okirch · aplanas · Jan 10, 2024 · Jan 10, 2024 · Jan 10, 2024 · Jan 10, 2024
diff --git a/Makefile.in b/Makefile.in
@@ -34,7 +34,8 @@ ORACLE_SRCS	= oracle.c \
 		  store.c \
 		  util.c \
 		  sd-boot.c \
-		  uapi.c
+		  uapi.c \
+		  secure_boot.c
 ORACLE_OBJS	= $(addprefix build/,$(patsubst %.c,%.o,$(ORACLE_SRCS)))
 
 all: $(TOOLS) $(MANPAGES)

diff --git a/configure b/configure
@@ -12,7 +12,7 @@
 # Invoke with --help for a description of options
 #
 # microconf:begin
-# version 0.5.4
+# version 0.5.5
 # require libtss2
 # require json
 # disable debug-authenticode

diff --git a/microconf/version b/microconf/version
@@ -1 +1 @@
-uc_version=0.5.4
+uc_version=0.5.5
diff --git a/src/efi-application.c b/src/efi-application.c
@@ -40,7 +40,9 @@
  */
 static const tpm_evdigest_t *	__tpm_event_efi_bsa_rehash(const tpm_event_t *, const tpm_parsed_event_t *, tpm_event_log_rehash_ctx_t *);
 static bool			__tpm_event_efi_bsa_extract_location(tpm_parsed_event_t *parsed);
-static bool			__tpm_event_efi_bsa_inspect_image(tpm_parsed_event_t *parsed);
+static bool			__tpm_event_efi_bsa_inspect_image(struct efi_bsa_event *evspec);
+
+static bool			__is_shim_issue(const tpm_event_t *ev, const struct efi_bsa_event *evspec);
 
 static void
 __tpm_event_efi_bsa_destroy(tpm_parsed_event_t *parsed)
@@ -111,9 +113,18 @@ __tpm_event_parse_efi_bsa(tpm_event_t *ev, tpm_parsed_event_t *parsed, buffer_t
 			assign_string(&ctx->efi_partition, evspec->efi_partition);
 		else
 			assign_string(&evspec->efi_partition, ctx->efi_partition);
-		__tpm_event_efi_bsa_inspect_image(parsed);
+		__tpm_event_efi_bsa_inspect_image(evspec);
 	}
 
+	/* When the shim issue is present the efi_application will be
+	 * empty.  The binary path will be reconstructed with the
+	 * --next-kernel parameter, but to generate the full path the
+	 * `efi_partition` is needed.
+	 */
+	if (__is_shim_issue(ev, evspec))
+		assign_string(&evspec->efi_partition, ctx->efi_partition);
+
+
 	return true;
 }
 
@@ -150,9 +161,8 @@ __tpm_event_efi_bsa_extract_location(tpm_parsed_event_t *parsed)
 }
 
 static bool
-__tpm_event_efi_bsa_inspect_image(tpm_parsed_event_t *parsed)
+__tpm_event_efi_bsa_inspect_image(struct efi_bsa_event *evspec)
 {
-        struct efi_bsa_event *evspec = &parsed->efi_bsa_event;
 	char path[PATH_MAX];
 	const char *display_name;
 	buffer_t *img_data;
@@ -274,6 +284,31 @@ efi_application_extract_signer(const tpm_parsed_event_t *parsed)
 	return authenticode_get_signer(evspec->img_info);
 }
 
+static bool __is_shim_issue(const tpm_event_t *ev, const struct efi_bsa_event *evspec)
+{
+	/* When secure boot is enabled and shim is installed,
+	 * systemd-boot installs some security overrides that will
+	 * delegate into shim (via shim_validate from systemd-boot)
+	 * the validation of the kernel signature.
+	 *
+	 * The shim_validate function receives the device path from
+	 * the firmware, and is used to load the kernel into memory.
+	 * At the end call shim_verify from shim, but pass only the
+	 * buffer with the loaded image.
+	 *
+	 * The net result is that the event log
+	 * EV_EFI_BOOT_SERVICES_APPLICATION registered by shim_verify
+	 * will not contain the device path that pcr-oracle requires
+	 * to rehash the binary.
+	 *
+	 * So far only the kernel is presenting this issue (when
+	 * systemd-boot is used, GRUB2 needs to be evaluated), so this
+	 * can be detected if there is an event registered in PCR 4
+	 * without path.
+	 */
+	return (secure_boot_enabled() && ev->pcr_index == 4 && !evspec->efi_application);
+}
+
 static const tpm_evdigest_t *
 __tpm_event_efi_bsa_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *parsed, tpm_event_log_rehash_ctx_t *ctx)
 {
@@ -285,17 +320,30 @@ __tpm_event_efi_bsa_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
 	 * We're not yet prepared to handle these, so we hope the user doesn't mess with them, and
 	 * return the original digest from the event log.
 	 */
-	if (!evspec->efi_application) {
-		debug("Unable to locate boot service application - probably not a file\n");
+	if (!evspec->efi_application && !(__is_shim_issue(ev, evspec) && ctx->boot_entry)) {
+		if (__is_shim_issue(ev, evspec) && !ctx->boot_entry)
+			debug("Unable to locate boot service application - missing device path because shim issue");
+		else
+			debug("Unable to locate boot service application - probably not a file\n");
 		return tpm_event_get_digest(ev, ctx->algo);
 	}
 
