Accepting request 1138226 from home:aplanas:branches:Base:System

- Add fix_efi_measure.patch to fix the measurement of EFI binaries OBS-URL: https://build.opensuse.org/request/show/1138226 OBS-URL: https://build.opensuse.org/package/show/Base:System/pcr-oracle?expand=0&rev=21
2024-01-12 07:37:04 +00:00 · 2024-01-12 07:37:04 +00:00 · 64e374e9eb
commit 64e374e9eb
parent 3d40a4e426
3 changed files with 221 additions and 1 deletions
--- a/fix_efi_measure.patch
+++ b/fix_efi_measure.patch
@ -0,0 +1,213 @@
+From 9489d98463a596ec8e4ba9f1f4a2b2af91c0968b Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 10 Jan 2024 15:32:07 +0100
+Subject: [PATCH 1/6] Print the measured kernel
+
+The debug output can be missleading, as print information about the
+current event log, but not about the measured element, that can be
+different as in the kernel case.
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+ src/efi-application.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/efi-application.c b/src/efi-application.c
+index 3e80083..2fd33ec 100644
+--- a/src/efi-application.c
+++ b/src/efi-application.c
+@@ -292,6 +292,12 @@ __tpm_event_efi_bsa_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
+ 
+ 	/* The next boot can have a different kernel */
+ 	if (sdb_is_kernel(evspec->efi_application) && ctx->boot_entry) {
+		/* TODO: the parsed data type did not change, so all
+		 * the description correspond to the current event
+		 * log, and not the asset that has been measured.  The
+		 * debug output can then be missleading.
+		 */
+		debug("Measuring %s\n", ctx->boot_entry->image_path);
+ 		new_application = ctx->boot_entry->image_path;
+ 		if (new_application) {
+ 			evspec_clone = *evspec;
+
+From d8d97a3c233e326e0b1836b77fa08f483ea8f410 Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 10 Jan 2024 15:51:45 +0100
+Subject: [PATCH 2/6] Rename variable to cmdline
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+ src/eventlog.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/eventlog.c b/src/eventlog.c
+index 4277d42..377f4d6 100644
+--- a/src/eventlog.c
+++ b/src/eventlog.c
+@@ -790,8 +790,8 @@ static const tpm_evdigest_t *
+ __tpm_event_systemd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *parsed, tpm_event_log_rehash_ctx_t *ctx)
+ {
+ 	const uapi_boot_entry_t *boot_entry = ctx->boot_entry;
+-	char initrd[2048];
+-	char initrd_utf16[4096];
+	char cmdline[2048];
+	char cmdline_utf16[4096];
+ 	unsigned int len;
+ 
+ 	/* If no --next-kernel option was given, do not rehash anything */
+@@ -804,15 +804,16 @@ __tpm_event_systemd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
+ 	}
+ 
+ 	debug("Next boot entry expected from: %s %s\n", boot_entry->title, boot_entry->version? : "");
+-	snprintf(initrd, sizeof(initrd), "initrd=%s %s",
+	snprintf(cmdline, sizeof(cmdline), "initrd=%s %s",
+ 			path_unix2dos(boot_entry->initrd_path),
+ 			boot_entry->options? : "");
+	debug("Measuring Kernel command line: %s\n", cmdline);
+ 
+-	len = (strlen(initrd) + 1) << 1;
+-	assert(len <= sizeof(initrd_utf16));
+-	__convert_to_utf16le(initrd, strlen(initrd) + 1, initrd_utf16, len);
+	len = (strlen(cmdline) + 1) << 1;
+	assert(len <= sizeof(cmdline_utf16));
+	__convert_to_utf16le(cmdline, strlen(cmdline) + 1, cmdline_utf16, len);
+ 
+-	return digest_compute(ctx->algo, initrd_utf16, len);
+	return digest_compute(ctx->algo, cmdline_utf16, len);
+ }
+ 
+ /*
+
+From 4f8e3f4760ff7fe97df1e6af569d049e30f3ee06 Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 10 Jan 2024 15:55:41 +0100
+Subject: [PATCH 3/6] Add debug output for initrd
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+ src/eventlog.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/eventlog.c b/src/eventlog.c
+index 377f4d6..3574a4d 100644
+--- a/src/eventlog.c
+++ b/src/eventlog.c
+@@ -877,6 +877,7 @@ __tpm_event_tag_initrd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *p
+ 	}
+ 
+ 	debug("Next boot entry expected from: %s %s\n", boot_entry->title, boot_entry->version? : "");
+	debug("Measuring initrd: %s\n", boot_entry->initrd_path);
+ 	return runtime_digest_efi_file(ctx->algo, boot_entry->initrd_path);
+ }
+ 
+
+From 90ee8dab9d972b741bc0c27a04a872afbecdef82 Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 10 Jan 2024 18:54:04 +0100
+Subject: [PATCH 4/6] Add debug output during extension
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+ src/oracle.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/oracle.c b/src/oracle.c
+index 1cafafc..0afd910 100644
+--- a/src/oracle.c
+++ b/src/oracle.c
+@@ -366,6 +366,7 @@ pcr_bank_extend_register(tpm_pcr_bank_t *bank, unsigned int pcr_index, const tpm
+ static void
+ predictor_extend_hash(struct predictor *pred, unsigned int pcr_index, const tpm_evdigest_t *d)
+ {
+	debug("Extend PCR#%d: %s\n", pcr_index, digest_print(d));
+ 	pcr_bank_extend_register(&pred->prediction, pcr_index, d);
+ }
+ 
+
+From 5133fe6f3c00a41aee362a51621a278dd472497e Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Thu, 11 Jan 2024 14:09:03 +0100
+Subject: [PATCH 5/6] Update the EFI image info before rehash
+
+If the new EFI image is in a new place, the image information stored in
+the parsed event should be updated, so the rehash will use this
+information instead of the one from the event log.
