From d02e4f852b4d7365ca5e6bc81bc37b478bb2f1bfafca91badadfefa18c6cbab6 Mon Sep 17 00:00:00 2001
From: Alberto Planas Dominguez
Date: Wed, 21 Feb 2024 14:07:38 +0000
Subject: [PATCH] Accepting request 1148728 from home:aplanas:branches:Base:System
- Add fix_loader_conf.patch to measure the systemd-boot loader.conf file
OBS-URL: https://build.opensuse.org/request/show/1148728
OBS-URL: https://build.opensuse.org/package/show/Base:System/pcr-oracle?expand=0&rev=23
---
 fix_loader_conf.patch | 79 +++++++++++++++++++++++++++++++++++++++++++
 pcr-oracle.changes | 5 +++
 pcr-oracle.spec | 2 ++
 3 files changed, 86 insertions(+)
 create mode 100644 fix_loader_conf.patch
diff --git a/fix_loader_conf.patch b/fix_loader_conf.patch
new file mode 100644
index 0000000..8205e04
--- /dev/null
+++ b/fix_loader_conf.patch
@@ -0,0 +1,79 @@
+From c2453df75ecdbc547e4637268dccde5cdc012881 Mon Sep 17 00:00:00 2001
+From: Alberto Planas
+Date: Tue, 20 Feb 2024 19:12:08 +0100
+Subject: [PATCH] Measure systemd-boot loader.conf
+
+Since systemd-boot v255 the /loader/loader.conf file can be measured
+under a EV_EVENT_TAG event in PCR#5.
+
+This commit measure the file in the ESP.
+
+Fix #49
+
+Signed-off-by: Alberto Planas
+---
+ src/eventlog.c | 18 ++++++++++++++++++
+ src/eventlog.h | 7 +++++--
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/eventlog.c b/src/eventlog.c
+index 4277d42..2e29b0e 100644
+--- a/src/eventlog.c
++++ b/src/eventlog.c
+@@ -842,6 +842,19 @@ __tpm_event_tag_destroy(tpm_parsed_event_t *parsed)
+ {
+ }
+
++static const char *
++__tpm_event_tag_loader_conf_describe(const tpm_parsed_event_t *parsed)
++{
++ return "/loader/loader.conf (measured by systemd-boot)";
++}
++
++static const tpm_evdigest_t *
++__tpm_event_tag_loader_conf_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *parsed, tpm_event_log_rehash_ctx_t *ctx)
++{
++ debug(" re-hashing /loader/loader.conf");
++ return runtime_digest_efi_file(ctx->algo, "/loader/loader.conf");
++}
++
+ static const char *
+ __tpm_event_tag_options_describe(const tpm_parsed_event_t *parsed)
+ {
+@@ -880,6 +893,7 @@ __tpm_event_tag_initrd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *p
+ }
+
+ /*
++ * Generated by systemd-boot (PCR#5), to measure loader.conf
+ * Generated by the kernel (PCR#9), to measure the cmdline and initrd
+ */
+ static bool
+@@ -900,6 +914,10 @@ __tpm_event_parse_tag(tpm_event_t *ev, tpm_parsed_event_t *parsed, buffer_t *bp)
+ return false;
+
+ parsed->destroy = __tpm_event_tag_destroy;
++ if (evspec->event_id == LOADER_CONF_EVENT_TAG_ID) {
++ parsed->rehash = __tpm_event_tag_loader_conf_rehash;
++ parsed->describe = __tpm_event_tag_loader_conf_describe;
++ } else
+ if (evspec->event_id == LOAD_OPTIONS_EVENT_TAG_ID) {
+ parsed->rehash = __tpm_event_tag_options_rehash;
+ parsed->describe = __tpm_event_tag_options_describe;
+diff --git a/src/eventlog.h b/src/eventlog.h
+index 3741b58..d78e3da 100644
+--- a/src/eventlog.h
++++ b/src/eventlog.h
+@@ -96,8 +96,11 @@ enum {
+ };
+
+ enum {
+- LOAD_OPTIONS_EVENT_TAG_ID = 0x8F3B22EDU,
+- INITRD_EVENT_TAG_ID = 0x8F3B22ECU,
++ /* systemd-boot */
++ LOADER_CONF_EVENT_TAG_ID = 0xF5BC582A,
++ /* kernel */
++ LOAD_OPTIONS_EVENT_TAG_ID = 0x8F3B22ED,
++ INITRD_EVENT_TAG_ID = 0x8F3B22EC,
+ };
+
+ #define EFI_DEVICE_PATH_MAX 16
diff --git a/pcr-oracle.changes b/pcr-oracle.changes
index 5cbf6e3..646fce6 100644
--- a/pcr-oracle.changes
+++ b/pcr-oracle.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Feb 20 18:16:53 UTC 2024 - Alberto Planas Dominguez
+
+- Add fix_loader_conf.patch to measure the systemd-boot loader.conf file
+
 -------------------------------------------------------------------
 Fri Jan 12 07:28:55 UTC 2024 - Alberto Planas Dominguez

diff --git a/pcr-oracle.spec b/pcr-oracle.spec
index 199c673..47c72df 100644
--- a/pcr-oracle.spec
+++ b/pcr-oracle.spec
@@ -27,6 +27,8 @@ URL: https://github.com/okirch/pcr-oracle
 Source: %{name}-%{version}.tar.xz
 # PATCH-FIX-UPSTREAM fix_efi_measure.patch gh#okirch/pcr-oracle!47
 Patch0: fix_efi_measure.patch
+# PATCH-FIX-UPSTREAM fix_loader_conf.patch gh#okirch/pcr-oracle!50
+Patch1: fix_loader_conf.patch
 BuildRequires: libopenssl-devel >= 0.9.8
 BuildRequires: tpm2-0-tss-devel >= 2.4.0
 Requires: libtss2-tcti-device0
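Review bot: `__tpm_event_tag_loader_conf_rehash` predicts the PCR#5 value by digesting the fixed path `/loader/loader.conf` through `runtime_digest_efi_file` and never looks at `ev` or `parsed`, so the prediction can only agree with the logged event if systemd-boot measured exactly the raw bytes of that file as they exist on the ESP at rehash time; I would state that assumption above the function, e.g. `/* The tagged event carries no path: systemd-boot is assumed to have measured the raw content of /loader/loader.conf on the ESP, so re-read it from there. */`. What `runtime_digest_efi_file` returns for a missing or unreadable loader.conf is not visible here, so presumably the caller of `parsed->rehash` treats a NULL digest the same way it does for the options/initrd tags; worth confirming, since an unreadable file would otherwise give a prediction that silently disagrees with the log. In `__tpm_event_parse_tag` the added branch closes with `} else` on its own line and `if (evspec->event_id == LOAD_OPTIONS_EVENT_TAG_ID) {` on the next, which reads as two statements; `} else if (evspec->event_id == LOAD_OPTIONS_EVENT_TAG_ID) {` keeps the dispatch chain obvious. `__tpm_event_parse_tag` starts and ends outside this hunk; the two new helpers are complete within it.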