-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
14a3658
commit bfb6e52
Showing
3 changed files
with
249 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,233 @@ | ||
| - commits: | ||
| - subject: Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3 | ||
| hash: cb5893c39fda146bcd25927c8d6511609813bdcc | ||
| body: Update layers/meta-balena | ||
| footer: | ||
| Changelog-entry: Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3 | ||
| changelog-entry: Update layers/meta-balena to 8352e3480e96f4503361752cfe72aca9622250a3 | ||
| author: Self-hosted Renovate Bot | ||
| nested: | ||
| - commits: | ||
| - subject: "os-helpers-tpm2: fix empty efivar reads" | ||
| hash: 3f9d048f964f922c9bfaeee4939197cb31c8eef6 | ||
| body: > | ||
| When reading from efi variables in hostapp-update hooks during | ||
| rollback, | ||
|
|
||
| tcgtool will improperly read zero bytes from efivar files. This | ||
| results | ||
|
|
||
| in an improper calculation of the PCR 7 digest, and an | ||
| unbootable | ||
|
|
||
| system. | ||
|
|
||
|
|
||
| Read the file contents, skipping the first four bytes that are | ||
|
|
||
| attributes, and pipe the data directly to tcgtool to work around | ||
| this. | ||
| footer: | ||
| Change-type: patch | ||
| change-type: patch | ||
| Signed-off-by: Joseph Kogut <[email protected]> | ||
| signed-off-by: Joseph Kogut <[email protected]> | ||
| author: Joseph Kogut | ||
| nested: [] | ||
| - subject: "rollback-health: bind mount EFI partition in old_rootfs" | ||
| hash: 8761c1d6536d86249757f37925ae40d905716cc3 | ||
| body: > | ||
| Some hooks, such as 0-signed-update, will attempt to read files | ||
| from the | ||
|
|
||
| EFI system partition, such as combined policy binaries. | ||
|
|
||
|
|
||
| Bind mount the EFI partition into old_rootfs before running | ||
| hooks to | ||
|
|
||
| ensure this is available. | ||
| footer: | ||
| Change-type: patch | ||
| change-type: patch | ||
| Signed-off-by: Joseph Kogut <[email protected]> | ||
| signed-off-by: Joseph Kogut <[email protected]> | ||
| author: Joseph Kogut | ||
| nested: [] | ||
| - subject: "rollback-health: mount securityfs in old_rootfs" | ||
| hash: e87838103af3c5ee05c60b7105353f987af47e61 | ||
| body: > | ||
| When rollback-health runs, a failing healthcheck causes the | ||
|
|
||
| hostapp-update hooks to be run from the inactive partition, to | ||
| make the | ||
|
|
||
| inactive system bootable again. | ||
|
|
||
|
|
||
| The 0-signed-update hook, which updates the sealing policy for | ||
| secure | ||
|
|
||
| boot enabled systems, reads from the securityfs mounted at | ||
|
|
||
| /sys/kernel/security in order to parse the TPM event log. | ||
|
|
||
|
|
||
| If this filesystem isn't mounted, the hook will improperly | ||
| detect that | ||
|
|
||
| the TPM event log isn't available, and unneccessarily create a | ||
| combined | ||
|
|
||
| policy when a single PCR policy would suffice. | ||
|
|
||
|
|
||
| Mount this filesystem in old_rootfs before chrooting to fix | ||
| this. | ||
| footer: | ||
| Change-type: patch | ||
| change-type: patch | ||
| Signed-off-by: Joseph Kogut <[email protected]> | ||
| signed-off-by: Joseph Kogut <[email protected]> | ||
| author: Joseph Kogut | ||
| nested: [] | ||
| - subject: "os-helpers-tpm2: compute_pcr7 w/ events post separator" | ||
| hash: e4f8f6f9c79f994f873bc930bfa028f2161a29d9 | ||
| body: > | ||
| In commit 1c19ebb, we append digests from the TPM event log | ||
|
|
||
| corresponding to events that are logged before EV_SEPARATOR. For | ||
|
|
||
| instance, parsing the event log on a typical system for event | ||
| types, the | ||
|
|
||
| output looks like this: | ||
|
|
||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (PK) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (db) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) | ||
|
|
||
| EV_SEPARATOR | ||
|
|
||
|
|
||
| This system requires no merging of event log digests. | ||
|
|
||
|
|
||
| On systems that measure EFI binaries (mostly only QEMU w/ edk2), | ||
| we also | ||
|
|
||
| get this: | ||
|
|
||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (PK) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (db) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) | ||
|
|
||
| EV_SEPARATOR | ||
|
|
||
| EV_EFI_VARIABLE_AUTHORITY (bootx64.efi) | ||
|
|
||
| EV_EFI_VARIABLE_AUTHORITY (bzImage) | ||
|
|
||
|
|
||
| Again, this requires no merging. We compute the signature of the | ||
|
|
||
| relevant EFI binaries ourselves, as they're subject to change | ||
| during | ||
|
|
||
| hostapp-update. | ||
|
|
||
|
|
||
| However, we've also seen event logs like this: | ||
|
|
||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (PK) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (db) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) | ||
|
|
||
| EV_EFI_ACTION (DMA Protection Disabled) | ||
|
|
||
| EV_SEPARATOR | ||
|
|
||
|
|
||
| This case is the one we've handled previously, by reading from | ||
| the event | ||
|
|
||
| log and appending event digests before EV_SEPARATOR. We stopped | ||
| at | ||
|
|
||
| EV_SEPARATOR because we weren't parsing event types previously, | ||
| and this | ||
|
|
||
| digest is a constant that's easily recognized. However, we've | ||
| since | ||
|
|
||
| encountered systems that have unexpected events *after* | ||
| EV_SEPARATOR, as | ||
|
|
||
| shown below. | ||
|
|
||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (SecureBoot) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (PK) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (KEK) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (db) | ||
|
|
||
| EV_EFI_VARIABLE_DRIVER_CONFIG (dbx) | ||
|
|
||
| EV_SEPARATOR | ||
|
|
||
| Unknown event type (?!) | ||
|
|
||
|
|
||
| In order to handle this, parse digests and event types into | ||
| temporary | ||
|
|
||
| files and iterate through them together. We only stop appending | ||
| digests | ||
|
|
||
| from the event log when the next event type is | ||
| EV_EFI_VARIABLE_AUTHORITY | ||
|
|
||
| (EFI binary signature) or we hit the end of the list. This | ||
| should | ||
|
|
||
| account for all possible variations. | ||
| footer: | ||
| Change-type: patch | ||
| change-type: patch | ||
| Signed-off-by: Joseph Kogut <[email protected]> | ||
| signed-off-by: Joseph Kogut <[email protected]> | ||
| author: Joseph Kogut | ||
| nested: [] | ||
| version: meta-balena-5.3.15 | ||
| title: "" | ||
| date: 2024-06-05T00:15:59.506Z | ||
| version: 5.3.15 | ||
| title: "" | ||
| date: 2024-06-05T06:24:39.605Z | ||
| - commits: | ||
| - subject: Update layers/meta-balena to 9e95be489587395fec796dc6969fc7d78cf81f77 | ||
| hash: 9b69d4aa288e3bd345c05768d88bb417ead4896a | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 5.3.14 | ||
| 5.3.15 |