 	/* The next boot can have a different kernel */
-	if (sdb_is_kernel(evspec->efi_application) && ctx->boot_entry) {
+	if ((sdb_is_kernel(evspec->efi_application) || __is_shim_issue(ev, evspec)) && ctx->boot_entry) {
+		if (__is_shim_issue(ev, evspec))
+			debug("Empty device path for the kernel - building one based on next kernel\n");
+
+		/* TODO: the parsed data type did not change, so all
+		 * the description correspond to the current event
+		 * log, and not the asset that has been measured.  The
+		 * debug output can then be missleading.
+		 */
+		debug("Measuring %s\n", ctx->boot_entry->image_path);
 		new_application = ctx->boot_entry->image_path;
 		if (new_application) {
 			evspec_clone = *evspec;
 			evspec_clone.efi_application = strdup(new_application);
+			__tpm_event_efi_bsa_inspect_image(&evspec_clone);
 			evspec = &evspec_clone;
 		}
 	}

diff --git a/src/eventlog.c b/src/eventlog.c
@@ -790,8 +790,8 @@ static const tpm_evdigest_t *
 __tpm_event_systemd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *parsed, tpm_event_log_rehash_ctx_t *ctx)
 {
 	const uapi_boot_entry_t *boot_entry = ctx->boot_entry;
-	char initrd[2048];
-	char initrd_utf16[4096];
+	char cmdline[2048];
+	char cmdline_utf16[4096];
 	unsigned int len;
 
 	/* If no --next-kernel option was given, do not rehash anything */
@@ -804,15 +804,16 @@ __tpm_event_systemd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *pars
 	}
 
 	debug("Next boot entry expected from: %s %s\n", boot_entry->title, boot_entry->version? : "");
-	snprintf(initrd, sizeof(initrd), "initrd=%s %s",
+	snprintf(cmdline, sizeof(cmdline), "initrd=%s %s",
 			path_unix2dos(boot_entry->initrd_path),
 			boot_entry->options? : "");
+	debug("Measuring Kernel command line: %s\n", cmdline);
 
-	len = (strlen(initrd) + 1) << 1;
-	assert(len <= sizeof(initrd_utf16));
-	__convert_to_utf16le(initrd, strlen(initrd) + 1, initrd_utf16, len);
+	len = (strlen(cmdline) + 1) << 1;
+	assert(len <= sizeof(cmdline_utf16));
+	__convert_to_utf16le(cmdline, strlen(cmdline) + 1, cmdline_utf16, len);
 
-	return digest_compute(ctx->algo, initrd_utf16, len);
+	return digest_compute(ctx->algo, cmdline_utf16, len);
 }
 
 /*
@@ -876,6 +877,7 @@ __tpm_event_tag_initrd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *p
 	}
 
 	debug("Next boot entry expected from: %s %s\n", boot_entry->title, boot_entry->version? : "");
+	debug("Measuring initrd: %s\n", boot_entry->initrd_path);
 	return runtime_digest_efi_file(ctx->algo, boot_entry->initrd_path);
 }
 

diff --git a/src/eventlog.h b/src/eventlog.h
@@ -323,4 +323,6 @@ extern bool			shim_variable_name_valid(const char *name);
 extern const char *		shim_variable_get_rtname(const char *name);
 extern const char *		shim_variable_get_full_rtname(const char *name);
 
+extern bool			secure_boot_enabled();
+
 #endif /* EVENTLOG_H */
diff --git a/src/oracle.c b/src/oracle.c
@@ -366,6 +366,7 @@ pcr_bank_extend_register(tpm_pcr_bank_t *bank, unsigned int pcr_index, const tpm
 static void
 predictor_extend_hash(struct predictor *pred, unsigned int pcr_index, const tpm_evdigest_t *d)
 {
+	debug("Extend PCR#%d: %s\n", pcr_index, digest_print(d));
 	pcr_bank_extend_register(&pred->prediction, pcr_index, d);
 }
 

diff --git a/src/sd-boot.c b/src/sd-boot.c
@@ -138,6 +138,9 @@ sdb_is_kernel(const char *application)
 	char *path_copy;
 	int found = 0;
 
+	if (!application)
+		return false;
+
 	match = get_valid_kernel_entry_tokens();
 	path_copy = strdup(application);
 

diff --git a/src/secure_boot.c b/src/secure_boot.c
@@ -0,0 +1,44 @@
+/*
+ *   Copyright (C) 2023 SUSE LLC
+ *
+ *   This program is free software; you can redistribute it and/or modify
+ *   it under the terms of the GNU General Public License as published by
+ *   the Free Software Foundation; either version 2 of the License, or
+ *   (at your option) any later version.
+ *
+ *   This program is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU General Public License for more details.
+ *
+ *   You should have received a copy of the GNU General Public License
+ *   along with this program; if not, write to the Free Software
+ *   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ * Written by Alberto Planas <[email protected]>
+ */
+
+#include <stdio.h>
+#include "bufparser.h"
+#include "runtime.h"
+
+#define SECURE_BOOT_EFIVAR_NAME	"SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
+
+
+bool
+secure_boot_enabled()
+{
+	buffer_t *data;
+	uint8_t enabled;
+
+	data = runtime_read_efi_variable(SECURE_BOOT_EFIVAR_NAME);
+	if (data == NULL) {
+		return false;
+	}
+
+	if (!buffer_get_u8(data,  &enabled)) {
+		 return false;
+	}
+
+	return enabled == 1;
+}