pcr-oracle/fix_efi_measure_and_shim.patch

413 lines
14 KiB
Diff
Raw Normal View History

From 9489d98463a596ec8e4ba9f1f4a2b2af91c0968b Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Wed, 10 Jan 2024 15:32:07 +0100
Subject: [PATCH 1/8] Print the measured kernel
The debug output can be missleading, as print information about the
current event log, but not about the measured element, that can be
different as in the kernel case.
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
src/efi-application.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/efi-application.c b/src/efi-application.c
index 3e80083..2fd33ec 100644
--- a/src/efi-application.c
+++ b/src/efi-application.c
@@ -292,6 +292,12 @@ __tpm_event_efi_bsa_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
/* The next boot can have a different kernel */
if (sdb_is_kernel(evspec->efi_application) && ctx->boot_entry) {
+ /* TODO: the parsed data type did not change, so all
+ * the description correspond to the current event
+ * log, and not the asset that has been measured. The
+ * debug output can then be missleading.
+ */
+ debug("Measuring %s\n", ctx->boot_entry->image_path);
new_application = ctx->boot_entry->image_path;
if (new_application) {
evspec_clone = *evspec;
From d8d97a3c233e326e0b1836b77fa08f483ea8f410 Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Wed, 10 Jan 2024 15:51:45 +0100
Subject: [PATCH 2/8] Rename variable to cmdline
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
src/eventlog.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/eventlog.c b/src/eventlog.c
index 4277d42..377f4d6 100644
--- a/src/eventlog.c
+++ b/src/eventlog.c
@@ -790,8 +790,8 @@ static const tpm_evdigest_t *
__tpm_event_systemd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *parsed, tpm_event_log_rehash_ctx_t *ctx)
{
const uapi_boot_entry_t *boot_entry = ctx->boot_entry;
- char initrd[2048];
- char initrd_utf16[4096];
+ char cmdline[2048];
+ char cmdline_utf16[4096];
unsigned int len;
/* If no --next-kernel option was given, do not rehash anything */
@@ -804,15 +804,16 @@ __tpm_event_systemd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
}
debug("Next boot entry expected from: %s %s\n", boot_entry->title, boot_entry->version? : "");
- snprintf(initrd, sizeof(initrd), "initrd=%s %s",
+ snprintf(cmdline, sizeof(cmdline), "initrd=%s %s",
path_unix2dos(boot_entry->initrd_path),
boot_entry->options? : "");
+ debug("Measuring Kernel command line: %s\n", cmdline);
- len = (strlen(initrd) + 1) << 1;
- assert(len <= sizeof(initrd_utf16));
- __convert_to_utf16le(initrd, strlen(initrd) + 1, initrd_utf16, len);
+ len = (strlen(cmdline) + 1) << 1;
+ assert(len <= sizeof(cmdline_utf16));
+ __convert_to_utf16le(cmdline, strlen(cmdline) + 1, cmdline_utf16, len);
- return digest_compute(ctx->algo, initrd_utf16, len);
+ return digest_compute(ctx->algo, cmdline_utf16, len);
}
/*
From 4f8e3f4760ff7fe97df1e6af569d049e30f3ee06 Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Wed, 10 Jan 2024 15:55:41 +0100
Subject: [PATCH 3/8] Add debug output for initrd
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
src/eventlog.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/eventlog.c b/src/eventlog.c
index 377f4d6..3574a4d 100644
--- a/src/eventlog.c
+++ b/src/eventlog.c
@@ -877,6 +877,7 @@ __tpm_event_tag_initrd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *p
}
debug("Next boot entry expected from: %s %s\n", boot_entry->title, boot_entry->version? : "");
+ debug("Measuring initrd: %s\n", boot_entry->initrd_path);
return runtime_digest_efi_file(ctx->algo, boot_entry->initrd_path);
}
From 90ee8dab9d972b741bc0c27a04a872afbecdef82 Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Wed, 10 Jan 2024 18:54:04 +0100
Subject: [PATCH 4/8] Add debug output during extension
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
src/oracle.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/oracle.c b/src/oracle.c
index 1cafafc..0afd910 100644
--- a/src/oracle.c
+++ b/src/oracle.c
@@ -366,6 +366,7 @@ pcr_bank_extend_register(tpm_pcr_bank_t *bank, unsigned int pcr_index, const tpm
static void
predictor_extend_hash(struct predictor *pred, unsigned int pcr_index, const tpm_evdigest_t *d)
{
+ debug("Extend PCR#%d: %s\n", pcr_index, digest_print(d));
pcr_bank_extend_register(&pred->prediction, pcr_index, d);
}
From 5133fe6f3c00a41aee362a51621a278dd472497e Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Thu, 11 Jan 2024 14:09:03 +0100
Subject: [PATCH 5/8] Update the EFI image info before rehash
If the new EFI image is in a new place, the image information stored in
the parsed event should be updated, so the rehash will use this
information instead of the one from the event log.
