From: Lennart Poettering Date: Thu, 24 Aug 2023 09:16:14 +0000 (+0200) Subject: tpm2: unify symbolic name infra for PCRs X-Git-Tag: v255-rc1~629^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2099cd6289981f51e9f8b4b9bf028eca36c9ad52;p=thirdparty%2Fsystemd.git tpm2: unify symbolic name infra for PCRs We so far maintained two places for symboic names for PCRs. One in tpm2-util.h and one in tpm-pcr.h. Let's unify this into one, i.e. move the full list from tpm2-util.h into tpm-pcr.h, replacing the short list placed so far there. Systematically prefix the definitions with TPM2_ or tpm2_, to follow how we do this for all other defines in this context. No change in behaviour, just unification of tables. --- diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c index c081ffef017..ed907f78d10 100644 --- a/src/analyze/analyze-pcrs.c +++ b/src/analyze/analyze-pcrs.c @@ -82,7 +82,7 @@ static int add_pcr_to_table(Table *table, const char *alg, uint32_t pcr) { r = table_add_many(table, TABLE_UINT32, pcr, - TABLE_STRING, pcr_index_to_string(pcr), + TABLE_STRING, tpm2_pcr_index_to_string(pcr), TABLE_STRING, h, TABLE_SET_COLOR, color); if (r < 0) @@ -115,7 +115,7 @@ int verb_pcrs(int argc, char *argv[], void *userdata) { (void) table_set_display(table, 0, 1); if (strv_isempty(strv_skip(argv, 1))) - for (uint32_t pi = 0; pi < _PCR_INDEX_MAX_DEFINED; pi++) { + for (uint32_t pi = 0; pi < _TPM2_PCR_INDEX_MAX_DEFINED; pi++) { r = add_pcr_to_table(table, alg, pi); if (r < 0) return r; @@ -124,7 +124,7 @@ int verb_pcrs(int argc, char *argv[], void *userdata) { for (int i = 1; i < argc; i++) { int pi; - pi = pcr_index_from_string(argv[i]); + pi = tpm2_pcr_index_from_string(argv[i]); if (pi < 0) return log_error_errno(pi, "PCR index \"%s\" not known.", argv[i]); diff --git a/src/boot/efi/measure.c b/src/boot/efi/measure.c index 359d277e2f2..4dc42831bfe 100644 --- a/src/boot/efi/measure.c +++ b/src/boot/efi/measure.c @@ -202,7 +202,7 @@ EFI_STATUS tpm_log_load_options(const char16_t *load_options, bool *ret_measured /* Measures a load options string into the TPM2, i.e. the kernel command line */ err = tpm_log_event( - TPM_PCR_INDEX_KERNEL_PARAMETERS, + TPM2_PCR_KERNEL_CONFIG, POINTER_TO_PHYSICAL_ADDRESS(load_options), strsize16(load_options), load_options, @@ -210,8 +210,8 @@ EFI_STATUS tpm_log_load_options(const char16_t *load_options, bool *ret_measured if (err != EFI_SUCCESS) return log_error_status( err, - "Unable to add load options (i.e. kernel command) line measurement to PCR %u: %m", - TPM_PCR_INDEX_KERNEL_PARAMETERS); + "Unable to add load options (i.e. kernel command) line measurement to PCR %i: %m", + TPM2_PCR_KERNEL_CONFIG); if (ret_measured) *ret_measured = measured; diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c index 183106b91fe..c2eb81d92b4 100644 --- a/src/boot/efi/stub.c +++ b/src/boot/efi/stub.c @@ -417,7 +417,7 @@ static EFI_STATUS run(EFI_HANDLE image) { /* First measure the name of the section */ (void) tpm_log_event_ascii( - TPM_PCR_INDEX_KERNEL_IMAGE, + TPM2_PCR_KERNEL_BOOT, POINTER_TO_PHYSICAL_ADDRESS(unified_sections[section]), strsize8(unified_sections[section]), /* including NUL byte */ unified_sections[section], @@ -427,7 +427,7 @@ static EFI_STATUS run(EFI_HANDLE image) { /* Then measure the data of the section */ (void) tpm_log_event_ascii( - TPM_PCR_INDEX_KERNEL_IMAGE, + TPM2_PCR_KERNEL_BOOT, POINTER_TO_PHYSICAL_ADDRESS(loaded_image->ImageBase) + addrs[section], szs[section], unified_sections[section], @@ -439,7 +439,7 @@ static EFI_STATUS run(EFI_HANDLE image) { /* After we are done, set an EFI variable that tells userspace this was done successfully, and encode * in it which PCR was used. */ if (sections_measured > 0) - (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelImage", TPM_PCR_INDEX_KERNEL_IMAGE, 0); + (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelImage", TPM2_PCR_KERNEL_BOOT, 0); /* Show splash screen as early as possible */ graphics_splash((const uint8_t*) loaded_image->ImageBase + addrs[UNIFIED_SECTION_SPLASH], szs[UNIFIED_SECTION_SPLASH]); @@ -515,7 +515,7 @@ static EFI_STATUS run(EFI_HANDLE image) { ".extra/credentials", /* dir_mode= */ 0500, /* access_mode= */ 0400, - /* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS, + /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG, u"Credentials initrd", &credential_initrd, &credential_initrd_size, @@ -528,7 +528,7 @@ static EFI_STATUS run(EFI_HANDLE image) { ".extra/global_credentials", /* dir_mode= */ 0500, /* access_mode= */ 0400, - /* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS, + /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG, u"Global credentials initrd", &global_credential_initrd, &global_credential_initrd_size, @@ -541,7 +541,7 @@ static EFI_STATUS run(EFI_HANDLE image) { ".extra/sysext", /* dir_mode= */ 0555, /* access_mode= */ 0444, - /* tpm_pcr= */ TPM_PCR_INDEX_INITRD_SYSEXTS, + /* tpm_pcr= */ TPM2_PCR_SYSEXTS, u"System extension initrd", &sysext_initrd, &sysext_initrd_size, @@ -549,9 +549,9 @@ static EFI_STATUS run(EFI_HANDLE image) { sysext_measured = m; if (parameters_measured > 0) - (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelParameters", TPM_PCR_INDEX_KERNEL_PARAMETERS, 0); + (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelParameters", TPM2_PCR_KERNEL_CONFIG, 0); if (sysext_measured) - (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDSysExts", TPM_PCR_INDEX_INITRD_SYSEXTS, 0); + (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDSysExts", TPM2_PCR_SYSEXTS, 0); /* If the PCR signature was embedded in the PE image, then let's wrap it in a cpio and also pass it * to the kernel, so that it can be read from /.extra/tpm2-pcr-signature.json. Note that this section diff --git a/src/boot/measure.c b/src/boot/measure.c index fbeb4473f77..393d8dab11f 100644 --- a/src/boot/measure.c +++ b/src/boot/measure.c @@ -409,7 +409,7 @@ static int measure_kernel(PcrState *pcr_states, size_t n) { _cleanup_free_ void *v = NULL; size_t sz; - if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%" PRIu32, pcr_states[i].bank, TPM_PCR_INDEX_KERNEL_IMAGE) < 0) + if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%i", pcr_states[i].bank, TPM2_PCR_KERNEL_BOOT) < 0) return log_oom(); r = read_virtual_file(p, 4096, &s, NULL); @@ -679,9 +679,9 @@ static int verb_calculate(int argc, char *argv[], void *userdata) { if (i == 0) { fflush(stdout); - fprintf(stderr, "%s# PCR[%" PRIu32 "] Phase <%s>%s\n", + fprintf(stderr, "%s# PCR[%i] Phase <%s>%s\n", ansi_grey(), - TPM_PCR_INDEX_KERNEL_IMAGE, + TPM2_PCR_KERNEL_BOOT, isempty(*phase) ? ":" : *phase, ansi_normal()); fflush(stderr); @@ -691,7 +691,7 @@ static int verb_calculate(int argc, char *argv[], void *userdata) { if (!hd) return log_oom(); - printf("%" PRIu32 ":%s=%s\n", TPM_PCR_INDEX_KERNEL_IMAGE, pcr_states[i].bank, hd); + printf("%i:%s=%s\n", TPM2_PCR_KERNEL_BOOT, pcr_states[i].bank, hd); } else { _cleanup_(json_variant_unrefp) JsonVariant *array = NULL; @@ -701,7 +701,7 @@ static int verb_calculate(int argc, char *argv[], void *userdata) { &array, JSON_BUILD_OBJECT( JSON_BUILD_PAIR_CONDITION(!isempty(*phase), "phase", JSON_BUILD_STRING(*phase)), - JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(TPM_PCR_INDEX_KERNEL_IMAGE)), + JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(TPM2_PCR_KERNEL_BOOT)), JSON_BUILD_PAIR("hash", JSON_BUILD_HEX(pcr_states[i].value, pcr_states[i].value_size)))); if (r < 0) return log_error_errno(r, "Failed to append JSON object to array: %m"); @@ -826,7 +826,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) { if (tpmalg < 0) return log_error_errno(tpmalg, "Unsupported PCR bank"); - Tpm2PCRValue pcr_value = TPM2_PCR_VALUE_MAKE(TPM_PCR_INDEX_KERNEL_IMAGE, + Tpm2PCRValue pcr_value = TPM2_PCR_VALUE_MAKE(TPM2_PCR_KERNEL_BOOT, tpmalg, TPM2B_DIGEST_MAKE(p->value, p->value_size)); @@ -869,7 +869,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) { return r; _cleanup_(json_variant_unrefp) JsonVariant *a = NULL; - r = tpm2_make_pcr_json_array(UINT64_C(1) << TPM_PCR_INDEX_KERNEL_IMAGE, &a); + r = tpm2_make_pcr_json_array(UINT64_C(1) << TPM2_PCR_KERNEL_BOOT, &a); if (r < 0) return log_error_errno(r, "Failed to build JSON PCR mask array: %m"); @@ -944,15 +944,15 @@ static int validate_stub(void) { log_warning("Warning: current kernel image does not support measuring itself, the command line or initrd system extension images.\n" "The PCR measurements seen are unlikely to be valid."); - r = compare_reported_pcr_nr(TPM_PCR_INDEX_KERNEL_IMAGE, EFI_LOADER_VARIABLE(StubPcrKernelImage), "kernel image"); + r = compare_reported_pcr_nr(TPM2_PCR_KERNEL_BOOT, EFI_LOADER_VARIABLE(StubPcrKernelImage), "kernel image"); if (r < 0) return r; - r = compare_reported_pcr_nr(TPM_PCR_INDEX_KERNEL_PARAMETERS, EFI_LOADER_VARIABLE(StubPcrKernelParameters), "kernel parameters"); + r = compare_reported_pcr_nr(TPM2_PCR_KERNEL_CONFIG, EFI_LOADER_VARIABLE(StubPcrKernelParameters), "kernel parameters"); if (r < 0) return r; - r = compare_reported_pcr_nr(TPM_PCR_INDEX_INITRD_SYSEXTS, EFI_LOADER_VARIABLE(StubPcrInitRDSysExts), "initrd system extension images"); + r = compare_reported_pcr_nr(TPM2_PCR_SYSEXTS, EFI_LOADER_VARIABLE(StubPcrInitRDSysExts), "initrd system extension images"); if (r < 0) return r; @@ -980,17 +980,13 @@ static int validate_stub(void) { } static int verb_status(int argc, char *argv[], void *userdata) { - _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; - - static const struct { - uint32_t nr; - const char *description; - } relevant_pcrs[] = { - { TPM_PCR_INDEX_KERNEL_IMAGE, "Unified Kernel Image" }, - { TPM_PCR_INDEX_KERNEL_PARAMETERS, "Kernel Parameters" }, - { TPM_PCR_INDEX_INITRD_SYSEXTS, "initrd System Extensions" }, + static const uint32_t relevant_pcrs[] = { + TPM2_PCR_KERNEL_BOOT, + TPM2_PCR_KERNEL_CONFIG, + TPM2_PCR_SYSEXTS, }; + _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; int r; r = validate_stub(); @@ -1008,7 +1004,7 @@ static int verb_status(int argc, char *argv[], void *userdata) { if (!b) return log_oom(); - if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%" PRIu32, ascii_strlower(b), relevant_pcrs[i].nr) < 0) + if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%" PRIu32, ascii_strlower(b), relevant_pcrs[i]) < 0) return log_oom(); r = read_virtual_file(p, 4096, &s, NULL); @@ -1034,21 +1030,21 @@ static int verb_status(int