|
|
d1e1c8 |
From 0a8f7ade76ff3eede486027eaa638181e6bed3b8 Mon Sep 17 00:00:00 2001
|
|
|
d1e1c8 |
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
d1e1c8 |
Date: Tue, 18 Feb 2020 12:03:17 +0100
|
|
|
d1e1c8 |
Subject: [PATCH 46/62] tpm: Include information about PE/COFF images in the
|
|
|
d1e1c8 |
TPM Event Log
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
The "TCG PC Client Specific Platform Firmware Profile Specification" says
|
|
|
d1e1c8 |
that when measuring a PE/COFF image, the TCG_PCR_EVENT2 structure Event
|
|
|
d1e1c8 |
field MUST contain a UEFI_IMAGE_LOAD_EVENT structure.
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
Currently an empty UEFI_IMAGE_LOAD_EVENT structure is passed so users only
|
|
|
d1e1c8 |
have the hash of the PE/COFF image, but not information such the file path
|
|
|
d1e1c8 |
of the binary.
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
d1e1c8 |
Upstream-commit-id: c252b9ee94c
|
|
|
d1e1c8 |
---
|
|
|
d1e1c8 |
shim.c | 7 +++++--
|
|
|
d1e1c8 |
tpm.c | 46 ++++++++++++++++++++++++++++++++--------------
|
|
|
d1e1c8 |
include/tpm.h | 5 +++--
|
|
|
d1e1c8 |
3 files changed, 40 insertions(+), 18 deletions(-)
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
diff --git a/shim.c b/shim.c
|
|
|
d1e1c8 |
index a4f7769b38b..b35b0ad90cc 100644
|
|
|
d1e1c8 |
--- a/shim.c
|
|
|
d1e1c8 |
+++ b/shim.c
|
|
|
d1e1c8 |
@@ -1274,7 +1274,9 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
|
|
|
d1e1c8 |
#ifdef REQUIRE_TPM
|
|
|
d1e1c8 |
efi_status =
|
|
|
d1e1c8 |
#endif
|
|
|
d1e1c8 |
- tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, sha1hash, 4);
|
|
|
d1e1c8 |
+ tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize,
|
|
|
d1e1c8 |
+ (EFI_PHYSICAL_ADDRESS)(UINTN)context.ImageAddress,
|
|
|
d1e1c8 |
+ li->FilePath, sha1hash, 4);
|
|
|
d1e1c8 |
#ifdef REQUIRE_TPM
|
|
|
d1e1c8 |
if (efi_status != EFI_SUCCESS) {
|
|
|
d1e1c8 |
return efi_status;
|
|
|
d1e1c8 |
@@ -1788,7 +1790,8 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
|
|
|
d1e1c8 |
#ifdef REQUIRE_TPM
|
|
|
d1e1c8 |
efi_status =
|
|
|
d1e1c8 |
#endif
|
|
|
d1e1c8 |
- tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4);
|
|
|
d1e1c8 |
+ tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, 0, NULL,
|
|
|
d1e1c8 |
+ sha1hash, 4);
|
|
|
d1e1c8 |
#ifdef REQUIRE_TPM
|
|
|
d1e1c8 |
if (EFI_ERROR(efi_status))
|
|
|
d1e1c8 |
goto done;
|
|
|
d1e1c8 |
diff --git a/tpm.c b/tpm.c
|
|
|
d1e1c8 |
index 196b93c30f6..22ad148b35a 100644
|
|
|
d1e1c8 |
--- a/tpm.c
|
|
|
d1e1c8 |
+++ b/tpm.c
|
|
|
d1e1c8 |
@@ -210,21 +210,39 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr,
|
|
|
d1e1c8 |
strlen(description) + 1, 0xd, NULL);
|
|
|
d1e1c8 |
}
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
-EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 *sha1hash,
|
|
|
d1e1c8 |
- UINT8 pcr)
|
|
|
d1e1c8 |
+EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size,
|
|
|
d1e1c8 |
+ EFI_PHYSICAL_ADDRESS addr, EFI_DEVICE_PATH *path,
|
|
|