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
src/efi-application.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/efi-application.c b/src/efi-application.c
index 2fd33ec..842bca6 100644
--- a/src/efi-application.c
+++ b/src/efi-application.c
@@ -40,7 +40,7 @@
*/
static const tpm_evdigest_t * __tpm_event_efi_bsa_rehash(const tpm_event_t *, const tpm_parsed_event_t *, tpm_event_log_rehash_ctx_t *);
static bool __tpm_event_efi_bsa_extract_location(tpm_parsed_event_t *parsed);
-static bool __tpm_event_efi_bsa_inspect_image(tpm_parsed_event_t *parsed);
+static bool __tpm_event_efi_bsa_inspect_image(struct efi_bsa_event *evspec);
static void
__tpm_event_efi_bsa_destroy(tpm_parsed_event_t *parsed)
@@ -111,7 +111,7 @@ __tpm_event_parse_efi_bsa(tpm_event_t *ev, tpm_parsed_event_t *parsed, buffer_t
assign_string(&ctx->efi_partition, evspec->efi_partition);
else
assign_string(&evspec->efi_partition, ctx->efi_partition);
- __tpm_event_efi_bsa_inspect_image(parsed);
+ __tpm_event_efi_bsa_inspect_image(evspec);
}
return true;
@@ -150,9 +150,8 @@ __tpm_event_efi_bsa_extract_location(tpm_parsed_event_t *parsed)
}
static bool
-__tpm_event_efi_bsa_inspect_image(tpm_parsed_event_t *parsed)
+__tpm_event_efi_bsa_inspect_image(struct efi_bsa_event *evspec)
{
- struct efi_bsa_event *evspec = &parsed->efi_bsa_event;
char path[PATH_MAX];
const char *display_name;
buffer_t *img_data;
@@ -302,6 +301,7 @@ __tpm_event_efi_bsa_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
if (new_application) {
evspec_clone = *evspec;
evspec_clone.efi_application = strdup(new_application);
+ __tpm_event_efi_bsa_inspect_image(&evspec_clone);
evspec = &evspec_clone;
}
}
From 93cbe02ca05297c638b1ac7f32b3da3a6cd2f684 Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Thu, 11 Jan 2024 14:35:07 +0100
Subject: [PATCH 6/8] Bump version to 0.5.5
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
configure | 2 +-
microconf/version | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/configure b/configure
index 1dccbdc..854cc0a 100755
--- a/configure
+++ b/configure
@@ -12,7 +12,7 @@
# Invoke with --help for a description of options
#
# microconf:begin
-# version 0.5.4
+# version 0.5.5
# require libtss2
# require json
# disable debug-authenticode
diff --git a/microconf/version b/microconf/version
index 7e913d9..591473f 100644
--- a/microconf/version
+++ b/microconf/version
@@ -1 +1 @@
-uc_version=0.5.4
+uc_version=0.5.5
From e622620a8de5eaf499265adf6c5e8d2ecdaa295b Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Mon, 26 Feb 2024 13:34:13 +0100
Subject: [PATCH 7/8] Add secure boot detector
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
Makefile.in | 3 ++-
src/eventlog.h | 2 ++
src/secure_boot.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 src/secure_boot.c
diff --git a/Makefile.in b/Makefile.in
index 02a915b..9698253 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -34,7 +34,8 @@ ORACLE_SRCS = oracle.c \
store.c \
util.c \
sd-boot.c \
- uapi.c
+ uapi.c \
+ secure_boot.c
ORACLE_OBJS = $(addprefix build/,$(patsubst %.c,%.o,$(ORACLE_SRCS)))
all: $(TOOLS) $(MANPAGES)
diff --git a/src/eventlog.h b/src/eventlog.h
index 3741b58..8af5eb0 100644
--- a/src/eventlog.h
+++ b/src/eventlog.h
@@ -323,4 +323,6 @@ extern bool shim_variable_name_valid(const char *name);
extern const char * shim_variable_get_rtname(const char *name);
extern const char * shim_variable_get_full_rtname(const char *name);
+extern bool secure_boot_enabled();
+
#endif /* EVENTLOG_H */
diff --git a/src/secure_boot.c b/src/secure_boot.c
new file mode 100644
index 0000000..215baa6
--- /dev/null
+++ b/src/secure_boot.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2023 SUSE LLC
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ * Written by Alberto Planas <aplanas@suse.com>
+ */
+
+#include <stdio.h>
+#include "bufparser.h"
+#include "runtime.h"
+
+#define SECURE_BOOT_EFIVAR_NAME "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
+
+
+bool
+secure_boot_enabled()
+{
+ buffer_t *data;
+ uint8_t enabled;
+
+ data = runtime_read_efi_variable(SECURE_BOOT_EFIVAR_NAME);
+ if (data == NULL) {
+ return false;
+ }
+
+ if (!buffer_get_u8(data, &enabled)) {
+ return false;
+ }
+
+ return enabled == 1;
+}
