It says remove in 2023; happy to oblige.
* rework our PID tracking in services and so on, to be strictly based on pidfd,
once kernel baseline is 5.13.
-* ~2023: remove support for TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT
-
* H2 2023: remove support for unmerged-usr
* Remove /dev/mem ACPI FPDT parsing when /sys/firmware/acpi/fpdt is ubiquitous.
conf.set10('FIRST_BOOT_FULL_PRESET', get_option('first-boot-full-preset'))
-conf.set10('EFI_TPM_PCR_COMPAT', get_option('efi-tpm-pcr-compat'))
-
#####################################################################
cc = meson.get_compiler('c')
description : 'path to the EFI lib directory')
option('efi-includedir', type : 'string', value : '/usr/include/efi',
description : 'path to the EFI header directory')
-option('efi-tpm-pcr-compat', type : 'boolean', value : false,
- description : 'Measure kernel command line also into TPM PCR 8 (in addition to 12)')
option('sbat-distro', type : 'string', value : 'auto',
description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
option('sbat-distro-generation', type : 'integer', value : 1,
return EFI_SUCCESS;
}
-static EFI_STATUS measure_cpio(
- void *buffer,
- UINTN buffer_size,
- const uint32_t tpm_pcr[],
- UINTN n_tpm_pcr,
- const char16_t *tpm_description,
- bool *ret_measured) {
-
- int measured = -1;
- EFI_STATUS err;
-
- assert(buffer || buffer_size == 0);
- assert(tpm_pcr || n_tpm_pcr == 0);
-
- for (UINTN i = 0; i < n_tpm_pcr; i++) {
- bool m;
-
- if (tpm_pcr[i] == UINT32_MAX) /* Disabled */
- continue;
-
- err = tpm_log_event(
- tpm_pcr[i],
- POINTER_TO_PHYSICAL_ADDRESS(buffer),
- buffer_size,
- tpm_description,
- &m);
- if (err != EFI_SUCCESS) {
- log_error_stall(L"Unable to add initrd TPM measurement for PCR %u (%s), ignoring: %r", tpm_pcr[i], tpm_description, err);
- measured = false;
- continue;
- }
-
- if (measured != false)
- measured = m;
- }
-
- if (ret_measured)
- *ret_measured = measured > 0;
-
- return EFI_SUCCESS;
-}
-
static char16_t *get_dropin_dir(const EFI_DEVICE_PATH *file_path) {
if (!file_path)
return NULL;
const char *target_dir_prefix,
uint32_t dir_mode,
uint32_t access_mode,
- const uint32_t tpm_pcr[],
- UINTN n_tpm_pcr,
+ uint32_t tpm_pcr,
const char16_t *tpm_description,
void **ret_buffer,
UINTN *ret_buffer_size,
assert(loaded_image);
assert(target_dir_prefix);
- assert(tpm_pcr || n_tpm_pcr == 0);
assert(ret_buffer);
assert(ret_buffer_size);
if (err != EFI_SUCCESS)
return log_error_status_stall(err, L"Failed to pack cpio trailer: %r");
- err = measure_cpio(buffer, buffer_size, tpm_pcr, n_tpm_pcr, tpm_description, ret_measured);
+ err = tpm_log_event(
+ tpm_pcr, POINTER_TO_PHYSICAL_ADDRESS(buffer), buffer_size, tpm_description, ret_measured);
if (err != EFI_SUCCESS)
- return err;
+ return log_error_status_stall(
+ err,
+ L"Unable to add cpio TPM measurement for PCR %u (%s), ignoring: %r",
+ tpm_pcr,
+ tpm_description,
+ err);
*ret_buffer = TAKE_PTR(buffer);
*ret_buffer_size = buffer_size;
*ret_buffer_size = 0;
if (ret_measured)
- *ret_measured = n_tpm_pcr > 0;
+ *ret_measured = false;
return EFI_SUCCESS;
}
const char16_t *target_filename,
uint32_t dir_mode,
uint32_t access_mode,
- const uint32_t tpm_pcr[],
- UINTN n_tpm_pcr,
+ uint32_t tpm_pcr,
const char16_t *tpm_description,
void **ret_buffer,
UINTN *ret_buffer_size,
assert(data || data_size == 0);
assert(target_dir_prefix);
assert(target_filename);
- assert(tpm_pcr || n_tpm_pcr == 0);
assert(ret_buffer);
assert(ret_buffer_size);
if (err != EFI_SUCCESS)
return log_error_status_stall(err, L"Failed to pack cpio trailer: %r");
- err = measure_cpio(buffer, buffer_size, tpm_pcr, n_tpm_pcr, tpm_description, ret_measured);
+ err = tpm_log_event(
+ tpm_pcr, POINTER_TO_PHYSICAL_ADDRESS(buffer), buffer_size, tpm_description, ret_measured);
if (err != EFI_SUCCESS)
- return err;
+ return log_error_status_stall(
+ err,
+ L"Unable to add cpio TPM measurement for PCR %u (%s), ignoring: %r",
+ tpm_pcr,
+ tpm_description,
+ err);
*ret_buffer = TAKE_PTR(buffer);
*ret_buffer_size = buffer_size;
const char *target_dir_prefix,
