boot,stub: explicitly measure select SMBIOS objects (#42233)

This is supposed to protect our SMBIOS type 11 importing for
credentials. Note that firmwares are supposed to measure SMBIOS anyway
to PCR 1. Alas firmware doesn't really do that in various cases. Hence
let's do so again, for select objects.

This closes a gap where some of the input for OS (i.e. system
credentials places in smbios11) isn't measured properly.

(I really want this to get into v261, because this will fuck up the PCRs
a bit more, and we already have the new separator measurement in v261,
hence there's value in getting this merged at the same time, so that we
don't break the measurements a 2nd time)

Author: bluca

TODO.md

@@ -1212,12 +1212,6 @@ SPDX-License-Identifier: LGPL-2.1-or-later
 - in pid1: include ExecStart= cmdlines (and other Exec*= cmdlines) in polkit
   request, so that policies can match against command lines.
 
-- in sd-boot and sd-stub measure the SMBIOS vendor strings to some PCR (at
-  least some subset of them that look like systemd stuff), because apparently
-  some firmware does not, but systemd honours it. avoid duplicate measurement
-  by sd-boot and sd-stub by adding LoaderFeatures/StubFeatures flag for this,
-  so that sd-stub can avoid it if sd-boot already did it.
-
 - in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
 
 - in sd-stub: optionally add support for a new PE section .keyring or so that
@@ -1745,8 +1739,6 @@ SPDX-License-Identifier: LGPL-2.1-or-later
 
 - measure all log-in attempts into a new nvpcr
 
-- measure credentials picked up from SMBIOS to some suitable PCR
-
 - measure GPT and LUKS headers somewhere when we use them (i.e. in
   systemd-gpt-auto-generator/systemd-repart and in systemd-cryptsetup?)
 

docs/BOOT_LOADER_INTERFACE.md

@@ -145,6 +145,8 @@ Variables will be listed below using the Linux efivarfs naming,
   * `1 << 19` → The boot loader supports the `LoaderEntryPreferred` variable when set.
   * `1 << 20` → The boot loader reports the firmware-configured keyboard layout in the
                 EFI variable `LoaderKeyboardLayout-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`.
+  * `1 << 21` → The boot loader measures SMBIOS information into a TPM2 PCR and reports the PCR index in the
+                EFI variable `LoaderPcrSMBIOS-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`.
 
 * The EFI variable `LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`
   contains binary random data,
@@ -184,6 +186,17 @@ Variables will be listed below using the Linux efivarfs naming,
   uses this as a lowest-priority fallback keyboard layout
   when no explicit configuration is provided.
 
+* The EFI variable `LoaderPcrSMBIOS-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f`
+  contains the index of the TPM2 PCR (as a decimal ASCII string formatted as a
+  NUL-terminated UTF-16 string, e.g. `1`) into which the boot loader measured
+  select SMBIOS structures: type 1 (system information, with the volatile
+  "Wake-up Type" field zeroed out), type 2 (baseboard information) and type 11
+  (OEM strings). This is a volatile (non-persistent) variable, set only if a
+  measurement was successfully completed, and remains unset otherwise. Both
+  `systemd-boot` and `systemd-stub` perform this measurement; whichever runs
+  first sets the variable, and its presence suppresses a second measurement of
+  the same data into the same PCR during the same boot.
+
 If `LoaderTimeInitUSec` and `LoaderTimeExecUSec` are set, `systemd-analyze`
 will include them in its boot-time analysis.  If `LoaderDevicePartUUID` is set,
 systemd will mount the ESP that was used for the boot to `/boot`, but only if

docs/TPM2_PCR_MEASUREMENTS.md

@@ -91,6 +91,45 @@ must be employed when designing a system that uses this feature.
 
