summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuca Boccassi <bluca@debian.org>2023-08-28 18:43:10 +0200
committerGitHub <noreply@github.com>2023-08-28 18:43:10 +0200
commitcd4ed8579b436656295ef36b02f071b3904da722 (patch)
tree29cf58682590f4b7dc74362f64aba3fad870d7a6
parentMerge pull request #28916 from ddstreet/tpm2_pcr_value_post_merge (diff)
parentfundamental: rename tpm-pcr.h → tpm2-pcr.h (diff)
downloadsystemd-cd4ed8579b436656295ef36b02f071b3904da722.tar.xz
systemd-cd4ed8579b436656295ef36b02f071b3904da722.zip
Merge pull request #28948 from poettering/tpm2-duplicate-pcr-names
tpm2: unify tpm2 PCR symbolic identifiers
Diffstat
-rw-r--r--src/analyze/analyze-pcrs.c6
-rw-r--r--src/boot/efi/measure.c8
-rw-r--r--src/boot/efi/stub.c19
-rw-r--r--src/boot/measure.c47
-rw-r--r--src/boot/pcrphase.c10
-rw-r--r--src/creds/creds.c4
-rw-r--r--src/cryptenroll/cryptenroll.c4
-rw-r--r--src/cryptsetup/cryptsetup.c4
-rw-r--r--src/fundamental/meson.build2
-rw-r--r--src/fundamental/tpm2-pcr.h45
-rw-r--r--src/fundamental/uki.c (renamed from src/fundamental/tpm-pcr.c)2
-rw-r--r--src/fundamental/uki.h (renamed from src/fundamental/tpm-pcr.h)19
-rw-r--r--src/partition/repart.c6
-rw-r--r--src/shared/efi-loader.c8
-rw-r--r--src/shared/tpm2-util.c42
-rw-r--r--src/shared/tpm2-util.h40
-rw-r--r--src/test/test-tpm2.c76
17 files changed, 174 insertions, 168 deletions
diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c
index c081ffef01..ed907f78d1 100644
--- a/src/analyze/analyze-pcrs.c
+++ b/src/analyze/analyze-pcrs.c
@@ -82,7 +82,7 @@ static int add_pcr_to_table(Table *table, const char *alg, uint32_t pcr) {
r = table_add_many(table,
TABLE_UINT32, pcr,
- TABLE_STRING, pcr_index_to_string(pcr),
+ TABLE_STRING, tpm2_pcr_index_to_string(pcr),
TABLE_STRING, h,
TABLE_SET_COLOR, color);
if (r < 0)
@@ -115,7 +115,7 @@ int verb_pcrs(int argc, char *argv[], void *userdata) {
(void) table_set_display(table, 0, 1);
if (strv_isempty(strv_skip(argv, 1)))
- for (uint32_t pi = 0; pi < _PCR_INDEX_MAX_DEFINED; pi++) {
+ for (uint32_t pi = 0; pi < _TPM2_PCR_INDEX_MAX_DEFINED; pi++) {
r = add_pcr_to_table(table, alg, pi);
if (r < 0)
return r;
@@ -124,7 +124,7 @@ int verb_pcrs(int argc, char *argv[], void *userdata) {
for (int i = 1; i < argc; i++) {
int pi;
- pi = pcr_index_from_string(argv[i]);
+ pi = tpm2_pcr_index_from_string(argv[i]);
if (pi < 0)
return log_error_errno(pi, "PCR index \"%s\" not known.", argv[i]);
diff --git a/src/boot/efi/measure.c b/src/boot/efi/measure.c
index 359d277e2f..677fe64015 100644
--- a/src/boot/efi/measure.c
+++ b/src/boot/efi/measure.c
@@ -5,7 +5,7 @@
#include "macro-fundamental.h"
#include "measure.h"
#include "proto/tcg.h"
-#include "tpm-pcr.h"
+#include "tpm2-pcr.h"
#include "util.h"
static EFI_STATUS tpm1_measure_to_pcr_and_event_log(
@@ -202,7 +202,7 @@ EFI_STATUS tpm_log_load_options(const char16_t *load_options, bool *ret_measured
/* Measures a load options string into the TPM2, i.e. the kernel command line */
err = tpm_log_event(
- TPM_PCR_INDEX_KERNEL_PARAMETERS,
+ TPM2_PCR_KERNEL_CONFIG,
POINTER_TO_PHYSICAL_ADDRESS(load_options),
strsize16(load_options),
load_options,
@@ -210,8 +210,8 @@ EFI_STATUS tpm_log_load_options(const char16_t *load_options, bool *ret_measured
if (err != EFI_SUCCESS)
return log_error_status(
err,
- "Unable to add load options (i.e. kernel command) line measurement to PCR %u: %m",
- TPM_PCR_INDEX_KERNEL_PARAMETERS);
+ "Unable to add load options (i.e. kernel command) line measurement to PCR %i: %m",
+ TPM2_PCR_KERNEL_CONFIG);
if (ret_measured)
*ret_measured = measured;
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index 183106b91f..e34fc77faa 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -13,7 +13,8 @@
#include "secure-boot.h"
#include "shim.h"
#include "splash.h"
-#include "tpm-pcr.h"
+#include "tpm2-pcr.h"
+#include "uki.h"
#include "util.h"
#include "version.h"
#include "vmm.h"
