boot: measure loader.conf in PCR5

Results in:

- EventNum: 26
  PCRIndex: 5
  EventType: EV_EVENT_TAG
  DigestCount: 4
  Digests:
  - AlgorithmId: sha1
    Digest: 155fb999ca61ba8c7b1f1d87cee821f772ef084a
  - AlgorithmId: sha256
    Digest: 4c26adf231603613afc00bb3d5cad046aec6a525ca01262417c7085caab452b5
  - AlgorithmId: sha384
    Digest: 3e0758cb6605ac274e55d747bf29ee3474fc4413cd5e7a451d1375219cd7f08a30fc915a8df7131657ca78b82b9ccec8
  - AlgorithmId: sha512
    Digest: e32d905b9092c543802f386db9a397d9b6593bdb8360fb747a6d23e491a09595fec8699184cc790d0873a3d52ed16d045538f0c73ece48278fae0fb6ed9b4ed6
  EventSize: 32
  Event: 2a58bcf5180000006c006f0061006400650072002e0063006f006e0066000000

diff --git a/docs/TPM2_PCR_MEASUREMENTS.md b/docs/TPM2_PCR_MEASUREMENTS.md
index f92b8a5ed5b6284f3218538f2198f4a29d7aaaf9..7601c1553131e4cc3c47cc0271b910cb3ff2d158 100644 (file)
--- a/docs/TPM2_PCR_MEASUREMENTS.md
+++ b/docs/TPM2_PCR_MEASUREMENTS.md
@@ -16,8 +16,8 @@ measurements listed below are (by default) only done if a system is booted with
 to systemd's UEFI-mode measurements, and if the latter are not done the former
 aren't made either.
 
-systemd will measure to PCRs 11 (`kernel-boot`), 12 (`kernel-config`), 13
-(`sysexts`), 15 (`system-identity`).
+systemd will measure to PCRs 5 (`boot-loader-config`), 11 (`kernel-boot`),
+12 (`kernel-config`), 13 (`sysexts`), 15 (`system-identity`).
 
 Currently, four components will issue TPM2 PCR measurements:
 
@@ -31,6 +31,17 @@ maintained in `/run/log/systemd/tpm2-measure.log`.
 
 ## PCR Measurements Made by `systemd-boot` (UEFI)
 
+### PCS 5, `EV_EVENT_TAG`, "loader.conf"
+
+The content of `systemd-boot`'s configuration file, `loader/loader.conf`, is
+measured as a tagged event.
+
+→ **Event Tag** `0xf5bc582a`
+
+→ **Description** in the event log record is the file name, `loader.conf`.
+
+→ **Measured hash** covers the content of `loader.conf` as it is read from the ESP.
+
 ### PCR 12, `EV_IPL`, "Kernel Command Line"
 
 If the kernel command line was specified explicitly (by the user or in a Boot

diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index de801ceb37d2d0eaa72e1b3613d44b80b8e8f6de..c28ec01975307d84f19adb8b3beeb7e8fcd35389 100644 (file)
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -21,6 +21,7 @@
 #include "secure-boot.h"
 #include "shim.h"
 #include "ticks.h"
+#include "tpm2-pcr.h"
 #include "util.h"
 #include "version.h"
 #include "vmm.h"
@@ -38,6 +39,8 @@ DECLARE_NOALLOC_SECTION(
 
 DECLARE_SBAT(SBAT_BOOT_SECTION_TEXT);
 
+#define LOADER_CONF_CONTENT_EVENT_TAG_ID UINT32_C(0xf5bc582a)
+
 typedef enum LoaderType {
         LOADER_UNDEFINED,
         LOADER_AUTO,
@@ -1621,7 +1624,7 @@ static EFI_STATUS efivar_get_timeout(const char16_t *var, uint32_t *ret_value) {
 
 static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
         _cleanup_free_ char *content = NULL;
-        size_t value = 0;  /* avoid false maybe-uninitialized warning */
+        size_t content_size, value = 0;  /* avoid false maybe-uninitialized warning */
         EFI_STATUS err;
 
         assert(root_dir);
@@ -1638,9 +1641,19 @@ static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
                 .timeout_sec_efivar = TIMEOUT_UNSET,
         };
 
-        err = file_read(root_dir, u"\\loader\\loader.conf", 0, 0, &content, NULL);
-        if (err == EFI_SUCCESS)
+        err = file_read(root_dir, u"\\loader\\loader.conf", 0, 0, &content, &content_size);
+        if (err == EFI_SUCCESS) {
                 config_defaults_load_from_file(config, content);
+                err = tpm_log_tagged_event(
+                                TPM2_PCR_BOOT_LOADER_CONFIG,
+                                POINTER_TO_PHYSICAL_ADDRESS(content),
+                                content_size,
+                                LOADER_CONF_CONTENT_EVENT_TAG_ID,
+                                u"loader.conf",
+                                /* ret_measured= */ NULL);
+                if (err != EFI_SUCCESS)
+                        log_error_status(err, "Error measuring loader.conf into TPM: %m");
+        }
 
         err = efivar_get_timeout(u"LoaderConfigTimeout", &config->timeout_sec_efivar);
         if (err == EFI_SUCCESS)