uint32_t dir_mode,
uint32_t access_mode,
- const uint32_t tpm_pcr[],
- UINTN n_tpm_pcr,
+ uint32_t tpm_pcr,
const char16_t *tpm_description,
void **ret_buffer,
UINTN *ret_buffer_size,
const char16_t *target_filename,
uint32_t dir_mode,
uint32_t access_mode,
- const uint32_t tpm_pcr[],
- UINTN n_tpm_pcr,
+ uint32_t tpm_pcr,
const char16_t *tpm_description,
void **ret_buffer,
UINTN *ret_buffer_size,
}
EFI_STATUS tpm_log_load_options(const char16_t *load_options, bool *ret_measured) {
- int measured = -1;
+ bool measured = false;
EFI_STATUS err;
/* Measures a load options string into the TPM2, i.e. the kernel command line */
- for (UINTN i = 0; i < 2; i++) {
- uint32_t pcr = i == 0 ? TPM_PCR_INDEX_KERNEL_PARAMETERS : TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT;
- bool m;
-
- if (pcr == UINT32_MAX) /* Skip this one, if it's invalid, so that our 'measured' return value is not corrupted by it */
- continue;
-
- err = tpm_log_event(pcr, POINTER_TO_PHYSICAL_ADDRESS(load_options), strsize16(load_options), load_options, &m);
- if (err != EFI_SUCCESS)
- return log_error_status_stall(err, L"Unable to add load options (i.e. kernel command) line measurement to PCR %u: %r", pcr, err);
-
- measured = measured < 0 ? m : (measured && m);
- }
+ err = tpm_log_event(
+ TPM_PCR_INDEX_KERNEL_PARAMETERS,
+ POINTER_TO_PHYSICAL_ADDRESS(load_options),
+ strsize16(load_options),
+ load_options,
+ &measured);
+ if (err != EFI_SUCCESS)
+ return log_error_status_stall(
+ err,
+ L"Unable to add load options (i.e. kernel command) line measurement to PCR %u: %r",
+ TPM_PCR_INDEX_KERNEL_PARAMETERS,
+ err);
if (ret_measured)
- *ret_measured = measured < 0 ? false : measured;
+ *ret_measured = measured;
return EFI_SUCCESS;
}
efi_conf = configuration_data()
efi_conf.set_quoted('EFI_MACHINE_TYPE_NAME', efi_arch[0])
efi_conf.set10('ENABLE_TPM', get_option('tpm'))
-efi_conf.set10('EFI_TPM_PCR_COMPAT', get_option('efi-tpm-pcr-compat'))
foreach ctype : ['color-normal', 'color-entry', 'color-highlight', 'color-edit']
c = get_option('efi-' + ctype).split(',')
".extra/credentials",
/* dir_mode= */ 0500,
/* access_mode= */ 0400,
- /* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_KERNEL_PARAMETERS, TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT },
- /* n_tpm_pcr= */ 2,
+ /* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS,
L"Credentials initrd",
&credential_initrd,
&credential_initrd_size,
".extra/global_credentials",
/* dir_mode= */ 0500,
/* access_mode= */ 0400,
- /* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_KERNEL_PARAMETERS, TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT },
- /* n_tpm_pcr= */ 2,
+ /* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS,
L"Global credentials initrd",
&global_credential_initrd,
&global_credential_initrd_size,
".extra/sysext",
/* dir_mode= */ 0555,
/* access_mode= */ 0444,
- /* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_INITRD_SYSEXTS },
- /* n_tpm_pcr= */ 1,
+ /* tpm_pcr= */ TPM_PCR_INDEX_INITRD_SYSEXTS,
L"System extension initrd",
&sysext_initrd,
&sysext_initrd_size,
L"tpm2-pcr-signature.json",
/* dir_mode= */ 0555,
/* access_mode= */ 0444,
- /* tpm_pcr= */ NULL,
- /* n_tpm_pcr= */ 0,
+ /* tpm_pcr= */ UINT32_MAX,
/* tpm_description= */ NULL,
&pcrsig_initrd,
&pcrsig_initrd_size,
L"tpm2-pcr-public-key.pem",
/* dir_mode= */ 0555,
/* access_mode= */ 0444,
- /* tpm_pcr= */ NULL,
- /* n_tpm_pcr= */ 0,
+ /* tpm_pcr= */ UINT32_MAX,
/* tpm_description= */ NULL,
&pcrpkey_initrd,
&pcrpkey_initrd_size,
/* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
#define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U
-/* sd-stub used to write the kernel command line/credentials into PCR 8, in systemd <= 250. Let's provide for
- * some compatibility. (Remove in 2023!) */
-#if EFI_TPM_PCR_COMPAT
-#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT 8U
-#else
-#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT UINT32_MAX
-#endif
-
/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U
projects / thirdparty / systemd.git / commitdiff
