measure: introduce support for a new ".profile" section 34285/head
authorLennart Poettering <lennart@poettering.net>
Fri, 28 Jun 2024 17:48:32 +0000 (19:48 +0200)
committerLennart Poettering <lennart@poettering.net>
Fri, 6 Sep 2024 09:15:45 +0000 (11:15 +0200)
This introduces the concept, and makes sure systemd-measure covers it.
See a later commit for details on the new section.

man/systemd-measure.xml
src/boot/measure.c
tools/command_ignorelist

index 931b62c12e7f62e849c38c6a0aced2f1e059a600..9b991e87b315ae3718bcfbc39cf60bd5855a894a 100644 (file)
@@ -76,9 +76,9 @@
         kernel image consisting of the components specified with <option>--linux=</option>,
         <option>--osrel=</option>, <option>--cmdline=</option>, <option>--initrd=</option>,
         <option>--ucode=</option>, <option>--splash=</option>, <option>--dtb=</option>,
-        <option>--uname=</option>, <option>--sbat=</option>, <option>--pcrpkey=</option> see below.  Only
-        <option>--linux=</option> is mandatory. (Alternatively, specify <option>--current</option> to use the
-        current values of PCR register 11 instead.)</para>
+        <option>--uname=</option>, <option>--sbat=</option>, <option>--pcrpkey=</option>,
+        <option>--profile=</option>, see below.  Only <option>--linux=</option> is mandatory. (Alternatively,
+        specify <option>--current</option> to use the current values of PCR register 11 instead.)</para>
 
         <xi:include href="version-info.xml" xpointer="v252"/>
         </listitem>
         <term><option>--uname=<replaceable>PATH</replaceable></option></term>
         <term><option>--sbat=<replaceable>PATH</replaceable></option></term>
         <term><option>--pcrpkey=<replaceable>PATH</replaceable></option></term>
+        <term><option>--profile=<replaceable>PATH</replaceable></option></term>
 
         <listitem><para>When used with the <command>calculate</command> or <command>sign</command> verb,
         configures the files to read the unified kernel image components from. Each option corresponds with
         the path to the ELF kernel file that the unified PE kernel will wrap. All switches except
         <option>--linux=</option> are optional. Each option may be used at most once.</para>
 
-        <xi:include href="version-info.xml" xpointer="v252"/></listitem>
+        <xi:include href="version-info.xml" xpointer="v252"/>
+
+        <para id="v257">With the exception of <option>--profile=</option>, which has been added in version
+        257.</para></listitem>
       </varlistentry>
 
       <varlistentry>
index b7508edf65bcf62ddfdcfd5cd9412ff95996653b..1af5fef720fcb35b1ea866f8705a6a67aa0ffeb7 100644 (file)
@@ -100,6 +100,7 @@ static int help(int argc, char *argv[], void *userdata) {
                "     --uname=PATH        Path to 'uname -r' file                %7$s .uname\n"
                "     --sbat=PATH         Path to SBAT file                      %7$s .sbat\n"
                "     --pcrpkey=PATH      Path to public key for PCR signatures  %7$s .pcrpkey\n"
+               "     --profile=PATH      Path to profile file                   %7$s .profile\n"
                "\nSee the %2$s for details.\n",
                program_invocation_short_name,
                link,
@@ -142,8 +143,9 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_UNAME,
                 ARG_SBAT,
                 _ARG_PCRSIG, /* the .pcrsig section is not input for signing, hence not actually an argument here */
+                ARG_PCRPKEY,
                 _ARG_SECTION_LAST,
-                ARG_PCRPKEY = _ARG_SECTION_LAST,
+                ARG_PROFILE = _ARG_SECTION_LAST,
                 ARG_BANK,
                 ARG_PRIVATE_KEY,
                 ARG_PRIVATE_KEY_SOURCE,
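Review bot: The section-option range that now ends at `ARG_PROFILE = _ARG_SECTION_LAST` is guarded only by a count check, not an order check. The `assert_cc(_ARG_SECTION_FIRST + _UNIFIED_SECTION_MAX == _ARG_SECTION_LAST + 1)` re-enabled in the later parse_argv() hunk proves the two lists have the same length, but not that `ARG_PROFILE` sits at the same position as the `.profile` entry in the section list. If the option value is turned into a section index by offset from `_ARG_SECTION_FIRST` (that code is outside this hunk, so this is an assumption), a misordered entry would load the file under the wrong section name and produce PCR 11 predictions that differ from what is measured at boot. I would document the constraint above the range, e.g. `/* Keep in the exact order of the unified section list; the assert_cc() below only checks the count */`. The enum and parse_argv() both begin and end outside the hunk.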
@@ -169,6 +171,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "uname",              required_argument, NULL, ARG_UNAME              },
                 { "sbat",               required_argument, NULL, ARG_SBAT               },
                 { "pcrpkey",            required_argument, NULL, ARG_PCRPKEY            },
+                { "profile",            required_argument, NULL, ARG_PROFILE            },
                 { "current",            no_argument,       NULL, 'c'                    },
                 { "bank",               required_argument, NULL, ARG_BANK               },
                 { "tpm2-device",        required_argument, NULL, ARG_TPM2_DEVICE        },
@@ -188,7 +191,7 @@ static int parse_argv(int argc, char *argv[]) {
         assert(argv);
 
         /* Make sure the arguments list and the section list, stays in sync */
-        //assert_cc(_ARG_SECTION_FIRST + _UNIFIED_SECTION_MAX == _ARG_SECTION_LAST + 1);
+        assert_cc(_ARG_SECTION_FIRST + _UNIFIED_SECTION_MAX == _ARG_SECTION_LAST + 1);
 
         while ((c = getopt_long(argc, argv, "hjc", options, NULL)) >= 0)
                 switch (c) {
index fa160d17c631ee48a977849a4cf1c10a1ec567a2..6d0a81f33095cc180c9ee1564301600b78215e59 100644 (file)
@@ -568,3 +568,4 @@ file-hierarchy.xml /refsect1[title="Home Directory"]/variablelist/varlistentry[t
 file-hierarchy.xml /refsect1[title="Home Directory"]/variablelist/varlistentry[term="~/.local/lib/arch-id/"]
 file-hierarchy.xml /refsect1[title="Home Directory"]/variablelist/varlistentry[term="~/.local/share/"]
 file-hierarchy.xml /refsect1[title="Home Directory"]/variablelist/varlistentry[term="~/.local/state/"]
+systemd-measure.xml /refsect1[title="Options"]/variablelist/varlistentry[term="--linux=PATH"]