diff --git a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
index cdcd3946..2b46cf46 100644
--- a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
+++ b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
@@ -17,10 +17,10 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config #export CONFIG_HAVE_GPG_KEY_BACKUP=y #Enable DEBUG output -export CONFIG_DEBUG_OUTPUT=y -export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y +#export CONFIG_DEBUG_OUTPUT=y +#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y #Enable TPM2 pcap output under /tmp -export CONFIG_TPM2_CAPTURE_PCAP=y +#export CONFIG_TPM2_CAPTURE_PCAP=y #On-demand hardware support (modules.cpio) CONFIG_LINUX_USB=y
diff --git a/initrd/bin/cbfs-init b/initrd/bin/cbfs-init
index 4035025c..c54991f4 100755
--- a/initrd/bin/cbfs-init
+++ b/initrd/bin/cbfs-init
@@ -21,7 +21,8 @@ for cbfsname in `echo $cbfsfiles`; do
 cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \
 || die "$filename: cbfs file read failed"
 if [ "$CONFIG_TPM" = "y" ]; then
- echo "TPM: Extending PCR[$CONFIG_PCR with] with $filename"
+ TRACE_FUNC
+ echo "TPM: Extending PCR[$CONFIG_PCR] with $filename"
 # Measure both the filename and its content. This
 # ensures that renaming files or pivoting file content
 # will still affect the resulting PCR measurement.
diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key
index 84bff455..0028e348 100755
--- a/initrd/bin/kexec-insert-key
+++ b/initrd/bin/kexec-insert-key
@@ -65,6 +65,7 @@ if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then fi # Override PCR 4 so that user can't read the key +TRACE_FUNC echo "TPM: Extending PCR[4] to prevent any future secret unsealing" tpmr extend -ix 4 -ic generic || die 'Unable to scramble PCR'
diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot
index f56c6e76..b3b55c30 100755
--- a/initrd/bin/kexec-select-boot
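Review bot: The new `TRACE_FUNC` call in cbfs-init sits at script top level inside the per-file `for` loop, so it fires once for every CBFS file that is measured rather than once per function entry, and if TRACE_FUNC derives its label from the enclosing shell function (its definition is not visible here) there is none at this call site, so the trace line may be uninformative — worth confirming. The same top-level placement is used by the TRACE_FUNC additions in kexec-insert-key, kexec-select-boot and qubes-measure-luks in this commit. If the intent is only to mark the PCR extension in the trace, a fixed label such as `DEBUG "cbfs-init: measuring $filename into PCR[$CONFIG_PCR]"` would say more than the function name. The enclosing `for` loop begins before the hunk and its body continues after it.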
+++ b/initrd/bin/kexec-select-boot
@@ -384,6 +384,7 @@ while true; do if [ "$CONFIG_TPM" = "y" ]; then if [ ! -r "$TMP_KEY_DEVICES" ]; then # Extend PCR4 as soon as possible + TRACE_FUNC DEBUG "TPM: Extending PCR[4] to prevent further secret unsealing" tpmr extend -ix 4 -ic generic || die "Failed to extend TPM PCR[4]"
diff --git a/initrd/bin/qubes-measure-luks b/initrd/bin/qubes-measure-luks
index 03db5915..bef6fb10 100755
--- a/initrd/bin/qubes-measure-luks
+++ b/initrd/bin/qubes-measure-luks
@@ -19,6 +19,7 @@ sha256sum /tmp/lukshdr-* >/tmp/luksDump.txt || die "Unable to hash LUKS headers" DEBUG "Removing /tmp/lukshdr-*" rm /tmp/lukshdr-* +TRACE_FUNC echo "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt" tpmr extend -ix 6 -if /tmp/luksDump.txt || die "Unable to extend PCR"
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index fb10f0c7..78b71ea1 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -235,14 +235,20 @@ tpm2_extend() {
 while true; do
 case "$1" in
 -ix)
+ # store index and shift so -ic and -if can be processed
 index="$2"
 shift 2
 ;;
 -ic)
+ string=$(echo -n "$2")
 hash="$(echo -n "$2" | sha256sum | cut -d' ' -f1)"
+ TRACE_FUNC
+ DEBUG "TPM: Will extend PCR[$index] with hash of string $string"
 shift 2
 ;;
 -if)
+ TRACE_FUNC
+ DEBUG "TPM: Will extend PCR[$index] with hash of file content $2"
 hash="$(sha256sum "$2" | cut -d' ' -f1)"
 shift 2
 ;;
@@ -253,7 +259,9 @@ tpm2_extend() {
 done
 tpm2 pcrextend "$index:sha256=$hash"
 tpm2 pcrread "sha256:$index"
- DEBUG "TPM: Extended PCR[$index] with $hash"
+
+ TRACE_FUNC
+ DEBUG "TPM: Extended PCR[$index] with hash $hash"
 }

 tpm2_counter_read() {
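Review bot: `string=$(echo -n "$2")` in the `-ic` arm of tpm2_extend is a subshell round-trip that only strips trailing newlines; the DEBUG line needs nothing more than `string="$2"`, and the same pattern recurs in the tpm1 `extend)` arm later in this file. The new DEBUG messages in the `-ic` and `-if` arms print `$index`, which is only set if `-ix` was parsed earlier on the same command line — the added comment on `-ix)` records that assumption but nothing enforces it, so either initialise `index=` before the `while` loop or move the "Will extend" messages after the loop where the final index is known. `string` is a new variable assigned without `local`; if tpm2_extend does not declare it above the hunk it persists in the caller's shell. tpm2_extend begins before this hunk and the following hunk ends it.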
@@ -767,7 +775,18 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 tpm1_destroy "$@"
 ;;
 extend)
- DEBUG "TPM: Extending PCR[$3] with $5"
+ #check if we extend with a hash or a file
+ if [ "$4" = "-if" ]; then
+ DEBUG "TPM: Will extend PCR[$3] hash content of file $5"
+ hash="$(sha1sum "$5" | cut -d' ' -f1)"
+ elif [ "$4" = "-ic" ]; then
+ string=$(echo -n "$5")
+ DEBUG "TPM: Will extend PCR[$3] with hash of filename $string"
+ hash="$(echo -n "$5" | sha1sum | cut -d' ' -f1)"
+ fi
+
+ TRACE_FUNC
+ DEBUG "TPM: Extending PCR[$3] with hash $hash"
 DO_WITH_DEBUG exec tpm "$@"
 ;;
 seal)
@@ -808,6 +827,7 @@ calcfuturepcr)
 replay_pcr "sha256" "$@"
 ;;
 extend)
+ TRACE_FUNC
 DEBUG "TPM: Extending PCR[$2] with $4"
 tpm2_extend "$@"
 ;;
diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions
index bf6c6307..f8b9f79e 100644
--- a/initrd/etc/ash_functions
+++ b/initrd/etc/ash_functions
@@ -241,6 +241,7 @@ recovery() { DEBUG "Board $CONFIG_BOARD - version $(fw_version)" if [ "$CONFIG_TPM" = "y" ]; then + TRACE_FUNC echo "TPM: Extending PCR[4] to prevent any further secret unsealing" tpmr extend -ix 4 -ic recovery fi
diff --git a/initrd/sbin/insmod b/initrd/sbin/insmod
index da654257..359bf68f 100755
--- a/initrd/sbin/insmod
+++ b/initrd/sbin/insmod
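Review bot: The `-ic` branch of the tpm1 `extend)` arm logs `hash of filename $string` although `$5` is the string being extended, not a filename; `DEBUG "TPM: Will extend PCR[$3] with hash of string $string"` matches the wording of the tpm2 path. `hash` is assigned only inside the `-if`/`-ic` branches, so when `$4` is anything else the final `DEBUG "TPM: Extending PCR[$3] with hash $hash"` prints whatever `hash` held before (or nothing); add `hash=` before the `if`, and `string=$(echo -n "$5")` can simply be `string="$5"`. The SHA-1 computed here is for the log only — the digest actually extended is presumably derived independently by the `tpm` binary from `$5`, so this message should not be read as confirmation of the measured value. The enclosing `case` dispatch starts and ends outside the hunk.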
@@ -43,9 +43,18 @@ if [ -z "$tpm_missing" ]; then
 # Extend with the module parameters (even if they are empty) and the
 # module. Changing the parameters or the module content will result in a
 # different PCR measurement.
- tpmr extend -ix "$MODULE_PCR" -ic "$*"
- tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
- || die "$MODULE: tpm extend failed"
+ if [ -n "$*" ]; then
+ TRACE_FUNC
+ DEBUG "Extending with module parameters and the module's content"
+ tpmr extend -ix "$MODULE_PCR" -ic "$*"
+ tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
+ || die "$MODULE: tpm extend failed"
+ else
+ TRACE_FUNC
+ DEBUG "No module parameters, extending only with the module's content"
+ tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
+ || die "$MODULE: tpm extend failed"
+ fi
 fi

 # Since we have replaced the real insmod, we must invoke
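Review bot: In the `[ -n "$*" ]` branch the parameter measurement `tpmr extend -ix "$MODULE_PCR" -ic "$*"` still has no `|| die`, so a failed extend of the parameters is silently ignored while the module-content extend immediately after it is fatal; both feed the same PCR and should fail the same way. Skipping the `-ic` extend for parameter-less modules also changes the PCR sequence compared with the previous code (one extend instead of two), so values sealed against or compared with the old measurements will presumably need re-sealing, and the retained comment above, `# Extend with the module parameters (even if they are empty) and the`, now contradicts the code — reword it to `# Extend with the module parameters (only when present) and the module.`. The module-content extend is duplicated in both branches and can be hoisted out of the `if` so it appears once. The outer `if [ -z "$tpm_missing" ]` begins before the hunk.
```shell
if [ -n "$*" ]; then
	TRACE_FUNC
	DEBUG "Extending with module parameters and the module's content"
	tpmr extend -ix "$MODULE_PCR" -ic "$*" \
		|| die "$MODULE: tpm extend of module parameters failed"
else
	TRACE_FUNC
	DEBUG "No module parameters, extending only with the module's content"
fi
# module content is measured in both cases, so do it once here
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
	|| die "$MODULE: tpm extend failed"
```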