sd-boot: put hashed kernel command line in a PCR of the TPM#2587

Merged
poettering merged 1 commit into systemd:master from haraldh:tpmv3
Feb 11, 2016

Conversation

@haraldh (Member) commented Feb 11, 2016

The UEFI BIOS already hashes the contents of the loaded image, so the
initrd and the command line of the binary are recorded.

Because manually added LoadOptions are not taken into account, these
should be recorded also.

This patch logs and extends a TPM PCR register with the LoadOptions.

This feature can be enabled with configure --enable-tpm

The PCR register index can be specified with
configure --with-tpm-pcrindex=<NUM>

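The value a verifier should expect in the chosen PCR can be replayed in software, since a TPM extend is simply `PCR_new = hash(PCR_old || hash(event_data))`. The following is an added example, not code from the pull request or from systemd; it assumes TPM 1.2 style SHA-1 PCRs (the generation in use when this was merged) and that the LoadOptions are hashed as their UTF-16LE bytes without the terminating NUL, which is an assumption about the measured byte string.

```python
"""Replay the PCR extend of sd-boot's LoadOptions measurement (added example).

A remote-attestation verifier that knows the approved kernel command line
can compute the PCR value it expects; a quote reporting anything else means
the command line passed to the kernel was not the approved one.
"""
import hashlib

PCR_SIZE = 20  # SHA-1 digest length, the PCR width of a TPM 1.2


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA1(old PCR || event digest)."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("TPM 1.2 PCR and digest must both be 20 bytes")
    return hashlib.sha1(pcr + digest).digest()


def event_digest(load_options: str) -> bytes:
    """Digest of the measured event data.

    Assumption: the UEFI LoadOptions string is measured as UTF-16LE code
    units without its terminating NUL; adjust if the firmware/loader differs.
    """
    return hashlib.sha1(load_options.encode("utf-16-le")).digest()


def expected_pcr(load_options_list, initial: bytes = bytes(PCR_SIZE)) -> bytes:
    """Replay every LoadOptions measurement in boot order, starting from the
    reset value (all zeros for a freshly powered-on TPM 1.2 PCR)."""
    pcr = initial
    for opts in load_options_list:
        pcr = pcr_extend(pcr, event_digest(opts))
    return pcr


def command_line_matches(reported_pcr: bytes, approved: str) -> bool:
    """True when the PCR quoted by the TPM equals the replay for `approved`."""
    return reported_pcr == expected_pcr([approved])


if __name__ == "__main__":
    # Constructed sample: the approved command line versus a tampered one.
    good = "root=/dev/sda1 ro quiet"
    quoted = expected_pcr([good])  # stands in for a PCR value from a TPM quote
    print("approved matches:", command_line_matches(quoted, good))
    print("tampered matches:", command_line_matches(quoted, good + " init=/bin/sh"))
```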
@poettering (Member)

coding-style-wise looks ok to me now. @kaysievers? @msekletar?

@kaysievers (Contributor)

Looks fine to me. As long as it is off by default, and it is only for the "distro" to decide whether to enable it, and for which of the registers.

@poettering (Member)

ok, merging then

poettering added a commit that referenced this pull request Feb 11, 2016
sd-boot: put hashed kernel command line in a PCR of the TPM
@poettering merged commit c8b166b into systemd:master Feb 11, 2016