From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 21 Sep 2021 17:27:25 +0000 (+0200)
Subject: boot: unify code that measures image options/kernel command line
X-Git-Tag: v250-rc1~629^2~18
X-Git-Url: http://git-history.diyao.me/?a=commitdiff_plain;h=e6e24af507f010a0b073acc44240c370e85c84f1;p=systemd%2F.git

boot: unify code that measures image options/kernel command line
---

diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index e95fe870fe..704213deed 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -2349,11 +2349,7 @@ static EFI_STATUS image_start(
 
 #if ENABLE_TPM
                 /* Try to log any options to the TPM, especially to catch manually edited options */
-                err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
-                                    (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
-                                    loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
-                if (EFI_ERROR(err))
-                        log_error_stall(L"Unable to add image options measurement: %r", err);
+                (VOID) tpm_log_load_options(options);
 #endif
         }
 
diff --git a/src/boot/efi/measure.c b/src/boot/efi/measure.c
index fbca67bbf1..f73c9ff9ad 100644
--- a/src/boot/efi/measure.c
+++ b/src/boot/efi/measure.c
@@ -162,4 +162,18 @@ EFI_STATUS tpm_log_event(UINT32 pcrindex, const EFI_PHYSICAL_ADDRESS buffer, UIN
         return EFI_SUCCESS;
 }
 
+EFI_STATUS tpm_log_load_options(const CHAR16 *load_options) {
+        EFI_STATUS err;
+
+        /* Measures a load options string into the TPM2, i.e. the kernel command line */
+
+        err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
+                            (EFI_PHYSICAL_ADDRESS) (UINTN) load_options,
+                            StrSize(load_options), load_options);
+        if (EFI_ERROR(err))
+                return log_error_status_stall(err, L"Unable to add load options (i.e. kernel command) line measurement: %r", err);
+
+        return EFI_SUCCESS;
+}
+
 #endif
diff --git a/src/boot/efi/measure.h b/src/boot/efi/measure.h
index e2873adae3..69eb682a2e 100644
--- a/src/boot/efi/measure.h
+++ b/src/boot/efi/measure.h
@@ -4,3 +4,5 @@
 #include <efi.h>
 
 EFI_STATUS tpm_log_event(UINT32 pcrindex, const EFI_PHYSICAL_ADDRESS buffer, UINTN buffer_size, const CHAR16 *description);
+
+EFI_STATUS tpm_log_load_options(const CHAR16 *cmdline);
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index c7232332ef..574842bc55 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -147,12 +147,11 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
                 cmdline = line;
 
 #if ENABLE_TPM
-                /* Try to log any options to the TPM, especially manually edited options */
-                err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
-                                    (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
-                                    loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
-                if (EFI_ERROR(err))
-                        log_error_stall(L"Unable to add image options measurement: %r", err);
+                /* Let's measure the passed kernel command line into the TPM. Note that this possibly
+                 * duplicates what we already did in the boot menu, if that was already used. However, since
+                 * we want the boot menu to support an EFI binary, and want to this stub to be usable from
+                 * any boot menu, let's measure things anyway. */
+                (VOID) tpm_log_load_options(loaded_image->LoadOptions);
 #endif
         }