Further improvements to TPM measurements #361
Conversation
hesiod
force-pushed
the
measurement-improvements
branch
2 times, most recently
from
9927006
to
8e46bea
Compare
|
I originally wanted to add some more improvements to this PR, but I think they'll take some more time and the fix in this PR is kind of self contained, so I'm going to mark it as ready. |
hesiod
force-pushed
the
measurement-improvements
branch
from
8e46bea
to
2c4c991
Compare
| // | ||
| // As per reference: | ||
| // "Measured hash covers the PE section name in ASCII (including a trailing NUL byte!)." | ||
| let section_name_cs_utf8 = CString::new(section_name).unwrap(); |
There was a problem hiding this comment.
I think this might actually be an oversight on my part, thanks for catching it!
There was a problem hiding this comment.
I cleaned up the relevant flow by moving some section name logic into UnifiedSection
| // "Measured hash covers the PE section name in ASCII (including a trailing NUL byte!)." | ||
| let section_name_cs_utf8 = CString::new(section_name).unwrap(); | ||
|
|
||
| if tpm_log_event_ascii( |
There was a problem hiding this comment.
@RaitoBezarius Do you know why this is called _ascii?
There was a problem hiding this comment.
The name probably leans on the systemd equivalent, which is also called tpm_log_event_ascii:
https://github.com/systemd/systemd/blob/fdd4263cac327a3bc447560dbd46713524046099/src/boot/efi/measure.c#L281-L288
There was a problem hiding this comment.
Yeah, it's just a TPM log event wrapper that applies preprocessing to the description so that userspace can read it.
| if tpm_log_event_ascii( | ||
| boot_services, | ||
| TPM_PCR_INDEX_KERNEL_IMAGE, | ||
| data, |
There was a problem hiding this comment.
nit: The control flow could be simplified by measuring the empty section in case there is no section data:
pe_section_data(...).unwrap_or(&[])
Not sure whether the compiler likes that, though.
There was a problem hiding this comment.
Hmm, do you have any examples in mind where sections might be empty?
|
From the Rust side, this looks good to me. I've commented some nits, feel free to ignore those. This also does what the comments claim. @RaitoBezarius If you have a second, can you double-check that this makes sense from a high-level perspective? If so, I'd merge it. |
hesiod
force-pushed
the
measurement-improvements
branch
from
2c4c991
to
a47b99d
Compare
|
I just realized there might be a small unhandled issue: Some sections are allowed to appear multiple times, but with this PR only one section would be measured. This is not terribly important for NixOS atm, but perhaps there's a simple solution. |
hesiod
force-pushed
the
measurement-improvements
branch
from
a47b99d
to
5470fd3
Compare
systemd-stub measures both the section name and the section contents. Furthermore it measures sections in a predefined order.
hesiod
force-pushed
the
measurement-improvements
branch
from
5470fd3
to
fffc7d5
Compare
Great point! This sounds like a security issue, because the same measurements could lead to different running code. Is the simple solution to bail out when there are duplicated sections? Or is there another quick solution? |
I've been working towards getting systemd-pcrlock to work. This PR includes some further fixes, but some work remains.
There is an important caveat: While PCR 11 measurements line up with
systemd-pcrlock's expectations, they don't really make sense at the moment since they measure the section contents of the PE image, so unless I'm mistaken we actually measure the kernel/initrd file paths and not their contents. This shouldn't be too complicated to implement, but probably needs some tinkering with the current architecture.I also noticed some race conditions in the NixOS test I introduced, but @nikstur was faster.