initrd bin/* sbin/insmod + /etc/ash_functions: TPM extend operations now all passed to LOG (quiet mode doesn't show them and logs them to /tmp/debug.log)

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2024-11-27 10:38:37 -05:00
parent 496d93031e
commit 1f029123e9
GPG Key ID: 9A53E1BB3FF00461
7 changed files with 22 additions and 15 deletions


@ -17,12 +17,12 @@ for cbfsname in `echo $cbfsfiles`; do
if [ ! -z "$filename" ]; then if [ ! -z "$filename" ]; then
mkdir -p `dirname $filename` \ mkdir -p `dirname $filename` \
|| die "$filename: mkdir failed" || die "$filename: mkdir failed"
echo "Extracting CBFS file $cbfsname into $filename" LOG "Extracting CBFS file $cbfsname into $filename"
cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \ cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \
|| die "$filename: cbfs file read failed" || die "$filename: cbfs file read failed"
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
TRACE_FUNC TRACE_FUNC
echo "TPM: Extending PCR[$CONFIG_PCR] with $filename" LOG "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content"
# Measure both the filename and its content. This # Measure both the filename and its content. This
# ensures that renaming files or pivoting file content # ensures that renaming files or pivoting file content
# will still affect the resulting PCR measurement. # will still affect the resulting PCR measurement.
@ -32,5 +32,3 @@ for cbfsname in `echo $cbfsfiles`; do
fi fi
fi fi
done done
# TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract


@ -66,7 +66,7 @@ fi
# Override PCR 4 so that user can't read the key # Override PCR 4 so that user can't read the key
TRACE_FUNC TRACE_FUNC
echo "TPM: Extending PCR[4] to prevent any future secret unsealing" LOG "TPM: Extending PCR[4] to prevent any future secret unsealing"
tpmr extend -ix 4 -ic generic || tpmr extend -ix 4 -ic generic ||
die 'Unable to scramble PCR' die 'Unable to scramble PCR'


@ -385,7 +385,7 @@ while true; do
if [ ! -r "$TMP_KEY_DEVICES" ]; then if [ ! -r "$TMP_KEY_DEVICES" ]; then
# Extend PCR4 as soon as possible # Extend PCR4 as soon as possible
TRACE_FUNC TRACE_FUNC
DEBUG "TPM: Extending PCR[4] to prevent further secret unsealing" LOG "TPM: Extending PCR[4] to prevent further secret unsealing"
tpmr extend -ix 4 -ic generic || tpmr extend -ix 4 -ic generic ||
die "Failed to extend TPM PCR[4]" die "Failed to extend TPM PCR[4]"
fi fi


@ -20,6 +20,6 @@ DEBUG "Removing /tmp/lukshdr-*"
rm /tmp/lukshdr-* rm /tmp/lukshdr-*
TRACE_FUNC TRACE_FUNC
echo "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt" LOG "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
tpmr extend -ix 6 -if /tmp/luksDump.txt || tpmr extend -ix 6 -if /tmp/luksDump.txt ||
die "Unable to extend PCR" die "Unable to extend PCR"


@ -258,7 +258,7 @@ tpm2_extend() {
esac esac
done done
tpm2 pcrextend "$index:sha256=$hash" tpm2 pcrextend "$index:sha256=$hash"
tpm2 pcrread "sha256:$index" LOG $(tpm2 pcrread "sha256:$index" 2>&1)
TRACE_FUNC TRACE_FUNC
DEBUG "TPM: Extended PCR[$index] with hash $hash" DEBUG "TPM: Extended PCR[$index] with hash $hash"
@ -786,7 +786,7 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
fi fi
TRACE_FUNC TRACE_FUNC
DEBUG "TPM: Extending PCR[$3] with hash $hash" LOG "TPM: Extending PCR[$3] with hash $hash"
DO_WITH_DEBUG exec tpm "$@" DO_WITH_DEBUG exec tpm "$@"
;; ;;
seal) seal)
@ -828,7 +828,7 @@ calcfuturepcr)
;; ;;
extend) extend)
TRACE_FUNC TRACE_FUNC
DEBUG "TPM: Extending PCR[$2] with $4" LOG "TPM: Extending PCR[$2] with $4"
tpm2_extend "$@" tpm2_extend "$@"
;; ;;
counter_read) counter_read)
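Review bot: The new `LOG $(tpm2 pcrread "sha256:$index" 2>&1)` line leaves the command substitution unquoted, so the multi-line pcrread output is word-split (and subject to glob expansion) before it reaches LOG; quote it, `LOG "$(tpm2 pcrread "sha256:$index" 2>&1)"`, so the bank and PCR lines are logged as written. Merging stderr into the substitution also means a pcrread failure now shows up as a log line rather than on the console; its exit status was not checked before either, which is probably acceptable since the pcrextend on the line above is the operation that matters, but worth a comment. tpm2_extend begins before this hunk, and the two later hunks in this file are arms of a case statement whose boundaries are outside the hunks.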


@ -39,7 +39,16 @@ TRACE() {
# Write directly to the debug log (but not kmsg), never appears on console # Write directly to the debug log (but not kmsg), never appears on console
LOG() { LOG() {
echo "LOG: $*" >>/tmp/debug.log # if not CONFIG_QUIET_MODE=y, output to console. If not, output to debug.log
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
DEBUG "$*"
elif [ "$CONFIG_QUIET_MODE" = "y" ]; then
# if in quiet mode, output solely to debug.log
echo "$*" >> /tmp/debug.log
else
# if not in quiet mode, output to console
echo "$*"
fi
} }
fw_version() { fw_version() {
@ -241,7 +250,7 @@ recovery() {
DEBUG "Board $CONFIG_BOARD - version $(fw_version)" DEBUG "Board $CONFIG_BOARD - version $(fw_version)"
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
echo "TPM: Extending PCR[4] to prevent any further secret unsealing" LOG "TPM: Extending PCR[4] to prevent any further secret unsealing"
tpmr extend -ix 4 -ic recovery tpmr extend -ix 4 -ic recovery
fi fi
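Review bot: The header comment kept above LOG, `# Write directly to the debug log (but not kmsg), never appears on console`, no longer describes the function: the new body echoes to the console unless CONFIG_QUIET_MODE=y and defers to DEBUG when CONFIG_DEBUG_OUTPUT=y. Replace it with `# Log a message: via DEBUG when CONFIG_DEBUG_OUTPUT=y, to /tmp/debug.log only when CONFIG_QUIET_MODE=y, otherwise to the console`, and fix the duplicated "If not" in the comment on the first body line, which currently reads as a contradiction. The rewrite also drops the `LOG: ` prefix that the old `echo "LOG: $*" >>/tmp/debug.log` wrote, so in quiet mode LOG entries are presumably no longer distinguishable from whatever else lands in /tmp/debug.log; keeping the prefix on that branch, `echo "LOG: $*" >> /tmp/debug.log`, would preserve it. With both options set the DEBUG branch wins, which should be stated if intended.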


@ -39,19 +39,19 @@ if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
fi fi
if [ -z "$tpm_missing" ]; then if [ -z "$tpm_missing" ]; then
echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading" LOG "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
# Extend with the module parameters (even if they are empty) and the # Extend with the module parameters (even if they are empty) and the
# module. Changing the parameters or the module content will result in a # module. Changing the parameters or the module content will result in a
# different PCR measurement. # different PCR measurement.
if [ -n "$*" ]; then if [ -n "$*" ]; then
TRACE_FUNC TRACE_FUNC
DEBUG "Extending with module parameters and the module's content" LOG "Extending with module parameters and the module's content"
tpmr extend -ix "$MODULE_PCR" -ic "$*" tpmr extend -ix "$MODULE_PCR" -ic "$*"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \ tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed" || die "$MODULE: tpm extend failed"
else else
TRACE_FUNC TRACE_FUNC
DEBUG "No module parameters, extending only with the module's content" LOG "No module parameters, extending only with the module's content"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \ tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed" || die "$MODULE: tpm extend failed"
fi fi
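Review bot: In the parameter branch, the line after the new LOG call, `tpmr extend -ix "$MODULE_PCR" -ic "$*"`, has no `|| die`, while the extend of the module file right below it does; unless the script runs under set -e (not visible here), a failed measurement of the parameters is logged as attempted and the module is still loaded, contrary to the comment above that both are meant to affect the PCR. This predates the commit, but since the commit rewrites the surrounding messages it is the natural place to make the two extends consistent: `tpmr extend -ix "$MODULE_PCR" -ic "$*" || die "$MODULE: tpm extend of parameters failed"`. The enclosing `if [ -z "$tpm_missing" ]` block closes outside the hunk.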