From: Aleksandr Burmashev <alexander.burmas...@oracle.com>
This avoids naming collision with TPM TIS and CRB driver introduced
by subsequent patch and characterizes the functionality of the module
better.
Signed-off-by: Daniel Kiper <daniel.ki...@oracle.com>
Signed-off-by: Sergii Dmytruk <sergii.dmyt...@3mdeb.com>
---
docs/grub.texi | 21 +++---
grub-core/Makefile.core.def | 4 +-
grub-core/commands/tpm_verifier.c | 102 ++++++++++++++++++++++++++++++
3 files changed, 115 insertions(+), 12 deletions(-)
create mode 100644 grub-core/commands/tpm_verifier.c
diff --git a/docs/grub.texi b/docs/grub.texi
index 200e747af..5355ca356 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4136,7 +4136,7 @@ Modules can be loaded via the @command{insmod}
(@pxref{insmod}) command.
* tftp_module::
* tga_module::
* time_module::
-* tpm_module::
+* tpm_verifier_module::
* tr_module::
* trig_module::
* true_module::
@@ -5702,8 +5702,8 @@ image files in GRUB.
This module provides support for the @command{time} command to measure the
time taken by a given command and output it to the terminal.
-@node tpm_module
-@section tpm
+@node tpm_verifier_module
+@section tpm_verifier
This module provides support for interacting with a Trusted Platform Module
(TPM) with GRUB to perform Measured Boot. @xref{Measured Boot} for more
information.
@@ -8770,10 +8770,10 @@ grub-mkimage -O x86_64-efi -o grubx64.efi -p
'(tftp)/grub' --sbat sbat.csv efine
@node Measured Boot
@section Measuring boot components
-If the tpm module is loaded and the platform has a Trusted Platform Module
-installed, GRUB will log each command executed and each file loaded into the
-TPM event log and extend the PCR values in the TPM correspondingly. All events
-will be logged into the PCR described below with a type of EV_IPL and an
+If the tpm_verifier module is loaded and the platform has a Trusted Platform
+Module installed, GRUB will log each command executed and each file loaded into
+the TPM event log and extend the PCR values in the TPM correspondingly. All
+events will be logged into the PCR described below with a type of EV_IPL and an
event description as described below.
@multitable @columnfractions 0.3 0.1 0.6
@@ -8798,9 +8798,10 @@ corresponding to the filename.
GRUB will not measure its own @file{core.img} - it is expected that firmware
will carry this out. GRUB will also not perform any measurements until the
-tpm module is loaded. As such it is recommended that the tpm module be built
-into @file{core.img} in order to avoid a potential gap in measurement between
-@file{core.img} being loaded and the tpm module being loaded.
+tpm_verifier module is loaded. As such it is recommended that the tpm_verifier
+module be built into @file{core.img} in order to avoid a potential gap in
+measurement between @file{core.img} being loaded and the tpm_verifier module
+being loaded.
Measured boot is currently only supported on EFI and IBM IEEE1275 PowerPC
platforms.
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index adadd1365..363b3ff12 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2560,8 +2560,8 @@ module = {
};
module = {
- name = tpm;
- common = commands/tpm.c;
+ name = tpm_verifier;
+ common = commands/tpm_verifier.c;
efi = commands/efi/tpm.c;
enable = efi;
};
diff --git a/grub-core/commands/tpm_verifier.c
b/grub-core/commands/tpm_verifier.c
new file mode 100644
index 000000000..f72ce6730
--- /dev/null
+++ b/grub-core/commands/tpm_verifier.c
@@ -0,0 +1,102 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2018 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Core TPM support code.
+ */
+
+#include <grub/err.h>
+#include <grub/i18n.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/tpm.h>
+#include <grub/term.h>
+#include <grub/verify.h>
+#include <grub/dl.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+grub_err_t
+grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+ const char *description)
+{
+ return grub_tpm_log_event (buf, size, pcr, description);
+}
+
+static grub_err_t
+grub_tpm_verify_init (grub_file_t io,
+ enum grub_file_type type __attribute__ ((unused)),
+ void **context, enum grub_verify_flags *flags)
+{
+ *context = io->name;
+ *flags |= GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+ return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_tpm_verify_write (void *context, void *buf, grub_size_t size)
+{
+ grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context);
+ return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_tpm_verify_string (char *str, enum grub_verify_string_type type)
+{
+ const char *prefix = NULL;
+ char *description;
+
+ switch (type)
+ {
+ case GRUB_VERIFY_KERNEL_CMDLINE:
+ prefix = "kernel_cmdline: ";
+ break;
+ case GRUB_VERIFY_MODULE_CMDLINE:
+ prefix = "module_cmdline: ";
+ break;
+ case GRUB_VERIFY_COMMAND:
+ prefix = "grub_cmd: ";
+ break;
+ }
+ description = grub_malloc (grub_strlen (str) + grub_strlen (prefix) + 1);
+ if (!description)
+ return GRUB_ERR_NONE;
+ grub_memcpy (description, prefix, grub_strlen (prefix));
+ grub_memcpy (description + grub_strlen (prefix), str,
+ grub_strlen (str) + 1);
+
+ grub_tpm_measure ((unsigned char *) str, grub_strlen (str), GRUB_STRING_PCR,
+ description);
+ grub_free (description);
+ return GRUB_ERR_NONE;
+}
+
+struct grub_file_verifier grub_tpm_verifier = {
+ .name = "tpm_verifier",
+ .init = grub_tpm_verify_init,
+ .write = grub_tpm_verify_write,
+ .verify_string = grub_tpm_verify_string,
+};
+
+GRUB_MOD_INIT (tpm_verifier)
+{
+ grub_verifier_register (&grub_tpm_verifier);
+}
+
+GRUB_MOD_FINI (tpm_verifier)
+{
+ grub_verifier_unregister (&grub_tpm_verifier);
+}
--
2.47.1
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
