From: Daan De Meyer Date: Tue, 1 Oct 2024 08:15:15 +0000 (+0200) Subject: Revert "ukify: introduce new --measure-base= switch" X-Git-Tag: v257-rc1~323^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=71f11a8f4c0fb50c5ff170db6ddc89e626cdc202;p=thirdparty%2Fsystemd.git Revert "ukify: introduce new --measure-base= switch" This reverts commit bc3e2c5a5774ae7b212817d04e04abccf30088ae.
---
diff --git a/man/ukify.xml b/man/ukify.xml
index a11eb85c917..902736d4ed8 100644
--- a/man/ukify.xml
+++ b/man/ukify.xml
@@ -240,19 +240,6 @@ - - - - Takes a path to an existing PE file to use as base profile, for measuring - multi-profile UKIs. When calculating the PCR values, this has the effect that the sections - specified on the command line are combined with any sections from the PE file specified here (up to - the first .profile section, and only if not already specified on the command - line). Typically, this is used together with to both import and use as - measurement base an existing UKI. - - - -
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index 55c40164ae9..1a8c9507eeb 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -503,14 +503,6 @@ def pe_strip_section_name(name): def call_systemd_measure(uki, opts): - - if not opts.measure and not opts.pcr_private_keys: - return - - measure_sections = ('.linux', '.osrel', '.cmdline', '.initrd', - '.ucode', '.splash', '.dtb', '.uname', - '.sbat', '.pcrpkey', '.profile') - measure_tool = find_tool('systemd-measure', '/usr/lib/systemd/systemd-measure', opts=opts)
@@ -519,60 +511,15 @@ def call_systemd_measure(uki, opts): # PCR measurement - to_measure = [] - tflist = [] - - # First, pick up the sections we shall measure now */ - for s in uki.sections: - if not s.measure: - continue - - if s.content is not None: - to_measure.append(f"--{s.name.removeprefix('.')}={s.content}") - else: - raise ValueError(f"Don't know how to measure section {s.name}"); - - # And now iterate through the base profile and measure what we haven't measured above - if opts.measure_base is not None: - pe = pefile.PE(opts.measure_base, fast_load=True) - - # Find matching PE section in base image - for base_section in pe.sections: - name = pe_strip_section_name(base_section.Name) - - # If we reach the first .profile section the base is over - if name == ".profile": - break - - # Only some sections are measured - if name not in measure_sections: - continue - - # Check if this is a section we already covered above - already_covered = False - for s in uki.sections: - if s.measure and name == s.name: - already_covered = True - break; - - if already_covered: - continue - - # Split out section and use as base - tf = tempfile.NamedTemporaryFile() - tf.write(base_section.get_data(length=base_section.Misc_VirtualSize)) - tf.flush() - tflist.append(tf) - - to_measure.append(f"--{name.removeprefix('.')}={tf.name}") - if opts.measure: pp_groups = opts.phase_path_groups or [] cmd = [ measure_tool, 'calculate', - *to_measure, + *(f"--{s.name.removeprefix('.')}={s.content}" + for s in uki.sections + if s.measure), *(f'--bank={bank}' for bank in banks), # For measurement, the keys are not relevant, so we can lump all the phase paths
@@ -592,7 +539,9 @@ def call_systemd_measure(uki, opts): cmd = [ measure_tool, 'sign', - *to_measure, + *(f"--{s.name.removeprefix('.')}={s.content}" + for s in uki.sections + if s.measure), *(f'--bank={bank}' for bank in banks), ]
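Review bot: The restored generator `*(f"--{s.name.removeprefix('.')}={s.content}" for s in uki.sections if s.measure)` in the `calculate` list, and its copy in the `sign` list of the next hunk, formats `s.content` without the `None` check the removed loop had, so a measured section with no content would reach systemd-measure as `--<name>=None`. That presumably fails inside the tool rather than in ukify, or reads an unrelated file named `None` if one exists in the working directory, which matters because the output is a PCR prediction or a signed PCR policy. Building the argument list once with the `ValueError` guard, without bringing back `--measure-base`, also keeps the predicted and the signed measurement over the same inputs. The body of call_systemd_measure starts and ends outside these hunks.

```python
    # Build the section arguments once so 'calculate' and 'sign' cannot drift apart.
    to_measure = []
    for s in uki.sections:
        if not s.measure:
            continue
        if s.content is None:
            raise ValueError(f"Don't know how to measure section {s.name}")
        to_measure.append(f"--{s.name.removeprefix('.')}={s.content}")

    if opts.measure:
        # … unchanged: pp_groups setup …
        cmd = [
            measure_tool,
            'calculate',
            *to_measure,
            # … unchanged: --bank= and --phase= arguments …

    # … unchanged: signing branch up to the 'sign' command …
            cmd = [
                measure_tool,
                'sign',
                *to_measure,
                # … unchanged: --bank= arguments …
```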
@@ -1481,14 +1430,6 @@ CONFIG_ITEMS = [ config_key = 'UKI/Extend', ), - ConfigItem( - '--measure-base', - metavar = 'UKI', - type = pathlib.Path, - help = 'path to existing UKI file whose relevant sections shall be used as base for PCR11 prediction', - config_key = 'UKI/MeasureBase', - ), - ConfigItem( '--pcr-banks', metavar = 'BANK…',