d1e1c8 |
+ UINT8 *sha1hash, UINT8 pcr)
|
|
|
d1e1c8 |
{
|
|
|
d1e1c8 |
- EFI_IMAGE_LOAD_EVENT ImageLoad;
|
|
|
d1e1c8 |
-
|
|
|
d1e1c8 |
- // All of this is informational and forces us to do more parsing before
|
|
|
d1e1c8 |
- // we can generate it, so let's just leave it out for now
|
|
|
d1e1c8 |
- ImageLoad.ImageLocationInMemory = 0;
|
|
|
d1e1c8 |
- ImageLoad.ImageLengthInMemory = 0;
|
|
|
d1e1c8 |
- ImageLoad.ImageLinkTimeAddress = 0;
|
|
|
d1e1c8 |
- ImageLoad.LengthOfDevicePath = 0;
|
|
|
d1e1c8 |
-
|
|
|
d1e1c8 |
- return tpm_log_event_raw(buf, size, pcr, (CHAR8 *)&ImageLoad,
|
|
|
d1e1c8 |
- sizeof(ImageLoad),
|
|
|
d1e1c8 |
- EV_EFI_BOOT_SERVICES_APPLICATION, sha1hash);
|
|
|
d1e1c8 |
+ EFI_IMAGE_LOAD_EVENT *ImageLoad = NULL;
|
|
|
d1e1c8 |
+ EFI_STATUS efi_status;
|
|
|
d1e1c8 |
+ UINTN path_size = 0;
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ if (path)
|
|
|
d1e1c8 |
+ path_size = DevicePathSize(path);
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ ImageLoad = AllocateZeroPool(sizeof(*ImageLoad) + path_size);
|
|
|
d1e1c8 |
+ if (!ImageLoad) {
|
|
|
d1e1c8 |
+ perror(L"Unable to allocate image load event structure\n");
|
|
|
d1e1c8 |
+ return EFI_OUT_OF_RESOURCES;
|
|
|
d1e1c8 |
+ }
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ ImageLoad->ImageLocationInMemory = buf;
|
|
|
d1e1c8 |
+ ImageLoad->ImageLengthInMemory = size;
|
|
|
d1e1c8 |
+ ImageLoad->ImageLinkTimeAddress = addr;
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ if (path_size > 0) {
|
|
|
d1e1c8 |
+ CopyMem(ImageLoad->DevicePath, path, path_size);
|
|
|
d1e1c8 |
+ ImageLoad->LengthOfDevicePath = path_size;
|
|
|
d1e1c8 |
+ }
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ efi_status = tpm_log_event_raw(buf, size, pcr, (CHAR8 *)ImageLoad,
|
|
|
d1e1c8 |
+ sizeof(*ImageLoad) + path_size,
|
|
|
d1e1c8 |
+ EV_EFI_BOOT_SERVICES_APPLICATION,
|
|
|
d1e1c8 |
+ sha1hash);
|
|
|
d1e1c8 |
+ FreePool(ImageLoad);
|
|
|
d1e1c8 |
+
|
|
|
d1e1c8 |
+ return efi_status;
|
|
|
d1e1c8 |
}
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
typedef struct {
|
|
|
d1e1c8 |
diff --git a/include/tpm.h b/include/tpm.h
|
|
|
d1e1c8 |
index 746e871ff22..a05c24949e5 100644
|
|
|
d1e1c8 |
--- a/include/tpm.h
|
|
|
d1e1c8 |
+++ b/include/tpm.h
|
|
|
d1e1c8 |
@@ -10,8 +10,9 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr,
|
|
|
d1e1c8 |
const CHAR8 *description);
|
|
|
d1e1c8 |
EFI_STATUS fallback_should_prefer_reset(void);
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
-EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 *sha1hash,
|
|
|
d1e1c8 |
- UINT8 pcr);
|
|
|
d1e1c8 |
+EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size,
|
|
|
d1e1c8 |
+ EFI_PHYSICAL_ADDRESS addr, EFI_DEVICE_PATH *path,
|
|
|
d1e1c8 |
+ UINT8 *sha1hash, UINT8 pcr);
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
EFI_STATUS tpm_measure_variable(CHAR16 *dbname, EFI_GUID guid, UINTN size, void *data);
|
|
|
d1e1c8 |
|
|
|
d1e1c8 |
--
|
|
|
d1e1c8 |
2.26.2
|
|
|
d1e1c8 |
|