author: Tamas K Lengyel <lengyelt@ainfosec.com> 2017-10-26 11:00:25 -0600
committer: Peter Jones <pjones@redhat.com> 2018-03-06 14:37:07 -0500
commit: 829d3c82652ff51cad8878c69956b78b5aabb86a
tree: 64d5ac8d92097c0878fecccc3cfd71e3d53dbbe3 /shim.c
parent: 3d932631980a29cf584afbf80bc6c278129ae2e2
Log measurements in PCR4 for applications being verified through shim_lock
Currently the only measurement the shim logs in the TPM is that of the EFI application it directly loads. However, there are no measurements being taken of applications that are being verified through the shim_lock protocol. In this patch we extend PCR4 for any binary for which Verify is being called through the shim_lock protocol.

Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>
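To make the effect of the change concrete, here is a small simulation of the PCR4 measurement chain the commit message describes. It is an added example, not shim code: a PCR extend is modelled as SHA-1(old || digest), `image_digest` is a flat SHA-1 stand-in for the Authenticode hash shim passes as `sha1hash`, and the image bytes are constructed. It shows that an application verified through shim_lock leaves no trace in PCR4 unless it is measured, and that a verifier replaying the event log only reproduces PCR4 when every measured image was logged.

```python
import hashlib

PCR_SIZE = 20   # a SHA-1 PCR holds 20 bytes
SHIM_PCR = 4    # PCR index shim extends for EFI applications (per the patch)

# Constructed image contents; real inputs would be the loaded PE binaries.
GRUB = b"constructed: grubx64.efi image bytes"
KERNEL_A = b"constructed: vmlinuz-A image bytes"
KERNEL_B = b"constructed: vmlinuz-B image bytes (tampered)"


def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-1(PCR_old || digest)."""
    assert len(old) == PCR_SIZE and len(digest) == PCR_SIZE
    return hashlib.sha1(old + digest).digest()


def image_digest(image: bytes) -> bytes:
    """Flat SHA-1 of the image bytes.

    Stand-in (assumption) for the Authenticode hash shim computes; the real
    value skips the PE checksum and certificate-table fields."""
    return hashlib.sha1(image).digest()


def boot_chain(images, log_shim_lock_images: bool):
    """Simulate the measurements shim makes during one boot.

    images[0] is the application shim loads directly and always measures;
    images[1:] are applications verified through shim_lock, which are only
    measured when log_shim_lock_images is True (the behaviour this patch adds).
    Returns (final PCR4 value, list of digests written to the event log)."""
    pcr = bytes(PCR_SIZE)          # PCR4 starts at all zeros
    log = []
    for idx, image in enumerate(images):
        if idx == 0 or log_shim_lock_images:
            digest = image_digest(image)
            log.append(digest)
            pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay(log) -> bytes:
    """What an attestation verifier does: recompute PCR4 from the event log."""
    pcr = bytes(PCR_SIZE)
    for digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


if __name__ == "__main__":
    for patched in (False, True):
        pcr_a, log = boot_chain([GRUB, KERNEL_A], patched)
        pcr_b, _ = boot_chain([GRUB, KERNEL_B], patched)
        print(f"shim_lock images logged={patched}: "
              f"PCR{SHIM_PCR} distinguishes kernels: {pcr_a != pcr_b}, "
              f"log entries={len(log)}, replay matches={replay(log) == pcr_a}")
```

Without the patch the two kernels yield an identical PCR4, so a remote verifier cannot tell which one was booted; with it the digests differ and the event log replays to the sealed value.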
Diffstat (limited to 'shim.c')
-rw-r--r-- shim.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/shim.c b/shim.c
index 2ab3dfe7..8fe70cb8 100644
--- a/shim.c
+++ b/shim.c
@@ -1820,7 +1820,11 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
if (status != EFI_SUCCESS)
goto done;
+ /* Measure the binary into the TPM */
+ tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4);
+
status = verify_buffer(buffer, size, &context, sha256hash, sha1hash);
+
done:
in_protocol = 0;
return status;
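Review bot: sha1hash is handed to tpm_log_pe before verify_buffer(), which takes that same sha1hash as an output parameter, has run; unless shim_verify fills sha1hash earlier in the function, the measurement is logged with whatever the uninitialised buffer holds. Either compute the digest before the measurement or move the tpm_log_pe call to after verify_buffer, e.g. `status = verify_buffer(buffer, size, &context, sha256hash, sha1hash);` followed by `if (status == EFI_SUCCESS) tpm_log_pe(...)`, and decide explicitly whether an image that fails verification should still be extended into PCR4. The return value of tpm_log_pe is also discarded here, so a failed measurement cannot be reported to the shim_lock caller.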