sd-stub: drop any support for TPM 1.2
authorLennart Poettering <lennart@poettering.net>
Fri, 23 Feb 2024 09:52:16 +0000 (10:52 +0100)
committerLennart Poettering <lennart@poettering.net>
Fri, 23 Feb 2024 09:56:54 +0000 (10:56 +0100)
TPM 1.2 is obsolete, and doesn't really provide much security guarantees
given it's built around SHA1 which is not up to today's standards.

The rest of systemd's TPM codebase never supported TPM 1.2 hence let's
drop this partial support in sd-stub too. It has created problems after
all (sd-stub reported the measurements and userspace assumed these were
for TPM2), without bringing any benefits (given that the measurements we
make are not consumed by us anyway, unlike those for TPM 2.0)

let's cut off this old support.

NEWS
src/boot/efi/measure.c
src/boot/efi/proto/tcg.h

diff --git a/NEWS b/NEWS
index bcf42ffd8e24ac3a597dbb15e9a31720ff6d95fa..1cac8d4ad79c2f1cfa52165f61145cdeb686c093 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,13 @@ CHANGES WITH 256 in spe:
           a private VLAN variant of the proxy ARP supported by the kernel
           under the name IPv4ProxyARPPrivateVLAN=.
 
+        * TPM 1.2 PCR measurement support has been removed from
+          systemd-stub. TPM 1.2 is obsolete and — due to the (by today's
+          standards) weak cryptographic algorithms it only supports — does not
+          actually provide the security benefits it's supposed to
+          provide. Given that the rest of systemd's codebase never supported
+          TPM 1.2 the support has now been removed from systemd-stub as well.
+
 CHANGES WITH 255:
 
         Announcements of Future Feature Removals and Incompatible Changes:
index 7e440b714e56ad218bf8294728ee8deea3ce43ca..2591c52f2200ee11df5692188abdcca8d2b99cd3 100644 (file)
 #include "tpm2-pcr.h"
 #include "util.h"
 
-static EFI_STATUS tpm1_measure_to_pcr_and_event_log(
-                const EFI_TCG_PROTOCOL *tcg,
-                uint32_t pcrindex,
-                EFI_PHYSICAL_ADDRESS buffer,
-                size_t buffer_size,
-                const char16_t *description) {
-
-        _cleanup_free_ TCG_PCR_EVENT *tcg_event = NULL;
-        EFI_PHYSICAL_ADDRESS event_log_last;
-        uint32_t event_number = 1;
-        size_t desc_len;
-
-        assert(tcg);
-        assert(description);
-
-        desc_len = strsize16(description);
-        tcg_event = xmalloc(offsetof(TCG_PCR_EVENT, Event) + desc_len);
-        *tcg_event = (TCG_PCR_EVENT) {
-                .EventSize = desc_len,
-                .PCRIndex = pcrindex,
-                .EventType = EV_IPL,
-        };
-        memcpy(tcg_event->Event, description, desc_len);
-
-        return tcg->HashLogExtendEvent(
-                        (EFI_TCG_PROTOCOL *) tcg,
-                        buffer, buffer_size,
-                        TCG_ALG_SHA,
-                        tcg_event,
-                        &event_number,
-                        &event_log_last);
-}
-
 static EFI_STATUS tpm2_measure_to_pcr_and_tagged_event_log(
                 EFI_TCG2_PROTOCOL *tcg,
                 uint32_t pcrindex,
@@ -187,37 +154,6 @@ static EFI_CC_MEASUREMENT_PROTOCOL *cc_interface_check(void) {
         return cc;
 }
 
-static EFI_TCG_PROTOCOL *tcg1_interface_check(void) {
-        EFI_PHYSICAL_ADDRESS event_log_location, event_log_last_entry;
-        EFI_TCG_BOOT_SERVICE_CAPABILITY capability = {
-                .Size = sizeof(capability),
-        };
-        EFI_STATUS err;
-        uint32_t features;
-        EFI_TCG_PROTOCOL *tcg;
-
-        err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_TCG_PROTOCOL), NULL, (void **) &tcg);
-        if (err != EFI_SUCCESS)
-                return NULL;
-
-        err = tcg->StatusCheck(
-                        tcg,
-                        &capability,
-                        &features,
-                        &event_log_location,
-                        &event_log_last_entry);
-        if (err != EFI_SUCCESS)
-                return NULL;
-
-        if (capability.TPMDeactivatedFlag)
-                return NULL;
-
-        if (!capability.TPMPresentFlag)
-                return NULL;
-
-        return tcg;
-}
-
 static EFI_TCG2_PROTOCOL *tcg2_interface_check(void) {
         EFI_TCG2_BOOT_SERVICE_CAPABILITY capability = {
                 .Size = sizeof(capability),
@@ -248,7 +184,7 @@ static EFI_TCG2_PROTOCOL *tcg2_interface_check(void) {
 }
 
 bool tpm_present(void) {
-        return tcg2_interface_check() || tcg1_interface_check();
+        return tcg2_interface_check();
 }
 
 EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
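Review bot: tpm_present() carries no comment saying that it now reports only a TPM 2.0 found through tcg2_interface_check(), so a caller reading just the name could still expect it to be true on TPM 1.2-only firmware. I would add above the function `/* True only if tcg2_interface_check() finds a TPM 2.0; TPM 1.2 devices are deliberately ignored. */`. As a smaller style point, the body now relies on an implicit pointer-to-bool conversion where the old `||` expression produced a truth value directly; `return tcg2_interface_check() != NULL;` would make that explicit.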
@@ -271,25 +207,18 @@ EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t
         if (tpm2)
                 err = tpm2_measure_to_pcr_and_event_log(tpm2, pcrindex, buffer, buffer_size, description);
         else {
-                EFI_TCG_PROTOCOL *tpm1;
+                EFI_CC_MEASUREMENT_PROTOCOL *cc;
 
-                tpm1 = tcg1_interface_check();
-                if (tpm1)
-                        err = tpm1_measure_to_pcr_and_event_log(tpm1, pcrindex, buffer, buffer_size, description);
+                cc = cc_interface_check();
+                if (cc)
+                        err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
                 else {
-                        EFI_CC_MEASUREMENT_PROTOCOL *cc;
-
-                        cc = cc_interface_check();
-                        if (cc)
-                                err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
-                        else {
-                                /* No active TPM found, so don't return an error */
+                        /* No active TPM found, so don't return an error */
 
-                                if (ret_measured)
-                                        *ret_measured = false;
+                        if (ret_measured)
+                                *ret_measured = false;
 
-                                return EFI_SUCCESS;
-                        }
+                        return EFI_SUCCESS;
                 }
         }
 
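Review bot: The retained comment `/* No active TPM found, so don't return an error */` is no longer accurate for the branch it sits in: with the TPM 1.2 path removed, this branch is also reached on firmware that has an active TPM 1.2 and no CC measurement protocol. Because the branch returns EFI_SUCCESS with `*ret_measured = false`, callers can only tell that nothing was measured by checking ret_measured, and the comment should say so, e.g. `/* No TPM 2.0 and no CC measurement protocol found (TPM 1.2 is ignored): report "not measured" rather than an error */`. tpm_log_event begins above this hunk and continues below it, so how err is handled afterwards is not visible here.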
index b4b82962ef6b43f9528a0c90b2eb0b57f8398d4f..e243bf8b72b7ed505055dfc4d0d90674a1fbd907 100644 (file)
@@ -3,12 +3,9 @@
 
 #include "efi.h"
 
-#define EFI_TCG_PROTOCOL_GUID \
-        GUID_DEF(0xf541796d, 0xa62e, 0x4954, 0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd)
 #define EFI_TCG2_PROTOCOL_GUID \
         GUID_DEF(0x607f766c, 0x7455, 0x42be, 0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
 
-#define TCG_ALG_SHA 0x4
 #define EFI_TCG2_EVENT_HEADER_VERSION 1
 #define EV_IPL 13
 #define EV_EVENT_TAG UINT32_C(6)
@@ -48,16 +45,6 @@ typedef struct {
         uint32_t ActivePcrBanks;
 } EFI_TCG2_BOOT_SERVICE_CAPABILITY;
 
-typedef struct {
-        uint32_t PCRIndex;
-        uint32_t EventType;
-        struct {
-                uint8_t Digest[20];
-        } Digest;
-        uint32_t EventSize;
-        uint8_t Event[];
-} _packed_ TCG_PCR_EVENT;
-
 typedef struct {
         uint32_t HeaderSize;
         uint16_t HeaderVersion;
@@ -77,27 +64,6 @@ typedef struct {
         uint8_t Event[];
 } _packed_ EFI_TCG2_TAGGED_EVENT;
 
-typedef struct EFI_TCG_PROTOCOL EFI_TCG_PROTOCOL;
-struct EFI_TCG_PROTOCOL {
-        EFI_STATUS (EFIAPI *StatusCheck)(
-                        EFI_TCG_PROTOCOL *This,
-                        EFI_TCG_BOOT_SERVICE_CAPABILITY *ProtocolCapability,
-                        uint32_t *TCGFeatureFlags,
-                        EFI_PHYSICAL_ADDRESS *EventLogLocation,
-                        EFI_PHYSICAL_ADDRESS *EventLogLastEntry);
-        void *HashAll;
-        void *LogEvent;
-        void *PassThroughToTpm;
-        EFI_STATUS (EFIAPI *HashLogExtendEvent)(
-                        EFI_TCG_PROTOCOL *This,
-                        EFI_PHYSICAL_ADDRESS HashData,
-                        uint64_t HashDataLen,
-                        uint32_t AlgorithmId,
-                        TCG_PCR_EVENT *TCGLogData,
-                        uint32_t *EventNumber,
-                        EFI_PHYSICAL_ADDRESS *EventLogLastEntry);
-};
-
 typedef struct EFI_TCG2_PROTOCOL EFI_TCG2_PROTOCOL;
 struct EFI_TCG2_PROTOCOL {
         EFI_STATUS (EFIAPI *GetCapability)(