argc, char *argv[], void *userdata) { fflush(stdout); fprintf(stderr, "%s# PCR[%" PRIu32 "] %s%s%s\n", ansi_grey(), - relevant_pcrs[i].nr, - relevant_pcrs[i].description, + relevant_pcrs[i], + tpm2_pcr_index_to_string(relevant_pcrs[i]), memeqzero(h, l) ? " (NOT SET!)" : "", ansi_normal()); fflush(stderr); } - printf("%" PRIu32 ":%s=%s\n", relevant_pcrs[i].nr, b, f); + printf("%" PRIu32 ":%s=%s\n", relevant_pcrs[i], b, f); } else { _cleanup_(json_variant_unrefp) JsonVariant *bv = NULL, *a = NULL; r = json_build(&bv, JSON_BUILD_OBJECT( - JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(relevant_pcrs[i].nr)), + JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(relevant_pcrs[i])), JSON_BUILD_PAIR("hash", JSON_BUILD_HEX(h, l)) ) ); diff --git a/src/boot/pcrphase.c b/src/boot/pcrphase.c index fefb509ffd4..19401168dd2 100644 --- a/src/boot/pcrphase.c +++ b/src/boot/pcrphase.c @@ -290,7 +290,7 @@ static int run(int argc, char *argv[]) { return log_error_errno(r, "Failed to get file system identifier string for '%s': %m", arg_file_system); } - target_pcr_nr = TPM_PCR_INDEX_VOLUME_KEY; /* → PCR 15 */ + target_pcr_nr = TPM2_PCR_SYSTEM_IDENTITY; /* → PCR 15 */ } else if (arg_machine_id) { sd_id128_t mid; @@ -306,7 +306,7 @@ static int run(int argc, char *argv[]) { if (!word) return log_oom(); - target_pcr_nr = TPM_PCR_INDEX_VOLUME_KEY; /* → PCR 15 */ + target_pcr_nr = TPM2_PCR_SYSTEM_IDENTITY; /* → PCR 15 */ } else { if (optind+1 != argc) @@ -322,7 +322,7 @@ static int run(int argc, char *argv[]) { if (isempty(word)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "String to measure cannot be empty, refusing."); - target_pcr_nr = TPM_PCR_INDEX_KERNEL_IMAGE; /* → PCR 11 */ + target_pcr_nr = TPM2_PCR_KERNEL_BOOT; /* → PCR 11 */ } if (arg_graceful && tpm2_support() != TPM2_SUPPORT_FULL) { @@ -337,7 +337,7 @@ static int run(int argc, char *argv[]) { if (r < 0) return r; if (r == 0) { - log_info("Kernel stub did not measure kernel image into PCR %u, skipping userspace measurement, too.", TPM_PCR_INDEX_KERNEL_IMAGE); + log_info("Kernel stub did not measure kernel image into PCR %i, skipping userspace measurement, too.", TPM2_PCR_KERNEL_BOOT); return EXIT_SUCCESS; } diff --git a/src/creds/creds.c b/src/creds/creds.c index 36531d7d187..57f4aa68098 100644 --- a/src/creds/creds.c +++ b/src/creds/creds.c @@ -930,7 +930,7 @@ static int parse_argv(int argc, char *argv[]) { if (arg_tpm2_pcr_mask == UINT32_MAX) arg_tpm2_pcr_mask = TPM2_PCR_MASK_DEFAULT; if (arg_tpm2_public_key_pcr_mask == UINT32_MAX) - arg_tpm2_public_key_pcr_mask = UINT32_C(1) << TPM_PCR_INDEX_KERNEL_IMAGE; + arg_tpm2_public_key_pcr_mask = UINT32_C(1) << TPM2_PCR_KERNEL_BOOT; return 1; } diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c index 1ac2c6951e6..2bf3333132a 100644 --- a/src/cryptenroll/cryptenroll.c +++ b/src/cryptenroll/cryptenroll.c @@ -482,7 +482,7 @@ static int parse_argv(int argc, char *argv[]) { return r; if (arg_tpm2_public_key_pcr_mask_use_default && arg_tpm2_public_key) - arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM_PCR_INDEX_KERNEL_IMAGE); + arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM2_PCR_KERNEL_BOOT); if (arg_tpm2_hash_pcr_values_use_default && !GREEDY_REALLOC_APPEND( arg_tpm2_hash_pcr_values, diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c index 1ce95b3d7e2..ced815f11ce 100644 --- a/src/cryptsetup/cryptsetup.c +++ b/src/cryptsetup/cryptsetup.c @@ -434,7 +434,7 @@ static