diff options
author | Luca Boccassi <bluca@debian.org> | 2023-09-24 01:34:58 +0200 |
---|---|---|
committer | Luca Boccassi <bluca@debian.org> | 2023-10-09 23:22:09 +0200 |
commit | 3e6f010e03a81082ba8aa39606dd34e00f410af7 (patch) | |
tree | 90e6fa1f4959058e4b2fd8c528fbda9bf733f609 | |
parent | stub: add support for dtb addons (diff) | |
download | systemd-3e6f010e03a81082ba8aa39606dd34e00f410af7.tar.xz systemd-3e6f010e03a81082ba8aa39606dd34e00f410af7.zip |
stub: measure all cmdline addons together
-rw-r--r-- | docs/TPM2_PCR_MEASUREMENTS.md | 7 | ||||
-rw-r--r-- | src/boot/efi/stub.c | 28 |
2 files changed, 20 insertions, 15 deletions
diff --git a/docs/TPM2_PCR_MEASUREMENTS.md b/docs/TPM2_PCR_MEASUREMENTS.md index f2893f1344..f92b8a5ed5 100644 --- a/docs/TPM2_PCR_MEASUREMENTS.md +++ b/docs/TPM2_PCR_MEASUREMENTS.md @@ -77,12 +77,11 @@ PE section order, as per the UKI specification, see above. ### PCR 12, `EV_IPL`, "Kernel Command Line" -Might happen up to four times, for kernel command lines from: +Might happen up to three times, for kernel command lines from: 1. Passed cmdline - 2. System cmdline add-ons (one measurement covering all add-ons combined) - 3. Per-UKI cmdline add-ons (one measurement covering all add-ons combined) - 2. SMBIOS cmdline + 2. System and per-UKI cmdline add-ons (one measurement covering all add-ons combined) + 3. SMBIOS cmdline → **Description** in the event log record is the literal kernel command line in UTF-16. diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c index dd3d017cce..2366dfd42b 100644 --- a/src/boot/efi/stub.c +++ b/src/boot/efi/stub.c @@ -257,26 +257,35 @@ static EFI_STATUS load_addons_from_dir( } static void cmdline_append_and_measure_addons( - char16_t *cmdline, + char16_t *cmdline_global, + char16_t *cmdline_uki, char16_t **cmdline_append, bool *ret_parameters_measured) { - _cleanup_free_ char16_t *tmp = NULL; + _cleanup_free_ char16_t *tmp = NULL, *merged = NULL; bool m = false; assert(cmdline_append); assert(ret_parameters_measured); - mangle_stub_cmdline(cmdline); + if (isempty(cmdline_global) && isempty(cmdline_uki)) + return; + + merged = xasprintf("%ls%ls%ls", + strempty(cmdline_global), + isempty(cmdline_global) || isempty(cmdline_uki) ? u"" : u" ", + strempty(cmdline_uki)); + + mangle_stub_cmdline(merged); - if (isempty(cmdline)) + if (isempty(merged)) return; - (void) tpm_log_load_options(cmdline, &m); + (void) tpm_log_load_options(merged, &m); *ret_parameters_measured = m; tmp = TAKE_PTR(*cmdline_append); - *cmdline_append = xasprintf("%ls%ls%ls", strempty(tmp), isempty(tmp) ? u"" : u" ", cmdline); + *cmdline_append = xasprintf("%ls%ls%ls", strempty(tmp), isempty(tmp) ? u"" : u" ", merged); } static void dtb_install_addons( @@ -623,13 +632,10 @@ static EFI_STATUS run(EFI_HANDLE image) { } /* If we have any extra command line to add via PE addons, load them now and append, and - * measure the additions separately, after the embedded options, but before the smbios ones, + * measure the additions together, after the embedded options, but before the smbios ones, * so that the order is reversed from "most hardcoded" to "most dynamic". The global addons are * loaded first, and the image-specific ones later, for the same reason. */ - cmdline_append_and_measure_addons(cmdline_addons_global, &cmdline, &m); - parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m); - - cmdline_append_and_measure_addons(cmdline_addons_uki, &cmdline, &m); + cmdline_append_and_measure_addons(cmdline_addons_global, cmdline_addons_uki, &cmdline, &m); parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m); /* SMBIOS OEM Strings data is controlled by the host admin and not covered |