Log measurements in PCR4 for applications being verified through shim_lock

Currently the only measurement the shim logs in the TPM is that of the EFI
application it directly loads. However, there are no measurements being taken
of applications that are being verified through the shim_lock protocol. In this
patch we extend PCR4 for any binary for which Verify is being called through
the shim_lock protocol.

Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
Tamas K Lengyel 2017-10-26 11:00:25 -06:00 committed by Peter Jones
parent 3d93263198
commit 829d3c8265
2 changed files with 6 additions and 0 deletions


@ -3,6 +3,8 @@ The following PCRs are extended by shim:
PCR4: PCR4:
- the Authenticode hash of the binary being loaded will be extended into - the Authenticode hash of the binary being loaded will be extended into
PCR4 before SB verification. PCR4 before SB verification.
- the hash of any binary for which Verify is called through the shim_lock
protocol
PCR7: PCR7:
- Any certificate in one of our certificate databases that matches a binary - Any certificate in one of our certificate databases that matches a binary
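Review bot: the new bullet says only "the hash of any binary", while the bullet directly above it specifies "the Authenticode hash" and the point in the flow ("before SB verification"); the shim_lock measurement should be documented with the same precision, i.e. which hash is extended and that it is taken before the buffer is verified, so a reader of this file can reproduce the PCR4 log without reading shim.c. Suggested wording: "- the Authenticode hash of any binary for which Verify is called through the shim_lock protocol, extended into PCR4 before verification".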

shim.c: 4 additions

@ -1820,7 +1820,11 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
if (status != EFI_SUCCESS) if (status != EFI_SUCCESS)
goto done; goto done;
/* Measure the binary into the TPM */
tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4);
status = verify_buffer(buffer, size, &context, sha256hash, sha1hash); status = verify_buffer(buffer, size, &context, sha256hash, sha1hash);
done: done:
in_protocol = 0; in_protocol = 0;
return status; return status;
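Review bot: tpm_log_pe() is called with sha1hash before verify_buffer(), which also receives sha1hash as an argument in the very next line; if verify_buffer() is what fills that buffer, tpm_log_pe() is being handed an uninitialized hash, so please confirm tpm_log_pe() derives the measurement from buffer/size itself rather than reading sha1hash, or move the measurement to the point where the hash is known to be computed. Separately, the return value of tpm_log_pe() is discarded, whereas every other step in this function feeds into status and bails via "goto done" on failure; a measurement that silently fails leaves PCR4 not reflecting the binary that was verified, so either propagate its EFI_STATUS into status or add a comment stating why a failed measurement is intentionally non-fatal here.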