int parse_one_option(const char *option) { return 0; } - pcr = r ? TPM_PCR_INDEX_VOLUME_KEY : UINT_MAX; + pcr = r ? TPM2_PCR_SYSTEM_IDENTITY : UINT_MAX; } else if (!TPM2_PCR_INDEX_VALID(pcr)) { log_warning("Selected TPM index for measurement %u outside of allowed range 0…%u, ignoring.", pcr, TPM2_PCRS_MAX-1); return 0; diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/tpm-pcr.h index f8ed816894f..cb786e95981 100644 --- a/src/fundamental/tpm-pcr.h +++ b/src/fundamental/tpm-pcr.h @@ -5,20 +5,44 @@ /* The various TPM PCRs we measure into from sd-stub and sd-boot. */ -/* This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel ELF image, - * embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given the whole - * surrounding PE image is measured into it) this should be reasonably pre-calculatable, because it *only* - * consists of static data from the kernel PE image. */ -#define TPM_PCR_INDEX_KERNEL_IMAGE 11U +enum { + /* The following names for PCRs 0…7 are based on the names in the "TCG PC Client Specific Platform + * Firmware Profile Specification" + * (https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/) */ + TPM2_PCR_PLATFORM_CODE = 0, + TPM2_PCR_PLATFORM_CONFIG = 1, + TPM2_PCR_EXTERNAL_CODE = 2, + TPM2_PCR_EXTERNAL_CONFIG = 3, + TPM2_PCR_BOOT_LOADER_CODE = 4, + TPM2_PCR_BOOT_LOADER_CONFIG = 5, + TPM2_PCR_HOST_PLATFORM = 6, + TPM2_PCR_SECURE_BOOT_POLICY = 7, -/* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */ -#define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U + /* The following names for PCRs 9…15 are based on the "Linux TPM PCR Registry" + (https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) */ + TPM2_PCR_KERNEL_INITRD = 9, + TPM2_PCR_IMA = 10, -/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */ -#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U + /* systemd: This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel + * ELF image, embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given + * the whole surrounding PE image is measured into it) this should be reasonably pre-calculatable, + * because it *only* consists of static data from the kernel PE image. */ + TPM2_PCR_KERNEL_BOOT = 11, -/* This TPM PCR is where we measure the root fs volume key (and maybe /var/'s) if it is split off */ -#define TPM_PCR_INDEX_VOLUME_KEY 15U + /* systemd: This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */ + TPM2_PCR_KERNEL_CONFIG = 12, + + /* systemd: This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */ + TPM2_PCR_SYSEXTS = 13, + TPM2_PCR_SHIM_POLICY = 14, + + /* systemd: This TPM PCR is where we measure the root fs volume key (and maybe /var/'s) if it is split off */ + TPM2_PCR_SYSTEM_IDENTITY = 15, + + /* As per "TCG PC Client Specific Platform Firmware Profile Specification" again, see above */ + TPM2_PCR_DEBUG = 16, + TPM2_PCR_APPLICATION_SUPPORT = 23, +}; /* List of PE sections that have special meaning for us in unified kernels. This is the canonical order in * which we measure the sections into TPM PCR 11 (see above). PLEASE DO NOT REORDER! */ diff --git a/src/partition/repart.c b/src/partition/repart.c index aed17cc9224..ab10b9acbf1 100644 --- a/src/partition/repart.c +++ b/src/partition/repart.c @@ -6837,7 +6837,7 @@ static int parse_argv(int argc, char *argv[]) { "A path to a loopback file must be specified when --split is used."); if (arg_tpm2_public_key_pcr_mask_use_default && arg_tpm2_public_key) - arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM_PCR_INDEX_KERNEL_IMAGE); + arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM2_PCR_KERNEL_BOOT); if (arg_tpm2_hash_pcr_values_use_default && !GREEDY_REALLOC_APPEND( arg_tpm2_hash_pcr_values, diff --git a/src/shared/efi-loader.c b/src/shared/efi-loader.c index e3ec91b8771..5fd9351ff4b 100644 --- a/src/shared/efi-loader.c +++ b/src/shared/efi-loader.c @@ -271,10 +271,10 @@ int efi_stub_measured(int log_level) { if (r < 0) return log_full_errno(log_level, r, "Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string); - if (pcr_nr != TPM_PCR_INDEX_KERNEL_IMAGE) + if (pcr_nr != TPM2_PCR_KERNEL_BOOT) return log_full_errno(log_level, SYNTHETIC_ERRNO(EREMOTE), - "Kernel stub measured kernel image into PCR %u, which is different than expected %u.", - pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE); + "Kernel stub measured kernel image into PCR %u, which is different than expected %i.", + pcr_nr, TPM2_PCR_KERNEL_BOOT); return 1; } diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 3b83dafa6fb..9fc7d025116 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -1722,7 +1722,7 @@ int tpm2_pcr_value_from_string(const char *arg, Tpm2PCRValue *ret_pcr_value) { if (r < 1) return log_error_errno(r, "Could not parse pcr value '%s': %m", p); - r = pcr_index_from_string(index); + r = tpm2_pcr_index_from_string(index); if (r < 0) return log_error_errno(r, "Invalid pcr index '%s': %m", index); pcr_value.index = (unsigned) r; @@ -5001,25 +5001,25 @@ int tpm2_util_pbkdf2_hmac_sha256(const void *pass, return 0; } -static const char* const pcr_index_table[_PCR_INDEX_MAX_DEFINED] = { - [PCR_PLATFORM_CODE] = "platform-code", - [PCR_PLATFORM_CONFIG] = "platform-config", - [PCR_EXTERNAL_CODE] = "external-code", - [PCR_EXTERNAL_CONFIG] = "external-config", - [PCR_BOOT_LOADER_CODE] = "boot-loader-code", - [PCR_BOOT_LOADER_CONFIG] = "boot-loader-config", - [PCR_HOST_PLATFORM] = "host-platform", - [PCR_SECURE_BOOT_POLICY] = "secure-boot-policy", - [PCR_KERNEL_INITRD] = "kernel-initrd", - [PCR_IMA] = "ima", - [PCR_KERNEL_BOOT] = "kernel-boot", - [PCR_KERNEL_CONFIG] = "kernel-config", - [PCR_SYSEXTS] = "sysexts", - [PCR_SHIM_POLICY] = "shim-policy", - [PCR_SYSTEM_IDENTITY] = "system-identity", - [PCR_DEBUG] = "debug", - [PCR_APPLICATION_SUPPORT] = "application-support", +static const char* const tpm2_pcr_index_table[_TPM2_PCR_INDEX_MAX_DEFINED] = { + [TPM2_PCR_PLATFORM_CODE] = "platform-code", + [TPM2_PCR_PLATFORM_CONFIG] = "platform-config", + [TPM2_PCR_EXTERNAL_CODE] = "external-code", + [TPM2_PCR_EXTERNAL_CONFIG] = "external-config", + [TPM2_PCR_BOOT_LOADER_CODE] = "boot-loader-code", + [TPM2_PCR_BOOT_LOADER_CONFIG] = "boot-loader-config", + [TPM2_PCR_HOST_PLATFORM] = "host-platform", + [TPM2_PCR_SECURE_BOOT_POLICY] = "secure-boot-policy", + [TPM2_PCR_KERNEL_INITRD] = "kernel-initrd", + [TPM2_PCR_IMA] = "ima", + [TPM2_PCR_KERNEL_BOOT] = "kernel-boot", + [TPM2_PCR_KERNEL_CONFIG] = "kernel-config", + [TPM2_PCR_SYSEXTS] = "sysexts", + [TPM2_PCR_SHIM_POLICY] = "shim-policy", + [TPM2_PCR_SYSTEM_IDENTITY] = "system-identity", + [TPM2_PCR_DEBUG] = "debug", + [TPM2_PCR_APPLICATION_SUPPORT] = "application-support", }; -DEFINE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_FALLBACK(pcr_index, int, TPM2_PCRS_MAX - 1); -DEFINE_STRING_TABLE_LOOKUP_TO_STRING(pcr_index, int); +DEFINE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_FALLBACK(tpm2_pcr_index, int, TPM2_PCRS_MAX - 1); +DEFINE_STRING_TABLE_LOOKUP_TO_STRING(tpm2_pcr_index, int); diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h index 23a97f15ff0..2ae1a8809f9 100644 --- a/src/shared/tpm2-util.h +++ b/src/shared/tpm2-util.h @@ -9,6 +9,7 @@ #include "macro.h" #include "openssl-util.h" #include "sha256.h" +#include "tpm-pcr.h" typedef enum TPM2Flags { TPM2_FLAGS_USE_PIN = 1 << 0, @@ -18,6 +19,7 @@ typedef enum TPM2Flags { * TPM2 on a Client PC must have at least 24 PCRs. This hardcodes our expectation of 24. */ #define TPM2_PCRS_MAX 24U #define TPM2_PCRS_MASK ((UINT32_C(1) << TPM2_PCRS_MAX) - 1) + static inline bool TPM2_PCR_INDEX_VALID(unsigned pcr) { return pcr < TPM2_PCRS_MAX; } @@ -298,34 +300,6 @@ typedef enum Tpm2Support { TPM2_SUPPORT_FULL = TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_SYSTEM|TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_LIBRARIES, } Tpm2Support; -enum { - /* The following names for PCRs 0…7 are based on the names in the "TCG PC Client Specific Platform - * Firmware Profile Specification" - * (https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/) */ - PCR_PLATFORM_CODE = 0, - PCR_PLATFORM_CONFIG = 1, - PCR_EXTERNAL_CODE = 2, - PCR_EXTERNAL_CONFIG = 3, - PCR_BOOT_LOADER_CODE = 4, - PCR_BOOT_LOADER_CONFIG = 5, - PCR_HOST_PLATFORM = 6, - PCR_SECURE_BOOT_POLICY = 7, - /* The following names for PCRs 9…15 are based on the "Linux TPM PCR Registry" - (https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) */ - PCR_KERNEL_INITRD = 9, - PCR_IMA = 10, - PCR_KERNEL_BOOT = 11, - PCR_KERNEL_CONFIG = 12, - PCR_SYSEXTS = 13, - PCR_SHIM_POLICY = 14, - PCR_SYSTEM_IDENTITY = 15, - /* As per "TCG PC Client Specific Platform Firmware Profile Specification" again, see above */ - PCR_DEBUG = 16, - PCR_APPLICATION_SUPPORT = 23, - _PCR_INDEX_MAX_DEFINED = TPM2_PCRS_MAX, - _PCR_INDEX_INVALID = -EINVAL, -}; - Tpm2Support tpm2_support(void); int tpm2_parse_pcr_argument(const char *arg, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values); @@ -341,5 +315,11 @@ int tpm2_util_pbkdf2_hmac_sha256(const void *pass, size_t saltlen, uint8_t res[static SHA256_DIGEST_SIZE]); -int pcr_index_from_string(const char *s) _pure_; -const char *pcr_index_to_string(int pcr) _const_; +enum { + /* Additional defines for the PCR index naming enum from "fundamental/tpm-pcr.h" */ + _TPM2_PCR_INDEX_MAX_DEFINED = TPM2_PCRS_MAX, + _TPM2_PCR_INDEX_INVALID = -EINVAL, +}; + +int tpm2_pcr_index_from_string(const char *s) _pure_; +const char *tpm2_pcr_index_to_string(int pcr) _const_; diff --git a/src/test/test-tpm2.c b/src/test/test-tpm2.c index 7e65396b146..e2c700896a3 100644 --- a/src/test/test-tpm2.c +++ b/src/test/test-tpm2.c @@ -4,44 +4,44 @@ #include "tpm2-util.h" #include "tests.h" -TEST(pcr_index_from_string) { - assert_se(pcr_index_from_string("platform-code") == 0); - assert_se(pcr_index_from_string("0") == 0); - assert_se(pcr_index_from_string("platform-config") == 1); - assert_se(pcr_index_from_string("1") == 1); - assert_se(pcr_index_from_string("external-code") == 2); - assert_se(pcr_index_from_string("2") == 2); - assert_se(pcr_index_from_string("external-config") == 3); - assert_se(pcr_index_from_string("3") == 3); - assert_se(pcr_index_from_string("boot-loader-code") == 4); - assert_se(pcr_index_from_string("4") == 4); - assert_se(pcr_index_from_string("boot-loader-config") == 5); - assert_se(pcr_index_from_string("5") == 5); - assert_se(pcr_index_from_string("secure-boot-policy") == 