Merge pull request #2587 from haraldh/tpmv3

sd-boot: put hashed kernel command line in a PCR of the TPM

1 files changed, 13 insertions, 0 deletions

diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index 9633bc1792..1e250f34f4 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -20,6 +20,7 @@
 #include "pefile.h"
 #include "splash.h"
 #include "util.h"
+#include "measure.h"
 
 /* magic string to find in the binary image */
 static const char __attribute__((used)) magic[] = "#### LoaderInfo: systemd-stub " VERSION " ####";
@@ -97,6 +98,18 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
                 for (i = 0; i < cmdline_len; i++)
                         line[i] = options[i];
                 cmdline = line;
+
+#ifdef SD_BOOT_LOG_TPM
+                /* Try to log any options to the TPM, escpecially manually edited options */
+                err = tpm_log_event(SD_TPM_PCR,
+                                    (EFI_PHYSICAL_ADDRESS) loaded_image->LoadOptions,
+                                    loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
+                if (EFI_ERROR(err)) {
+                        Print(L"Unable to add image options measurement: %r", err);
+                        uefi_call_wrapper(BS->Stall, 1, 3 * 1000 * 1000);
+                        return err;
+                }
+#endif
         }
 
         /* export the device path this image is started from */