Date:      Sun, 19 May 2019 20:28:50 +0000 (UTC)
From:      "Simon J. Gerraty" <sjg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r347981 - in head/lib/libsecureboot: . h tests
Message-ID:  <201905192028.x4JKSoWw087076@repo.freebsd.org>

Author: sjg
Date: Sun May 19 20:28:49 2019
New Revision: 347981
URL: https://svnweb.freebsd.org/changeset/base/347981

Log:
  libsecureboot: allow control of when pseudo pcr is updated
  
  During boot we only want to measure things which *must*
  be verified - this should provide more deterministic ordering.
  
  Reviewed by:	stevek
  MFC after:	1 week
  Sponsored by:	Juniper Networks
  Differential Revision:	https://reviews.freebsd.org/D20297

Modified:
  head/lib/libsecureboot/h/libsecureboot.h
  head/lib/libsecureboot/tests/tvo.c
  head/lib/libsecureboot/vepcr.c
  head/lib/libsecureboot/verify_file.c

Modified: head/lib/libsecureboot/h/libsecureboot.h
==============================================================================
--- head/lib/libsecureboot/h/libsecureboot.h	Sun May 19 20:24:17 2019	(r347980)
+++ head/lib/libsecureboot/h/libsecureboot.h	Sun May 19 20:28:49 2019	(r347981)
@@ -81,6 +81,8 @@ unsigned char *verify_asc(const char *, int); /* OpenP
 void ve_pcr_init(void);
 void ve_pcr_update(unsigned char *, size_t);
 ssize_t ve_pcr_get(unsigned char *, size_t);
+int ve_pcr_updating_get(void);
+void ve_pcr_updating_set(int);
 
 /* flags for verify_{asc,sig,signed} */
 #define VEF_VERBOSE		1
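Review bot: The two new prototypes are the only way a caller learns about the gating flag, yet they carry no comment, while the neighbouring `/* flags for verify_{asc,sig,signed} */` shows the header does annotate its declarations. From vepcr.c in this same commit, ve_pcr_init() resets the flag to 0 and ve_pcr_update() discards its input while the flag is zero, so a caller that forgets to enable it measures nothing. I would add above `int ve_pcr_updating_get(void);` the comment `/* pseudo pcr gate: ve_pcr_update() is a no-op while this is 0; ve_pcr_init() resets it to 0 */`.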

Modified: head/lib/libsecureboot/tests/tvo.c
==============================================================================
--- head/lib/libsecureboot/tests/tvo.c	Sun May 19 20:24:17 2019	(r347980)
+++ head/lib/libsecureboot/tests/tvo.c	Sun May 19 20:28:49 2019	(r347981)
@@ -74,6 +74,9 @@ main(int argc, char *argv[])
 		}
 	}
 
+#ifdef VE_PCR_SUPPORT
+	ve_pcr_updating_set(1);
+#endif
 	ve_self_tests();
 
 	for ( ; optind < argc; optind++) {
@@ -176,6 +179,10 @@ main(int argc, char *argv[])
 			}
 		}
 	}
+#ifdef VE_PCR_SUPPORT
+	verify_pcr_export();
+	printf("pcr=%s\n", getenv("loader.ve.pcr"));
+#endif
 	return (0);
 }
 
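Review bot: `printf("pcr=%s\n", getenv("loader.ve.pcr"));` passes the result of getenv() straight to `%s`, which is undefined behaviour when the variable is unset (some libcs print "(null)", others crash). Whether verify_pcr_export() always sets that variable is not visible here, so the test should not rely on it; `const char *pcr = getenv("loader.ve.pcr");` followed by `printf("pcr=%s\n", pcr != NULL ? pcr : "");` keeps the output stable either way. main() begins outside this hunk.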

Modified: head/lib/libsecureboot/vepcr.c
==============================================================================
--- head/lib/libsecureboot/vepcr.c	Sun May 19 20:24:17 2019	(r347980)
+++ head/lib/libsecureboot/vepcr.c	Sun May 19 20:28:49 2019	(r347981)
@@ -43,6 +43,7 @@ __FBSDID("$FreeBSD$");
 static const br_hash_class *pcr_md = NULL;
 static br_hash_compat_context pcr_ctx;
 static size_t pcr_hlen = 0;
+static int pcr_updating;
 
 /**
  * @brief initialize pcr context
@@ -53,18 +54,37 @@ static size_t pcr_hlen = 0;
 void
 ve_pcr_init(void)
 {
+	pcr_updating = 0;
 	pcr_hlen = br_sha256_SIZE;
 	pcr_md = &br_sha256_vtable;
 	pcr_md->init(&pcr_ctx.vtable);
 }
 
 /**
+ * @brief get pcr_updating state
+ */
+int
+ve_pcr_updating_get(void)
+{
+	return (pcr_updating);
+}
+
+/**
+ * @brief set pcr_updating state
+ */
+void
+ve_pcr_updating_set(int updating)
+{
+	pcr_updating = updating;
+}
+
+/**
  * @brief update pcr context
  */
 void
 ve_pcr_update(unsigned char *data, size_t dlen)
 {
-	if (pcr_md)
+	if (pcr_updating != 0 && pcr_md != NULL)
 		pcr_md->update(&pcr_ctx.vtable, data, dlen);
 }
 
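Review bot: ve_pcr_updating_set() stores the raw argument, so ve_pcr_updating_get() can return any integer a caller passed in while ve_pcr_update() only ever tests it against zero; normalising in the setter, `pcr_updating = (updating != 0);`, makes the getter return a canonical 0/1 that callers can compare or log directly. The `@brief` lines for the getter and setter only restate the names; the contract worth recording is that data passed to ve_pcr_update() is silently dropped while the flag is zero and that ve_pcr_init() resets the flag to zero, which is what this hunk shows. The `static int pcr_updating;` added in the previous hunk would benefit from the same one-line comment.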

Modified: head/lib/libsecureboot/verify_file.c
==============================================================================
--- head/lib/libsecureboot/verify_file.c	Sun May 19 20:24:17 2019	(r347980)
+++ head/lib/libsecureboot/verify_file.c	Sun May 19 20:28:49 2019	(r347981)
@@ -340,6 +340,14 @@ verify_file(int fd, const char *filename, off_t off, i
 	if (rc != VE_FINGERPRINT_WRONG && loaded_manifests) {
 		if (severity <= VE_GUESS)
 			severity = severity_guess(filename);
+#ifdef VE_PCR_SUPPORT
+		/*
+		 * Only update pcr with things that must verify
+		 * these tend to be processed in a more deterministic
+		 * order, which makes our pseudo pcr more useful.
+		 */
+		ve_pcr_updating_set((severity == VE_MUST));
+#endif
 		if ((rc = verify_fd(fd, filename, off, &st)) >= 0) {
 			if (verbose || severity > VE_WANT) {
 #if defined(VE_DEBUG_LEVEL) && VE_DEBUG_LEVEL > 0
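Review bot: The gate is set only inside the `rc != VE_FINGERPRINT_WRONG && loaded_manifests` branch, so on any call that skips that branch the flag keeps whatever value the previous verify_file() call chose; if ve_pcr_update() can be reached on such a path (its callers are outside this hunk, so I cannot confirm), a file that does not need verification could still be measured because the preceding file was VE_MUST. A `ve_pcr_updating_set(0)` on the skipped path, or resetting the flag on exit from verify_file(), would make each call's measurement decision independent of the previous one. The doubled parentheses in `ve_pcr_updating_set((severity == VE_MUST));` are redundant; `ve_pcr_updating_set(severity == VE_MUST);` reads the same. verify_file() starts and ends outside this hunk.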


