From: Lennart Poettering
Date: Wed, 27 Jul 2022 08:43:34 +0000 (+0200)
Subject: boot: split out TPM PCR defines into header file we can share between userspace and...
X-Git-Tag: v252-rc1~542^2~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa323c090750408fc008bfcdc538d8cf54d15180;p=thirdparty%2Fsystemd.git

boot: split out TPM PCR defines into header file we can share between userspace and kernel space
---
diff --git a/src/boot/efi/measure.c b/src/boot/efi/measure.c
index 9041896f5b3..9a16920787b 100644
--- a/src/boot/efi/measure.c
+++ b/src/boot/efi/measure.c
@@ -5,6 +5,7 @@
 #include
 #include
+#include "tpm-pcr.h"
 #include "macro-fundamental.h"
 #include "measure.h"
 #include "missing_efi.h"
diff --git a/src/boot/efi/measure.h b/src/boot/efi/measure.h
index 141d44aa79c..19a50f47e7d 100644
--- a/src/boot/efi/measure.h
+++ b/src/boot/efi/measure.h
@@ -5,26 +5,6 @@
 #include
 #include
-/* This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel ELF image,
- * embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given the whole
- * surrounding PE image is measured into it) this should be reasonably pre-calculatable, because it *only*
- * consists of static data from the kernel PE image. */
-#define TPM_PCR_INDEX_KERNEL_IMAGE 11U
-
-/* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
-#define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U
-
-/* sd-stub used to write the kernel command line/credentials into PCR 8, in systemd <= 250. Let's provide for
- * some compatibility. (Remove in 2023!) */
-#if EFI_TPM_PCR_COMPAT
-#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT 8U
-#else
-#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT UINT32_MAX
-#endif
-
-/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
-#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U
-
 #if ENABLE_TPM
 bool tpm_present(void);
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index 3b74647a18c..549f3ce1d5b 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -12,6 +12,7 @@
 #include "pe.h"
 #include "secure-boot.h"
 #include "splash.h"
+#include "tpm-pcr.h"
 #include "util.h"
 /* magic string to find in the binary image */
diff --git a/src/fundamental/meson.build b/src/fundamental/meson.build
index 2ec4a28433d..a4383f6a271 100644
--- a/src/fundamental/meson.build
+++ b/src/fundamental/meson.build
@@ -8,6 +8,7 @@ fundamental_headers = files(
 'macro-fundamental.h',
 'sha256.h',
 'string-util-fundamental.h',
+ 'tpm-pcr.h',
 )
 # for sd-boot
diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/tpm-pcr.h
new file mode 100644
index 00000000000..6e8b25934b2
--- /dev/null
+++ b/src/fundamental/tpm-pcr.h
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+/* The various TPM PCRs we measure into from sd-stub and sd-boot. */
+
+/* This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel ELF image,
+ * embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given the whole
+ * surrounding PE image is measured into it) this should be reasonably pre-calculatable, because it *only*
+ * consists of static data from the kernel PE image. */
+#define TPM_PCR_INDEX_KERNEL_IMAGE 11U
+
+/* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
+#define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U
+
+/* sd-stub used to write the kernel command line/credentials into PCR 8, in systemd <= 250. Let's provide for
+ * some compatibility. (Remove in 2023!) */
+#if EFI_TPM_PCR_COMPAT
+#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT 8U
+#else
+#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT UINT32_MAX
+#endif
+
+/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
+#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U
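Review bot: In the new `src/fundamental/tpm-pcr.h`, `TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT` is chosen by `#if EFI_TPM_PCR_COMPAT`, and an undefined macro evaluates to 0 there, so any includer built without that define silently gets `UINT32_MAX` instead of 8. Because the header is now meant to be shared outside the EFI build, userspace code that predicts or verifies PCR values could disagree with what sd-stub actually measured; whether the build passes the define to non-EFI targets is not visible in this diff. I would make the dependency explicit ahead of the test with `#ifndef EFI_TPM_PCR_COMPAT` / `#error "EFI_TPM_PCR_COMPAT must be defined before including tpm-pcr.h"` / `#endif`. The `#else` branch also relies on `UINT32_MAX` while the header includes nothing itself, so `#include <stdint.h>` (or the project's own equivalent) plus a one-line comment saying that `UINT32_MAX` is presumably the "no compat PCR" sentinel would keep the header self-contained and its contract readable.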