grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v4 3/3] tpm: Don't propagate measurement failures to the verifier


From: Robbie Harwood
Subject: [PATCH v4 3/3] tpm: Don't propagate measurement failures to the verifiers layer
Date: Fri, 4 Nov 2022 12:13:36 -0400

Currently if an EFI firmware fails to do a TPM measurement for a file,
the error will be propagated to the verifiers framework which will
prevent it to be opened.  This mean that buggy firmwares will lead to
the system not booting because files won't be allowed to be loaded. But
a failure to do a TPM measurement isn't expected to be a fatal error
that causes the system to be unbootable.

To avoid this, don't return errors from .write and .verify_string
callbacks and just print a debug message in the case of a TPM
measurement failure.  Add an environment variable (tpm_fail_fatal) to
restore the previous behavior.

Also-authored-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
 docs/grub.texi           | 10 ++++++++++
 grub-core/commands/tpm.c | 21 +++++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index 2d6cd83580..4ab5e9b588 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -3318,6 +3318,7 @@ These variables have special meaning to GRUB.
 * theme::
 * timeout::
 * timeout_style::
+* tpm_fail_fatal::
 @end menu
 
 
@@ -3825,6 +3826,15 @@ displaying the menu.  See the documentation of 
@samp{GRUB_TIMEOUT_STYLE}
 (@pxref{Simple configuration}) for details.
 
 
+@node tpm_fail_fatal
+@subsection tpm_fail_fatal
+
+If this variable is set and true (i.e., not set to ``0'', ``false'',
+``disable'', or ``no''), TPM measurements that fail will be treated as
+fatal.  Otherwise, they will merely be debug-logged and boot will
+continue.
+
+
 @node Environment block
 @section The GRUB environment block
 
diff --git a/grub-core/commands/tpm.c b/grub-core/commands/tpm.c
index 2052c36eab..3437e8e03b 100644
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@@ -18,6 +18,7 @@
  *  Core TPM support code.
  */
 
+#include <grub/env.h>
 #include <grub/err.h>
 #include <grub/i18n.h>
 #include <grub/misc.h>
@@ -39,10 +40,22 @@ grub_tpm_verify_init (grub_file_t io,
   return GRUB_ERR_NONE;
 }
 
+static inline bool
+is_tpm_fail_fatal (void)
+{
+  return grub_env_get_bool ("tpm_fail_fatal", false);
+}
+
 static grub_err_t
 grub_tpm_verify_write (void *context, void *buf, grub_size_t size)
 {
-  return grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context);
+  grub_err_t status = grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context);
+
+  if (status == GRUB_ERR_NONE)
+    return GRUB_ERR_NONE;
+
+  grub_dprintf ("tpm", "Measuring buffer failed: %d\n", status);
+  return is_tpm_fail_fatal () ? status : GRUB_ERR_NONE;
 }
 
 static grub_err_t
@@ -74,7 +87,11 @@ grub_tpm_verify_string (char *str, enum 
grub_verify_string_type type)
     grub_tpm_measure ((unsigned char *) str, grub_strlen (str),
                      GRUB_STRING_PCR, description);
   grub_free (description);
-  return status;
+  if (status == GRUB_ERR_NONE)
+    return GRUB_ERR_NONE;
+
+  grub_dprintf ("tpm", "Measuring string %s failed: %d\n", str, status);
+  return is_tpm_fail_fatal () ? status : GRUB_ERR_NONE;
 }
 
 struct grub_file_verifier grub_tpm_verifier = {
-- 
2.35.1




reply via email to

[Prev in Thread] Current Thread [Next in Thread]