@@ -417,7 +418,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
/* First measure the name of the section */
(void) tpm_log_event_ascii(
- TPM_PCR_INDEX_KERNEL_IMAGE,
+ TPM2_PCR_KERNEL_BOOT,
POINTER_TO_PHYSICAL_ADDRESS(unified_sections[section]),
strsize8(unified_sections[section]), /* including NUL byte */
unified_sections[section],
@@ -427,7 +428,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
/* Then measure the data of the section */
(void) tpm_log_event_ascii(
- TPM_PCR_INDEX_KERNEL_IMAGE,
+ TPM2_PCR_KERNEL_BOOT,
POINTER_TO_PHYSICAL_ADDRESS(loaded_image->ImageBase) + addrs[section],
szs[section],
unified_sections[section],
@@ -439,7 +440,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
/* After we are done, set an EFI variable that tells userspace this was done successfully, and encode
* in it which PCR was used. */
if (sections_measured > 0)
- (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelImage", TPM_PCR_INDEX_KERNEL_IMAGE, 0);
+ (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelImage", TPM2_PCR_KERNEL_BOOT, 0);
/* Show splash screen as early as possible */
graphics_splash((const uint8_t*) loaded_image->ImageBase + addrs[UNIFIED_SECTION_SPLASH], szs[UNIFIED_SECTION_SPLASH]);
@@ -515,7 +516,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
".extra/credentials",
/* dir_mode= */ 0500,
/* access_mode= */ 0400,
- /* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS,
+ /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
u"Credentials initrd",
&credential_initrd,
&credential_initrd_size,
@@ -528,7 +529,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
".extra/global_credentials",
/* dir_mode= */ 0500,
/* access_mode= */ 0400,
- /* tpm_pcr= */ TPM_PCR_INDEX_KERNEL_PARAMETERS,
+ /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG,
u"Global credentials initrd",
&global_credential_initrd,
&global_credential_initrd_size,
@@ -541,7 +542,7 @@ static EFI_STATUS run(EFI_HANDLE image) {
".extra/sysext",
/* dir_mode= */ 0555,
/* access_mode= */ 0444,
- /* tpm_pcr= */ TPM_PCR_INDEX_INITRD_SYSEXTS,
+ /* tpm_pcr= */ TPM2_PCR_SYSEXTS,
u"System extension initrd",
&sysext_initrd,
&sysext_initrd_size,
@@ -549,9 +550,9 @@ static EFI_STATUS run(EFI_HANDLE image) {
sysext_measured = m;
if (parameters_measured > 0)
- (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelParameters", TPM_PCR_INDEX_KERNEL_PARAMETERS, 0);
+ (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrKernelParameters", TPM2_PCR_KERNEL_CONFIG, 0);
if (sysext_measured)
- (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDSysExts", TPM_PCR_INDEX_INITRD_SYSEXTS, 0);
+ (void) efivar_set_uint_string(MAKE_GUID_PTR(LOADER), u"StubPcrInitRDSysExts", TPM2_PCR_SYSEXTS, 0);
/* If the PCR signature was embedded in the PE image, then let's wrap it in a cpio and also pass it
* to the kernel, so that it can be read from /.extra/tpm2-pcr-signature.json. Note that this section
diff --git a/src/boot/measure.c b/src/boot/measure.c
index fbeb4473f7..a62caf8a3f 100644
--- a/src/boot/measure.c
+++ b/src/boot/measure.c
@@ -18,8 +18,9 @@
#include "pretty-print.h"
#include "sha256.h"
#include "terminal-util.h"
-#include "tpm-pcr.h"
+#include "tpm2-pcr.h"
#include "tpm2-util.h"
+#include "uki.h"
#include "verbs.h"
/* Tool for pre-calculating expected TPM PCR values based on measured resources. This is intended to be used
@@ -409,7 +410,7 @@ static int measure_kernel(PcrState *pcr_states, size_t n) {
_cleanup_free_ void *v = NULL;
size_t sz;
- if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%" PRIu32, pcr_states[i].bank, TPM_PCR_INDEX_KERNEL_IMAGE) < 0)
+ if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%i", pcr_states[i].bank, TPM2_PCR_KERNEL_BOOT) < 0)
return log_oom();
r = read_virtual_file(p, 4096, &s, NULL);
@@ -679,9 +680,9 @@ static int verb_calculate(int argc, char *argv[], void *userdata) {
if (i == 0) {
fflush(stdout);
- fprintf(stderr, "%s# PCR[%" PRIu32 "] Phase <%s>%s\n",
