pool/pcr-oracle
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1158064 from home:aplanas:branches:Base:System

Browse Source 
Update GRUB BLS logic

OBS-URL: https://build.opensuse.org/request/show/1158064
OBS-URL: https://build.opensuse.org/package/show/Base:System/pcr-oracle?expand=0&rev=28
This commit is contained in:
Alberto Planas 2024-03-14 17:32:29 +00:00 committed by Git OBS Bridge
parent b1b6d47435
commit 35a9565808
1 changed files with 87 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
fix_grub_bls_entry.patch
View File

@ -1,20 +1,23 @@
From 3083803b5a8a445bf93d74e908b7d8568d092cf3 Mon Sep 17 00:00:00 2001 From b0c4c5fbdcc89b44cee2300c5a12cb5e8de0e446 Mon Sep 17 00:00:00 2001
From: Alberto Planas <aplanas@suse.com> From: Alberto Planas <aplanas@suse.com>
Date: Wed, 13 Mar 2024 22:57:17 +0100 Date: Wed, 13 Mar 2024 22:57:17 +0100
Subject: [PATCH] GRUB with BLS measure boot entries Subject: [PATCH] GRUB with BLS measure boot entries
This includes the boot entry file, the kernel and the initrd specified
in the entry file.
Signed-off-by: Alberto Planas <aplanas@suse.com> Signed-off-by: Alberto Planas <aplanas@suse.com>
--- ---
src/eventlog.c | 11 +++++++++-- src/eventlog.c | 21 +++++++++++++++++++--
src/eventlog.h | 2 ++ src/eventlog.h | 1 +
src/oracle.c | 9 ++++++--- src/oracle.c | 12 +++++++++---
src/sd-boot.c | 9 +++++++++ src/sd-boot.c | 28 ++++++++++++++++++++++++----
src/sd-boot.h | 1 + src/sd-boot.h | 2 ++
src/uapi.h | 3 ++- src/uapi.h | 3 ++-
6 files changed, 29 insertions(+), 6 deletions(-) 6 files changed, 57 insertions(+), 10 deletions(-)
diff --git a/src/eventlog.c b/src/eventlog.c diff --git a/src/eventlog.c b/src/eventlog.c
index 3574a4d..b7b4205 100644 index 3574a4d..db18f41 100644
--- a/src/eventlog.c --- a/src/eventlog.c
+++ b/src/eventlog.c +++ b/src/eventlog.c
@@ -33,6 +33,7 @@ @@ -33,6 +33,7 @@
@ -25,16 +28,26 @@ index 3574a4d..b7b4205 100644
#define TPM_EVENT_LOG_MAX_ALGOS 64 #define TPM_EVENT_LOG_MAX_ALGOS 64
@@ -582,8 +583,14 @@ __tpm_event_grub_file_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pa @@ -582,8 +583,24 @@ __tpm_event_grub_file_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pa
debug(" assuming the file resides on system partition\n"); debug(" assuming the file resides on system partition\n");
md = runtime_digest_rootfs_file(ctx->algo, evspec->path); md = runtime_digest_rootfs_file(ctx->algo, evspec->path);
} else { } else {
- debug(" assuming the file resides on EFI boot partition\n"); - debug(" assuming the file resides on EFI boot partition\n");
- md = runtime_digest_efi_file(ctx->algo, evspec->path); - md = runtime_digest_efi_file(ctx->algo, evspec->path);
+ if (sdb_is_boot_entry(evspec->path) && ctx->boot_entry) { + if (sdb_is_boot_entry(evspec->path) && ctx->boot_entry_path) {
+ debug(" getting different boot entry file from EFI boot partition: %s\n", + debug(" getting different boot entry file from EFI boot partition: %s\n",