From 211502ec5cac7e252f8af251ee34872f7adae9ca Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com>
Date: Mon, 26 Feb 2024 14:52:37 +0100
Subject: [PATCH 8/8] Detect when device path is missing for kernel
Signed-off-by: Alberto Planas <aplanas@suse.com>
---
src/efi-application.c | 48 ++++++++++++++++++++++++++++++++++++++++---
src/sd-boot.c | 3 +++
2 files changed, 48 insertions(+), 3 deletions(-)
diff --git a/src/efi-application.c b/src/efi-application.c
index 842bca6..1f434fc 100644
--- a/src/efi-application.c
+++ b/src/efi-application.c
@@ -42,6 +42,8 @@ static const tpm_evdigest_t * __tpm_event_efi_bsa_rehash(const tpm_event_t *, co
static bool __tpm_event_efi_bsa_extract_location(tpm_parsed_event_t *parsed);
static bool __tpm_event_efi_bsa_inspect_image(struct efi_bsa_event *evspec);
+static bool __is_shim_issue(const tpm_event_t *ev, const struct efi_bsa_event *evspec);
+
static void
__tpm_event_efi_bsa_destroy(tpm_parsed_event_t *parsed)
{
@@ -114,6 +116,15 @@ __tpm_event_parse_efi_bsa(tpm_event_t *ev, tpm_parsed_event_t *parsed, buffer_t
__tpm_event_efi_bsa_inspect_image(evspec);
}
+ /* When the shim issue is present the efi_application will be
+ * empty. The binary path will be reconstructed with the
+ * --next-kernel parameter, but to generate the full path the
+ * `efi_partition` is needed.
+ */
+ if (__is_shim_issue(ev, evspec))
+ assign_string(&evspec->efi_partition, ctx->efi_partition);
+
+
return true;
}
@@ -273,6 +284,31 @@ efi_application_extract_signer(const tpm_parsed_event_t *parsed)
return authenticode_get_signer(evspec->img_info);
}
+static bool __is_shim_issue(const tpm_event_t *ev, const struct efi_bsa_event *evspec)
+{
+ /* When secure boot is enabled and shim is installed,
+ * systemd-boot installs some security overrides that will
+ * delegate into shim (via shim_validate from systemd-boot)
+ * the validation of the kernel signature.
+ *
+ * The shim_validate function receives the device path from
+ * the firmware, and is used to load the kernel into memory.
+ * At the end call shim_verify from shim, but pass only the
+ * buffer with the loaded image.
+ *
+ * The net result is that the event log
+ * EV_EFI_BOOT_SERVICES_APPLICATION registered by shim_verify
+ * will not contain the device path that pcr-oracle requires
+ * to rehash the binary.
+ *
+ * So far only the kernel is presenting this issue (when
+ * systemd-boot is used, GRUB2 needs to be evaluated), so this
+ * can be detected if there is an event registered in PCR 4
+ * without path.
+ */
+ return (secure_boot_enabled() && ev->pcr_index == 4 && !evspec->efi_application);
+}
+
static const tpm_evdigest_t *
__tpm_event_efi_bsa_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *parsed, tpm_event_log_rehash_ctx_t *ctx)
{
@@ -284,13 +320,19 @@ __tpm_event_efi_bsa_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
* We're not yet prepared to handle these, so we hope the user doesn't mess with them, and
* return the original digest from the event log.
*/
- if (!evspec->efi_application) {
- debug("Unable to locate boot service application - probably not a file\n");
+ if (!evspec->efi_application && !(__is_shim_issue(ev, evspec) && ctx->boot_entry)) {
+ if (__is_shim_issue(ev, evspec) && !ctx->boot_entry)
+ debug("Unable to locate boot service application - missing device path because shim issue");
+ else
+ debug("Unable to locate boot service application - probably not a file\n");
return tpm_event_get_digest(ev, ctx->algo);
}
/* The next boot can have a different kernel */
- if (sdb_is_kernel(evspec->efi_application) && ctx->boot_entry) {
+ if ((sdb_is_kernel(evspec->efi_application) || __is_shim_issue(ev, evspec)) && ctx->boot_entry) {
+ if (__is_shim_issue(ev, evspec))
+ debug("Empty device path for the kernel - building one based on next kernel\n");
+
/* TODO: the parsed data type did not change, so all
* the description correspond to the current event
* log, and not the asset that has been measured. The
diff --git a/src/sd-boot.c b/src/sd-boot.c
index cbdaa49..ede2569 100644
--- a/src/sd-boot.c
+++ b/src/sd-boot.c
@@ -138,6 +138,9 @@ sdb_is_kernel(const char *application)
char *path_copy;
int found = 0;
+ if (!application)
+ return false;
+
match = get_valid_kernel_entry_tokens();
path_copy = strdup(application);