+ fprintf(stderr, "%s# PCR[%i] Phase <%s>%s\n",
ansi_grey(),
- TPM_PCR_INDEX_KERNEL_IMAGE,
+ TPM2_PCR_KERNEL_BOOT,
isempty(*phase) ? ":" : *phase,
ansi_normal());
fflush(stderr);
@@ -691,7 +692,7 @@ static int verb_calculate(int argc, char *argv[], void *userdata) {
if (!hd)
return log_oom();
- printf("%" PRIu32 ":%s=%s\n", TPM_PCR_INDEX_KERNEL_IMAGE, pcr_states[i].bank, hd);
+ printf("%i:%s=%s\n", TPM2_PCR_KERNEL_BOOT, pcr_states[i].bank, hd);
} else {
_cleanup_(json_variant_unrefp) JsonVariant *array = NULL;
@@ -701,7 +702,7 @@ static int verb_calculate(int argc, char *argv[], void *userdata) {
&array,
JSON_BUILD_OBJECT(
JSON_BUILD_PAIR_CONDITION(!isempty(*phase), "phase", JSON_BUILD_STRING(*phase)),
- JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(TPM_PCR_INDEX_KERNEL_IMAGE)),
+ JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(TPM2_PCR_KERNEL_BOOT)),
JSON_BUILD_PAIR("hash", JSON_BUILD_HEX(pcr_states[i].value, pcr_states[i].value_size))));
if (r < 0)
return log_error_errno(r, "Failed to append JSON object to array: %m");
@@ -826,7 +827,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
if (tpmalg < 0)
return log_error_errno(tpmalg, "Unsupported PCR bank");
- Tpm2PCRValue pcr_value = TPM2_PCR_VALUE_MAKE(TPM_PCR_INDEX_KERNEL_IMAGE,
+ Tpm2PCRValue pcr_value = TPM2_PCR_VALUE_MAKE(TPM2_PCR_KERNEL_BOOT,
tpmalg,
TPM2B_DIGEST_MAKE(p->value, p->value_size));
@@ -869,7 +870,7 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
return r;
_cleanup_(json_variant_unrefp) JsonVariant *a = NULL;
- r = tpm2_make_pcr_json_array(UINT64_C(1) << TPM_PCR_INDEX_KERNEL_IMAGE, &a);
+ r = tpm2_make_pcr_json_array(UINT64_C(1) << TPM2_PCR_KERNEL_BOOT, &a);
if (r < 0)
return log_error_errno(r, "Failed to build JSON PCR mask array: %m");
@@ -944,15 +945,15 @@ static int validate_stub(void) {
log_warning("Warning: current kernel image does not support measuring itself, the command line or initrd system extension images.\n"
"The PCR measurements seen are unlikely to be valid.");
- r = compare_reported_pcr_nr(TPM_PCR_INDEX_KERNEL_IMAGE, EFI_LOADER_VARIABLE(StubPcrKernelImage), "kernel image");
+ r = compare_reported_pcr_nr(TPM2_PCR_KERNEL_BOOT, EFI_LOADER_VARIABLE(StubPcrKernelImage), "kernel image");
if (r < 0)
return r;
- r = compare_reported_pcr_nr(TPM_PCR_INDEX_KERNEL_PARAMETERS, EFI_LOADER_VARIABLE(StubPcrKernelParameters), "kernel parameters");
+ r = compare_reported_pcr_nr(TPM2_PCR_KERNEL_CONFIG, EFI_LOADER_VARIABLE(StubPcrKernelParameters), "kernel parameters");
if (r < 0)
return r;
- r = compare_reported_pcr_nr(TPM_PCR_INDEX_INITRD_SYSEXTS, EFI_LOADER_VARIABLE(StubPcrInitRDSysExts), "initrd system extension images");
+ r = compare_reported_pcr_nr(TPM2_PCR_SYSEXTS, EFI_LOADER_VARIABLE(StubPcrInitRDSysExts), "initrd system extension images");
if (r < 0)
return r;
@@ -980,17 +981,13 @@ static int validate_stub(void) {
}
static int verb_status(int argc, char *argv[], void *userdata) {
- _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
-
- static const struct {
- uint32_t nr;
- const char *description;
- } relevant_pcrs[] = {
- { TPM_PCR_INDEX_KERNEL_IMAGE, "Unified Kernel Image" },
- { TPM_PCR_INDEX_KERNEL_PARAMETERS, "Kernel Parameters" },
- { TPM_PCR_INDEX_INITRD_SYSEXTS, "initrd System Extensions" },
+ static const uint32_t relevant_pcrs[] = {
+ TPM2_PCR_KERNEL_BOOT,
+ TPM2_PCR_KERNEL_CONFIG,
+ TPM2_PCR_SYSEXTS,
};
+ _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
int r;
r = validate_stub();
@@ -1008,7 +1005,7 @@ static int verb_status(int argc, char *argv[], void *userdata) {
if (!b)
return log_oom();
- if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%" PRIu32, ascii_strlower(b), relevant_pcrs[i].nr) < 0)
+ if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/%" PRIu32, ascii_strlower(b), relevant_pcrs[i]) < 0)
return log_oom();
r = read_virtual_file(p, 4096, &s, NULL);
@@ -1034,21 +1031,21 @@ static int verb_status(int argc, char *argv[], void *userdata) {