+ ctx->boot_entry_path); + ctx->boot_entry_path);
+ md = runtime_digest_rootfs_file(ctx->algo, ctx->boot_entry_path); + md = runtime_digest_rootfs_file(ctx->algo, ctx->boot_entry_path);
+ } else
+ if (sdb_is_kernel(evspec->path) && ctx->boot_entry) {
+ debug(" getting different kernel from EFI boot partition: %s\n",
+ ctx->boot_entry->image_path);
+ md = runtime_digest_efi_file(ctx->algo, ctx->boot_entry->image_path);
+ } else
+ if (sdb_is_initrd(evspec->path) && ctx->boot_entry) {
+ debug(" getting different initrd from EFI boot partition: %s\n",
+ ctx->boot_entry->initrd_path);
+ md = runtime_digest_efi_file(ctx->algo, ctx->boot_entry->initrd_path);
+ } else { + } else {
+ debug(" assuming the file resides on EFI boot partition\n"); + debug(" assuming the file resides on EFI boot partition\n");
+ md = runtime_digest_efi_file(ctx->algo, evspec->path); + md = runtime_digest_efi_file(ctx->algo, evspec->path);
@ -43,30 +56,38 @@ index 3574a4d..b7b4205 100644
return md; return md;
diff --git a/src/eventlog.h b/src/eventlog.h diff --git a/src/eventlog.h b/src/eventlog.h
index 8af5eb0..b471031 100644 index 8af5eb0..d142744 100644
--- a/src/eventlog.h --- a/src/eventlog.h
+++ b/src/eventlog.h +++ b/src/eventlog.h
@@ -21,6 +21,7 @@ @@ -202,6 +202,7 @@ typedef struct tpm_event_log_rehash_ctx {
#ifndef EVENTLOG_H
#define EVENTLOG_H
+#include <limits.h>
#include "types.h"
typedef struct tpm_event {
@@ -202,6 +203,7 @@ typedef struct tpm_event_log_rehash_ctx {
const pecoff_image_info_t *next_stage_img; const pecoff_image_info_t *next_stage_img;
/* This get set when the user specifies --next-kernel */ /* This get set when the user specifies --next-kernel */
+ char boot_entry_path[PATH_MAX]; + char * boot_entry_path;
uapi_boot_entry_t * boot_entry; uapi_boot_entry_t * boot_entry;
} tpm_event_log_rehash_ctx_t; } tpm_event_log_rehash_ctx_t;
diff --git a/src/oracle.c b/src/oracle.c diff --git a/src/oracle.c b/src/oracle.c
index 0afd910..155ec59 100644 index 0afd910..ac48823 100644
--- a/src/oracle.c --- a/src/oracle.c
+++ b/src/oracle.c +++ b/src/oracle.c
@@ -663,9 +663,12 @@ predictor_update_eventlog(struct predictor *pred) @@ -23,6 +23,7 @@
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
+#include <limits.h>
#include "oracle.h"
#include "util.h"
@@ -653,6 +654,7 @@ predictor_update_eventlog(struct predictor *pred)
tpm_event_log_rehash_ctx_t rehash_ctx;
tpm_event_t *ev, *stop_event = NULL;
bool okay = true;
+ char boot_entry_path[PATH_MAX];
predictor_pre_scan_eventlog(pred, &stop_event);
@@ -663,9 +665,13 @@ predictor_update_eventlog(struct predictor *pred)
* systemd ID of the next kernel entry to be booted. * systemd ID of the next kernel entry to be booted.
* FIXME: we should probably hide this behind a target_platform function. * FIXME: we should probably hide this behind a target_platform function.
