Commit de7902f
JonathonHall-Purism authored and tlaurion committed
cbfs-init, insmod: Bring back params/filenames into PCR measurements
cbfs-init used to measure filenames as well as the data in the files, but after refactoring it only measures file data. This means files could be renamed, or contents pivoted, without affecting the PCR measurements. Bring back the filename measurement. Similarly, insmod used to measure module parameters, but no longer does. Though we don't currently insert any modules with parameters, there's no reason to leave this open to break later; bring back the measurement.

Signed-off-by: Jonathon Hall <[email protected]>
1 parent 250a144 commit de7902f

2 files changed: +10 / -8 lines changed

initrd/bin/cbfs-init

Lines changed: 5 additions & 1 deletion
@@ -22,7 +22,11 @@ for cbfsname in `echo $cbfsfiles`; do
2222
|| die "$filename: cbfs file read failed"
2323
if [ "$CONFIG_TPM" = "y" ]; then
2424
echo "TPM: Extending PCR[$CONFIG_PCR with] with $filename"
25-
tpmr extend -ix "$CONFIG_PCR" -if $filename \
25+
# Measure both the filename and its content. This
26+
# ensures that renaming files or pivoting file content
27+
# will still affect the resulting PCR measurement.
28+
tpmr extend -ix "$CONFIG_PCR" -ic "$filename"
29+
tpmr extend -ix "$CONFIG_PCR" -if "$filename" \
2630
|| die "$filename: tpm extend failed"
2731
fi
2832
fi
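Review bot: the new `tpmr extend -ix "$CONFIG_PCR" -ic "$filename"` line has no failure check; only the following `-if "$filename"` extend is guarded by `|| die "$filename: tpm extend failed"`. If the filename extend fails (or `tpmr` is missing an `-ic` implementation on some build), the script continues and the PCR silently lacks the filename measurement this commit is meant to restore. Suggest guarding it the same way, e.g. `tpmr extend -ix "$CONFIG_PCR" -ic "$filename" || die "$filename: tpm extend of filename failed"`. Since the filename and the content are extended as two separate events, the binding between the two relies on their order being deterministic, which it is here because `$cbfsfiles` is iterated in a fixed sequence; that is worth a short comment. Drive-by: the unchanged context line `echo "TPM: Extending PCR[$CONFIG_PCR with] with $filename"` has the `with]` misplaced and should read `PCR[$CONFIG_PCR] with $filename`.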

initrd/sbin/insmod

Lines changed: 5 additions & 7 deletions
@@ -39,17 +39,15 @@ if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
3939
fi
4040

4141
if [ -z "$tpm_missing" ]; then
42-
echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE prior of loading into kernel"
42+
echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
43+
# Extend with the module parameters (even if they are empty) and the
44+
# module. Changing the parameters or the module content will result in a
45+
# different PCR measurement.
46+
tpmr extend -ix "$MODULE_PCR" -ic "$*"
4347
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
4448
|| die "$MODULE: tpm extend failed"
4549
fi
4650

47-
if [ ! -z "$*" -a -z "$tpm_missing" ]; then
48-
echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE prior of loading into kernel"
49-
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
50-
|| die "$MODULE: tpm extend on arguments failed"
51-
fi
52-
5351
# Since we have replaced the real insmod, we must invoke
5452
# the busybox insmod via the original executable
5553
DEBUG "Loading $MODULE with busybox insmod"
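Review bot: the added `tpmr extend -ix "$MODULE_PCR" -ic "$*"` line drops the error handling the removed block had (`|| die "$MODULE: tpm extend on arguments failed"`); only the subsequent `-if "$MODULE"` extend is guarded. A failed parameter extend would leave the PCR without the parameter measurement while the module still loads. Suggest `tpmr extend -ix "$MODULE_PCR" -ic "$*" || die "$MODULE: tpm extend on arguments failed"` to restore that check. One caveat on measuring `"$*"`: it joins the positional parameters with the first character of IFS, so `foo=a b` and `foo=a` `b` measure identically; that is acceptable while the script is the only caller and no modules take parameters, but a comment noting the limitation would help the next reader. The removed `if [ ! -z "$*" -a -z "$tpm_missing" ]` block was extending `-if "$MODULE"` a second time rather than the parameters, which matches the commit message's description of the regression, so removing it is correct.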
