From 2c90b5ec63ab420d074ebe4f5c6881737c9bc155 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 21 May 2023 15:18:21 +0100
Subject: [PATCH] stub: measure SMBIOS kernel-cmdline-extra in PCR12

PCR1, where SMBIOS strings are measured, is filled with data that is not
under the control of the machine owner. Measure cmdline extensions in
PCR12 too, where we measure other optional addons that are loaded by
sd-stub.
---
 man/systemd-stub.xml | 5 ++++-
 src/boot/efi/stub.c  | 8 +++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml
index 21b79cd35f1..4cbf9cde85b 100644
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@@ -63,6 +63,9 @@
       <listitem><para>A compiled binary DeviceTree will be looked for in the <literal>.dtb</literal> PE
       section.</para></listitem>
 
+      <listitem><para>Kernel version information, i.e. the output of <command>uname -r</command> for the
+      kernel included in the UKI, in the <literal>.uname</literal> PE section.</para></listitem>
+
       <listitem><para>The kernel command line to pass to the invoked kernel will be looked for in the
       <literal>.cmdline</literal> PE section.</para></listitem>
 
@@ -391,7 +394,7 @@
       <varlistentry>
         <term><varname>io.systemd.stub.kernel-cmdline-extra</varname></term>
         <listitem><para>If set, the value of this string is added to the list of kernel command line
-        arguments that are passed to the kernel.</para></listitem>
+        arguments that are measured in PCR12 and passed to the kernel.</para></listitem>
       </varlistentry>
     </variablelist>
   </refsect1>
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index eb4bd77ac3c..c8bbd36f3cc 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -277,11 +277,17 @@ static EFI_STATUS run(EFI_HANDLE image) {
                 mangle_stub_cmdline(cmdline);
         }
 
-        /* SMBIOS strings are measured in PCR1, so we do not re-measure these command line extensions. */
         const char *extra = smbios_find_oem_string("io.systemd.stub.kernel-cmdline-extra");
         if (extra) {
                 _cleanup_free_ char16_t *tmp = TAKE_PTR(cmdline), *extra16 = xstr8_to_16(extra);
                 cmdline = xasprintf("%ls %ls", tmp, extra16);
+
+                /* SMBIOS strings are measured in PCR1, but we also want to measure them in our specific
+                 * PCR12, as firmware-owned PCRs are very difficult to use as they'll contain unpredictable
+                 * measurements that are not under control of the machine owner. */
+                m = false;
+                (void) tpm_log_load_options(extra16, &m);
+                parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
         }
 
         export_variables(loaded_image);
-- 
2.47.3