Hi Christian,

On 6/28/2021 3:54 PM, Christian Storm wrote:
Hi Cedric,

Make use of systemd code
This is licensed differently (LGPL-2.1+) than EFI Boot Guard.
Can you elaborate on the license implications of importing this?

To the best of my knowledge, this use-case is covered by the LGPL:

"When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library"

and

"You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices."

It is my understanding that this clause allows for direct reuse of LGPLed code in GPLed libraries and applications provided that the derivative work (i.e. the copy) is re-licensed under the GPL (I should therefore amend the SPDX license headers).

to measure the kernel command line for the
selected configuration into PCR#8. This also causes the firmware
to add the measurement for the loaded EFI image into PCR#4 (as per
UEFI specs).
Hm, can you point me to the corresponding Spec section please? Maybe I have
missed it that measuring something to PCR #8 automatically causes measuring
the bootloader's chain-callee EFI binary (e.g. the UEFI-stub'd Kernel)
to PCR #4....

Page 13 of the TCG EFI Platform Spec:

    What the “measure before applying relocations” described below practically means is that the EFI implementation will perform “LoadImage ( )” actions (e.g., copying PE/COFF to memory, etc), measurement, and then relocation application, and finally, the EFI service “StartImage ( ).” As such, EFI implementations of these services MUST punctuate their flow with this measurement action.

It's not really the measurement of our command line that causes the measurement of our EFI application to be logged but rather the fact that systemd's trigger_tcg2_final_events_table() causes the pre-OS event log to be finalized (as I understand it).


With this change both the loaded kernel and command
line options are measured. Use of the TPM may be disabled by passing
--disable-tpm to the configure script.

Signed-off-by: Cedric Hombourger <[email protected]>
---
  configure.ac | 16 ++++++++++++++++
  main.c       | 12 ++++++++++++
  2 files changed, 28 insertions(+)

diff --git a/configure.ac b/configure.ac
index b8d2b1c..2d434d5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -77,6 +77,22 @@ AC_ARG_WITH([gnuefi-lib-dir],
  AC_SUBST(GNUEFI_LIB_DIR)
  AC_DEFINE_UNQUOTED(GNUEFI_LIB_DIR, ["$GNUEFI_LIB_DIR"], [The lib directory 
for gnuefi])
+AC_ARG_ENABLE([tpm],
+             AS_HELP_STRING([--disable-tpm], [Disable TPM support]))
+
+AS_IF([test "x$enable_tpm" != "xno"], [
+       AC_DEFINE([ENABLE_TPM], [1], [TPM support])
+])
+
+AC_ARG_WITH([options-pcr],
+           AS_HELP_STRING([--with-options-pcr=NUMBER],
+                          [specify the PCR register to use for options, 
defaults to 8]),
+           [OPTIONS_PCR="$withval"],
+           [OPTIONS_PCR="8"])
+
+AC_SUBST(OPTIONS_PCR)
+AC_DEFINE_UNQUOTED(OPTIONS_PCR, [$OPTIONS_PCR], [The PCR register for options])
+
  dnl Define ARCH_<NAME> conditionals
  SET_ARCH(I586, i586*)
  SET_ARCH(I686, i686*)
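
Review bot: OPTIONS_PCR goes from --with-options-pcr into AC_DEFINE_UNQUOTED with no validation, so a non-numeric value or a PCR index the TPM does not have is only noticed later, at compile time or at boot. Consider checking in configure.ac that the value is a decimal integer in the valid PCR range and stopping with AC_MSG_ERROR otherwise. The option is also accepted together with --disable-tpm, where it has no effect; a configure warning for that combination would make it obvious that nothing is being measured.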
diff --git a/main.c b/main.c
index 7949218..dc388a4 100644
--- a/main.c
+++ b/main.c
@@ -22,6 +22,7 @@
  #include <configuration.h>
  #include "version.h"
  #include "utils.h"
+#include "measure.h"
extern const unsigned long init_array_start[];
  extern const unsigned long init_array_end[];
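
Review bot: The added #include "measure.h" is unconditional, while the only use this patch adds to main.c sits under #ifdef ENABLE_TPM. The diffstat lists only configure.ac and main.c, so measure.h has to come from another patch in the series; putting the include under the same #ifdef ENABLE_TPM would keep a --disable-tpm build from depending on the imported header at all.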
@@ -192,6 +193,17 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, 
EFI_SYSTEM_TABLE *system_table)
        loaded_image->LoadOptionsSize =
            (StrLen(bg_loader_params.payload_options) + 1) * sizeof(CHAR16);
+#ifdef ENABLE_TPM
+       /* Try to log any options to the TPM */
+        status = tpm_log_event(OPTIONS_PCR,
+                       (EFI_PHYSICAL_ADDRESS) (UINTN) 
loaded_image->LoadOptions,
+                       loaded_image->LoadOptionsSize, 
loaded_image->LoadOptions);
Here you measure the chain-loaded kernel command line, *not* the kernel
binary itself. See above.


+       /* Try to log any options to the TPM, especially manually edited 
options */

This comment is misleading for the following action:

+       if (EFI_ERROR(status)) {
+               WARNING(L"Could not measure options (%x)\n", status);
+       }
+#endif
+
        INFO(L"Starting %s with watchdog set to %d seconds ...\n",
             bg_loader_params.payload_path, bg_loader_params.timeout);
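
Review bot: In the ENABLE_TPM block a failed tpm_log_event() only produces a WARNING and the payload is still started, so the kernel runs with OPTIONS_PCR left unextended and nothing but a console message records it. If this PCR is meant to back sealing or attestation, consider making the failure fatal, or a configure-time choice, instead of always continuing. A smaller point: LoadOptionsSize is computed as (StrLen(...) + 1) * sizeof(CHAR16), so the terminating NUL is part of what gets measured; saying so in the comment helps anyone who has to reproduce the digest.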
--
2.30.2


Kind regards,
   Christian
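
How a verifier could recompute the PCR value that measuring the command line produces, as an added example that is not part of the patch or of EFI Boot Guard. It assumes the firmware hashes exactly the LoadOptions buffer handed to tpm_log_event(), that nothing else is extended into the chosen PCR, and that the PCR starts at all zeroes; the command lines are constructed samples.

```python
import hashlib
import hmac

PCR_SIZE = {"sha1": 20, "sha256": 32}  # digest length per PCR bank

# Constructed sample command lines (not taken from the thread).
GOOD = "root=/dev/sda2 ro console=ttyS0"
EDITED = "root=/dev/sdb2 ro console=ttyS0"


def load_options_bytes(cmdline: str) -> bytes:
    """Bytes covered by LoadOptionsSize in the patch:
    (StrLen(options) + 1) * sizeof(CHAR16), i.e. UTF-16LE plus the NUL."""
    return (cmdline + "\0").encode("utf-16-le")


def extend(pcr: bytes, data: bytes, bank: str = "sha256") -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || H(data))."""
    digest = hashlib.new(bank, data).digest()
    return hashlib.new(bank, pcr + digest).digest()


def expected_pcr(cmdlines, bank: str = "sha256") -> bytes:
    """Replay the measurements into a PCR that starts at all zeroes
    (assumption: no other component extends this PCR)."""
    pcr = bytes(PCR_SIZE[bank])
    for cmdline in cmdlines:
        pcr = extend(pcr, load_options_bytes(cmdline), bank)
    return pcr


def matches(reported_pcr_hex: str, cmdline: str, bank: str = "sha256") -> bool:
    """Compare the PCR value reported by a device with the expected one."""
    reported = bytes.fromhex(reported_pcr_hex)
    return hmac.compare_digest(reported, expected_pcr([cmdline], bank))


if __name__ == "__main__":
    reference = expected_pcr([GOOD]).hex()
    print("expected PCR value:", reference)
    print("unmodified options match:", matches(reference, GOOD))
    print("edited options match:   ", matches(reference, EDITED))
```

Leaving out the terminating NUL or hashing the options as UTF-8 gives a different digest, which is the usual reason a recomputed value does not match the event log.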