fflush(stdout);
fprintf(stderr, "%s# PCR[%" PRIu32 "] %s%s%s\n",
ansi_grey(),
- relevant_pcrs[i].nr,
- relevant_pcrs[i].description,
+ relevant_pcrs[i],
+ tpm2_pcr_index_to_string(relevant_pcrs[i]),
memeqzero(h, l) ? " (NOT SET!)" : "",
ansi_normal());
fflush(stderr);
}
- printf("%" PRIu32 ":%s=%s\n", relevant_pcrs[i].nr, b, f);
+ printf("%" PRIu32 ":%s=%s\n", relevant_pcrs[i], b, f);
} else {
_cleanup_(json_variant_unrefp) JsonVariant *bv = NULL, *a = NULL;
r = json_build(&bv,
JSON_BUILD_OBJECT(
- JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(relevant_pcrs[i].nr)),
+ JSON_BUILD_PAIR("pcr", JSON_BUILD_INTEGER(relevant_pcrs[i])),
JSON_BUILD_PAIR("hash", JSON_BUILD_HEX(h, l))
)
);
diff --git a/src/boot/pcrphase.c b/src/boot/pcrphase.c
index fefb509ffd..08285d7318 100644
--- a/src/boot/pcrphase.c
+++ b/src/boot/pcrphase.c
@@ -18,7 +18,7 @@
#include "openssl-util.h"
#include "parse-argument.h"
#include "pretty-print.h"
-#include "tpm-pcr.h"
+#include "tpm2-pcr.h"
#include "tpm2-util.h"
static bool arg_graceful = false;
@@ -290,7 +290,7 @@ static int run(int argc, char *argv[]) {
return log_error_errno(r, "Failed to get file system identifier string for '%s': %m", arg_file_system);
}
- target_pcr_nr = TPM_PCR_INDEX_VOLUME_KEY; /* → PCR 15 */
+ target_pcr_nr = TPM2_PCR_SYSTEM_IDENTITY; /* → PCR 15 */
} else if (arg_machine_id) {
sd_id128_t mid;
@@ -306,7 +306,7 @@ static int run(int argc, char *argv[]) {
if (!word)
return log_oom();
- target_pcr_nr = TPM_PCR_INDEX_VOLUME_KEY; /* → PCR 15 */
+ target_pcr_nr = TPM2_PCR_SYSTEM_IDENTITY; /* → PCR 15 */
} else {
if (optind+1 != argc)
@@ -322,7 +322,7 @@ static int run(int argc, char *argv[]) {
if (isempty(word))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "String to measure cannot be empty, refusing.");
- target_pcr_nr = TPM_PCR_INDEX_KERNEL_IMAGE; /* → PCR 11 */
+ target_pcr_nr = TPM2_PCR_KERNEL_BOOT; /* → PCR 11 */
}
if (arg_graceful && tpm2_support() != TPM2_SUPPORT_FULL) {
@@ -337,7 +337,7 @@ static int run(int argc, char *argv[]) {
if (r < 0)
return r;
if (r == 0) {
- log_info("Kernel stub did not measure kernel image into PCR %u, skipping userspace measurement, too.", TPM_PCR_INDEX_KERNEL_IMAGE);
+ log_info("Kernel stub did not measure kernel image into PCR %i, skipping userspace measurement, too.", TPM2_PCR_KERNEL_BOOT);
return EXIT_SUCCESS;
}
diff --git a/src/creds/creds.c b/src/creds/creds.c
index 36531d7d18..0bc55a36d2 100644
--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@@ -22,7 +22,7 @@
#include "stat-util.h"
#include "string-table.h"
#include "terminal-util.h"
-#include "tpm-pcr.h"
+#include "tpm2-pcr.h"
#include "tpm2-util.h"
#include "verbs.h"
@@ -930,7 +930,7 @@ static int parse_argv(int argc, char *argv[]) {
if (arg_tpm2_pcr_mask == UINT32_MAX)
arg_tpm2_pcr_mask = TPM2_PCR_MASK_DEFAULT;
if (arg_tpm2_public_key_pcr_mask == UINT32_MAX)
- arg_tpm2_public_key_pcr_mask = UINT32_C(1) << TPM_PCR_INDEX_KERNEL_IMAGE;
+ arg_tpm2_public_key_pcr_mask = UINT32_C(1) << TPM2_PCR_KERNEL_BOOT;
return 1;
}
diff --git a/src/cryptenroll/cryptenroll.c b/src/cryptenroll/cryptenroll.c
index 1ac2c6951e..1ffa2fb5f2 100644
--- a/src/cryptenroll/cryptenroll.c
+++ b/src/cryptenroll/cryptenroll.c
@@ -27,7 +27,7 @@
#include "string-table.h"
#include "strv.h"
#include "terminal-util.h"
-#include "tpm-pcr.h"
+#include "tpm2-pcr.h"
static EnrollType arg_enroll_type = _ENROLL_TYPE_INVALID;
static char *arg_unlock_keyfile = NULL;
@@ -482,7 +482,7 @@ static int parse_argv(int argc, char *argv[]) {
return r;
if (arg_tpm2_public_key_pcr_mask_use_default && arg_tpm2_public_key)
- arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM_PCR_INDEX_KERNEL_IMAGE);
+ arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM2_PCR_KERNEL_BOOT);
if (arg_tpm2_hash_pcr_values_use_default && !GREEDY_REALLOC_APPEND(
arg_tpm2_hash_pcr_values,
diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c
index 1ce95b3d7e..adf881dc5c 100644
