| Message ID | 20200326202054.826301-4-stefanb@linux.vnet.ibm.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | vTPM: Measure the bootloader | expand |
On 27/03/2020 07:20, Stefan Berger wrote: > From: Stefan Berger <stefanb@linux.ibm.com> > > Measure the bootloader file read from disk into PCR 4 and log it with > the description 'BOOTLOADER' and the event type EV_COMPACT_HASH > (code 0xc). Since the loaded file should be an ELF file, have its size > determined and only the bytes from the ELF image measured rather than > the whole buffer that it was read into and is much bigger (0x700000). > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > --- > slof/fs/packages/disk-label.fs | 19 ++++++++++++++++++- > 1 file changed, 18 insertions(+), 1 deletion(-) > > diff --git a/slof/fs/packages/disk-label.fs b/slof/fs/packages/disk-label.fs > index bb64022..d7b6418 100644 > --- a/slof/fs/packages/disk-label.fs > +++ b/slof/fs/packages/disk-label.fs > @@ -452,6 +452,20 @@ CREATE GPT-LINUX-PARTITION 10 allot > THEN > ; > > +\ Measure the boot loader file into PCR 4 as event type EV_COMPACT_HASH (0xc) > + > +: measure-file ( data-ptr data-len -- ) > + s" /ibm,vtpm" find-node IF > + 4 -rot ( 4 data-ptr data-len ) > + c -rot ( 4 c data-ptr data-len ) > + s" BOOTLOADER" ( 4 c data-ptr data-len desc-ptr desc-len ) > + true tpm-hash-log-extend-event-file ( rc ) > + drop This is what I commented in 2/3 - these "true" and "drop" are not used. > + ELSE > + 2drop > + THEN > +; > + > : load-from-gpt-prep-partition ( addr -- size ) So it is GPT only, not MBR? > get-gpt-partition 0= IF false EXIT THEN > block gpt>num-part-entry l@-le dup 0= IF false exit THEN > @@ -465,7 +479,10 @@ CREATE GPT-LINUX-PARTITION 10 allot > swap ( addr blocks first-lba ) > block-size * to part-offset ( addr blocks ) > 0 0 seek drop ( addr blocks ) > - block-size * read ( size ) > + over -rot ( addr addr blocks) Nit: "swap" instead of "-rot". Thanks, > + block-size * read ( addr size ) > + 2dup measure-file ( addr size ) > + nip ( size) > UNLOOP EXIT > THEN > seek-pos gpt-part-size + to seek-pos >
On 4/1/20 12:31 AM, Alexey Kardashevskiy wrote: > > On 27/03/2020 07:20, Stefan Berger wrote: >> From: Stefan Berger <stefanb@linux.ibm.com> >> >> Measure the bootloader file read from disk into PCR 4 and log it with >> the description 'BOOTLOADER' and the event type EV_COMPACT_HASH >> (code 0xc). Since the loaded file should be an ELF file, have its size >> determined and only the bytes from the ELF image measured rather than >> the whole buffer that it was read into and is much bigger (0x700000). >> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >> --- >> slof/fs/packages/disk-label.fs | 19 ++++++++++++++++++- >> 1 file changed, 18 insertions(+), 1 deletion(-) >> >> diff --git a/slof/fs/packages/disk-label.fs b/slof/fs/packages/disk-label.fs >> index bb64022..d7b6418 100644 >> --- a/slof/fs/packages/disk-label.fs >> +++ b/slof/fs/packages/disk-label.fs >> @@ -452,6 +452,20 @@ CREATE GPT-LINUX-PARTITION 10 allot >> THEN >> ; >> >> +\ Measure the boot loader file into PCR 4 as event type EV_COMPACT_HASH (0xc) >> + >> +: measure-file ( data-ptr data-len -- ) >> + s" /ibm,vtpm" find-node IF >> + 4 -rot ( 4 data-ptr data-len ) >> + c -rot ( 4 c data-ptr data-len ) >> + s" BOOTLOADER" ( 4 c data-ptr data-len desc-ptr desc-len ) >> + true tpm-hash-log-extend-event-file ( rc ) >> + drop > This is what I commented in 2/3 - these "true" and "drop" are not used. I would like to keep them though since this function will have different callers. Also, practically all functions return a return code. > > >> + ELSE >> + 2drop >> + THEN >> +; >> + >> : load-from-gpt-prep-partition ( addr -- size ) > So it is GPT only, not MBR? for MBR we have this here already: : load-from-dos-boot-partition ( addr -- size ) no-mbr? IF drop FALSE EXIT THEN \ read MBR and check for DOS disk-label magic [..] block-size * read ( size ) block block-size measure-mbr UNLOOP EXIT [...] I thought for MBR there was a tiny piece of code in the sectors that are read here and that's all there is. > > >> get-gpt-partition 0= IF false EXIT THEN >> block gpt>num-part-entry l@-le dup 0= IF false exit THEN >> @@ -465,7 +479,10 @@ CREATE GPT-LINUX-PARTITION 10 allot >> swap ( addr blocks first-lba ) >> block-size * to part-offset ( addr blocks ) >> 0 0 seek drop ( addr blocks ) >> - block-size * read ( size ) >> + over -rot ( addr addr blocks) > > Nit: "swap" instead of "-rot". Thanks, Yes, easier. Done. Stefan > > >> + block-size * read ( addr size ) >> + 2dup measure-file ( addr size ) >> + nip ( size) >> UNLOOP EXIT >> THEN >> seek-pos gpt-part-size + to seek-pos >>
diff --git a/slof/fs/packages/disk-label.fs b/slof/fs/packages/disk-label.fs index bb64022..d7b6418 100644 --- a/slof/fs/packages/disk-label.fs +++ b/slof/fs/packages/disk-label.fs @@ -452,6 +452,20 @@ CREATE GPT-LINUX-PARTITION 10 allot THEN ; +\ Measure the boot loader file into PCR 4 as event type EV_COMPACT_HASH (0xc) + +: measure-file ( data-ptr data-len -- ) + s" /ibm,vtpm" find-node IF + 4 -rot ( 4 data-ptr data-len ) + c -rot ( 4 c data-ptr data-len ) + s" BOOTLOADER" ( 4 c data-ptr data-len desc-ptr desc-len ) + true tpm-hash-log-extend-event-file ( rc ) + drop + ELSE + 2drop + THEN +; + : load-from-gpt-prep-partition ( addr -- size ) get-gpt-partition 0= IF false EXIT THEN block gpt>num-part-entry l@-le dup 0= IF false exit THEN @@ -465,7 +479,10 @@ CREATE GPT-LINUX-PARTITION 10 allot swap ( addr blocks first-lba ) block-size * to part-offset ( addr blocks ) 0 0 seek drop ( addr blocks ) - block-size * read ( size ) + over -rot ( addr addr blocks) + block-size * read ( addr size ) + 2dup measure-file ( addr size ) + nip ( size) UNLOOP EXIT THEN seek-pos gpt-part-size + to seek-pos