libsecureboot: allow control of when pseudo pcr is updated

During boot we only want to measure things which *must* be verified - this should provide more deterministic ordering. Reviewed by: stevek MFC after: 1 week Sponsored by: Juniper Networks Differential Revision: https://reviews.freebsd.org/D20297
2019-05-19 20:28:49 +00:00 · 2019-05-19 20:28:49 +00:00 · 633b0421a3
commit 633b0421a3
parent d8da000647
4 changed files with 38 additions and 1 deletions
--- a/lib/libsecureboot/h/libsecureboot.h
+++ b/lib/libsecureboot/h/libsecureboot.h
@ -81,6 +81,8 @@ unsigned char *verify_asc(const char *, int); /* OpenPGP */
 void ve_pcr_init(void);
 void ve_pcr_update(unsigned char *, size_t);
 ssize_t ve_pcr_get(unsigned char *, size_t);
+int ve_pcr_updating_get(void);
+void ve_pcr_updating_set(int);

 /* flags for verify_{asc,sig,signed} */
 #define VEF_VERBOSE		1
--- a/lib/libsecureboot/tests/tvo.c
+++ b/lib/libsecureboot/tests/tvo.c
@ -74,6 +74,9 @@ main(int argc, char *argv[])
 		}
 	}

+#ifdef VE_PCR_SUPPORT
+	ve_pcr_updating_set(1);
+#endif
 	ve_self_tests();

 	for ( ; optind < argc; optind++) {
@ -176,6 +179,10 @@ main(int argc, char *argv[])
 			}
 		}
 	}
+#ifdef VE_PCR_SUPPORT
+	verify_pcr_export();
+	printf("pcr=%s\n", getenv("loader.ve.pcr"));
+#endif
 	return (0);
 }

--- a/lib/libsecureboot/vepcr.c
+++ b/lib/libsecureboot/vepcr.c
@ -43,6 +43,7 @@ __FBSDID("$FreeBSD$");
 static const br_hash_class *pcr_md = NULL;
 static br_hash_compat_context pcr_ctx;
 static size_t pcr_hlen = 0;
+static int pcr_updating;

 /**
 * @brief initialize pcr context
@ -53,18 +54,37 @@ static size_t pcr_hlen = 0;
 void
 ve_pcr_init(void)
 {
+	pcr_updating = 0;
 	pcr_hlen = br_sha256_SIZE;
 	pcr_md = &br_sha256_vtable;
 	pcr_md->init(&pcr_ctx.vtable);
 }

+/**
+ * @brief get pcr_updating state
+ */
+int
+ve_pcr_updating_get(void)
+{
+	return (pcr_updating);
+}
+
+/**
+ * @brief set pcr_updating state
+ */
+void
+ve_pcr_updating_set(int updating)
+{
+	pcr_updating = updating;
+}
+
 /**
 * @brief update pcr context
 */
 void
 ve_pcr_update(unsigned char *data, size_t dlen)
 {
-	if (pcr_md)
+	if (pcr_updating != 0 && pcr_md != NULL)
 		pcr_md->update(&pcr_ctx.vtable, data, dlen);
 }

--- a/lib/libsecureboot/verify_file.c
+++ b/lib/libsecureboot/verify_file.c
@ -340,6 +340,14 @@ verify_file(int fd, const char *filename, off_t off, int severity)
 	if (rc != VE_FINGERPRINT_WRONG && loaded_manifests) {
 		if (severity <= VE_GUESS)
 			severity = severity_guess(filename);
+#ifdef VE_PCR_SUPPORT
+		/*
+		 * Only update pcr with things that must verify
+		 * these tend to be processed in a more deterministic
+		 * order, which makes our pseudo pcr more useful.
+		 */
+		ve_pcr_updating_set((severity == VE_MUST));
+#endif
 		if ((rc = verify_fd(fd, filename, off, &st)) >= 0) {
 			if (verbose || severity > VE_WANT) {
 #if defined(VE_DEBUG_LEVEL) && VE_DEBUG_LEVEL > 0