--- a/src/cryptsetup/cryptsetup.c
+++ b/src/cryptsetup/cryptsetup.c
@@ -40,7 +40,7 @@
#include "random-util.h"
#include "string-table.h"
#include "strv.h"
-#include "tpm-pcr.h"
+#include "tpm2-pcr.h"
#include "tpm2-util.h"
/* internal helper */
@@ -434,7 +434,7 @@ static int parse_one_option(const char *option) {
return 0;
}
- pcr = r ? TPM_PCR_INDEX_VOLUME_KEY : UINT_MAX;
+ pcr = r ? TPM2_PCR_SYSTEM_IDENTITY : UINT_MAX;
} else if (!TPM2_PCR_INDEX_VALID(pcr)) {
log_warning("Selected TPM index for measurement %u outside of allowed range 0…%u, ignoring.", pcr, TPM2_PCRS_MAX-1);
return 0;
diff --git a/src/fundamental/meson.build b/src/fundamental/meson.build
index a55a5faa53..b7ca6cf10e 100644
--- a/src/fundamental/meson.build
+++ b/src/fundamental/meson.build
@@ -7,5 +7,5 @@ fundamental_sources = files(
'efivars-fundamental.c',
'sha256.c',
'string-util-fundamental.c',
- 'tpm-pcr.c',
+ 'uki.c',
)
diff --git a/src/fundamental/tpm2-pcr.h b/src/fundamental/tpm2-pcr.h
new file mode 100644
index 0000000000..57befdf83b
--- /dev/null
+++ b/src/fundamental/tpm2-pcr.h
@@ -0,0 +1,45 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include "macro-fundamental.h"
+
+/* The various TPM PCRs we measure into from sd-stub and sd-boot. */
+
+enum {
+ /* The following names for PCRs 0…7 are based on the names in the "TCG PC Client Specific Platform
+ * Firmware Profile Specification"
+ * (https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/) */
+ TPM2_PCR_PLATFORM_CODE = 0,
+ TPM2_PCR_PLATFORM_CONFIG = 1,
+ TPM2_PCR_EXTERNAL_CODE = 2,
+ TPM2_PCR_EXTERNAL_CONFIG = 3,
+ TPM2_PCR_BOOT_LOADER_CODE = 4,
+ TPM2_PCR_BOOT_LOADER_CONFIG = 5,
+ TPM2_PCR_HOST_PLATFORM = 6,
+ TPM2_PCR_SECURE_BOOT_POLICY = 7,
+
+ /* The following names for PCRs 9…15 are based on the "Linux TPM PCR Registry"
+ (https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) */
+ TPM2_PCR_KERNEL_INITRD = 9,
+ TPM2_PCR_IMA = 10,
+
+ /* systemd: This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel
+ * ELF image, embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given
+ * the whole surrounding PE image is measured into it) this should be reasonably pre-calculatable,
+ * because it *only* consists of static data from the kernel PE image. */
+ TPM2_PCR_KERNEL_BOOT = 11,
+
+ /* systemd: This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
+ TPM2_PCR_KERNEL_CONFIG = 12,
+
+ /* systemd: This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
+ TPM2_PCR_SYSEXTS = 13,
+ TPM2_PCR_SHIM_POLICY = 14,
+
+ /* systemd: This TPM PCR is where we measure the root fs volume key (and maybe /var/'s) if it is split off */
+ TPM2_PCR_SYSTEM_IDENTITY = 15,
+
+ /* As per "TCG PC Client Specific Platform Firmware Profile Specification" again, see above */
+ TPM2_PCR_DEBUG = 16,
+ TPM2_PCR_APPLICATION_SUPPORT = 23,
+};
diff --git a/src/fundamental/tpm-pcr.c b/src/fundamental/uki.c
index 2f7e9b428d..ec37d74e03 100644
--- a/src/fundamental/tpm-pcr.c
+++ b/src/fundamental/uki.c
@@ -2,7 +2,7 @@
#include <stddef.h>
-#include "tpm-pcr.h"
+#include "uki.h"
const char* const unified_sections[_UNIFIED_SECTION_MAX + 1] = {
[UNIFIED_SECTION_LINUX] = ".linux",
diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/uki.h
index f8ed816894..ffa960f01b 100644
--- a/src/fundamental/tpm-pcr.h
+++ b/src/fundamental/uki.h
@@ -3,25 +3,8 @@
#include "macro-fundamental.h"
-/* The various TPM PCRs we measure into from sd-stub and sd-boot. */
-
-/* This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel ELF image,
- * embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given the whole
- * surrounding PE image is measured into it) this should be reasonably pre-calculatable, because it *only*
- * consists of static data from the kernel PE image. */
-#define TPM_PCR_INDEX_KERNEL_IMAGE 11U
-
-/* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
-#define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U
-
