author | Luca Boccassi <bluca@debian.org> | 2023-08-28 18:43:10 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-28 18:43:10 +0200 |
commit | cd4ed8579b436656295ef36b02f071b3904da722 (patch) | |
tree | 29cf58682590f4b7dc74362f64aba3fad870d7a6 /src/fundamental | |
parent | Merge pull request #28916 from ddstreet/tpm2_pcr_value_post_merge (diff) | |
parent | fundamental: rename tpm-pcr.h → tpm2-pcr.h (diff) | |
Merge pull request #28948 from poettering/tpm2-duplicate-pcr-names
tpm2: unify tpm2 PCR symbolic identifiers
Diffstat (limited to 'src/fundamental')
-rw-r--r-- | src/fundamental/meson.build | 2 | ||||
-rw-r--r-- | src/fundamental/tpm2-pcr.h | 45 | ||||
-rw-r--r-- | src/fundamental/uki.c (renamed from src/fundamental/tpm-pcr.c) | 2 | ||||
-rw-r--r-- | src/fundamental/uki.h (renamed from src/fundamental/tpm-pcr.h) | 19 |
4 files changed, 48 insertions, 20 deletions
diff --git a/src/fundamental/meson.build b/src/fundamental/meson.build
index a55a5faa53..b7ca6cf10e 100644
--- a/src/fundamental/meson.build
+++ b/src/fundamental/meson.build
@@ -7,5 +7,5 @@ fundamental_sources = files(
 'efivars-fundamental.c',
 'sha256.c',
 'string-util-fundamental.c',
- 'tpm-pcr.c',
+ 'uki.c',
 )
diff --git a/src/fundamental/tpm2-pcr.h b/src/fundamental/tpm2-pcr.h
new file mode 100644
index 0000000000..57befdf83b
--- /dev/null
+++ b/src/fundamental/tpm2-pcr.h
@@ -0,0 +1,45 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include "macro-fundamental.h"
+
+/* The various TPM PCRs we measure into from sd-stub and sd-boot. */
+
+enum {
+ /* The following names for PCRs 0…7 are based on the names in the "TCG PC Client Specific Platform
+ * Firmware Profile Specification"
+ * (https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/) */
+ TPM2_PCR_PLATFORM_CODE = 0,
+ TPM2_PCR_PLATFORM_CONFIG = 1,
+ TPM2_PCR_EXTERNAL_CODE = 2,
+ TPM2_PCR_EXTERNAL_CONFIG = 3,
+ TPM2_PCR_BOOT_LOADER_CODE = 4,
+ TPM2_PCR_BOOT_LOADER_CONFIG = 5,
+ TPM2_PCR_HOST_PLATFORM = 6,
+ TPM2_PCR_SECURE_BOOT_POLICY = 7,
+
+ /* The following names for PCRs 9…15 are based on the "Linux TPM PCR Registry"
+ (https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) */
+ TPM2_PCR_KERNEL_INITRD = 9,
+ TPM2_PCR_IMA = 10,
+
+ /* systemd: This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel
+ * ELF image, embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given
+ * the whole surrounding PE image is measured into it) this should be reasonably pre-calculatable,
+ * because it *only* consists of static data from the kernel PE image. */
+ TPM2_PCR_KERNEL_BOOT = 11,
+
+ /* systemd: This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
+ TPM2_PCR_KERNEL_CONFIG = 12,
+
+ /* systemd: This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
+ TPM2_PCR_SYSEXTS = 13,
+ TPM2_PCR_SHIM_POLICY = 14,
+
+ /* systemd: This TPM PCR is where we measure the root fs volume key (and maybe /var/'s) if it is split off */
+ TPM2_PCR_SYSTEM_IDENTITY = 15,
+
+ /* As per "TCG PC Client Specific Platform Firmware Profile Specification" again, see above */
+ TPM2_PCR_DEBUG = 16,
+ TPM2_PCR_APPLICATION_SUPPORT = 23,
+};
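Review bot: The continuation line of the "PCRs 9…15" comment, `+ (https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) */`, lacks the leading ` * ` that every other multi-line comment in this header uses; ` * (https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) */` would make it consistent with the "PCRs 0…7" block directly above. TPM2_PCR_KERNEL_INITRD, TPM2_PCR_IMA and TPM2_PCR_SHIM_POLICY are the only members without a description, and they sit between comments that all begin with "systemd:", so a reader cannot tell from this header which PCRs sd-stub/sd-boot extend into themselves and which are merely named for reference; a one-line comment on each, e.g. `/* Named per the Linux TPM PCR Registry (see above); not extended by sd-stub/sd-boot itself */` on TPM2_PCR_SHIM_POLICY, would settle that — if that is indeed the intent, which this hunk alone does not show. The header comment also says these PCRs are "measured into from sd-stub and sd-boot" while the list now includes PCRs 0…7, 16 and 23 that firmware owns; rewording it to `/* The various TPM PCRs we measure into from sd-stub and sd-boot, plus the firmware-owned ones we refer to by name. */` would keep the opening sentence accurate.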
diff --git a/src/fundamental/tpm-pcr.c b/src/fundamental/uki.c
index 2f7e9b428d..ec37d74e03 100644
--- a/src/fundamental/tpm-pcr.c
+++ b/src/fundamental/uki.c
@@ -2,7 +2,7 @@
 #include <stddef.h>
-#include "tpm-pcr.h"
+#include "uki.h"
 const char* const unified_sections[_UNIFIED_SECTION_MAX + 1] = {
 [UNIFIED_SECTION_LINUX] = ".linux",
diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/uki.h
index f8ed816894..ffa960f01b 100644
--- a/src/fundamental/tpm-pcr.h
+++ b/src/fundamental/uki.h
@@ -3,25 +3,8 @@
 #include "macro-fundamental.h"
-/* The various TPM PCRs we measure into from sd-stub and sd-boot. */
-
-/* This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel ELF image,
- * embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given the whole
- * surrounding PE image is measured into it) this should be reasonably pre-calculatable, because it *only*
- * consists of static data from the kernel PE image. */
-#define TPM_PCR_INDEX_KERNEL_IMAGE 11U
-
-/* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
-#define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U
-
-/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
-#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U
-
-/* This TPM PCR is where we measure the root fs volume key (and maybe /var/'s) if it is split off */
-#define TPM_PCR_INDEX_VOLUME_KEY 15U
-
 /* List of PE sections that have special meaning for us in unified kernels. This is the canonical order in
- * which we measure the sections into TPM PCR 11 (see above). PLEASE DO NOT REORDER! */
+ * which we measure the sections into TPM PCR 11. PLEASE DO NOT REORDER! */
 typedef enum UnifiedSection {
 UNIFIED_SECTION_LINUX,
 UNIFIED_SECTION_OSREL,