ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-01-20 19:48:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
de7902f5b9
heads/initrd/sbin/insmod
Jonathon Hall de7902f5b9
cbfs-init, insmod: Bring back params/filenames into PCR measurements 
cbfs-init used to measure filenames as well as the data in the files,
but after refactoring it only measures file data.  This means files
could be renamed, or contents pivoted, without affecting the PCR
measurements.  Bring back the filename measurement.

Similarly, insmod used to measure module parameters, but no longer
does.  Though we don't currently insert any modules with parameters,
there's no reason to leave this open to break later, bring back the
measurement.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-09-06 09:43:14 -04:00

56 lines
1.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# extend a TPM PCR with a module and then load it
# any arguments will also be measured.
# The default PCR to be extended is 5, but can be
# overridden with the MODULE_PCR environment variable
. /etc/functions
TRACE_FUNC
MODULE="$1"; shift
if [ -z "$MODULE_PCR" ]; then
MODULE_PCR=5
fi
if [ -z "$MODULE" ]; then
die "Usage: $0 module [args...]"
fi
if [ ! -r "$MODULE" ]; then
die "$MODULE: not found?"
fi
# Check if module is already loaded
# Transform module name changing _ for - and trailing .ko if present
# Unify lsmod output to use - instead of _ for comparison
module_name=$(basename "$MODULE" | sed 's/_/-/g' | sed 's/\.ko$//')
if lsmod | sed 's/_/-/g' | grep -q "^$module_name\\b"; then
DEBUG "$MODULE: already loaded, skipping"
exit 0
fi
if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
if [ ! -c /dev/tpmrm0 -o ! -x /bin/tpm2 ]; then
tpm_missing=1
fi
fi
if [ -z "$tpm_missing" ]; then
echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
# Extend with the module parameters (even if they are empty) and the
# module. Changing the parameters or the module content will result in a
# different PCR measurement.
tpmr extend -ix "$MODULE_PCR" -ic "$*"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed"
fi
# Since we have replaced the real insmod, we must invoke
# the busybox insmod via the original executable
DEBUG "Loading $MODULE with busybox insmod"
busybox insmod "$MODULE" "$@" \
|| die "$MODULE: insmod failed"
Reference in New Issue View Git Blame Copy Permalink