Re: [PATCH V7 0/4] Add support for crypto agile logs

[Joe Richey]

On Mon, May 20, 2019 at 1:56 PM Matthew Garrett
<matthewgarrett@xxxxxxxxxx> wrote:
>
> Identical to previous version except without the KSAN workaround - Ard
> has a better solution for that.

I just tested this on x86_64 with the systemd-boot (previously gummiboot)
bootloader. For context, this bootloader is essentially just an EFI
chainloader. This bootloader measures the kernel cmdline into PCR 8.
However, it calls GetEventLog before calling HashLogExtendEvent, intending
to have the log entry written to the "EFI TCG 2.0 final events table". See:
    https://github.com/systemd/systemd/blob/75e40119a471454516ad0acc96f6f4094e7fb652/src/boot/efi/measure.c#L212-L227

With the current patchset, this log entry appears _twice_ in the sysfs file.
This is caused by the fact that the sysfs event log unconditionally appends
the entire final event log to the output of GetEventLog. However, the correct
behavior would be to append only the _new_ entries that appear in the final
event log to the output of GetEventLog.

This could be done by first calculating the length of the final events log
table, then recalculating the length of the final events log after the
kernel calls ExitBootServices. This would let us know for sure that we are
only appending new log entries.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature