confext_measured > 0)
- (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDConfExts", TPM2_PCR_KERNEL_CONFIG, 0);
+ export_pcr_variables(sections_measured, parameters_measured, sysext_measured, confext_measured);
 
 generate_embedded_initrds(loaded_image, sections, initrds);
 lookup_embedded_initrds(loaded_image, sections, initrds);