-/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
-#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U
-
-/* This TPM PCR is where we measure the root fs volume key (and maybe /var/'s) if it is split off */
-#define TPM_PCR_INDEX_VOLUME_KEY 15U
-
/* List of PE sections that have special meaning for us in unified kernels. This is the canonical order in
- * which we measure the sections into TPM PCR 11 (see above). PLEASE DO NOT REORDER! */
+ * which we measure the sections into TPM PCR 11. PLEASE DO NOT REORDER! */
typedef enum UnifiedSection {
UNIFIED_SECTION_LINUX,
UNIFIED_SECTION_OSREL,
diff --git a/src/partition/repart.c b/src/partition/repart.c
index aed17cc922..e403012e92 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -68,9 +68,9 @@
#include "string-util.h"
#include "strv.h"
#include "sync-util.h"
-#include "tmpfile-util.h"
#include "terminal-util.h"
-#include "tpm-pcr.h"
+#include "tmpfile-util.h"
+#include "tpm2-pcr.h"
#include "tpm2-util.h"
#include "user-util.h"
#include "utf8.h"
@@ -6837,7 +6837,7 @@ static int parse_argv(int argc, char *argv[]) {
"A path to a loopback file must be specified when --split is used.");
if (arg_tpm2_public_key_pcr_mask_use_default && arg_tpm2_public_key)
- arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM_PCR_INDEX_KERNEL_IMAGE);
+ arg_tpm2_public_key_pcr_mask = INDEX_TO_MASK(uint32_t, TPM2_PCR_KERNEL_BOOT);
if (arg_tpm2_hash_pcr_values_use_default && !GREEDY_REALLOC_APPEND(
arg_tpm2_hash_pcr_values,
diff --git a/src/shared/efi-loader.c b/src/shared/efi-loader.c
index e3ec91b877..7cbd69bfb0 100644
--- a/src/shared/efi-loader.c
+++ b/src/shared/efi-loader.c
@@ -7,7 +7,7 @@
#include "path-util.h"
#include "stat-util.h"
#include "strv.h"
-#include "tpm-pcr.h"
+#include "tpm2-pcr.h"
#include "utf8.h"
#if ENABLE_EFI
@@ -271,10 +271,10 @@ int efi_stub_measured(int log_level) {
if (r < 0)
return log_full_errno(log_level, r,
"Failed to parse StubPcrKernelImage EFI variable: %s", pcr_string);
- if (pcr_nr != TPM_PCR_INDEX_KERNEL_IMAGE)
+ if (pcr_nr != TPM2_PCR_KERNEL_BOOT)
return log_full_errno(log_level, SYNTHETIC_ERRNO(EREMOTE),
- "Kernel stub measured kernel image into PCR %u, which is different than expected %u.",
- pcr_nr, TPM_PCR_INDEX_KERNEL_IMAGE);
+ "Kernel stub measured kernel image into PCR %u, which is different than expected %i.",
+ pcr_nr, TPM2_PCR_KERNEL_BOOT);
return 1;
}
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 83070ab824..d77b95e59f 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -1737,7 +1737,7 @@ int tpm2_pcr_value_from_string(const char *arg, Tpm2PCRValue *ret_pcr_value) {
if (r < 1)
return log_error_errno(r, "Could not parse pcr value '%s': %m", p);
- r = pcr_index_from_string(index);
+ r = tpm2_pcr_index_from_string(index);
if (r < 0)
return log_error_errno(r, "Invalid pcr index '%s': %m", index);
pcr_value.index = (unsigned) r;
@@ -5036,25 +5036,25 @@ int tpm2_util_pbkdf2_hmac_sha256(const void *pass,
return 0;
}
-static const char* const pcr_index_table[_PCR_INDEX_MAX_DEFINED] = {
- [PCR_PLATFORM_CODE] = "platform-code",
- [PCR_PLATFORM_CONFIG] = "platform-config",
- [PCR_EXTERNAL_CODE] = "external-code",
- [PCR_EXTERNAL_CONFIG] = "external-config",
- [PCR_BOOT_LOADER_CODE] = "boot-loader-code",
- [PCR_BOOT_LOADER_CONFIG] = "boot-loader-config",
- [PCR_HOST_PLATFORM] = "host-platform",
- [PCR_SECURE_BOOT_POLICY] = "secure-boot-policy",
- [PCR_KERNEL_INITRD] = "kernel-initrd",
- [PCR_IMA] = "ima",
- [PCR_KERNEL_BOOT] = "kernel-boot",
- [PCR_KERNEL_CONFIG] = "kernel-config",
- [PCR_SYSEXTS] = "sysexts",
- [PCR_SHIM_POLICY] = "shim-policy",
- [PCR_SYSTEM_IDENTITY] = "system-identity",
- [PCR_DEBUG] = "debug",
- [PCR_APPLICATION_SUPPORT] = "application-support",
+static const char* const tpm2_pcr_index_table[_TPM2_PCR_INDEX_MAX_DEFINED] = {
+ [TPM2_PCR_PLATFORM_CODE] = "platform-code",
+ [TPM2_PCR_PLATFORM_CONFIG] = "platform-config",
+ [TPM2_PCR_EXTERNAL_CODE] = "external-code",