*/ */
@ -74,8 +95,9 @@ index 0afd910..155ec59 100644
- && !(rehash_ctx.boot_entry = sdb_identify_boot_entry(pred->boot_entry_id))) - && !(rehash_ctx.boot_entry = sdb_identify_boot_entry(pred->boot_entry_id)))
- fatal("unable to identify next kernel \"%s\"\n", pred->boot_entry_id); - fatal("unable to identify next kernel \"%s\"\n", pred->boot_entry_id);
+ if (pred->boot_entry_id != NULL) { + if (pred->boot_entry_id != NULL) {
+ snprintf(rehash_ctx.boot_entry_path, sizeof(rehash_ctx.boot_entry_path), + snprintf(boot_entry_path, sizeof(boot_entry_path),
+ "%s/%s", UAPI_BOOT_DIRECTORY, pred->boot_entry_id); + "%s/%s", UAPI_BOOT_DIRECTORY, pred->boot_entry_id);
+ assign_string(&rehash_ctx.boot_entry_path, boot_entry_path);
+ if (!(rehash_ctx.boot_entry = sdb_identify_boot_entry(pred->boot_entry_id))) + if (!(rehash_ctx.boot_entry = sdb_identify_boot_entry(pred->boot_entry_id)))
+ fatal("unable to identify next kernel \"%s\"\n", pred->boot_entry_id); + fatal("unable to identify next kernel \"%s\"\n", pred->boot_entry_id);
+ } + }
@ -83,13 +105,47 @@ index 0afd910..155ec59 100644
for (ev = pred->event_log; ev; ev = ev->next) { for (ev = pred->event_log; ev; ev = ev->next) {
tpm_evdigest_t *pcr; tpm_evdigest_t *pcr;
diff --git a/src/sd-boot.c b/src/sd-boot.c diff --git a/src/sd-boot.c b/src/sd-boot.c
index ede2569..4c3a692 100644 index ede2569..a16f814 100644
--- a/src/sd-boot.c --- a/src/sd-boot.c
+++ b/src/sd-boot.c +++ b/src/sd-boot.c
@@ -160,6 +160,15 @@ sdb_is_kernel(const char *application) @@ -130,10 +130,9 @@ get_valid_kernel_entry_tokens(void)
/*
* This should probably use UAPI boot entry logic as well
*/
-bool
-sdb_is_kernel(const char *application)
+static bool
+is_valid_entry_token(const char *application, const char *prefix)
{
- static const char prefix[] = "linux-";
const uapi_kernel_entry_tokens_t *match;
char *path_copy;
int found = 0;
@@ -151,7 +150,7 @@ sdb_is_kernel(const char *application)
if (!strcmp(ptr, token))
found |= 1;
- else if (!strncmp(ptr, prefix, sizeof(prefix) - 1))
+ else if (!strncmp(ptr, prefix, strlen(prefix)))
found |= 2;
}
}
@@ -160,6 +159,27 @@ sdb_is_kernel(const char *application)
return (found == 3); return (found == 3);
} }
+bool
+sdb_is_kernel(const char *application)
+{
+ return is_valid_entry_token(application, "linux-");
+}
+
+bool
+sdb_is_initrd(const char *application)
+{
+ return is_valid_entry_token(application, "initrd-");
+}
+
+bool +bool
+sdb_is_boot_entry(const char *application) +sdb_is_boot_entry(const char *application)
+{ +{
@ -103,14 +159,16 @@ index ede2569..4c3a692 100644
* Identify the next kernel and initrd given an ID * Identify the next kernel and initrd given an ID
*/ */
diff --git a/src/sd-boot.h b/src/sd-boot.h diff --git a/src/sd-boot.h b/src/sd-boot.h
index 0472320..ca1be6f 100644 index 0472320..ceab13d 100644
--- a/src/sd-boot.h --- a/src/sd-boot.h
+++ b/src/sd-boot.h +++ b/src/sd-boot.h
@@ -44,6 +44,7 @@ typedef struct sdb_entry_list { @@ -43,7 +43,9 @@ typedef struct sdb_entry_list {
} sdb_entry_list_t;
extern uapi_boot_entry_t * sdb_identify_boot_entry(const char *id); extern uapi_boot_entry_t * sdb_identify_boot_entry(const char *id);
extern bool sdb_is_kernel(const char *application);
+extern bool sdb_is_boot_entry(const char *application); +extern bool sdb_is_boot_entry(const char *application);
extern bool sdb_is_kernel(const char *application);
+extern bool sdb_is_initrd(const char *application);
/* This will have to update the systemd json file, and add a new entry. */ /* This will have to update the systemd json file, and add a new entry. */
extern bool sdb_policy_file_add_entry(const char *filename, extern bool sdb_policy_file_add_entry(const char *filename,