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+ src/efi-application.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/efi-application.c b/src/efi-application.c
+index 2fd33ec..842bca6 100644
+--- a/src/efi-application.c
+++ b/src/efi-application.c
+@@ -40,7 +40,7 @@
+  */
+ static const tpm_evdigest_t *	__tpm_event_efi_bsa_rehash(const tpm_event_t *, const tpm_parsed_event_t *, tpm_event_log_rehash_ctx_t *);
+ static bool			__tpm_event_efi_bsa_extract_location(tpm_parsed_event_t *parsed);
+-static bool			__tpm_event_efi_bsa_inspect_image(tpm_parsed_event_t *parsed);
+static bool			__tpm_event_efi_bsa_inspect_image(struct efi_bsa_event *evspec);
+ 
+ static void
+ __tpm_event_efi_bsa_destroy(tpm_parsed_event_t *parsed)
+@@ -111,7 +111,7 @@ __tpm_event_parse_efi_bsa(tpm_event_t *ev, tpm_parsed_event_t *parsed, buffer_t
+ 			assign_string(&ctx->efi_partition, evspec->efi_partition);
+ 		else
+ 			assign_string(&evspec->efi_partition, ctx->efi_partition);
+-		__tpm_event_efi_bsa_inspect_image(parsed);
+		__tpm_event_efi_bsa_inspect_image(evspec);
+ 	}
+ 
+ 	return true;
+@@ -150,9 +150,8 @@ __tpm_event_efi_bsa_extract_location(tpm_parsed_event_t *parsed)
+ }
+ 
+ static bool
+-__tpm_event_efi_bsa_inspect_image(tpm_parsed_event_t *parsed)
+__tpm_event_efi_bsa_inspect_image(struct efi_bsa_event *evspec)
+ {
+-        struct efi_bsa_event *evspec = &parsed->efi_bsa_event;
+ 	char path[PATH_MAX];
+ 	const char *display_name;
+ 	buffer_t *img_data;
+@@ -302,6 +301,7 @@ __tpm_event_efi_bsa_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
+ 		if (new_application) {
+ 			evspec_clone = *evspec;
+ 			evspec_clone.efi_application = strdup(new_application);
+			__tpm_event_efi_bsa_inspect_image(&evspec_clone);
+ 			evspec = &evspec_clone;
+ 		}
+ 	}
+
+From 93cbe02ca05297c638b1ac7f32b3da3a6cd2f684 Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Thu, 11 Jan 2024 14:35:07 +0100
+Subject: [PATCH 6/6] Bump version to 0.5.5
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+ configure         | 2 +-
+ microconf/version | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 1dccbdc..854cc0a 100755
+--- a/configure
+++ b/configure
+@@ -12,7 +12,7 @@
+ # Invoke with --help for a description of options
+ #
+ # microconf:begin
+-# version 0.5.4
+# version 0.5.5
+ # require libtss2
+ # require json
+ # disable debug-authenticode
+diff --git a/microconf/version b/microconf/version
+index 7e913d9..591473f 100644
+--- a/microconf/version
+++ b/microconf/version
+@@ -1 +1 @@
+-uc_version=0.5.4
+uc_version=0.5.5
--- a/pcr-oracle.changes
+++ b/pcr-oracle.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jan 12 07:28:55 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Add fix_efi_measure.patch to fix the measurement of EFI binaries
+
 -------------------------------------------------------------------
 Fri Dec  8 07:17:35 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>

--- a/pcr-oracle.spec
+++ b/pcr-oracle.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pcr-oracle
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -25,6 +25,8 @@ License:        GPL-2.0-only
 Group:          System/Boot
 URL:            https://github.com/okirch/pcr-oracle
 Source:         %{name}-%{version}.tar.xz
+# PATCH-FIX-UPSTREAM fix_efi_measure.patch gh#okirch/pcr-oracle!47
+Patch0:         fix_efi_measure.patch
 BuildRequires:  libopenssl-devel >= 0.9.8
 BuildRequires:  tpm2-0-tss-devel >= 2.4.0
 Requires:       libtss2-tcti-device0