From 35a956580838cbef69b654824182fa5e76182ba860af094aaab638c9404aca75 Mon Sep 17 00:00:00 2001
From: Alberto Planas Dominguez <aplanas@suse.com>
Date: Thu, 14 Mar 2024 17:32:29 +0000
Subject: [PATCH] Accepting request 1158064 from
 home:aplanas:branches:Base:System

Update GRUB BLS logic

OBS-URL: https://build.opensuse.org/request/show/1158064
OBS-URL: https://build.opensuse.org/package/show/Base:System/pcr-oracle?expand=0&rev=28
---
 fix_grub_bls_entry.patch | 116 +++++++++++++++++++++++++++++----------
 1 file changed, 87 insertions(+), 29 deletions(-)

diff --git a/fix_grub_bls_entry.patch b/fix_grub_bls_entry.patch
index be95519..e22fc98 100644
--- a/fix_grub_bls_entry.patch
+++ b/fix_grub_bls_entry.patch
@@ -1,20 +1,23 @@
-From 3083803b5a8a445bf93d74e908b7d8568d092cf3 Mon Sep 17 00:00:00 2001
+From b0c4c5fbdcc89b44cee2300c5a12cb5e8de0e446 Mon Sep 17 00:00:00 2001
 From: Alberto Planas <aplanas@suse.com>
 Date: Wed, 13 Mar 2024 22:57:17 +0100
 Subject: [PATCH] GRUB with BLS measure boot entries
 
+This includes the boot entry file, the kernel and the initrd specified
+in the entry file.
+
 Signed-off-by: Alberto Planas <aplanas@suse.com>
 ---
- src/eventlog.c | 11 +++++++++--
- src/eventlog.h |  2 ++
- src/oracle.c   |  9 ++++++---
- src/sd-boot.c  |  9 +++++++++
- src/sd-boot.h  |  1 +
+ src/eventlog.c | 21 +++++++++++++++++++--
+ src/eventlog.h |  1 +
+ src/oracle.c   | 12 +++++++++---
+ src/sd-boot.c  | 28 ++++++++++++++++++++++++----
+ src/sd-boot.h  |  2 ++
  src/uapi.h     |  3 ++-
- 6 files changed, 29 insertions(+), 6 deletions(-)
+ 6 files changed, 57 insertions(+), 10 deletions(-)
 
 diff --git a/src/eventlog.c b/src/eventlog.c
-index 3574a4d..b7b4205 100644
+index 3574a4d..db18f41 100644
 --- a/src/eventlog.c
 +++ b/src/eventlog.c
 @@ -33,6 +33,7 @@
@@ -25,16 +28,26 @@ index 3574a4d..b7b4205 100644
  
  #define TPM_EVENT_LOG_MAX_ALGOS		64
  
-@@ -582,8 +583,14 @@ __tpm_event_grub_file_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pa
+@@ -582,8 +583,24 @@ __tpm_event_grub_file_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pa
  		debug("  assuming the file resides on system partition\n");
  		md = runtime_digest_rootfs_file(ctx->algo, evspec->path);
  	} else {
 -		debug("  assuming the file resides on EFI boot partition\n");
 -		md = runtime_digest_efi_file(ctx->algo, evspec->path);
-+		if (sdb_is_boot_entry(evspec->path) && ctx->boot_entry) {
++		if (sdb_is_boot_entry(evspec->path) && ctx->boot_entry_path) {
 +			debug("  getting different boot entry file from EFI boot partition: %s\n",
 +			      ctx->boot_entry_path);
 +			md = runtime_digest_rootfs_file(ctx->algo, ctx->boot_entry_path);
++		} else
++		if (sdb_is_kernel(evspec->path) && ctx->boot_entry) {
++			debug("  getting different kernel from EFI boot partition: %s\n",
++			      ctx->boot_entry->image_path);
++			md = runtime_digest_efi_file(ctx->algo, ctx->boot_entry->image_path);
++		} else
++		if (sdb_is_initrd(evspec->path) && ctx->boot_entry) {
++			debug("  getting different initrd from EFI boot partition: %s\n",
++			      ctx->boot_entry->initrd_path);
++			md = runtime_digest_efi_file(ctx->algo, ctx->boot_entry->initrd_path);
 +		} else {
 +			debug("  assuming the file resides on EFI boot partition\n");
 +			md = runtime_digest_efi_file(ctx->algo, evspec->path);
@@ -43,30 +56,38 @@ index 3574a4d..b7b4205 100644
  
  	return md;
 diff --git a/src/eventlog.h b/src/eventlog.h
-index 8af5eb0..b471031 100644
+index 8af5eb0..d142744 100644
 --- a/src/eventlog.h
 +++ b/src/eventlog.h
-@@ -21,6 +21,7 @@
- #ifndef EVENTLOG_H
- #define EVENTLOG_H
- 
-+#include <limits.h>
- #include "types.h"
- 
- typedef struct tpm_event {
-@@ -202,6 +203,7 @@ typedef struct tpm_event_log_rehash_ctx {
+@@ -202,6 +202,7 @@ typedef struct tpm_event_log_rehash_ctx {
  	const pecoff_image_info_t *next_stage_img;
  
