[Skiboot] [PATCH 2/3] libstb/stb.c: measure the IMA_CATALOG partition
Claudio Carvalho
cclaudio at linux.vnet.ibm.com
Thu Sep 28 08:21:30 AEST 2017
On 20/09/2017 03:19, Stewart Smith wrote:
> Claudio Carvalho <cclaudio at linux.vnet.ibm.com> writes:
>> This maps a PCR number for the IMA_CATALOG partition so that it can be
>> measured (extended to the mapped PCR).
>>
>> Signed-off-by: Claudio Carvalho <cclaudio at linux.vnet.ibm.com>
>> ---
>> libstb/stb.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/libstb/stb.c b/libstb/stb.c
>> index eab04eb..15aa682 100644
>> --- a/libstb/stb.c
>> +++ b/libstb/stb.c
>> @@ -58,6 +58,7 @@ static struct {
>> enum resource_id id;
>> TPM_Pcr pcr;
>> } resources[] = {
>> + { RESOURCE_ID_IMA_CATALOG, PCR_4 },
>> { RESOURCE_ID_KERNEL, PCR_4 },
>> { RESOURCE_ID_CAPP, PCR_2 },
>> };
> Our current async resource loading *currently* does so serially,
> although there's no real requirement that this would be the
> case in the future. Thus, we probably want something here to enforce
> order if we're extending the same PCR?
Good catch. Ideally, we should measure the resource just before it is
consumed.
Perhaps we could verify and measure the resource in the
flash_resource_loaded() function. If so, we may need to find the
sub-partition from there, in case the request is for a sub-partition.
What do you think?
> Otherwise I forsee accepting an amazing patch that subtley makes the
> order non-deterministic and we only find out ages later when somebody is
> looking at PCR values and wondering why they're only consistent 99/100
> boots.
>
More information about the Skiboot
mailing list