 ## PCR Measurements Made by `systemd-boot` (UEFI)
 
+### PCR 1, `EV_EVENT_TAG`, SMBIOS information
+
+Select SMBIOS structures provided by the firmware are measured into PCR 1 (the
+TCG-defined register for platform configuration data), one tagged event per
+structure:
+
+* SMBIOS type 1 (system information). The volatile "Wake-up Type" field is
+  zeroed before measuring, since it varies depending on how the machine was
+  powered on (cold boot, resume from sleep, AC restore, …) and would otherwise
+  make the measurement non-reproducible.
+* SMBIOS type 2 (baseboard information).
+* SMBIOS type 11 (OEM strings). There may be more than one such structure; all
+  are measured.
+
+Note that these measurements are – strictly speaking – redundant, since
+firmwares are supposed to measure SMBIOS data anyway on their own. However, it
+has been found this is not the case on many real-life implementations. Since in
+particular SMBIOS type 11 may carry highly relevant input for the OS
+(e.g. system credentials), an explicit measurement is made here to ensure all
+parameters for the OS are comprehensively measured even on flaky firmwares.
+
+→ **Event Tag** `0xd5cb7cbc` for type 1, `0xe0d47bc8` for type 2, `0xc0b3bd23`
+for type 11.
+
+→ **Description** in the event log record is `smbios:type1`, `smbios:type2` or
+`smbios:type11` respectively, in UTF-16.
+
+→ **Measured hash** covers the raw bytes of the SMBIOS structure (formatted area
+plus trailing string set), with the type 1 "Wake-up Type" field zeroed out as
+described above.
+
+This measurement is also performed by `systemd-stub` (see below), so that systems
+that boot a UKI directly, bypassing `systemd-boot`, still get it. Whichever
+component runs first performs the measurement and sets the volatile
+`LoaderPcrSMBIOS` EFI variable to the PCR index used; its presence suppresses a
+second measurement of the same data into the same PCR during the same boot. Note
+that the firmware itself typically also extends PCR 1, so its final value is not
+solely determined by this measurement.
+
 ### PCR 5, `EV_EVENT_TAG`, `loader.conf`
 
 The content of `systemd-boot`'s configuration file, `loader/loader.conf`, is
@@ -120,6 +159,14 @@ trailing NUL bytes).
 
 ## PCR Measurements Made by `systemd-stub` (UEFI)
 
+### PCR 1, `EV_EVENT_TAG`, SMBIOS information
+
+Identical to the SMBIOS measurement described above for `systemd-boot`. When
+`systemd-stub` is invoked by `systemd-boot`, the measurement has typically already
+been made (tracked via the `LoaderPcrSMBIOS` EFI variable) and is not repeated;
+when the UKI is booted directly by the firmware, `systemd-stub` performs it
+itself.
+
 ### PCR 11, `EV_IPL`, PE section name
 
 A measurement is made for each PE section of the UKI that is defined by the

man/systemd-boot.xml

@@ -622,6 +622,19 @@ extra       /6a9857a393724b7a981ebb5b8495b9ea/1.2.3/baz.confext.raw</programlist
         <xi:include href="version-info.xml" xpointer="v258"/></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>LoaderPcrSMBIOS</varname></term>
+
+        <listitem><para>The PCR register index select SMBIOS structures are measured into — type 1
+        (system information, with the volatile "Wake-up Type" field zeroed out), type 2 (baseboard
+        information) and type 11 (OEM strings). Formatted as decimal ASCII string (e.g.
+        <literal>1</literal>). Set by the boot loader if a measurement was successfully completed, and remains
+        unset otherwise. (Note that <command>systemd-stub</command> performs the same measurement when booted
+        directly, bypassing the boot loader.)</para>
+
+        <xi:include href="version-info.xml" xpointer="v261"/></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>LoaderImageIdentifier</varname></term>
 

man/systemd-stub.xml

@@ -664,6 +664,20 @@
         <xi:include href="version-info.xml" xpointer="v257"/></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>LoaderPcrSMBIOS</varname></term>
+
+        <listitem><para>The PCR register index select SMBIOS structures are measured into — type 1
+        (system information, with the volatile "Wake-up Type" field zeroed out), type 2 (baseboard
+        information) and type 11 (OEM strings). Formatted as decimal ASCII string (e.g.
+        <literal>1</literal>). This variable is set if a measurement was successfully completed, and remains
+        unset otherwise. <command>systemd-stub</command> performs this measurement only if it has not already
+        been done in the same boot (e.g. by the boot loader), as indicated by this variable being set
+        already.</para>
+
+        <xi:include href="version-info.xml" xpointer="v261"/></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>LoaderBootSecret</varname></term>
 

src/boot/boot.c

@@ -17,6 +17,7 @@
 #include "iovec-util.h"
 #include "line-edit.h"
 #include "measure.h"
+#include "measure-smbios.h"
 #include "memory-util.h"
 #include "part-discovery.h"
 #include "pe.h"
@@ -3267,6 +3268,7 @@ static void export_loader_variables(
                 EFI_LOADER_FEATURE_TYPE1_UKI_URL |
                 EFI_LOADER_FEATURE_TPM2_ACTIVE_PCR_BANKS |
                 EFI_LOADER_FEATURE_KEYBOARD_LAYOUT |
+                EFI_LOADER_FEATURE_SMBIOS_MEASURED |
                 0;
 
         assert(loaded_image);
@@ -3434,6 +3436,10 @@ static EFI_STATUS run(EFI_HANDLE image) {
         export_common_variables(loaded_image);
         export_loader_variables(loaded_image, init_usec);
 
+        /* Measure SMBIOS data into PCR 1. This is done early, and suppressed if sd-stub later runs in
+         * the same boot (and vice versa), via the LoaderPcrSMBIOS EFI variable. */
+        measure_smbios();
+
         (void) load_drivers(image, loaded_image, root_dir);
 
         _cleanup_free_ char16_t *loaded_image_path = NULL;

src/boot/measure-smbios.c

@@ -0,0 +1,96 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "efi-efivars.h"
+#include "efi-log.h"
+#include "measure.h"
+#include "measure-smbios.h"
+#include "smbios.h"
+#include "tpm2-pcr.h"
+#include "util.h"
+
+static void measure_smbios_raw(
+                const void *p,
+                size_t size,
+                uint32_t event_id,
+                const char16_t *description,
+                bool *measured) {
+
+        EFI_STATUS err;
+        bool m = false;
+
+        assert(p);
+        assert(description);
+        assert(measured);
+
+        err = tpm_log_tagged_event(
+                        TPM2_PCR_PLATFORM_CONFIG,
+                        POINTER_TO_PHYSICAL_ADDRESS(p),
+                        size,
+                        event_id,
+                        description,
+                        &m);
+        if (err != EFI_SUCCESS)
+                log_error_status(err, "Unable to measure SMBIOS structure (%ls), ignoring: %m", description);
+
+        *measured = *measured || m;
+}
+
+static void measure_smbios_type1(const SmbiosHeader *header, size_t size, bool *measured) {
+        assert(header);
+        assert(measured);
+
+        /* The wake-up type field varies depending on how the machine was powered on (cold boot, resume
+         * from sleep, AC restore, …), which would make the measurement non-reproducible. Hence measure a
+         * copy with that field zeroed out. */
+
+        assert(size >= sizeof(SmbiosTableType1));
+
+        _cleanup_free_ SmbiosTableType1 *copy = xmemdup(header, size);
+        copy->wake_up_type = 0;
+
+        measure_smbios_raw(copy, size, SMBIOS_TYPE1_EVENT_TAG_ID, u"smbios:type1", measured);
+}
+
+static bool measure_smbios_object(const SmbiosHeader *header, size_t size, void *userdata) {
+        bool *measured = ASSERT_PTR(userdata);
+
+        switch (header->type) {
+
+        case 1: /* System Information */
+                measure_smbios_type1(header, size, measured);
+                break;
+
+        case 2: /* Baseboard Information */
+                measure_smbios_raw(header, size, SMBIOS_TYPE2_EVENT_TAG_ID, u"smbios:type2", measured);
+                break;
+
+        case 11: /* OEM Strings */
+                measure_smbios_raw(header, size, SMBIOS_TYPE11_EVENT_TAG_ID, u"smbios:type11", measured);
+                break;
+
+        default:
+                break;
+        }
+
+        return true; /* Keep iterating: there may be more than one matching structure (e.g. type 11). */
+}
+
+void measure_smbios(void) {
+        bool measured = false;
+
+        if (!tpm_present())
+                return;
+
+        /* If the measurement was already done this boot (e.g. by sd-boot before it chainloaded us), don't
+         * do it again — re-extending PCR 1 would invalidate the value. */
+        if (efivar_get_raw(MAKE_GUID_PTR(LOADER), u"LoaderPcrSMBIOS", /* ret_data= */ NULL, /* ret_size= */ NULL) == EFI_SUCCESS)
+                return;
+
+        /* Measure SMBIOS type 1 (system information), type 2 (baseboard information) and type 11 (OEM
+         * strings) into PCR 1, in a single pass over the SMBIOS table. */
+        smbios_foreach(measure_smbios_object, &measured);
+
+        /* If we measured something, tell the OS which PCR we used (and suppress a second pass). */
+        if (measured)
+                (void) efivar_set_uint64_str16(MAKE_GUID_PTR(LOADER), u"LoaderPcrSMBIOS", TPM2_PCR_PLATFORM_CONFIG, /* flags= */ 0);
+}

src/boot/measure-smbios.h

@@ -0,0 +1,8 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+/* Measures SMBIOS type 1 (system information, with the volatile "Wake-up Type" field masked) and all
+ * type 11 (OEM strings) structures into PCR 1, and records the PCR index in the transient
+ * LoaderPcrSMBIOS EFI variable. Called by both sd-boot and sd-stub; the presence of LoaderPcrSMBIOS
+ * suppresses a redundant second measurement when both run during the same boot. */
+void measure_smbios(void);

src/boot/meson.build

@@ -323,6 +323,7 @@ libefi_sources = files(
         'hii.c',
         'initrd.c',
         'measure.c',
+        'measure-smbios.c',
         'part-discovery.c',
         'pe.c',
         'random-seed.c',