Accepting request 1138227 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1138227 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pcr-oracle?expand=0&rev=9
commit
ca20a1e932
213
fix_efi_measure.patch
Normal file
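--- a/fix_efi_measure.patch
+++ b/fix_efi_measure.patch
@@ -0,0 +1,213 @@
+From 9489d98463a596ec8e4ba9f1f4a2b2af91c0968b Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 10 Jan 2024 15:32:07 +0100
+Subject: [PATCH 1/6] Print the measured kernel
+
+The debug output can be missleading, as print information about the
+current event log, but not about the measured element, that can be
+different as in the kernel case.
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+src/efi-application.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/src/efi-application.c b/src/efi-application.c
+index 3e80083..2fd33ec 100644
+--- a/src/efi-application.c
++++ b/src/efi-application.c
+@@ -292,6 +292,12 @@ __tpm_event_efi_bsa_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
+
+/* The next boot can have a different kernel */
+if (sdb_is_kernel(evspec->efi_application) && ctx->boot_entry) {
++ /* TODO: the parsed data type did not change, so all
++ * the description correspond to the current event
++ * log, and not the asset that has been measured. The
++ * debug output can then be missleading.
++ */
++ debug("Measuring %s\n", ctx->boot_entry->image_path);
+new_application = ctx->boot_entry->image_path;
+if (new_application) {
+evspec_clone = *evspec;
+
+From d8d97a3c233e326e0b1836b77fa08f483ea8f410 Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 10 Jan 2024 15:51:45 +0100
+Subject: [PATCH 2/6] Rename variable to cmdline
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+src/eventlog.c | 15 ++++++++-------
+1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/eventlog.c b/src/eventlog.c
+index 4277d42..377f4d6 100644
+--- a/src/eventlog.c
++++ b/src/eventlog.c
+@@ -790,8 +790,8 @@ static const tpm_evdigest_t *
+__tpm_event_systemd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *parsed, tpm_event_log_rehash_ctx_t *ctx)
+{
+const uapi_boot_entry_t *boot_entry = ctx->boot_entry;
+- char initrd[2048];
+- char initrd_utf16[4096];
++ char cmdline[2048];
++ char cmdline_utf16[4096];
+unsigned int len;
+
+/* If no --next-kernel option was given, do not rehash anything */
+@@ -804,15 +804,16 @@ __tpm_event_systemd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
+}
+
+debug("Next boot entry expected from: %s %s\n", boot_entry->title, boot_entry->version? : "");
+- snprintf(initrd, sizeof(initrd), "initrd=%s %s",
++ snprintf(cmdline, sizeof(cmdline), "initrd=%s %s",
+path_unix2dos(boot_entry->initrd_path),
+boot_entry->options? : "");
++ debug("Measuring Kernel command line: %s\n", cmdline);
+
+- len = (strlen(initrd) + 1) << 1;
+- assert(len <= sizeof(initrd_utf16));
+- __convert_to_utf16le(initrd, strlen(initrd) + 1, initrd_utf16, len);
++ len = (strlen(cmdline) + 1) << 1;
++ assert(len <= sizeof(cmdline_utf16));
++ __convert_to_utf16le(cmdline, strlen(cmdline) + 1, cmdline_utf16, len);
+
+- return digest_compute(ctx->algo, initrd_utf16, len);
++ return digest_compute(ctx->algo, cmdline_utf16, len);
+}
+
+/*
+
+From 4f8e3f4760ff7fe97df1e6af569d049e30f3ee06 Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 10 Jan 2024 15:55:41 +0100
+Subject: [PATCH 3/6] Add debug output for initrd
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+src/eventlog.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/src/eventlog.c b/src/eventlog.c
+index 377f4d6..3574a4d 100644
+--- a/src/eventlog.c
++++ b/src/eventlog.c
+@@ -877,6 +877,7 @@ __tpm_event_tag_initrd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *p
+}
+
+debug("Next boot entry expected from: %s %s\n", boot_entry->title, boot_entry->version? : "");
++ debug("Measuring initrd: %s\n", boot_entry->initrd_path);
+return runtime_digest_efi_file(ctx->algo, boot_entry->initrd_path);
+}
+
+
+From 90ee8dab9d972b741bc0c27a04a872afbecdef82 Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 10 Jan 2024 18:54:04 +0100
+Subject: [PATCH 4/6] Add debug output during extension
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+src/oracle.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/src/oracle.c b/src/oracle.c
+index 1cafafc..0afd910 100644
+--- a/src/oracle.c
++++ b/src/oracle.c
+@@ -366,6 +366,7 @@ pcr_bank_extend_register(tpm_pcr_bank_t *bank, unsigned int pcr_index, const tpm
+static void
+predictor_extend_hash(struct predictor *pred, unsigned int pcr_index, const tpm_evdigest_t *d)
+{
++ debug("Extend PCR#%d: %s\n", pcr_index, digest_print(d));
+pcr_bank_extend_register(&pred->prediction, pcr_index, d);
+}
+
+
+From 5133fe6f3c00a41aee362a51621a278dd472497e Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Thu, 11 Jan 2024 14:09:03 +0100
+Subject: [PATCH 5/6] Update the EFI image info before rehash
+
+If the new EFI image is in a new place, the image information stored in
+the parsed event should be updated, so the rehash will use this
+information instead of the one from the event log.
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+src/efi-application.c | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/efi-application.c b/src/efi-application.c
+index 2fd33ec..842bca6 100644
+--- a/src/efi-application.c
++++ b/src/efi-application.c
+@@ -40,7 +40,7 @@
+*/
+static const tpm_evdigest_t * __tpm_event_efi_bsa_rehash(const tpm_event_t *, const tpm_parsed_event_t *, tpm_event_log_rehash_ctx_t *);
+static bool __tpm_event_efi_bsa_extract_location(tpm_parsed_event_t *parsed);
+-static bool __tpm_event_efi_bsa_inspect_image(tpm_parsed_event_t *parsed);
++static bool __tpm_event_efi_bsa_inspect_image(struct efi_bsa_event *evspec);
+
+static void
+__tpm_event_efi_bsa_destroy(tpm_parsed_event_t *parsed)
+@@ -111,7 +111,7 @@ __tpm_event_parse_efi_bsa(tpm_event_t *ev, tpm_parsed_event_t *parsed, buffer_t
+assign_string(&ctx->efi_partition, evspec->efi_partition);
+else
+assign_string(&evspec->efi_partition, ctx->efi_partition);
+- __tpm_event_efi_bsa_inspect_image(parsed);
++ __tpm_event_efi_bsa_inspect_image(evspec);
+}
+
+return true;
+@@ -150,9 +150,8 @@ __tpm_event_efi_bsa_extract_location(tpm_parsed_event_t *parsed)
+}
+
+static bool
+-__tpm_event_efi_bsa_inspect_image(tpm_parsed_event_t *parsed)
++__tpm_event_efi_bsa_inspect_image(struct efi_bsa_event *evspec)
+{
+- struct efi_bsa_event *evspec = &parsed->efi_bsa_event;
+char path[PATH_MAX];
+const char *display_name;
+buffer_t *img_data;
+@@ -302,6 +301,7 @@ __tpm_event_efi_bsa_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
+if (new_application) {
+evspec_clone = *evspec;
+evspec_clone.efi_application = strdup(new_application);
++ __tpm_event_efi_bsa_inspect_image(&evspec_clone);
+evspec = &evspec_clone;
+}
+}
+
+From 93cbe02ca05297c638b1ac7f32b3da3a6cd2f684 Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Thu, 11 Jan 2024 14:35:07 +0100
+Subject: [PATCH 6/6] Bump version to 0.5.5
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+configure | 2 +-
+microconf/version | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 1dccbdc..854cc0a 100755
+--- a/configure
++++ b/configure
+@@ -12,7 +12,7 @@
+# Invoke with --help for a description of options
+#
+# microconf:begin
+-# version 0.5.4
++# version 0.5.5
+# require libtss2
+# require json
+# disable debug-authenticode
+diff --git a/microconf/version b/microconf/version
+index 7e913d9..591473f 100644
+--- a/microconf/version
++++ b/microconf/version
+@@ -1 +1 @@
+-uc_version=0.5.4
++uc_version=0.5.5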
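Review bot: In the `@@ -302,6 +301,7 @@ __tpm_event_efi_bsa_rehash` hunk of patch 5, the added `__tpm_event_efi_bsa_inspect_image(&evspec_clone);` drops the function's bool result, so if the next-boot image cannot be opened or parsed the rehash continues with the image data the clone copied from the event log, which is exactly the stale information this patch says it replaces, and the predicted PCR value is then silently wrong. The parse-time call in the `@@ -111,7 +111,7 @@` hunk was already unchecked, but at the rehash site I would at least report the failure, e.g. `if (!__tpm_event_efi_bsa_inspect_image(&evspec_clone)) debug("Unable to inspect %s\n", new_application);` (or the project's error-level equivalent), and whether the rehash should then bail depends on how `evspec` is consumed after the hunk, which is not visible here. The `strdup()` on the previous line is likewise unchecked, and who frees the clone's `efi_application` is not visible either. Separately, patch 4 prints `pcr_index`, declared `unsigned int` in the signature two lines above, with `%d`; that should be `%u`. `__tpm_event_efi_bsa_rehash` starts and ends outside the hunk.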
@ -1,3 +1,8 @@
-------------------------------------------------------------------
Fri Jan 12 07:28:55 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
- Add fix_efi_measure.patch to fix the measurement of EFI binaries
-------------------------------------------------------------------
-------------------------------------------------------------------
Fri Dec 8 07:17:35 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
Fri Dec 8 07:17:35 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
@ -1,7 +1,7 @@
#
#
# spec file for package pcr-oracle
# spec file for package pcr-oracle
#
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
#
# All modifications and additions to the file contributed by third parties
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# remain the property of their copyright owners, unless otherwise agreed
@ -25,6 +25,8 @@ License: GPL-2.0-only
Group: System/Boot
Group: System/Boot
URL: https://github.com/okirch/pcr-oracle
URL: https://github.com/okirch/pcr-oracle
Source: %{name}-%{version}.tar.xz
Source: %{name}-%{version}.tar.xz
# PATCH-FIX-UPSTREAM fix_efi_measure.patch gh#okirch/pcr-oracle!47
Patch0: fix_efi_measure.patch
BuildRequires: libopenssl-devel >= 0.9.8
BuildRequires: libopenssl-devel >= 0.9.8
BuildRequires: tpm2-0-tss-devel >= 2.4.0
BuildRequires: tpm2-0-tss-devel >= 2.4.0
Requires: libtss2-tcti-device0
Requires: libtss2-tcti-device0