[2/3] libstb/stb.c: measure the IMA_CATALOG partition

Message ID 1504166040-16531-3-git-send-email-cclaudio@linux.vnet.ibm.com
State Under Review
Series
  • libstb: add support to ibm,secureboot-v2

Commit Message

Claudio Carvalho Aug. 31, 2017, 7:53 a.m.
This maps a PCR number for the IMA_CATALOG partition so that it can be
measured (extended to the mapped PCR).

Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
---
 libstb/stb.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Stewart Smith Sept. 20, 2017, 6:19 a.m. | #1
Claudio Carvalho <cclaudio@linux.vnet.ibm.com> writes:
> This maps a PCR number for the IMA_CATALOG partition so that it can be
> measured (extended to the mapped PCR).
>
> Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
> ---
>  libstb/stb.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/libstb/stb.c b/libstb/stb.c
> index eab04eb..15aa682 100644
> --- a/libstb/stb.c
> +++ b/libstb/stb.c
> @@ -58,6 +58,7 @@ static struct {
>  	enum resource_id id;
>  	TPM_Pcr pcr;
>  } resources[] = {
> +	{ RESOURCE_ID_IMA_CATALOG, PCR_4 },
>  	{ RESOURCE_ID_KERNEL, PCR_4 },
>  	{ RESOURCE_ID_CAPP,   PCR_2 },
>  };

Our current async resource loading *currently* does so serially,
although there's no real requirement that this would be the
case in the future. Thus, we probably want something here to enforce
order if we're extending the same PCR?

Otherwise I foresee accepting an amazing patch that subtly makes the
order non-deterministic and we only find out ages later when somebody is
looking at PCR values and wondering why they're only consistent 99/100
boots.
Stewart Smith Sept. 20, 2017, 6:20 a.m. | #2
Claudio Carvalho <cclaudio@linux.vnet.ibm.com> writes:
> This maps a PCR number for the IMA_CATALOG partition so that it can be
> measured (extended to the mapped PCR).
>
> Signed-off-by: Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
> ---
>  libstb/stb.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/libstb/stb.c b/libstb/stb.c
> index eab04eb..15aa682 100644
> --- a/libstb/stb.c
> +++ b/libstb/stb.c
> @@ -58,6 +58,7 @@ static struct {
>  	enum resource_id id;
>  	TPM_Pcr pcr;
>  } resources[] = {
> +	{ RESOURCE_ID_IMA_CATALOG, PCR_4 },
>  	{ RESOURCE_ID_KERNEL, PCR_4 },
>  	{ RESOURCE_ID_CAPP,   PCR_2 },

Any reason why PCR4 rather than PCR2?

The IMA_CATALOG seems more like CAPP than KERNEL, as in, bits of
data/microcode rather than other firmware component.

Patch

diff --git a/libstb/stb.c b/libstb/stb.c
index eab04eb..15aa682 100644
--- a/libstb/stb.c
+++ b/libstb/stb.c
@@ -58,6 +58,7 @@  static struct {
 	enum resource_id id;
 	TPM_Pcr pcr;
 } resources[] = {
+	{ RESOURCE_ID_IMA_CATALOG, PCR_4 },
 	{ RESOURCE_ID_KERNEL, PCR_4 },
 	{ RESOURCE_ID_CAPP,   PCR_2 },
 };
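Review bot: the new entry `{ RESOURCE_ID_IMA_CATALOG, PCR_4 }` shares PCR_4 with `{ RESOURCE_ID_KERNEL, PCR_4 }`, and a PCR extend is order-dependent, so this table alone does not pin down the final PCR_4 value: whichever of the two resources is measured first determines it. Given that resource loading is asynchronous and only happens to run serially today (as noted in the review thread), either the order of the two PCR_4 extends should be enforced in the loading code or a comment at this table should state the required order, so a later change cannot silently make the measurement non-deterministic. The commit message should also say why the IMA catalog goes to PCR_4 alongside the kernel rather than to PCR_2 with CAPP, since the thread raises that it looks more like data/microcode than a firmware component.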