
Commit a271eb1

init/nitro: Extend NSM PCRs for rootfs, exec path
As the nitro variant writes the rootfs and execution environment, extend NSM PCRs to account for these two measurements. With this, NSM PCR 16 will represent a hash of the rootfs archive, and NSM PCR 17 will represent a hash of the execution path, argv, and envp.

Signed-off-by: Tyler Fanelli <[email protected]>
1 parent 3f473b1 commit a271eb1


2 files changed

+62
-0
lines changed


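--- a/init/nitro/main.c
+++ b/init/nitro/main.c
@@ -19,6 +19,8 @@
 #include <sys/wait.h>
 #include <linux/vm_sockets.h>
 
+#include <nsm.h>
+
 #include "include/archive.h"
 #include "include/fs_init.h"
 #include "include/cgroups_init.h"
@@ -30,6 +32,11 @@
 #define VSOCK_CID 3
 #define VSOCK_PORT 9000
 
+#define NSM_PCR_ROOTFS 16
+#define NSM_PCR_EXEC_ENV 17
+
+#define NSM_PCR_DATA_SIZE 256
+
 /*
 * Block or unblock signals.
 *
@@ -276,6 +283,56 @@ launch(char **argv, char **envp)
 return 0;
 }
 
+static int
+nsm_pcr_extend_rootfs_exec(void *rootfs, uint32_t rootfs_size, char *exec_path,
+char **exec_argv, char **exec_envp)
+{
+uint8_t pcr_data[NSM_PCR_DATA_SIZE];
+uint32_t pcr_data_size;
+int ret, nsm_fd;
+char *c;
+
+nsm_fd = nsm_lib_init();
+if (nsm_fd < 0)
+return -1;
+
+ret = nsm_extend_pcr(nsm_fd, NSM_PCR_ROOTFS, (uint8_t *) rootfs,
+rootfs_size, pcr_data, &pcr_data_size);
+if (ret != ERROR_CODE_SUCCESS)
+return -ret;
+
+ret = nsm_lock_pcr(nsm_fd, NSM_PCR_ROOTFS);
+if (ret != ERROR_CODE_SUCCESS)
+return -ret;
+
+ret = nsm_extend_pcr(nsm_fd, NSM_PCR_EXEC_ENV, (uint8_t *) exec_path,
+strlen(exec_path), pcr_data, &pcr_data_size);
+if (ret != ERROR_CODE_SUCCESS)
+return -ret;
+
+for (int i = 0; (c = exec_argv[i]) != NULL; ++i) {
+ret = nsm_extend_pcr(nsm_fd, NSM_PCR_EXEC_ENV, (uint8_t *) c, strlen(c),
+pcr_data, &pcr_data_size);
+if (ret != ERROR_CODE_SUCCESS)
+return -ret;
+}
+
+for (int i = 0; (c = exec_envp[i]) != NULL; ++i) {
+ret = nsm_extend_pcr(nsm_fd, NSM_PCR_EXEC_ENV, (uint8_t *) c, strlen(c),
+pcr_data, &pcr_data_size);
+if (ret != ERROR_CODE_SUCCESS)
+return -ret;
+}
+
+ret = nsm_lock_pcr(nsm_fd, NSM_PCR_EXEC_ENV);
+if (ret != ERROR_CODE_SUCCESS)
+return -ret;
+
+nsm_lib_exit(nsm_fd);
+
+return 0;
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -323,6 +380,11 @@ main(int argc, char *argv[])
 if (ret < 0)
 exit(ret);
 
+ret = nsm_pcr_extend_rootfs_exec(rootfs_archive, archive_size, exec_path,
+exec_argv, exec_envp);
+if (ret < 0)
+exit(ret);
+
 ret = rootfs_mount();
 if (ret < 0)
 exit(ret);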
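Review bot: `uint32_t pcr_data_size;` in nsm_pcr_extend_rootfs_exec is never initialized before its address is passed to the first `nsm_extend_pcr` call, which is a read of an indeterminate value and, if the NSM library treats that argument as the buffer capacity on input (the reference nsm-lib C binding documents it as input/output), a call that fails whenever the stale value happens to be smaller than the PCR digest; initialize it with `uint32_t pcr_data_size = NSM_PCR_DATA_SIZE;` and reset it before each call, since on return it holds the number of bytes written. Every `return -ret` after `nsm_lib_init()` succeeds also skips `nsm_lib_exit(nsm_fd)`, so the device descriptor leaks on each failure path; a single cleanup label fixes that, as sketched below. PCR 17 additionally cannot tell an argv entry from an envp entry, because argv `{"a","b"}` with an empty envp extends exactly the same byte sequence as argv `{"a"}` with envp `{"b"}`, so consider extending a fixed separator or the element count between the exec-path, argv and envp groups so that the reference value an attestation verifier compares against is unambiguous. A header comment would also help: `/* Measure the rootfs archive into NSM_PCR_ROOTFS and the exec path, argv and envp into NSM_PCR_EXEC_ENV, locking both; returns 0, -1 if the NSM device cannot be opened, or a negated NSM error code. */`.
```c
static int
nsm_pcr_extend_rootfs_exec(void *rootfs, uint32_t rootfs_size, char *exec_path,
                           char **exec_argv, char **exec_envp)
{
	uint8_t pcr_data[NSM_PCR_DATA_SIZE];
	/* Input: capacity of pcr_data; output: bytes written. Reset before every call. */
	uint32_t pcr_data_size = NSM_PCR_DATA_SIZE;
	int ret, nsm_fd;
	char *c;

	nsm_fd = nsm_lib_init();
	if (nsm_fd < 0)
		return -1;

	ret = nsm_extend_pcr(nsm_fd, NSM_PCR_ROOTFS, (uint8_t *) rootfs,
	                     rootfs_size, pcr_data, &pcr_data_size);
	if (ret != ERROR_CODE_SUCCESS)
		goto out;

	/* … unchanged: lock NSM_PCR_ROOTFS, extend exec_path, argv and envp, lock
	 * NSM_PCR_EXEC_ENV — with `pcr_data_size = NSM_PCR_DATA_SIZE;` before each
	 * nsm_extend_pcr call and `goto out;` in place of every `return -ret;` … */

out:
	/* Release the NSM device on success and on every failure path alike. */
	nsm_lib_exit(nsm_fd);
	return ret == ERROR_CODE_SUCCESS ? 0 : -ret;
}
```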
2.13 MB
Binary file not shown.
