efi/libstub: measure EFI LoadOptions

The EFI TCG spec, in §10.2.6 "Measuring UEFI Variables and UEFI GPT
Data", only reasons about the load options passed to a loaded image in
the context of boot options booted directly from the BDS, which are
measured into PCR #5 along with the rest of the Boot#### EFI variable.

However, the UEFI spec mentions the following in the documentation of
the LoadImage() boot service and the EFI_LOADED_IMAGE protocol:

  The caller may fill in the image’s "load options" data, or add
  additional protocol support to the handle before passing control to
  the newly loaded image by calling EFI_BOOT_SERVICES.StartImage().

The typical boot sequence for Linux EFI systems is to load GRUB via a
boot option from the BDS, which [hopefully] calls LoadImage to load the
kernel image, passing the kernel command line via the mechanism
described above. This means that we cannot rely on the firmware
implementing TCG measured boot to ensure that the kernel command line
gets measured before the image is started, so the EFI stub will have to
take care of this itself.

Given that PCR #5 has an official use in the TCG measured boot spec,
let's avoid it in this case. Instead, add a measurement in PCR #9 (which
we already use for our initrd) and extend it with the LoadOptions
measurements

Co-developed-by: Ilias Apalodimas <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
Signed-off-by: Ard Biesheuvel <[email protected]>

Author: apalos

drivers/firmware/efi/libstub/efi-stub-helper.c

@@ -336,6 +336,7 @@ void efi_apply_loadoptions_quirk(const void **load_options, u32 *load_options_si
 
 enum efistub_event {
 	EFISTUB_EVT_INITRD,
+	EFISTUB_EVT_LOAD_OPTIONS,
 	EFISTUB_EVT_COUNT,
 };
 
@@ -352,6 +353,11 @@ static const struct {
 		INITRD_EVENT_TAG_ID,
 		STR_WITH_SIZE("Linux initrd")
 	},
+	[EFISTUB_EVT_LOAD_OPTIONS] = {
+		9,
+		LOAD_OPTIONS_EVENT_TAG_ID,
+		STR_WITH_SIZE("LOADED_IMAGE::LoadOptions")
+	},
 };
 
 static efi_status_t efi_measure_tagged_event(unsigned long load_addr,
@@ -423,6 +429,10 @@ char *efi_convert_cmdline(efi_loaded_image_t *image, int *cmd_line_len)
 	efi_status_t status;
 	u32 options_chars;
 
+	if (options_size > 0)
+		efi_measure_tagged_event((unsigned long)options, options_size,
+					 EFISTUB_EVT_LOAD_OPTIONS);
+
 	efi_apply_loadoptions_quirk((const void **)&options, &options_size);
 	options_chars = options_size / sizeof(efi_char16_t);
 

drivers/firmware/efi/libstub/efistub.h

@@ -753,6 +753,7 @@ union apple_properties_protocol {
 typedef u32 efi_tcg2_event_log_format;
 
 #define INITRD_EVENT_TAG_ID 0x8F3B22ECU
+#define LOAD_OPTIONS_EVENT_TAG_ID 0x8F3B22EDU
 #define EV_EVENT_TAG 0x00000006U
 #define EFI_TCG2_EVENT_HEADER_VERSION	0x1