From: Lennart Poettering
Date: Wed, 29 Apr 2026 10:01:59 +0000 (+0200)
Subject: cpio: move TPM PCR info into CpioTarget
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3ace5621b0dad786fd9675914ba0f60ed69373a;p=thirdparty%2Fsystemd.git

cpio: move TPM PCR info into CpioTarget

The PR to measure into is closely associated with where we place a resource in the initrd cpios. Hence, let's also track it in CpioTarget, thus simplifying our function parameter lists that way. No change in behaviour.
---

diff --git a/src/boot/cpio.c b/src/boot/cpio.c
index 81792b00a89..31638b1c8fc 100644
--- a/src/boot/cpio.c
+++ b/src/boot/cpio.c
@@ -5,6 +5,7 @@
 #include "iovec-util-fundamental.h"
 #include "measure.h"
 #include "string-util-fundamental.h"
+#include "tpm2-pcr.h"
 #include "util.h"
 
 static char *write_cpio_word(char *p, uint32_t v) {
@@ -306,7 +307,6 @@ EFI_STATUS pack_cpio(
 const char16_t *match_suffix,
 const char16_t *exclude_suffix,
 const CpioTarget *target,
- uint32_t tpm_pcr,
 const char16_t *tpm_description,
 struct iovec *ret_buffer,
 bool *ret_measured) {
@@ -425,12 +425,16 @@ EFI_STATUS pack_cpio(
 return log_error_status(err, "Failed to pack cpio trailer: %m");
 
 err = tpm_log_ipl_event(
- tpm_pcr, POINTER_TO_PHYSICAL_ADDRESS(buffer), buffer_size, tpm_description, ret_measured);
+ target->tpm_pcr,
+ POINTER_TO_PHYSICAL_ADDRESS(buffer),
+ buffer_size,
+ tpm_description,
+ ret_measured);
 if (err != EFI_SUCCESS)
 return log_error_status(
 err,
- "Unable to add cpio TPM measurement for PCR %u (%ls), ignoring: %m",
- tpm_pcr,
+ "Unable to add cpio TPM measurement for PCR %u (%ls): %m",
+ target->tpm_pcr,
 tpm_description);
 
 *ret_buffer = IOVEC_MAKE(TAKE_PTR(buffer), buffer_size);
@@ -450,7 +454,6 @@ EFI_STATUS pack_cpio_literal(
 size_t data_size,
 const CpioTarget *target,
 const char16_t *target_filename,
- uint32_t tpm_pcr,
 const char16_t *tpm_description,
 struct iovec *ret_buffer,
 bool *ret_measured) {
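Review bot: The measurement call and its error report in `pack_cpio` are now a verbatim duplicate of the ones in `pack_cpio_literal` (hunk `@@ -486,12 +489,16 @@`), and since the commit already reformats both sites, this is the moment to fold them into one static helper that takes the target, so the PCR selection and the log message stay in a single place. With a helper like the one below each caller shrinks to `err = cpio_measure(target, buffer, buffer_size, tpm_description, ret_measured);` followed by `if (err != EFI_SUCCESS) return err;`. Both enclosing functions start and end outside the hunk, and the declared type of `buffer` is not visible here, so the `void *` parameter type is a guess to confirm.
```c
/* Measures a packed cpio image into the PCR recorded in the target and logs on failure. */
static EFI_STATUS cpio_measure(
                const CpioTarget *target,
                void *buffer,
                size_t buffer_size,
                const char16_t *tpm_description,
                bool *ret_measured) {

        assert(target);

        EFI_STATUS err = tpm_log_ipl_event(
                        target->tpm_pcr,
                        POINTER_TO_PHYSICAL_ADDRESS(buffer),
                        buffer_size,
                        tpm_description,
                        ret_measured);
        if (err != EFI_SUCCESS)
                return log_error_status(
                                err,
                                "Unable to add cpio TPM measurement for PCR %u (%ls): %m",
                                target->tpm_pcr,
                                tpm_description);

        return EFI_SUCCESS;
}

/* … unchanged: pack_cpio up to the trailer … */
        err = cpio_measure(target, buffer, buffer_size, tpm_description, ret_measured);
        if (err != EFI_SUCCESS)
                return err;

        *ret_buffer = IOVEC_MAKE(TAKE_PTR(buffer), buffer_size);
```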
@@ -486,12 +489,16 @@ EFI_STATUS pack_cpio_literal(
 return log_error_status(err, "Failed to pack cpio trailer: %m");
 
 err = tpm_log_ipl_event(
- tpm_pcr, POINTER_TO_PHYSICAL_ADDRESS(buffer), buffer_size, tpm_description, ret_measured);
+ target->tpm_pcr,
+ POINTER_TO_PHYSICAL_ADDRESS(buffer),
+ buffer_size,
+ tpm_description,
+ ret_measured);
 if (err != EFI_SUCCESS)
 return log_error_status(
 err,
- "Unable to add cpio TPM measurement for PCR %u (%ls), ignoring: %m",
- tpm_pcr,
+ "Unable to add cpio TPM measurement for PCR %u (%ls): %m",
+ target->tpm_pcr,
 tpm_description);
 
 *ret_buffer = IOVEC_MAKE(TAKE_PTR(buffer), buffer_size);
@@ -506,46 +513,54 @@ const CpioTarget cpio_target_credentials = {
 .directory = ".extra/credentials",
 .dir_mode = 0500,
 .access_mode = 0400,
+ .tpm_pcr = TPM2_PCR_KERNEL_CONFIG,
 };
 
 const CpioTarget cpio_target_global_credentials = {
 .directory = ".extra/global_credentials",
 .dir_mode = 0500,
 .access_mode = 0400,
+ .tpm_pcr = TPM2_PCR_KERNEL_CONFIG,
 };
 
 const CpioTarget cpio_target_sysext = {
 .directory = ".extra/sysext",
 .dir_mode = 0555,
 .access_mode = 0444,
+ .tpm_pcr = TPM2_PCR_SYSEXTS,
 };
 
 const CpioTarget cpio_target_global_sysext = {
 .directory = ".extra/global_sysext",
 .dir_mode = 0555,
 .access_mode = 0444,
+ .tpm_pcr = TPM2_PCR_SYSEXTS,
 };
 
 const CpioTarget cpio_target_confext = {
 .directory = ".extra/confext",
 .dir_mode = 0555,
 .access_mode = 0444,
+ .tpm_pcr = TPM2_PCR_KERNEL_CONFIG,
 };
 
 const CpioTarget cpio_target_global_confext = {
 .directory = ".extra/global_confext",
 .dir_mode = 0555,
 .access_mode = 0444,
+ .tpm_pcr = TPM2_PCR_KERNEL_CONFIG,
 };
 
 const CpioTarget cpio_target_meta = {
 .directory = ".extra",
 .dir_mode = 0555,
 .access_mode = 0444,
+ .tpm_pcr = UINT32_MAX,
 };
 
 const CpioTarget cpio_target_meta_secret = {
 .directory = ".extra",
 .dir_mode = 0555,
 .access_mode = 0400,
+ .tpm_pcr = UINT32_MAX,
 };
diff --git a/src/boot/cpio.h b/src/boot/cpio.h
index 3c311bc714d..3aa52577934 100644
--- a/src/boot/cpio.h
+++ b/src/boot/cpio.h
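Review bot: The target table in hunk `@@ -506,46 +513,54 @@` now carries the whole measurement policy without a word of explanation: `.tpm_pcr = TPM2_PCR_KERNEL_CONFIG` for the credential and confext targets, `TPM2_PCR_SYSEXTS` for the sysext ones, and a bare `UINT32_MAX` for the two `.extra` meta targets. A short block comment ahead of `cpio_target_credentials` should state that split and what `UINT32_MAX` stands for (presumably "not measured", as the stub.c call sites previously spelled out with `/* tpm_pcr= */ UINT32_MAX`; confirm against `tpm_log_ipl_event`), since anyone auditing which initrd content lands in which PCR will now read this table rather than the callers. A `/* not measured */` trailer on the two `.tpm_pcr = UINT32_MAX,` lines would make the exception visible at a glance.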
@@ -8,6 +8,7 @@ typedef struct CpioTarget {
 const char *directory; /* Path to directory where to place resources */
 uint32_t dir_mode; /* Access mode for the directory */
 uint32_t access_mode; /* Access mode for the files in the directory */
+ uint32_t tpm_pcr; /* Where to measure this data into */
 } CpioTarget;
 
 EFI_STATUS pack_cpio_one(
@@ -35,7 +36,6 @@ EFI_STATUS pack_cpio(
 const char16_t *match_suffix,
 const char16_t *exclude_suffix,
 const CpioTarget *target,
- uint32_t tpm_pcr,
 const char16_t *tpm_description,
 struct iovec *ret_buffer,
 bool *ret_measured);
@@ -45,7 +45,6 @@ EFI_STATUS pack_cpio_literal(
 size_t data_size,
 const CpioTarget *target,
 const char16_t *target_filename,
- uint32_t tpm_pcr,
 const char16_t *tpm_description,
 struct iovec *ret_buffer,
 bool *ret_measured);
diff --git a/src/boot/stub.c b/src/boot/stub.c
index 8632a603a21..52927e91ff0 100644
--- a/src/boot/stub.c
+++ b/src/boot/stub.c
@@ -819,7 +819,6 @@ static void generate_sidecar_initrds(
 u".cred",
 /* exclude_suffix= */ NULL,
 &cpio_target_credentials,
- /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
 u"Credentials initrd",
 initrds + INITRD_CREDENTIAL,
 &m) == EFI_SUCCESS)
@@ -830,7 +829,6 @@ static void generate_sidecar_initrds(
 u".cred",
 /* exclude_suffix= */ NULL,
 &cpio_target_global_credentials,
- /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
 u"Global credentials initrd",
 initrds + INITRD_GLOBAL_CREDENTIAL,
 &m) == EFI_SUCCESS)
@@ -841,7 +839,6 @@ static void generate_sidecar_initrds(
 u".raw", /* ideally we'd pick up only *.sysext.raw here, but for compat we pick up *.raw instead … */
 u".confext.raw", /* … but then exclude *.confext.raw again */
 &cpio_target_sysext,
- /* tpm_pcr= */ TPM2_PCR_SYSEXTS,
 u"System extension initrd",
 initrds + INITRD_SYSEXT,
 &m) == EFI_SUCCESS)
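Review bot: The new field comment `/* Where to measure this data into */` in hunk `@@ -8,6 +8,7 @@` of cpio.h says neither that the value is a TPM PCR index nor that cpio.c fills it with `UINT32_MAX` for the unmeasured meta targets, so the struct no longer documents its own sentinel. Suggest `uint32_t tpm_pcr; /* TPM PCR index the packed cpio is measured into; UINT32_MAX if this target is not measured */` — the "not measured" reading is inferred from the stub.c call sites that pair that value with a NULL `tpm_description`, so confirm it against `tpm_log_ipl_event` before wording it as a contract. The `typedef struct CpioTarget {` line itself precedes the hunk.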
@@ -852,7 +849,6 @@ static void generate_sidecar_initrds(
 u".raw", /* as above */
 u".confext.raw",
 &cpio_target_global_sysext,
- /* tpm_pcr= */ TPM2_PCR_SYSEXTS,
 u"Global system extension initrd",
 initrds + INITRD_GLOBAL_SYSEXT,
 &m) == EFI_SUCCESS)
@@ -863,7 +859,6 @@ static void generate_sidecar_initrds(
 u".confext.raw",
 /* exclude_suffix= */ NULL,
 &cpio_target_confext,
- /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
 u"Configuration extension initrd",
 initrds + INITRD_CONFEXT,
 &m) == EFI_SUCCESS)
@@ -874,7 +869,6 @@ static void generate_sidecar_initrds(
 u".confext.raw",
 /* exclude_suffix= */ NULL,
 &cpio_target_global_confext,
- /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
 u"Global configuration extension initrd",
 initrds + INITRD_GLOBAL_CONFEXT,
 &m) == EFI_SUCCESS)
@@ -926,7 +920,6 @@ static void generate_embedded_initrds(
 sections[t->section].memory_size,
 &cpio_target_meta,
 t->filename,
- /* tpm_pcr= */ UINT32_MAX,
 /* tpm_description= */ NULL,
 initrds + t->initrd_index,
 /* ret_measured= */ NULL);
@@ -948,7 +941,6 @@ static void generate_boot_secret_initrd(
 BOOT_SECRET_SIZE,
 &cpio_target_meta_secret,
 u"boot-secret",
- /* tpm_pcr= */ UINT32_MAX,
 /* tpm_description= */ NULL,
 initrds + INITRD_BOOT_SECRET,
 /* ret_measured= */ NULL);
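Review bot: At the `pack_cpio_literal` calls in `generate_embedded_initrds` (hunk `@@ -926,7 +920,6 @@`) and `generate_boot_secret_initrd` (hunk `@@ -948,7 +941,6 @@`), dropping `/* tpm_pcr= */ UINT32_MAX` removes the only hint at the call site that the embedded initrds and the boot secret are apparently not measured; that decision now lives in the `.tpm_pcr` of `cpio_target_meta` and `cpio_target_meta_secret` in cpio.c, while the matching `/* tpm_description= */ NULL` and `/* ret_measured= */ NULL` stay here. A one-line comment at each call, e.g. `/* not measured: this target's tpm_pcr is UINT32_MAX */` above `&cpio_target_meta_secret,`, keeps the intent visible where a reader checks what gets attested, and flags the two arguments that must stay consistent with the target. Both enclosing functions start and end outside their hunks.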