From c2453df75ecdbc547e4637268dccde5cdc012881 Mon Sep 17 00:00:00 2001
From: Alberto Planas
Date: Tue, 20 Feb 2024 19:12:08 +0100
Subject: [PATCH] Measure systemd-boot loader.conf

Since systemd-boot v255 the /loader/loader.conf file can be measured under a EV_EVENT_TAG event in PCR#5. This commit measure the file in the ESP.

Fix #49

Signed-off-by: Alberto Planas
---
 src/eventlog.c | 18 ++++++++++++++++++
 src/eventlog.h | 7 +++++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/eventlog.c b/src/eventlog.c
index 4277d42..2e29b0e 100644
--- a/src/eventlog.c
+++ b/src/eventlog.c
@@ -842,6 +842,19 @@ __tpm_event_tag_destroy(tpm_parsed_event_t *parsed)
 {
 }
 
+static const char *
+__tpm_event_tag_loader_conf_describe(const tpm_parsed_event_t *parsed)
+{
+ return "/loader/loader.conf (measured by systemd-boot)";
+}
+
+static const tpm_evdigest_t *
+__tpm_event_tag_loader_conf_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *parsed, tpm_event_log_rehash_ctx_t *ctx)
+{
+ debug("  re-hashing /loader/loader.conf");
+ return runtime_digest_efi_file(ctx->algo, "/loader/loader.conf");
+}
+
 static const char *
 __tpm_event_tag_options_describe(const tpm_parsed_event_t *parsed)
 {
@@ -880,6 +893,7 @@ __tpm_event_tag_initrd_rehash(const tpm_event_t *ev, const tpm_parsed_event_t *p
 }
 
 /*
+ * Generated by systemd-boot (PCR#5), to measure loader.conf
  * Generated by the kernel (PCR#9), to measure the cmdline and initrd
  */
 static bool
@@ -900,6 +914,10 @@ __tpm_event_parse_tag(tpm_event_t *ev, tpm_parsed_event_t *parsed, buffer_t *bp)
 return false;
 parsed->destroy = __tpm_event_tag_destroy;
 
+ if (evspec->event_id == LOADER_CONF_EVENT_TAG_ID) {
+ parsed->rehash = __tpm_event_tag_loader_conf_rehash;
+ parsed->describe = __tpm_event_tag_loader_conf_describe;
+ } else
 if (evspec->event_id == LOAD_OPTIONS_EVENT_TAG_ID) {
 parsed->rehash = __tpm_event_tag_options_rehash;
 parsed->describe = __tpm_event_tag_options_describe;
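Review bot: The ESP path `/loader/loader.conf` is spelled out twice in the first hunk, once in `__tpm_event_tag_loader_conf_describe` and again in `__tpm_event_tag_loader_conf_rehash`, so the description and the file that is actually digested can drift apart; a single `static const char loader_conf_path[] = "/loader/loader.conf";` used by both would pin them together. Neither new function says what it predicts: a header comment such as `/* systemd-boot >= v255 measures the content of loader.conf into PCR#5 under this event tag; rehash digests the file currently on the ESP, so editing loader.conf afterwards changes the predicted value. */` would make that explicit. Whether `runtime_digest_efi_file` hashes exactly the bytes systemd-boot measured cannot be confirmed from this hunk and is worth stating in the same comment. The `ev` and `parsed` parameters are unused in the new rehash callback, which presumably mirrors the other `*_rehash` callbacks' signature; `__tpm_event_tag_options_describe` continues outside the hunk.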
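Review bot: The new branch in `__tpm_event_parse_tag` (third hunk) selects the loader.conf handlers solely on the 32-bit `evspec->event_id`; the commit message says this tag is logged in PCR#5, but nothing in the hunk checks that the entry came from that PCR, so a tag with the same id on another PCR would be rehashed and described as loader.conf. If `tpm_event_t` exposes the PCR index (not visible here), a guard on it would be a cheap consistency check; otherwise a comment on the branch, `/* systemd-boot logs this tag only in PCR#5 */`, documents the expectation. `__tpm_event_parse_tag` starts and ends outside the hunk.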
diff --git a/src/eventlog.h b/src/eventlog.h
index 3741b58..d78e3da 100644
--- a/src/eventlog.h
+++ b/src/eventlog.h
@@ -96,8 +96,11 @@ enum {
 };
 
 enum {
- LOAD_OPTIONS_EVENT_TAG_ID = 0x8F3B22EDU,
- INITRD_EVENT_TAG_ID = 0x8F3B22ECU,
+ /* systemd-boot */
+ LOADER_CONF_EVENT_TAG_ID = 0xF5BC582A,
+ /* kernel */
+ LOAD_OPTIONS_EVENT_TAG_ID = 0x8F3B22ED,
+ INITRD_EVENT_TAG_ID = 0x8F3B22EC,
 };
 
 #define EFI_DEVICE_PATH_MAX 16
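Review bot: The hunk drops the `U` suffix from the two existing enumerators (`0x8F3B22EDU` becomes `0x8F3B22ED`, `0x8F3B22ECU` becomes `0x8F3B22EC`) and adds `LOADER_CONF_EVENT_TAG_ID = 0xF5BC582A` without one, a change the commit message does not mention. All three values exceed INT_MAX, which C11 does not permit for an enumerator at all; GCC accepts it as an extension and gives the enum an unsigned underlying type, so the `==` comparisons against `evspec->event_id` in eventlog.c still work, but keeping the suffix on all three (`LOADER_CONF_EVENT_TAG_ID = 0xF5BC582AU,`) makes the unsigned intent explicit and avoids an unrelated edit to the existing lines. The `/* systemd-boot */` and `/* kernel */` comments could also say where each tag is logged, e.g. `/* systemd-boot >= v255, EV_EVENT_TAG in PCR#5 */` and `/* kernel, EV_EVENT_TAG in PCR#9 */`, which is the information the dispatch in eventlog.c relies on.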