+ [TPM2_PCR_EXTERNAL_CONFIG] = "external-config",
+ [TPM2_PCR_BOOT_LOADER_CODE] = "boot-loader-code",
+ [TPM2_PCR_BOOT_LOADER_CONFIG] = "boot-loader-config",
+ [TPM2_PCR_HOST_PLATFORM] = "host-platform",
+ [TPM2_PCR_SECURE_BOOT_POLICY] = "secure-boot-policy",
+ [TPM2_PCR_KERNEL_INITRD] = "kernel-initrd",
+ [TPM2_PCR_IMA] = "ima",
+ [TPM2_PCR_KERNEL_BOOT] = "kernel-boot",
+ [TPM2_PCR_KERNEL_CONFIG] = "kernel-config",
+ [TPM2_PCR_SYSEXTS] = "sysexts",
+ [TPM2_PCR_SHIM_POLICY] = "shim-policy",
+ [TPM2_PCR_SYSTEM_IDENTITY] = "system-identity",
+ [TPM2_PCR_DEBUG] = "debug",
+ [TPM2_PCR_APPLICATION_SUPPORT] = "application-support",
};
-DEFINE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_FALLBACK(pcr_index, int, TPM2_PCRS_MAX - 1);
-DEFINE_STRING_TABLE_LOOKUP_TO_STRING(pcr_index, int);
+DEFINE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_FALLBACK(tpm2_pcr_index, int, TPM2_PCRS_MAX - 1);
+DEFINE_STRING_TABLE_LOOKUP_TO_STRING(tpm2_pcr_index, int);
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index 1db28bf034..73dec34b77 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -9,6 +9,7 @@
#include "macro.h"
#include "openssl-util.h"
#include "sha256.h"
+#include "tpm2-pcr.h"
typedef enum TPM2Flags {
TPM2_FLAGS_USE_PIN = 1 << 0,
@@ -18,6 +19,7 @@ typedef enum TPM2Flags {
* TPM2 on a Client PC must have at least 24 PCRs. This hardcodes our expectation of 24. */
#define TPM2_PCRS_MAX 24U
#define TPM2_PCRS_MASK ((UINT32_C(1) << TPM2_PCRS_MAX) - 1)
+
static inline bool TPM2_PCR_INDEX_VALID(unsigned pcr) {
return pcr < TPM2_PCRS_MAX;
}
@@ -306,34 +308,6 @@ typedef enum Tpm2Support {
TPM2_SUPPORT_FULL = TPM2_SUPPORT_FIRMWARE|TPM2_SUPPORT_DRIVER|TPM2_SUPPORT_SYSTEM|TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_LIBRARIES,
} Tpm2Support;
-enum {
- /* The following names for PCRs 0…7 are based on the names in the "TCG PC Client Specific Platform
- * Firmware Profile Specification"
- * (https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/) */
- PCR_PLATFORM_CODE = 0,
- PCR_PLATFORM_CONFIG = 1,
- PCR_EXTERNAL_CODE = 2,
- PCR_EXTERNAL_CONFIG = 3,
- PCR_BOOT_LOADER_CODE = 4,
- PCR_BOOT_LOADER_CONFIG = 5,
- PCR_HOST_PLATFORM = 6,
- PCR_SECURE_BOOT_POLICY = 7,
- /* The following names for PCRs 9…15 are based on the "Linux TPM PCR Registry"
- (https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) */
- PCR_KERNEL_INITRD = 9,
- PCR_IMA = 10,
- PCR_KERNEL_BOOT = 11,
- PCR_KERNEL_CONFIG = 12,
- PCR_SYSEXTS = 13,
- PCR_SHIM_POLICY = 14,
- PCR_SYSTEM_IDENTITY = 15,
- /* As per "TCG PC Client Specific Platform Firmware Profile Specification" again, see above */
- PCR_DEBUG = 16,
- PCR_APPLICATION_SUPPORT = 23,
- _PCR_INDEX_MAX_DEFINED = TPM2_PCRS_MAX,
- _PCR_INDEX_INVALID = -EINVAL,
-};
-
Tpm2Support tpm2_support(void);
int tpm2_parse_pcr_argument(const char *arg, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values);
@@ -349,5 +323,11 @@ int tpm2_util_pbkdf2_hmac_sha256(const void *pass,
size_t saltlen,
uint8_t res[static SHA256_DIGEST_SIZE]);
-int pcr_index_from_string(const char *s) _pure_;
-const char *pcr_index_to_string(int pcr) _const_;
+enum {
+ /* Additional defines for the PCR index naming enum from "fundamental/tpm2-pcr.h" */
+ _TPM2_PCR_INDEX_MAX_DEFINED = TPM2_PCRS_MAX,
+ _TPM2_PCR_INDEX_INVALID = -EINVAL,
+};
+
+int tpm2_pcr_index_from_string(const char *s) _pure_;
+const char *tpm2_pcr_index_to_string(int pcr) _const_;
diff --git a/src/test/test-tpm2.c b/src/test/test-tpm2.c
index 7e65396b14..e2c700896a 100644
--- a/src/test/test-tpm2.c
+++ b/src/test/test-tpm2.c
@@ -4,44 +4,44 @@
#include "tpm2-util.h"
#include "tests.h"
-TEST(pcr_index_from_string) {
- assert_se(pcr_index_from_string("platform-code") == 0);
- assert_se(pcr_index_from_string("0") == 0);
- assert_se(pcr_index_from_string("platform-config") == 1);
- assert_se(pcr_index_from_string("1") == 1);
- assert_se(pcr_index_from_string("external-code") == 2);
- assert_se(pcr_index_from_string("2") == 2);
- assert_se(pcr_index_from_string("external-config") == 3);
- assert_se(pcr_index_from_string("3") == 3);
- assert_se(pcr_index_from_string("boot-loader-code") == 4);
- assert_se(pcr_index_from_string("4") == 4);
- assert_se(pcr_index_from_string("boot-loader-config") == 5);
- assert_se(pcr_index_from_string("5") == 5);
- assert_se(pcr_index_from_string("secure-boot-policy") == 7);
- assert_se(pcr_index_from_string("7") == 7);
- assert_se(pcr_index_from_string("kernel-initrd") == 9);
- assert_se(pcr_index_from_string("9") == 9);
- assert_se(pcr_index_from_string("ima") == 10);
- assert_se(pcr_index_from_string("10") == 10);
- assert_se(pcr_index_from_string("kernel-boot") == 11);
- assert_se(pcr_index_from_string("11") == 11);
- assert_se(pcr_index_from_string("kernel-config") == 12);
- assert_se(pcr_index_from_string("12") == 12);
- assert_se(pcr_index_from_string("sysexts") == 13);
- assert_se(pcr_index_from_string("13") == 13);
- assert_se(pcr_index_from_string("shim-policy") == 14);
- assert_se(pcr_index_from_string("14") == 14);
- assert_se(pcr_index_from_string("system-identity") == 15);
- assert_se(pcr_index_from_string("15") == 15);
- assert_se(pcr_index_from_string("debug") == 16);
- assert_se(pcr_index_from_string("16") == 16);
- assert_se(pcr_index_from_string("application-support") == 23);
- assert_se(pcr_index_from_string("23") == 23);
- assert_se(pcr_index_from_string("hello") == -EINVAL);
- assert_se(pcr_index_from_string("8") == 8);
- assert_se(pcr_index_from_string("44") == -EINVAL);
- assert_se(pcr_index_from_string("-5") == -EINVAL);
- assert_se(pcr_index_from_string("24") == -EINVAL);
+TEST(tpm2_pcr_index_from_string) {
+ assert_se(tpm2_pcr_index_from_string("platform-code") == 0);
+ assert_se(tpm2_pcr_index_from_string("0") == 0);
+ assert_se(tpm2_pcr_index_from_string("platform-config") == 1);
+ assert_se(tpm2_pcr_index_from_string("1") == 1);
+ assert_se(tpm2_pcr_index_from_string("external-code") == 2);
+ assert_se(tpm2_pcr_index_from_string("2") == 2);
+ assert_se(tpm2_pcr_index_from_string("external-config") == 3);
+ assert_se(tpm2_pcr_index_from_string("3") == 3);
+ assert_se(tpm2_pcr_index_from_string("boot-loader-code") == 4);
+ assert_se(tpm2_pcr_index_from_string("4") == 4);
+ assert_se(tpm2_pcr_index_from_string("boot-loader-config") == 5);
+ assert_se(tpm2_pcr_index_from_string("5") == 5);
+ assert_se(tpm2_pcr_index_from_string("secure-boot-policy") == 7);
+ assert_se(tpm2_pcr_index_from_string("7") == 7);
+ assert_se(tpm2_pcr_index_from_string("kernel-initrd") == 9);
+ assert_se(tpm2_pcr_index_from_string("9") == 9);
+ assert_se(tpm2_pcr_index_from_string("ima") == 10);
+ assert_se(tpm2_pcr_index_from_string("10") == 10);
+ assert_se(tpm2_pcr_index_from_string("kernel-boot") == 11);
+ assert_se(tpm2_pcr_index_from_string("11") == 11);
+ assert_se(tpm2_pcr_index_from_string("kernel-config") == 12);
+ assert_se(tpm2_pcr_index_from_string("12") == 12);
+ assert_se(tpm2_pcr_index_from_string("sysexts") == 13);
+ assert_se(tpm2_pcr_index_from_string("13") == 13);
+ assert_se(tpm2_pcr_index_from_string("shim-policy") == 14);
+ assert_se(tpm2_pcr_index_from_string("14") == 14);
+ assert_se(tpm2_pcr_index_from_string("system-identity") == 15);
+ assert_se(tpm2_pcr_index_from_string("15") == 15);
+ assert_se(tpm2_pcr_index_from_string("debug") == 16);
+ assert_se(tpm2_pcr_index_from_string("16") == 16);
+ assert_se(tpm2_pcr_index_from_string("application-support") == 23);
+ assert_se(tpm2_pcr_index_from_string("23") == 23);
+ assert_se(tpm2_pcr_index_from_string("hello") == -EINVAL);
+ assert_se(tpm2_pcr_index_from_string("8") == 8);
+ assert_se(tpm2_pcr_index_from_string("44") == -EINVAL);
+ assert_se(tpm2_pcr_index_from_string("-5") == -EINVAL);
+ assert_se(tpm2_pcr_index_from_string("24") == -EINVAL);
}
TEST(tpm2_util_pbkdf2_hmac_sha256) {
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-02 03:48:52 +0100