From 92ed3bb49e460b11aa86c828083e36373ae039dd Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Wed, 3 Feb 2016 17:39:24 +0100
Subject: sd-boot: put hashed kernel command line in a PCR of the TPM

The UEFI BIOS already hashes the contents of the loaded image, so the initrd and the command line of the binary are recorded. Because manually added LoadOptions are not taken into account, these should be recorded also. This patch logs and extends a TPM PCR register with the LoadOptions. This feature can be enabled with configure --enable-tpm The PCR register index can be specified with configure --with-tpm-pcrindex=
---
 configure.ac | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
(limited to 'configure.ac')
diff --git a/configure.ac b/configure.ac
index d05d0ba31f..7a9ecb02da 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1217,6 +1217,28 @@ AS_IF([test "x$enable_gnuefi" != "xno"], [
 ])
 AM_CONDITIONAL(HAVE_GNUEFI, [test "x$have_gnuefi" = xyes])
 
+# ------------------------------------------------------------------------------
+have_tpm=no
+AC_ARG_ENABLE([tpm], AS_HELP_STRING([--enable-tpm],[Enable optional TPM support]),
+ [case "${enableval}" in
+ yes) have_tpm=yes ;;
+ no) have_tpm=no ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --enable-tpm) ;;
+ esac],
+ [have_tpm=no])
+
+if test "x${have_tpm}" != xno ; then
+ AC_DEFINE(SD_BOOT_LOG_TPM, 1, [Define if TPM should be used to log events and extend the registers])
+fi
+
+AC_ARG_WITH(tpm-pcrindex,
+ AS_HELP_STRING([--with-tpm-pcrindex=],
+ [TPM PCR register number to use]),
+ [SD_TPM_PCR="$withval"],
+ [SD_TPM_PCR="8"])
+
+AC_DEFINE_UNQUOTED(SD_TPM_PCR, [$SD_TPM_PCR], [TPM PCR register number to use])
+
 # ------------------------------------------------------------------------------
 have_kdbus=no
 AC_ARG_ENABLE(kdbus, AS_HELP_STRING([--disable-kdbus], [do not connect to kdbus by default]))
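Review bot: The `--with-tpm-pcrindex` value is passed straight through `[SD_TPM_PCR="$withval"]` into `AC_DEFINE_UNQUOTED(SD_TPM_PCR, [$SD_TPM_PCR], ...)` with no validation, so `--without-tpm-pcrindex` or a bare `--with-tpm-pcrindex` (configure sets `$withval` to `no`/`yes` there) yields `#define SD_TPM_PCR no` and only fails at compile time, while a number outside the register range is accepted silently. Since this index selects which PCR the boot measurement is extended into, it is worth rejecting anything that is not a small non-negative integer at configure time, e.g. `case "$SD_TPM_PCR" in [0-9]|1[0-9]|2[0-3]) ;; *) AC_MSG_ERROR([--with-tpm-pcrindex must be a PCR index 0-23]) ;; esac` placed before the `AC_DEFINE_UNQUOTED` (23 being the highest of the 24 PCRs a TPM 1.2 provides; adjust if other counts need to be supported). The help string `[--with-tpm-pcrindex=]` should also name its argument, `[--with-tpm-pcrindex=INDEX]`, so `./configure --help` shows that a value is required. Minor: `SD_TPM_PCR` is defined even when `have_tpm=no`; moving the `AC_ARG_WITH`/`AC_DEFINE_UNQUOTED` pair inside the `if test "x${have_tpm}" != xno` block keeps config.h free of an unused setting.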
@@ -1571,6 +1593,7 @@ AC_MSG_RESULT([
 dbus: ${have_dbus}
 nss-myhostname: ${have_myhostname}
 hwdb: ${enable_hwdb}
+ tpm: ${have_tpm}
 kdbus: ${have_kdbus}
 Python: ${have_python}
 man pages: ${have_manpages}
-- 
cgit v1.2.3-54-g00ecf