Accepting request 1148728 from home:aplanas:branches:Base:System

- Add fix_loader_conf.patch to measure the systemd-boot loader.conf file

OBS-URL: https://build.opensuse.org/request/show/1148728
OBS-URL: https://build.opensuse.org/package/show/Base:System/pcr-oracle?expand=0&rev=23
This commit is contained in:
Alberto Planas 2024-02-21 14:07:38 +00:00 committed by Git OBS Bridge
parent 64e374e9eb
commit d02e4f852b
3 changed files with 86 additions and 0 deletions

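--- /dev/null
+++ b/fix_loader_conf.patch
@@ -0,0 +1,79 @@
+From c2453df75ecdbc547e4637268dccde5cdc012881 Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Tue, 20 Feb 2024 19:12:08 +0100
+Subject: [PATCH] Measure systemd-boot loader.conf
+Since systemd-boot v255 the /loader/loader.conf file can be measured
+under a EV_EVENT_TAG event in PCR#5.
+This commit measure the file in the ESP.
+Fix #49
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+src/eventlog.c | 18 ++++++++++++++++++
+src/eventlog.h | 7 +++++--
+2 files changed, 23 insertions(+), 2 deletions(-)
+diff --git a/src/eventlog.c b/src/eventlog.c
+index 4277d42..2e29b0e 100644
+--- a/src/eventlog.c
++++ b/src/eventlog.c
+@@ -842,6 +842,19 @@ __tpm_event_tag_destroy(tpm_parsed_event_t *parsed)
+{
+}
++static const char *
++__tpm_event_tag_loader_conf_describe(const tpm_parsed_event_t *parsed)
++{
++ return "/loader/loader.conf (measured by systemd-boot)";
++}
++
++static const tpm_evdigest_t *
++__tpm_event_tag_loader_conf_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *parsed, tpm_event_log_rehash_ctx_t *ctx)
++{
++ debug(" re-hashing /loader/loader.conf");
++ return runtime_digest_efi_file(ctx->algo, "/loader/loader.conf");
++}
++
+static const char *
+__tpm_event_tag_options_describe(const tpm_parsed_event_t *parsed)
+{
+@@ -880,6 +893,7 @@ __tpm_event_tag_initrd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *p
+}
+/*
++ * Generated by systemd-boot (PCR#5), to measure loader.conf
+* Generated by the kernel (PCR#9), to measure the cmdline and initrd
+*/
+static bool
+@@ -900,6 +914,10 @@ __tpm_event_parse_tag(tpm_event_t *ev, tpm_parsed_event_t *parsed, buffer_t *bp)
+return false;
+parsed->destroy = __tpm_event_tag_destroy;
++ if (evspec->event_id == LOADER_CONF_EVENT_TAG_ID) {
++ parsed->rehash = __tpm_event_tag_loader_conf_rehash;
++ parsed->describe = __tpm_event_tag_loader_conf_describe;
++ } else
+if (evspec->event_id == LOAD_OPTIONS_EVENT_TAG_ID) {
+parsed->rehash = __tpm_event_tag_options_rehash;
+parsed->describe = __tpm_event_tag_options_describe;
+diff --git a/src/eventlog.h b/src/eventlog.h
+index 3741b58..d78e3da 100644
+--- a/src/eventlog.h
++++ b/src/eventlog.h
+@@ -96,8 +96,11 @@ enum {
+};
+enum {
+- LOAD_OPTIONS_EVENT_TAG_ID = 0x8F3B22EDU,
+- INITRD_EVENT_TAG_ID = 0x8F3B22ECU,
++ /* systemd-boot */
++ LOADER_CONF_EVENT_TAG_ID = 0xF5BC582A,
++ /* kernel */
++ LOAD_OPTIONS_EVENT_TAG_ID = 0x8F3B22ED,
++ INITRD_EVENT_TAG_ID = 0x8F3B22EC,
+};
+#define EFI_DEVICE_PATH_MAX 16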
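Review bot: The new `LOADER_CONF_EVENT_TAG_ID` branch in `__tpm_event_parse_tag` ends with `} else` on a line of its own followed by the pre-existing `if (evspec->event_id == LOAD_OPTIONS_EVENT_TAG_ID) {` at its old indentation, which reads as two separate statements; fold it into the chain as `} else if (evspec->event_id == LOAD_OPTIONS_EVENT_TAG_ID) {` so the dispatch is visibly one if/else ladder. `__tpm_event_tag_loader_conf_rehash` carries no comment stating what the prediction rests on: the digest is recomputed from the ESP file at the fixed path rather than from anything in the event payload, so the predicted PCR#5 value is only correct when that on-disk file is byte-identical to what systemd-boot hashed at boot, and a comment such as `/* Predict by re-hashing the ESP copy of loader.conf; presumably the event payload carries nothing that needs checking — confirm against systemd-boot */` would record that for the next maintainer. The enclosing `__tpm_event_parse_tag` begins and ends outside the hunk. In eventlog.h the `U` suffix is dropped from the two existing enumerators; since the hex literals already have unsigned type that changes nothing, so leaving those lines untouched would keep the patch limited to the fix.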


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Tue Feb 20 18:16:53 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>
- Add fix_loader_conf.patch to measure the systemd-boot loader.conf file
-------------------------------------------------------------------
Fri Jan 12 07:28:55 UTC 2024 - Alberto Planas Dominguez <aplanas@suse.com>


@ -27,6 +27,8 @@ URL: https://github.com/okirch/pcr-oracle
Source: %{name}-%{version}.tar.xz
# PATCH-FIX-UPSTREAM fix_efi_measure.patch gh#okirch/pcr-oracle!47
Patch0: fix_efi_measure.patch
# PATCH-FIX-UPSTREAM fix_loader_conf.patch gh#okirch/pcr-oracle!50
Patch1: fix_loader_conf.patch
BuildRequires: libopenssl-devel >= 0.9.8
BuildRequires: tpm2-0-tss-devel >= 2.4.0
Requires: libtss2-tcti-device0