Hi Cedric, > Make use of systemd code
This is licensed differently (LGPL-2.1+) than EFI Boot Guard. Can you elaborate on the license implications of importing this? > to measure the kernel command line for the > selected configuration into PCR#8. This also causes the firmware > to add the measurement for the loaded EFI image into PCR#4 (as per > UEFI specs). Hm, can you point me to the according Spec section please? Maybe I have missed it that measuring something to PCR #8 automatically causes measuring the bootloader's chain-callee EFI binary (e.g. the UEFI-stub'd Kernel) to PCR #4.... > With this change both the loaded kernel and command > line options are measured. Use of the TPM may be disabled by passing > --disable-tpm to the configure script. > > Signed-off-by: Cedric Hombourger <[email protected]> > --- > configure.ac | 16 ++++++++++++++++ > main.c | 12 ++++++++++++ > 2 files changed, 28 insertions(+) > > diff --git a/configure.ac b/configure.ac > index b8d2b1c..2d434d5 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -77,6 +77,22 @@ AC_ARG_WITH([gnuefi-lib-dir], > AC_SUBST(GNUEFI_LIB_DIR) > AC_DEFINE_UNQUOTED(GNUEFI_LIB_DIR, ["$GNUEFI_LIB_DIR"], [The lib directory > for gnuefi]) > > +AC_ARG_ENABLE([tpm], > + AS_HELP_STRING([--disable-tpm], [Disable TPM support])) > + > +AS_IF([test "x$enable_tpm" != "xno"], [ > + AC_DEFINE([ENABLE_TPM], [1], [TPM support]) > +]) > + > +AC_ARG_WITH([options-pcr], > + AS_HELP_STRING([--with-options-pcr=NUMBER], > + [specify the PCR register to use for options, > defaults to 8]), > + [OPTIONS_PCR="$withval"], > + [OPTIONS_PCR="8"]) > + > +AC_SUBST(OPTIONS_PCR) > +AC_DEFINE_UNQUOTED(OPTIONS_PCR, [$OPTIONS_PCR], [The PCR register for > options]) > + > dnl Define ARCH_<NAME> conditionals > SET_ARCH(I586, i586*) > SET_ARCH(I686, i686*) > diff --git a/main.c b/main.c > index 7949218..dc388a4 100644 > --- a/main.c > +++ b/main.c > @@ -22,6 +22,7 @@ > #include <configuration.h> > #include "version.h" > #include "utils.h" > +#include "measure.h" > > extern const unsigned long init_array_start[]; > extern const unsigned long init_array_end[]; > @@ -192,6 +193,17 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, > EFI_SYSTEM_TABLE *system_table) > loaded_image->LoadOptionsSize = > (StrLen(bg_loader_params.payload_options) + 1) * sizeof(CHAR16); > > +#ifdef ENABLE_TPM > + /* Try to log any options to the TPM */ > + status = tpm_log_event(OPTIONS_PCR, > + (EFI_PHYSICAL_ADDRESS) (UINTN) > loaded_image->LoadOptions, > + loaded_image->LoadOptionsSize, > loaded_image->LoadOptions); Here you measure the chain-loaded kernel command line, *not* the kernel binary itself. See above. > + /* Try to log any options to the TPM, especially manually edited > options */ This comment is misleading for the following action: > + if (EFI_ERROR(status)) { > + WARNING(L"Could not measure options (%x)\n", status); > + } > +#endif > + > INFO(L"Starting %s with watchdog set to %d seconds ...\n", > bg_loader_params.payload_path, bg_loader_params.timeout); > > -- > 2.30.2 > Kind regards, Christian -- Dr. Christian Storm Siemens AG, Technology, T RDA IOT SES-DE Otto-Hahn-Ring 6, 81739 München, Germany -- You received this message because you are subscribed to the Google Groups "EFI Boot Guard" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/efibootguard-dev/20210628135455.luys7nxzn65lo5kn%40MD1ZFJVC.ad001.siemens.net.
