From de7902f5b905626e42e670e60ac1ceca1692fa58 Mon Sep 17 00:00:00 2001
From: Jonathon Hall
Date: Thu, 5 Sep 2024 14:00:58 -0400
Subject: [PATCH] cbfs-init, insmod: Bring back params/filenames into PCR measurements

cbfs-init used to measure filenames as well as the data in the files, but after refactoring it only measures file data. This means files could be renamed, or contents pivoted, without affecting the PCR measurements. Bring back the filename measurement.

Similarly, insmod used to measure module parameters, but no longer does. Though we don't currently insert any modules with parameters, there's no reason to leave this open to break later, bring back the measurement.

Signed-off-by: Jonathon Hall
---
 initrd/bin/cbfs-init | 6 +++++-
 initrd/sbin/insmod | 12 +++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/initrd/bin/cbfs-init b/initrd/bin/cbfs-init
index efec2ca5..4035025c 100755
--- a/initrd/bin/cbfs-init
+++ b/initrd/bin/cbfs-init
@@ -22,7 +22,11 @@ for cbfsname in `echo $cbfsfiles`; do
  || die "$filename: cbfs file read failed"
  if [ "$CONFIG_TPM" = "y" ]; then
  echo "TPM: Extending PCR[$CONFIG_PCR with] with $filename"
- tpmr extend -ix "$CONFIG_PCR" -if $filename \
+ # Measure both the filename and its content. This
+ # ensures that renaming files or pivoting file content
+ # will still affect the resulting PCR measurement.
+ tpmr extend -ix "$CONFIG_PCR" -ic "$filename"
+ tpmr extend -ix "$CONFIG_PCR" -if "$filename" \
  || die "$filename: tpm extend failed"
  fi
  fi
diff --git a/initrd/sbin/insmod b/initrd/sbin/insmod
index e383eaf4..da654257 100755
--- a/initrd/sbin/insmod
+++ b/initrd/sbin/insmod
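Review bot: The new `tpmr extend -ix "$CONFIG_PCR" -ic "$filename"` line carries no failure check, so if the name measurement fails the script just continues and only the content extend below it is guarded by `|| die`; the PCR would then silently lack exactly the measurement this commit restores. Guard it the same way as the content extend: `tpmr extend -ix "$CONFIG_PCR" -ic "$filename" \` followed by `|| die "$filename: tpm extend of filename failed"`. What gets measured is `$filename`, which looks like the extraction path rather than the CBFS entry `$cbfsname`; if the two can diverge, measuring `$cbfsname` as well would bind the PCR more tightly, but confirm against the loop head, which starts outside the hunk. The untouched context line above prints `PCR[$CONFIG_PCR with]`, a misplaced `with` that is worth fixing while in this block.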
@@ -39,17 +39,15 @@ if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
 fi
 
 if [ -z "$tpm_missing" ]; then
- echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE prior of loading into kernel"
+ echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
+ # Extend with the module parameters (even if they are empty) and the
+ # module. Changing the parameters or the module content will result in a
+ # different PCR measurement.
+ tpmr extend -ix "$MODULE_PCR" -ic "$*"
  tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
  || die "$MODULE: tpm extend failed"
 fi
 
-if [ ! -z "$*" -a -z "$tpm_missing" ]; then
- echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE prior of loading into kernel"
- tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
- || die "$MODULE: tpm extend on arguments failed"
-fi
-
 # Since we have replaced the real insmod, we must invoke
 # the busybox insmod via the original executable
 DEBUG "Loading $MODULE with busybox insmod"
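Review bot: The added `tpmr extend -ix "$MODULE_PCR" -ic "$*"` is not error-checked, while the block this hunk removes died with `"$MODULE: tpm extend on arguments failed"`; a failed parameter extend now falls through to the module-content extend and the module is loaded with the PCR missing that measurement. Keep the old guard: `tpmr extend -ix "$MODULE_PCR" -ic "$*" \` followed by `|| die "$MODULE: tpm extend on arguments failed"`. Note that `"$*"` joins the arguments with a single space, so `a=1 b=2` passed as one argument or as two measures identically; that is presumably harmless if insmod hands the kernel one joined option string, but worth confirming. The `if [ ! -r /sys/class/tpm/tpm0/pcrs ... ]` test that sets `$tpm_missing` starts outside the hunk, so the missing-TPM path is not reviewed here.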