svn commit: r347981 - in head/lib/libsecureboot: . h tests
Simon J. Gerraty
sjg at FreeBSD.org
Sun May 19 20:28:51 UTC 2019
Author: sjg
Date: Sun May 19 20:28:49 2019
New Revision: 347981
URL: https://svnweb.freebsd.org/changeset/base/347981
Log:
libsecureboot: allow control of when pseudo pcr is updated
During boot we only want to measure things which *must*
be verified - this should provide more deterministic ordering.
Reviewed by: stevek
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D20297
Modified:
head/lib/libsecureboot/h/libsecureboot.h
head/lib/libsecureboot/tests/tvo.c
head/lib/libsecureboot/vepcr.c
head/lib/libsecureboot/verify_file.c
Modified: head/lib/libsecureboot/h/libsecureboot.h
==============================================================================
--- head/lib/libsecureboot/h/libsecureboot.h Sun May 19 20:24:17 2019 (r347980)
+++ head/lib/libsecureboot/h/libsecureboot.h Sun May 19 20:28:49 2019 (r347981)
@@ -81,6 +81,8 @@ unsigned char *verify_asc(const char *, int); /* OpenP
void ve_pcr_init(void);
void ve_pcr_update(unsigned char *, size_t);
ssize_t ve_pcr_get(unsigned char *, size_t);
+int ve_pcr_updating_get(void);
+void ve_pcr_updating_set(int);
/* flags for verify_{asc,sig,signed} */
#define VEF_VERBOSE 1
Modified: head/lib/libsecureboot/tests/tvo.c
==============================================================================
--- head/lib/libsecureboot/tests/tvo.c Sun May 19 20:24:17 2019 (r347980)
+++ head/lib/libsecureboot/tests/tvo.c Sun May 19 20:28:49 2019 (r347981)
@@ -74,6 +74,9 @@ main(int argc, char *argv[])
}
}
+#ifdef VE_PCR_SUPPORT
+ ve_pcr_updating_set(1);
+#endif
ve_self_tests();
for ( ; optind < argc; optind++) {
@@ -176,6 +179,10 @@ main(int argc, char *argv[])
}
}
}
+#ifdef VE_PCR_SUPPORT
+ verify_pcr_export();
+ printf("pcr=%s\n", getenv("loader.ve.pcr"));
+#endif
return (0);
}
Modified: head/lib/libsecureboot/vepcr.c
==============================================================================
--- head/lib/libsecureboot/vepcr.c Sun May 19 20:24:17 2019 (r347980)
+++ head/lib/libsecureboot/vepcr.c Sun May 19 20:28:49 2019 (r347981)
@@ -43,6 +43,7 @@ __FBSDID("$FreeBSD$");
static const br_hash_class *pcr_md = NULL;
static br_hash_compat_context pcr_ctx;
static size_t pcr_hlen = 0;
+static int pcr_updating;
/**
* @brief initialize pcr context
@@ -53,18 +54,37 @@ static size_t pcr_hlen = 0;
void
ve_pcr_init(void)
{
+ pcr_updating = 0;
pcr_hlen = br_sha256_SIZE;
pcr_md = &br_sha256_vtable;
pcr_md->init(&pcr_ctx.vtable);
}
/**
+ * @brief get pcr_updating state
+ */
+int
+ve_pcr_updating_get(void)
+{
+ return (pcr_updating);
+}
+
+/**
+ * @brief set pcr_updating state
+ */
+void
+ve_pcr_updating_set(int updating)
+{
+ pcr_updating = updating;
+}
+
+/**
* @brief update pcr context
*/
void
ve_pcr_update(unsigned char *data, size_t dlen)
{
- if (pcr_md)
+ if (pcr_updating != 0 && pcr_md != NULL)
pcr_md->update(&pcr_ctx.vtable, data, dlen);
}
Modified: head/lib/libsecureboot/verify_file.c
==============================================================================
--- head/lib/libsecureboot/verify_file.c Sun May 19 20:24:17 2019 (r347980)
+++ head/lib/libsecureboot/verify_file.c Sun May 19 20:28:49 2019 (r347981)
@@ -340,6 +340,14 @@ verify_file(int fd, const char *filename, off_t off, i
if (rc != VE_FINGERPRINT_WRONG && loaded_manifests) {
if (severity <= VE_GUESS)
severity = severity_guess(filename);
+#ifdef VE_PCR_SUPPORT
+ /*
+ * Only update pcr with things that must verify
+ * these tend to be processed in a more deterministic
+ * order, which makes our pseudo pcr more useful.
+ */
+ ve_pcr_updating_set((severity == VE_MUST));
+#endif
if ((rc = verify_fd(fd, filename, off, &st)) >= 0) {
if (verbose || severity > VE_WANT) {
#if defined(VE_DEBUG_LEVEL) && VE_DEBUG_LEVEL > 0
More information about the svn-src-head
mailing list