From 868219655a9aee05289676b2c46a69329d57079f Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 26 Jun 2024 10:25:25 +0200 Subject: [PATCH] stub: split out calls that generate sidecar initrds --- src/boot/efi/stub.c | 120 +++++++++++++++++++++++++------------------- 1 file changed, 69 insertions(+), 51 deletions(-) diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c index f3abbe8921..4ae4b888b8 100644 --- a/src/boot/efi/stub.c +++ b/src/boot/efi/stub.c @@ -668,6 +668,74 @@ static bool initrds_need_combine(struct iovec initrds[static _INITRD_MAX]) { return false; } +static void generate_sidecar_initrds( + EFI_LOADED_IMAGE_PROTOCOL *loaded_image, + struct iovec initrds[static _INITRD_MAX], + int *parameters_measured, + int *sysext_measured, + int *confext_measured) { + + bool m; + + assert(loaded_image); + assert(initrds); + assert(parameters_measured); + assert(sysext_measured); + assert(confext_measured); + + if (pack_cpio(loaded_image, + /* dropin_dir= */ NULL, + u".cred", + /* exclude_suffix= */ NULL, + ".extra/credentials", + /* dir_mode= */ 0500, + /* access_mode= */ 0400, + /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG, + u"Credentials initrd", + initrds + INITRD_CREDENTIAL, + &m) == EFI_SUCCESS) + combine_measured_flag(parameters_measured, m); + + if (pack_cpio(loaded_image, + u"\\loader\\credentials", + u".cred", + /* exclude_suffix= */ NULL, + ".extra/global_credentials", + /* dir_mode= */ 0500, + /* access_mode= */ 0400, + /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG, + u"Global credentials initrd", + initrds + INITRD_GLOBAL_CREDENTIAL, + &m) == EFI_SUCCESS) + combine_measured_flag(parameters_measured, m); + + if (pack_cpio(loaded_image, + /* dropin_dir= */ NULL, + u".raw", /* ideally we'd pick up only *.sysext.raw here, but for compat we pick up *.raw instead … */ + u".confext.raw", /* … but then exclude *.confext.raw again */ + ".extra/sysext", + /* dir_mode= */ 0555, + /* access_mode= */ 0444, + /* tpm_pcr= */ TPM2_PCR_SYSEXTS, + u"System extension initrd", + initrds + INITRD_CONFEXT, + &m) == EFI_SUCCESS) + combine_measured_flag(sysext_measured, m); + + if (pack_cpio(loaded_image, + /* dropin_dir= */ NULL, + u".confext.raw", + /* exclude_suffix= */ NULL, + ".extra/confext", + /* dir_mode= */ 0555, + /* access_mode= */ 0444, + /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG, + u"Configuration extension initrd", + initrds + INITRD_SYSEXT, + &m) == EFI_SUCCESS) + combine_measured_flag(confext_measured, m); +} + static EFI_STATUS run(EFI_HANDLE image) { _cleanup_(initrds_free) struct iovec initrds[_INITRD_MAX] = {}; void **dt_bases_addons_global = NULL, **dt_bases_addons_uki = NULL; @@ -773,57 +841,7 @@ static EFI_STATUS run(EFI_HANDLE image) { export_variables(loaded_image); - if (pack_cpio(loaded_image, - /* dropin_dir= */ NULL, - u".cred", - /* exclude_suffix= */ NULL, - ".extra/credentials", - /* dir_mode= */ 0500, - /* access_mode= */ 0400, - /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG, - u"Credentials initrd", - initrds + INITRD_CREDENTIAL, - &m) == EFI_SUCCESS) - combine_measured_flag(¶meters_measured, m); - - if (pack_cpio(loaded_image, - u"\\loader\\credentials", - u".cred", - /* exclude_suffix= */ NULL, - ".extra/global_credentials", - /* dir_mode= */ 0500, - /* access_mode= */ 0400, - /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG, - u"Global credentials initrd", - initrds + INITRD_GLOBAL_CREDENTIAL, - &m) == EFI_SUCCESS) - combine_measured_flag(¶meters_measured, m); - - if (pack_cpio(loaded_image, - /* dropin_dir= */ NULL, - u".raw", /* ideally we'd pick up only *.sysext.raw here, but for compat we pick up *.raw instead … */ - u".confext.raw", /* … but then exclude *.confext.raw again */ - ".extra/sysext", - /* dir_mode= */ 0555, - /* access_mode= */ 0444, - /* tpm_pcr= */ TPM2_PCR_SYSEXTS, - u"System extension initrd", - initrds + INITRD_CONFEXT, - &m) == EFI_SUCCESS) - combine_measured_flag(&sysext_measured, m); - - if (pack_cpio(loaded_image, - /* dropin_dir= */ NULL, - u".confext.raw", - /* exclude_suffix= */ NULL, - ".extra/confext", - /* dir_mode= */ 0555, - /* access_mode= */ 0444, - /* tpm_pcr= */ TPM2_PCR_KERNEL_CONFIG, - u"Configuration extension initrd", - initrds + INITRD_SYSEXT, - &m) == EFI_SUCCESS) - combine_measured_flag(&confext_measured, m); + generate_sidecar_initrds(loaded_image, initrds, ¶meters_measured, &sysext_measured, &confext_measured); if (PE_SECTION_VECTOR_IS_SET(sections + UNIFIED_SECTION_DTB)) { dt_size = sections[UNIFIED_SECTION_DTB].size; -- 2.25.1