Author: sjg
Date: Sun May 19 20:28:49 2019
New Revision: 347981
URL: https://svnweb.freebsd.org/changeset/base/347981

Log:
  libsecureboot: allow control of when pseudo pcr is updated
  
  During boot we only want to measure things which *must*
  be verified - this should provide more deterministic ordering.
  
  Reviewed by:  stevek
  MFC after:    1 week
  Sponsored by: Juniper Networks
  Differential Revision:        https://reviews.freebsd.org/D20297

Modified:
  head/lib/libsecureboot/h/libsecureboot.h
  head/lib/libsecureboot/tests/tvo.c
  head/lib/libsecureboot/vepcr.c
  head/lib/libsecureboot/verify_file.c

Modified: head/lib/libsecureboot/h/libsecureboot.h
==============================================================================
--- head/lib/libsecureboot/h/libsecureboot.h    Sun May 19 20:24:17 2019        
(r347980)
+++ head/lib/libsecureboot/h/libsecureboot.h    Sun May 19 20:28:49 2019        
(r347981)
@@ -81,6 +81,8 @@ unsigned char *verify_asc(const char *, int); /* OpenP
 void ve_pcr_init(void);
 void ve_pcr_update(unsigned char *, size_t);
 ssize_t ve_pcr_get(unsigned char *, size_t);
+int ve_pcr_updating_get(void);
+void ve_pcr_updating_set(int);
 
 /* flags for verify_{asc,sig,signed} */
 #define VEF_VERBOSE            1
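Review bot: The two prototypes added at L33-L34 say nothing about what the state they expose controls, and this header is where callers of ve_pcr_update() will look for the contract. The implementation in vepcr.c treats the value as a boolean (`pcr_updating != 0`) and resets it in ve_pcr_init(), so a comment above the pair such as `/* non-zero: ve_pcr_update() folds data into the pseudo pcr; ve_pcr_init() resets it to 0 */` would save readers a trip to the .c file. The surrounding declarations in this hunk are likewise uncommented, so this would be the first such note in the block.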

Modified: head/lib/libsecureboot/tests/tvo.c
==============================================================================
--- head/lib/libsecureboot/tests/tvo.c  Sun May 19 20:24:17 2019        
(r347980)
+++ head/lib/libsecureboot/tests/tvo.c  Sun May 19 20:28:49 2019        
(r347981)
@@ -74,6 +74,9 @@ main(int argc, char *argv[])
                }
        }
 
+#ifdef VE_PCR_SUPPORT
+       ve_pcr_updating_set(1);
+#endif
        ve_self_tests();
 
        for ( ; optind < argc; optind++) {
@@ -176,6 +179,10 @@ main(int argc, char *argv[])
                        }
                }
        }
+#ifdef VE_PCR_SUPPORT
+       verify_pcr_export();
+       printf("pcr=%s\n", getenv("loader.ve.pcr"));
+#endif
        return (0);
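Review bot: `printf("pcr=%s\n", getenv("loader.ve.pcr"))` at L61 passes the result of getenv() straight to `%s`, which is undefined behaviour when the variable is unset (getenv() returns NULL); that can happen if verify_pcr_export() declined to set it, e.g. because nothing was measured. Bind the value first and substitute a marker: `const char *pcr = getenv("loader.ve.pcr");` / `printf("pcr=%s\n", pcr ? pcr : "(unset)");`. Whether verify_pcr_export() reports failure is not visible here; if it returns a status, checking it before the printf would make the test output unambiguous. main()'s body starts outside this hunk.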
 }
 

Modified: head/lib/libsecureboot/vepcr.c
==============================================================================
--- head/lib/libsecureboot/vepcr.c      Sun May 19 20:24:17 2019        
(r347980)
+++ head/lib/libsecureboot/vepcr.c      Sun May 19 20:28:49 2019        
(r347981)
@@ -43,6 +43,7 @@ __FBSDID("$FreeBSD$");
 static const br_hash_class *pcr_md = NULL;
 static br_hash_compat_context pcr_ctx;
 static size_t pcr_hlen = 0;
+static int pcr_updating;
 
 /**
  * @brief initialize pcr context
@@ -53,18 +54,37 @@ static size_t pcr_hlen = 0;
 void
 ve_pcr_init(void)
 {
+       pcr_updating = 0;
        pcr_hlen = br_sha256_SIZE;
        pcr_md = &br_sha256_vtable;
        pcr_md->init(&pcr_ctx.vtable);
 }
 
 /**
+ * @brief get pcr_updating state
+ */
+int
+ve_pcr_updating_get(void)
+{
+       return (pcr_updating);
+}
+
+/**
+ * @brief set pcr_updating state
+ */
+void
+ve_pcr_updating_set(int updating)
+{
+       pcr_updating = updating;
+}
+
+/**
  * @brief update pcr context
  */
 void
 ve_pcr_update(unsigned char *data, size_t dlen)
 {
-       if (pcr_md)
+       if (pcr_updating != 0 && pcr_md != NULL)
                pcr_md->update(&pcr_ctx.vtable, data, dlen);
 }
 
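Review bot: The Doxygen comments on ve_pcr_updating_set() (L100-L102) and ve_pcr_update() (L109-L111) do not say that the flag gates measurement, which is the whole point of the change: after L116, ve_pcr_update() silently discards data while pcr_updating is 0, and the caller gets no indication. Suggested wording for the setter: `@brief enable (non-zero) or disable (0) folding of data into the pseudo pcr by ve_pcr_update(); ve_pcr_init() resets this to 0`, and for ve_pcr_update(): `@brief update pcr context; a no-op unless ve_pcr_updating_set() has enabled updating and ve_pcr_init() has run`. The `@brief initialize pcr context` comment above ve_pcr_init() (L79-L80, partly outside this hunk) should also mention that it clears pcr_updating, since callers that enabled updating before init would otherwise be surprised by L85.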

Modified: head/lib/libsecureboot/verify_file.c
==============================================================================
--- head/lib/libsecureboot/verify_file.c        Sun May 19 20:24:17 2019        
(r347980)
+++ head/lib/libsecureboot/verify_file.c        Sun May 19 20:28:49 2019        
(r347981)
@@ -340,6 +340,14 @@ verify_file(int fd, const char *filename, off_t off, i
        if (rc != VE_FINGERPRINT_WRONG && loaded_manifests) {
                if (severity <= VE_GUESS)
                        severity = severity_guess(filename);
+#ifdef VE_PCR_SUPPORT
+               /*
+                * Only update pcr with things that must verify
+                * these tend to be processed in a more deterministic
+                * order, which makes our pseudo pcr more useful.
+                */
+               ve_pcr_updating_set((severity == VE_MUST));
+#endif
                if ((rc = verify_fd(fd, filename, off, &st)) >= 0) {
                        if (verbose || severity > VE_WANT) {
 #if defined(VE_DEBUG_LEVEL) && VE_DEBUG_LEVEL > 0
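Review bot: The flag set at L137 is never cleared again in this hunk, so it keeps the value chosen for the last file that reached this branch; any later ve_pcr_update() call that does not pass through this `if` — a file rejected with VE_FINGERPRINT_WRONG, or a measurement made from another code path, if such callers exist — inherits the previous file's severity decision rather than its own. If the intent is that only VE_MUST files are ever measured, resetting with `ve_pcr_updating_set(0);` once verify_fd() has returned would make the gate local to this call; verify_file()'s body continues outside the hunk, so the exact placement is not visible here. As a point of style, the double parentheses in `ve_pcr_updating_set((severity == VE_MUST));` add nothing and `ve_pcr_updating_set(severity == VE_MUST);` reads more naturally.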