Use systemd code introduced with 0c4aa25 to measure the kernel image into PCR[8] and options in PCR[9].
Signed-off-by: Cedric Hombourger <[email protected]> --- configure.ac | 18 ++++++++++++++++++ include/loader.h | 2 +- loader.c | 11 ++++++++++- main.c | 12 +++++++++++- 4 files changed, 40 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index b8d2b1c..6440ef2 100644 --- a/configure.ac +++ b/configure.ac @@ -77,6 +77,24 @@ AC_ARG_WITH([gnuefi-lib-dir], AC_SUBST(GNUEFI_LIB_DIR) AC_DEFINE_UNQUOTED(GNUEFI_LIB_DIR, ["$GNUEFI_LIB_DIR"], [The lib directory for gnuefi]) +AC_ARG_WITH([kernel-pcr], + AS_HELP_STRING([--with-kernel-pcr=NUMBER], + [specify the PCR register to use for the kernel image, defaults to 8]), + [KERNEL_PCR="$withval"], + [KERNEL_PCR="8"]) + +AC_SUBST(KERNEL_PCR) +AC_DEFINE_UNQUOTED(KERNEL_PCR, [$KERNEL_PCR], [The PCR register for the kernel image]) + +AC_ARG_WITH([options-pcr], + AS_HELP_STRING([--with-options-pcr=NUMBER], + [specify the PCR register to use for options, defaults to 9]), + [OPTIONS_PCR="$withval"], + [OPTIONS_PCR="9"]) + +AC_SUBST(OPTIONS_PCR) +AC_DEFINE_UNQUOTED(OPTIONS_PCR, [$OPTIONS_PCR], [The PCR register for options]) + dnl Define ARCH_<NAME> conditionals SET_ARCH(I586, i586*) SET_ARCH(I686, i686*) diff --git a/include/loader.h b/include/loader.h index 5cf639e..5ccb9ba 100644 --- a/include/loader.h +++ b/include/loader.h @@ -18,4 +18,4 @@ #include <efilib.h> EFI_STATUS -load_from_device_path (IN OUT EFI_DEVICE_PATH **device_path, OUT VOID **data, OUT UINTN *size); +load_from_device_path (IN OUT EFI_DEVICE_PATH **device_path, IN UINTN pcr, OUT VOID **data, OUT UINTN *size); diff --git a/loader.c b/loader.c index 6029781..69b2570 100644 --- a/loader.c +++ b/loader.c @@ -15,6 +15,7 @@ #include <efi.h> #include <efilib.h> #include "loader.h" +#include "measure.h" static EFI_STATUS opened_file_size (EFI_FILE_HANDLE file_handle, UINT64 *size) { @@ -45,7 +46,7 @@ opened_file_size (EFI_FILE_HANDLE file_handle, UINT64 *size) { } EFI_STATUS -load_from_device_path (IN OUT EFI_DEVICE_PATH **device_path, OUT VOID **data, OUT UINTN *size) +load_from_device_path (IN OUT EFI_DEVICE_PATH **device_path, UINTN pcr, OUT VOID **data, OUT UINTN *size) { EFI_DEVICE_PATH *file_path; MEMMAP_DEVICE_PATH *memory_path = NULL; @@ -107,6 +108,14 @@ load_from_device_path (IN OUT EFI_DEVICE_PATH **device_path, OUT VOID **data, OU goto free_data; } + /* Measure the loaded binary */ + if (pcr > 0) { + status = tpm_log_event(pcr, (EFI_PHYSICAL_ADDRESS) (UINTN) file_data, file_size, file_data); + if (EFI_ERROR(status)) { + goto free_data; + } + } + memory_path = AllocatePool (2 * sizeof (MEMMAP_DEVICE_PATH)); if (memory_path == NULL) { status = EFI_OUT_OF_RESOURCES; diff --git a/main.c b/main.c index c47af74..b5ab5c2 100644 --- a/main.c +++ b/main.c @@ -23,6 +23,7 @@ #include "loader.h" #include "version.h" #include "utils.h" +#include "measure.h" extern const unsigned long init_array_start[]; extern const unsigned long init_array_end[]; @@ -173,7 +174,7 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *system_table) } /* Load specified kernel image to memory */ - status = load_from_device_path (&payload_dev_path, &payload_data, &payload_size); + status = load_from_device_path (&payload_dev_path, KERNEL_PCR, &payload_data, &payload_size); if (EFI_ERROR(status)) { error_exit(L"Cannot load specified kernel image to memory", status); } @@ -201,6 +202,15 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *system_table) loaded_image->LoadOptionsSize = (StrLen(bg_loader_params.payload_options) + 1) * sizeof(CHAR16); + /* Try to log any options to the TPM */ + status = tpm_log_event(OPTIONS_PCR, + (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions, + loaded_image->LoadOptionsSize, loaded_image->LoadOptions); + /* Try to log any options to the TPM, especially manually edited options */ + if (EFI_ERROR(status)) { + WARNING(L"Could not measure options (%x)\n", status); + } + INFO(L"Starting %s with watchdog set to %d seconds ...\n", bg_loader_params.payload_path, bg_loader_params.timeout); -- 2.30.2 -- You received this message because you are subscribed to the Google Groups "EFI Boot Guard" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/efibootguard-dev/20210704180009.383-4-Cedric_Hombourger%40mentor.com.
