efi: AddPCRProfile support for PCRs 4 and 7 profiles #249
Conversation
chrisccoulson
force-pushed
the
efi-add-pcr-4-and-7-profile-generation
branch
5 times, most recently
from
d0335f8
to
fdb5796
Compare
chrisccoulson
force-pushed
the
efi-add-pcr-4-and-7-profile-generation
branch
from
fdb5796
to
1ba7336
Compare
chrisccoulson
force-pushed
the
efi-add-pcr-4-and-7-profile-generation
branch
from
1ba7336
to
e4c2c15
Compare
This adds the remaining missing pieces so that AddPCRProfile can generate boot manager code and secure boot policy profiles. This will replace the existing AddBootManagerProfile and AddSecureBootPolicyProfile APIs.
chrisccoulson
force-pushed
the
efi-add-pcr-4-and-7-profile-generation
branch
from
e4c2c15
to
94bdca6
Compare
| signatureDBUpdateNoFirmwareQuirk, | ||
| signatureDBUpdateFirmwareDedupIgnoresOwner} { | ||
| // create branch by copying the root varBranch | ||
| branch := *root |
There was a problem hiding this comment.
I'm probably missing something, how does the change propagate out of this function if below we operate on a copy?
There was a problem hiding this comment.
The copy maintains a copy of updates, and then each call to WriteVar propagates those updates to rootVarsCollector via its registerUpdates callback.
There was a problem hiding this comment.
I see maybe the comment should be:
// create a branch per quirk by copying the root varBranch
There was a problem hiding this comment.
for a moment I was confused and thought that root.updates was a slice, that is not case, otherwise the shallow copy would not be safe, as append to the same slice again can produce confusing results depending on the allocation history of the slice. I don't think we have code here that shallow copy structs with slices in them?
| } | ||
|
|
||
| func (h *ubuntuCoreUKILoadHandler) MeasureImageStart(_ pcrBranchContext) error { | ||
| // TODO: Add stuff that the kernel measures here |
There was a problem hiding this comment.
do we need to fix this before things can be used?
There was a problem hiding this comment.
It doesn't - snapd can continue to use the AddSystemdStubProfile API in addition to this one, although that will be moved here in a follow up. That will be a fairly minor change though.
There was a problem hiding this comment.
maybe it's a good idea to leave a comment also about that:
// for now clients can continue using AddSystemdStubProfile
| signatureDBUpdateNoFirmwareQuirk, | ||
| signatureDBUpdateFirmwareDedupIgnoresOwner} { | ||
| // create branch by copying the root varBranch | ||
| branch := *root |
There was a problem hiding this comment.
I see maybe the comment should be:
// create a branch per quirk by copying the root varBranch
| } | ||
|
|
||
| func (h *ubuntuCoreUKILoadHandler) MeasureImageStart(_ pcrBranchContext) error { | ||
| // TODO: Add stuff that the kernel measures here |
There was a problem hiding this comment.
maybe it's a good idea to leave a comment also about that:
// for now clients can continue using AddSystemdStubProfile
| signatureDBUpdateNoFirmwareQuirk, | ||
| signatureDBUpdateFirmwareDedupIgnoresOwner} { | ||
| // create branch by copying the root varBranch | ||
| branch := *root |
There was a problem hiding this comment.
for a moment I was confused and thought that root.updates was a slice, that is not case, otherwise the shallow copy would not be safe, as append to the same slice again can produce confusing results depending on the allocation history of the slice. I don't think we have code here that shallow copy structs with slices in them?
This adds the remaining missing pieces so that AddPCRProfile can
generate boot manager code and secure boot policy profiles. This will
replace the existing AddBootManagerProfile and AddSecureBootPolicyProfile
APIs.