7); - assert_se(pcr_index_from_string("7") == 7); - assert_se(pcr_index_from_string("kernel-initrd") == 9); - assert_se(pcr_index_from_string("9") == 9); - assert_se(pcr_index_from_string("ima") == 10); - assert_se(pcr_index_from_string("10") == 10); - assert_se(pcr_index_from_string("kernel-boot") == 11); - assert_se(pcr_index_from_string("11") == 11); - assert_se(pcr_index_from_string("kernel-config") == 12); - assert_se(pcr_index_from_string("12") == 12); - assert_se(pcr_index_from_string("sysexts") == 13); - assert_se(pcr_index_from_string("13") == 13); - assert_se(pcr_index_from_string("shim-policy") == 14); - assert_se(pcr_index_from_string("14") == 14); - assert_se(pcr_index_from_string("system-identity") == 15); - assert_se(pcr_index_from_string("15") == 15); - assert_se(pcr_index_from_string("debug") == 16); - assert_se(pcr_index_from_string("16") == 16); - assert_se(pcr_index_from_string("application-support") == 23); - assert_se(pcr_index_from_string("23") == 23); - assert_se(pcr_index_from_string("hello") == -EINVAL); - assert_se(pcr_index_from_string("8") == 8); - assert_se(pcr_index_from_string("44") == -EINVAL); - assert_se(pcr_index_from_string("-5") == -EINVAL); - assert_se(pcr_index_from_string("24") == -EINVAL); +TEST(tpm2_pcr_index_from_string) { + assert_se(tpm2_pcr_index_from_string("platform-code") == 0); + assert_se(tpm2_pcr_index_from_string("0") == 0); + assert_se(tpm2_pcr_index_from_string("platform-config") == 1); + assert_se(tpm2_pcr_index_from_string("1") == 1); + assert_se(tpm2_pcr_index_from_string("external-code") == 2); + assert_se(tpm2_pcr_index_from_string("2") == 2); + assert_se(tpm2_pcr_index_from_string("external-config") == 3); + assert_se(tpm2_pcr_index_from_string("3") == 3); + assert_se(tpm2_pcr_index_from_string("boot-loader-code") == 4); + assert_se(tpm2_pcr_index_from_string("4") == 4); + assert_se(tpm2_pcr_index_from_string("boot-loader-config") == 5); + assert_se(tpm2_pcr_index_from_string("5") == 5); + assert_se(tpm2_pcr_index_from_string("secure-boot-policy") == 7); + assert_se(tpm2_pcr_index_from_string("7") == 7); + assert_se(tpm2_pcr_index_from_string("kernel-initrd") == 9); + assert_se(tpm2_pcr_index_from_string("9") == 9); + assert_se(tpm2_pcr_index_from_string("ima") == 10); + assert_se(tpm2_pcr_index_from_string("10") == 10); + assert_se(tpm2_pcr_index_from_string("kernel-boot") == 11); + assert_se(tpm2_pcr_index_from_string("11") == 11); + assert_se(tpm2_pcr_index_from_string("kernel-config") == 12); + assert_se(tpm2_pcr_index_from_string("12") == 12); + assert_se(tpm2_pcr_index_from_string("sysexts") == 13); + assert_se(tpm2_pcr_index_from_string("13") == 13); + assert_se(tpm2_pcr_index_from_string("shim-policy") == 14); + assert_se(tpm2_pcr_index_from_string("14") == 14); + assert_se(tpm2_pcr_index_from_string("system-identity") == 15); + assert_se(tpm2_pcr_index_from_string("15") == 15); + assert_se(tpm2_pcr_index_from_string("debug") == 16); + assert_se(tpm2_pcr_index_from_string("16") == 16); + assert_se(tpm2_pcr_index_from_string("application-support") == 23); + assert_se(tpm2_pcr_index_from_string("23") == 23); + assert_se(tpm2_pcr_index_from_string("hello") == -EINVAL); + assert_se(tpm2_pcr_index_from_string("8") == 8); + assert_se(tpm2_pcr_index_from_string("44") == -EINVAL); + assert_se(tpm2_pcr_index_from_string("-5") == -EINVAL); + assert_se(tpm2_pcr_index_from_string("24") == -EINVAL); } TEST(tpm2_util_pbkdf2_hmac_sha256) {