author | Lennart Poettering <lennart@poettering.net> | 2023-07-07 21:45:54 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2023-08-30 12:59:34 +0200 |
commit | cb19bdaebf3ceeb2d7e3e0347b285cd8eda1bf13 (patch) | |
tree | 2321fec40e391545d5bbb851a05b72298c99a1f6 /src/shared/tpm2-util.h | |
parent | Merge pull request #29013 from yuwata/sd-dhcp-client-ensure-iaid-and-duid (diff) | |
download | systemd-cb19bdaebf3ceeb2d7e3e0347b285cd8eda1bf13.tar.xz systemd-cb19bdaebf3ceeb2d7e3e0347b285cd8eda1bf13.zip |
tpm2: whenever we measure, also write a tpm log record
Previously we only logged our measurements to the journal. This is not a
great solution though, since regular logs are subject to rotation, which
is something we really cannot have for measurements (as it means we can
never reproduce the PCR values from the data). Hence, let's maintain an
explicit log.
Ideally, we'd just use the TCG Canonical Event Log format 1:1
(https://trustedcomputinggroup.org/resource/canonical-event-log-format/).
However it's not a perfect fit for us, for various reasons. But let's
follow it (in its JSON incantation) as closely as it makes sense, so
that it can easily be converted to the full format by programs consuming
it.
Code comments explain where we deviate from the TCG CEL-JSON, and what
to do about it when reading the data.
Diffstat (limited to '')
-rw-r--r-- | src/shared/tpm2-util.h | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h index 73dec34b77..35bcd62759 100644 --- a/src/shared/tpm2-util.h +++ b/src/shared/tpm2-util.h @@ -112,7 +112,21 @@ int tpm2_get_good_pcr_banks(Tpm2Context *c, uint32_t pcr_mask, TPMI_ALG_HASH **r int tpm2_get_good_pcr_banks_strv(Tpm2Context *c, uint32_t pcr_mask, char ***ret); int tpm2_get_best_pcr_bank(Tpm2Context *c, uint32_t pcr_mask, TPMI_ALG_HASH *ret); -int tpm2_extend_bytes(Tpm2Context *c, char **banks, unsigned pcr_index, const void *data, size_t data_size, const void *secret, size_t secret_size); +const char *tpm2_userspace_log_path(void); + +typedef enum Tpm2UserspaceEventType { + TPM2_EVENT_PHASE, + TPM2_EVENT_FILESYSTEM, + TPM2_EVENT_VOLUME_KEY, + TPM2_EVENT_MACHINE_ID, + _TPM2_USERSPACE_EVENT_TYPE_MAX, + _TPM2_USERSPACE_EVENT_TYPE_INVALID = -EINVAL, +} Tpm2UserspaceEventType; + +const char* tpm2_userspace_event_type_to_string(Tpm2UserspaceEventType type) _const_; +Tpm2UserspaceEventType tpm2_userspace_event_type_from_string(const char *s) _pure_; + +int tpm2_extend_bytes(Tpm2Context *c, char **banks, unsigned pcr_index, const void *data, size_t data_size, const void *secret, size_t secret_size, Tpm2UserspaceEventType event, const char *description); uint32_t tpm2_tpms_pcr_selection_to_mask(const TPMS_PCR_SELECTION *s); void tpm2_tpms_pcr_selection_from_mask(uint32_t mask, TPMI_ALG_HASH hash, TPMS_PCR_SELECTION *ret); |
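Review bot: the new `event` and `description` parameters of `tpm2_extend_bytes` are undocumented in the header; a short comment on the declaration stating whether `description` may be NULL, that `event` must be a valid `Tpm2UserspaceEventType` (not `_TPM2_USERSPACE_EVENT_TYPE_INVALID`), and, now that the function also writes a log record, that the `secret`/`secret_size` input is never included in that record (only the extended data, or its digest, is what a reader needs to reproduce the PCR values) would make the contract clear to callers and reviewers. Since the diffstat is limited to this header, every existing caller of `tpm2_extend_bytes` must be updated for the new signature in the same change, otherwise the build breaks.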