Re: [PATCH 2/2] main: measure the kernel command line into the TPM

[Cedric Hombourger]

On 6/29/2021 3:39 PM, Jan Kiszka wrote:
On 28.06.21 13:28, Cedric Hombourger wrote:
Make use of systemd code to measure the kernel command line for the
selected configuration into PCR#8. This also causes the firmware
to add the measurement for the loaded EFI image into PCR#4 (as per
UEFI specs). With this change both the loaded kernel and command
line options are measured. Use of the TPM may be disabled by passing
--disable-tpm to the configure script.

Signed-off-by: Cedric Hombourger <cedric_hombour...@mentor.com>
---
  configure.ac | 16 ++++++++++++++++
  main.c       | 12 ++++++++++++
  2 files changed, 28 insertions(+)

diff --git a/configure.ac b/configure.ac
index b8d2b1c..2d434d5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -77,6 +77,22 @@ AC_ARG_WITH([gnuefi-lib-dir],
  AC_SUBST(GNUEFI_LIB_DIR)
  AC_DEFINE_UNQUOTED(GNUEFI_LIB_DIR, ["$GNUEFI_LIB_DIR"], [The lib directory 
for gnuefi])
  
+AC_ARG_ENABLE([tpm],
+             AS_HELP_STRING([--disable-tpm], [Disable TPM support]))
+
+AS_IF([test "x$enable_tpm" != "xno"], [
+       AC_DEFINE([ENABLE_TPM], [1], [TPM support])
+])
+
+AC_ARG_WITH([options-pcr],
+           AS_HELP_STRING([--with-options-pcr=NUMBER],
+                          [specify the PCR register to use for options, 
defaults to 8]),
+           [OPTIONS_PCR="$withval"],
+           [OPTIONS_PCR="8"])
+
+AC_SUBST(OPTIONS_PCR)
+AC_DEFINE_UNQUOTED(OPTIONS_PCR, [$OPTIONS_PCR], [The PCR register for options])
+
  dnl Define ARCH_<NAME> conditionals
  SET_ARCH(I586, i586*)
  SET_ARCH(I686, i686*)
diff --git a/main.c b/main.c
index 7949218..dc388a4 100644
--- a/main.c
+++ b/main.c
@@ -22,6 +22,7 @@
  #include <configuration.h>
  #include "version.h"
  #include "utils.h"
+#include "measure.h"
  
  extern const unsigned long init_array_start[];
  extern const unsigned long init_array_end[];
@@ -192,6 +193,17 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, 
EFI_SYSTEM_TABLE *system_table)
        loaded_image->LoadOptionsSize =
            (StrLen(bg_loader_params.payload_options) + 1) * sizeof(CHAR16);
  
+#ifdef ENABLE_TPM
+       /* Try to log any options to the TPM */
+        status = tpm_log_event(OPTIONS_PCR,
+                       (EFI_PHYSICAL_ADDRESS) (UINTN) 
loaded_image->LoadOptions,
+                       loaded_image->LoadOptionsSize, 
loaded_image->LoadOptions);
+       /* Try to log any options to the TPM, especially manually edited 
options */
+       if (EFI_ERROR(status)) {
+               WARNING(L"Could not measure options (%x)\n", status);
+       }
+#endif
+
        INFO(L"Starting %s with watchdog set to %d seconds ...\n",
             bg_loader_params.payload_path, bg_loader_params.timeout);
  

So, all this is just for measuring the parameters passed to the kernel
image, right? Does it actually make sense in secure scenarios to use
that feature? We are currently using unified kernel images, with the
kernel parameters baked in. That permits to reject booting at all and
automatically measures the options as well.

So are we but systemd's measure module will do two things (1) finalize 
the event table (only when called for the 1st time) (2) measure the 
provided buffer (options both in their case and in this patch-series). 
My understanding is that tables need to be finalized for the measurement 
produced by LoadImage() to extend PCR[4]. At least that's my observation 
on the different pieces of hardware (and VMs) I was able to test this 
change on.

The specs clearly state that LoadImage() must measure the PE/COFF image 
before it gets relocated and that makes sense. They are not very clear 
as to why the events table need to be finalized for PCR[4] to be 
extended with the loaded image.


Jan


--
You received this message because you are subscribed to the Google Groups "EFI Boot 
Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to efibootguard-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/efibootguard-dev/8ffc2dcc-ac13-319e-5458-b06cdcbb30bc%40mentor.com.