  	/* This get set when the user specifies --next-kernel */
-+	char			boot_entry_path[PATH_MAX];
++	char *			boot_entry_path;
  	uapi_boot_entry_t *	boot_entry;
  } tpm_event_log_rehash_ctx_t;
  
 diff --git a/src/oracle.c b/src/oracle.c
-index 0afd910..155ec59 100644
+index 0afd910..ac48823 100644
 --- a/src/oracle.c
 +++ b/src/oracle.c
-@@ -663,9 +663,12 @@ predictor_update_eventlog(struct predictor *pred)
+@@ -23,6 +23,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <limits.h>
+ 
+ #include "oracle.h"
+ #include "util.h"
+@@ -653,6 +654,7 @@ predictor_update_eventlog(struct predictor *pred)
+ 	tpm_event_log_rehash_ctx_t rehash_ctx;
+ 	tpm_event_t *ev, *stop_event = NULL;
+ 	bool okay = true;
++	char boot_entry_path[PATH_MAX];
+ 
+ 	predictor_pre_scan_eventlog(pred, &stop_event);
+ 
+@@ -663,9 +665,13 @@ predictor_update_eventlog(struct predictor *pred)
  	 * systemd ID of the next kernel entry to be booted.
  	 * FIXME: we should probably hide this behind a target_platform function.
  	 */
@@ -74,8 +95,9 @@ index 0afd910..155ec59 100644
 -	 && !(rehash_ctx.boot_entry = sdb_identify_boot_entry(pred->boot_entry_id)))
 -		fatal("unable to identify next kernel \"%s\"\n", pred->boot_entry_id);
 +	if (pred->boot_entry_id != NULL) {
-+		snprintf(rehash_ctx.boot_entry_path, sizeof(rehash_ctx.boot_entry_path),
++		snprintf(boot_entry_path, sizeof(boot_entry_path),
 +			 "%s/%s", UAPI_BOOT_DIRECTORY, pred->boot_entry_id);
++		assign_string(&rehash_ctx.boot_entry_path, boot_entry_path);
 +		if (!(rehash_ctx.boot_entry = sdb_identify_boot_entry(pred->boot_entry_id)))
 +			fatal("unable to identify next kernel \"%s\"\n", pred->boot_entry_id);
 +	}
@@ -83,13 +105,47 @@ index 0afd910..155ec59 100644
  	for (ev = pred->event_log; ev; ev = ev->next) {
  		tpm_evdigest_t *pcr;
 diff --git a/src/sd-boot.c b/src/sd-boot.c
-index ede2569..4c3a692 100644
+index ede2569..a16f814 100644
 --- a/src/sd-boot.c
 +++ b/src/sd-boot.c
-@@ -160,6 +160,15 @@ sdb_is_kernel(const char *application)
+@@ -130,10 +130,9 @@ get_valid_kernel_entry_tokens(void)
+ /*
+  * This should probably use UAPI boot entry logic as well
+  */
+-bool
+-sdb_is_kernel(const char *application)
++static bool
++is_valid_entry_token(const char *application, const char *prefix)
+ {
+-	static const char prefix[] = "linux-";
+ 	const uapi_kernel_entry_tokens_t *match;
+ 	char *path_copy;
+ 	int found = 0;
+@@ -151,7 +150,7 @@ sdb_is_kernel(const char *application)
+ 
+ 			if (!strcmp(ptr, token))
+ 				found |= 1;
+-			else if (!strncmp(ptr, prefix, sizeof(prefix) - 1))
++			else if (!strncmp(ptr, prefix, strlen(prefix)))
+ 				found |= 2;
+ 		}
+ 	}
+@@ -160,6 +159,27 @@ sdb_is_kernel(const char *application)
  	return (found == 3);
  }
  
++bool
++sdb_is_kernel(const char *application)
++{
++	return is_valid_entry_token(application, "linux-");
++}
++
++bool
++sdb_is_initrd(const char *application)
++{
++	return is_valid_entry_token(application, "initrd-");
++}
++
 +bool
 +sdb_is_boot_entry(const char *application)
 +{
@@ -103,14 +159,16 @@ index ede2569..4c3a692 100644
   * Identify the next kernel and initrd given an ID
   */
 diff --git a/src/sd-boot.h b/src/sd-boot.h
-index 0472320..ca1be6f 100644
+index 0472320..ceab13d 100644
 --- a/src/sd-boot.h
 +++ b/src/sd-boot.h
-@@ -44,6 +44,7 @@ typedef struct sdb_entry_list {
+@@ -43,7 +43,9 @@ typedef struct sdb_entry_list {
+ } sdb_entry_list_t;
  
  extern uapi_boot_entry_t *	sdb_identify_boot_entry(const char *id);
- extern bool			sdb_is_kernel(const char *application);
 +extern bool			sdb_is_boot_entry(const char *application);
+ extern bool			sdb_is_kernel(const char *application);
++extern bool			sdb_is_initrd(const char *application);
  
  /* This will have to update the systemd json file, and add a new entry. */
  extern bool			sdb_policy_file_add_entry(const char *filename,