Secure boot rollback fixes #3422
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jakogut
force-pushed
the
sb-rollback-fixes
branch
3 times, most recently
from
65df818
to
2e4b0ad
Compare
alexgg
reviewed
May 17, 2024
meta-balena-common/recipes-support/os-helpers/os-helpers/os-helpers-tpm2
Outdated
Show resolved
Hide resolved
mtoman
reviewed
May 24, 2024
meta-balena-common/recipes-support/os-helpers/os-helpers/os-helpers-tpm2
Outdated
Show resolved
Hide resolved
mtoman
reviewed
May 24, 2024
meta-balena-common/recipes-support/os-helpers/os-helpers/os-helpers-tpm2
Show resolved
Hide resolved
mtoman
reviewed
May 24, 2024
meta-balena-common/recipes-support/os-helpers/os-helpers/os-helpers-tpm2
Show resolved
Hide resolved
In commit 1c19ebb, we append digests from the TPM event log corresponding to events that are logged before EV_SEPARATOR. For instance, parsing the event log on a typical system for event types, the output looks like this: EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) EV_EFI_VARIABLE_DRIVER_CONFIG (PK) EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) EV_EFI_VARIABLE_DRIVER_CONFIG (db) EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) EV_SEPARATOR This system requires no merging of event log digests. On systems that measure EFI binaries (mostly only QEMU w/ edk2), we also get this: EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) EV_EFI_VARIABLE_DRIVER_CONFIG (PK) EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) EV_EFI_VARIABLE_DRIVER_CONFIG (db) EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) EV_SEPARATOR EV_EFI_VARIABLE_AUTHORITY (bootx64.efi) EV_EFI_VARIABLE_AUTHORITY (bzImage) Again, this requires no merging. We compute the signature of the relevant EFI binaries ourselves, as they're subject to change during hostapp-update. However, we've also seen event logs like this: EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) EV_EFI_VARIABLE_DRIVER_CONFIG (PK) EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) EV_EFI_VARIABLE_DRIVER_CONFIG (db) EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) EV_EFI_ACTION (DMA Protection Disabled) EV_SEPARATOR This case is the one we've handled previously, by reading from the event log and appending event digests before EV_SEPARATOR. We stopped at EV_SEPARATOR because we weren't parsing event types previously, and this digest is a constant that's easily recognized. However, we've since encountered systems that have unexpected events *after* EV_SEPARATOR, as shown below. EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) EV_EFI_VARIABLE_DRIVER_CONFIG (PK) EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) EV_EFI_VARIABLE_DRIVER_CONFIG (db) EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) EV_SEPARATOR Unknown event type (?!) In order to handle this, parse digests and event types into temporary files and iterate through them together. We only stop appending digests from the event log when the next event type is EV_EFI_VARIABLE_AUTHORITY (EFI binary signature) or we hit the end of the list. This should account for all possible variations. Change-type: patch Signed-off-by: Joseph Kogut <joseph@balena.io>
When rollback-health runs, a failing healthcheck causes the hostapp-update hooks to be run from the inactive partition, to make the inactive system bootable again. The 0-signed-update hook, which updates the sealing policy for secure boot enabled systems, reads from the securityfs mounted at /sys/kernel/security in order to parse the TPM event log. If this filesystem isn't mounted, the hook will improperly detect that the TPM event log isn't available, and unneccessarily create a combined policy when a single PCR policy would suffice. Mount this filesystem in old_rootfs before chrooting to fix this. Change-type: patch Signed-off-by: Joseph Kogut <joseph@balena.io>
Some hooks, such as 0-signed-update, will attempt to read files from the EFI system partition, such as combined policy binaries. Bind mount the EFI partition into old_rootfs before running hooks to ensure this is available. Change-type: patch Signed-off-by: Joseph Kogut <joseph@balena.io>
When reading from efi variables in hostapp-update hooks during rollback, tcgtool will improperly read zero bytes from efivar files. This results in an improper calculation of the PCR 7 digest, and an unbootable system. Read the file contents, skipping the first four bytes that are attributes, and pipe the data directly to tcgtool to work around this. Change-type: patch Signed-off-by: Joseph Kogut <joseph@balena.io>
jakogut
force-pushed
the
sb-rollback-fixes
branch
from
2e4b0ad
to
27da41a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Contributor checklist
Change-typepresent on at least one commitSigned-off-byis presentReviewer Guidelines