de7902f5b9
cbfs-init used to measure filenames as well as the data in the files, but after refactoring it only measures file data. This means files could be renamed, or contents pivoted, without affecting the PCR measurements. Bring back the filename measurement. Similarly, insmod used to measure module parameters, but no longer does. Though we don't currently insert any modules with parameters, there's no reason to leave this open to break later, bring back the measurement. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
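#!/bin/bash
# cbfs-init: extract the "heads/initrd/" files carried in the firmware CBFS
# into the running initrd, measuring each one into a TPM PCR on the way.
#
# Globals read:  CONFIG_PCR - PCR index to extend (defaults to 7 when unset/empty)
#                CONFIG_TPM - "y" enables the measurement
#                CBFS_ARG   - extra argument(s) passed to "cbfs"; may be empty
# Requires:      cbfs, tpmr, and die / TRACE_FUNC sourced from /etc/functions
set -e -o pipefail

. /etc/functions

TRACE_FUNC

# Update initrd with CBFS files
CONFIG_PCR=${CONFIG_PCR:-7}

# Load individual files.
# NOTE(review): under "set -e -o pipefail" an empty match (grep exits 1)
# aborts the script right here, as it did before — presumably intended,
# since an image without any heads/initrd/ entries is unexpected; confirm
# before relaxing it.
cbfsfiles=$(cbfs -t 50 -l 2>/dev/null | grep "^heads/initrd/")

# One CBFS name per line; "read -r" keeps each name byte-exact.
while IFS= read -r cbfsname; do
	# Drop the leading "heads/initrd" so what remains is the absolute
	# destination path (offset 12 keeps the separating "/").
	filename=${cbfsname:12}
	[ -n "$filename" ] || continue

	mkdir -p "$(dirname "$filename")" \
		|| die "$filename: mkdir failed"

	echo "Extracting CBFS file $cbfsname into $filename"
	# $CBFS_ARG is deliberately unquoted: it may be empty or hold several words.
	cbfs -t 50 $CBFS_ARG -r "$cbfsname" > "$filename" \
		|| die "$filename: cbfs file read failed"

	if [ "$CONFIG_TPM" = "y" ]; then
		echo "TPM: Extending PCR[$CONFIG_PCR] with $filename"
		# Measure both the filename and its content. This
		# ensures that renaming files or pivoting file content
		# will still affect the resulting PCR measurement.
		# Each extend is checked explicitly so a failed measurement is
		# reported by name instead of silently ending the script via set -e.
		tpmr extend -ix "$CONFIG_PCR" -ic "$filename" \
			|| die "$filename: tpm extend (filename) failed"
		tpmr extend -ix "$CONFIG_PCR" -if "$filename" \
			|| die "$filename: tpm extend failed"
	fi
done <<<"$cbfsfiles"

# TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract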