init/nitro: Extend NSM PCRs for rootfs, exec path

As the nitro variant writes the rootfs and execution environment, extend
NSM PCRs to account for these two measurements. With this, NSM PCR 16
will represent a hash of the rootfs archive, and NSM PCR 17 will
represent a hash of the execution path, argv, and envp.

Signed-off-by: Tyler Fanelli <[email protected]>

Author: tylerfanelli

init/nitro/init

@@ -19,6 +19,8 @@
 #include <sys/wait.h>
 #include <linux/vm_sockets.h>
 
+#include <nsm.h>
+
 #include "include/archive.h"
 #include "include/fs_init.h"
 #include "include/cgroups_init.h"
@@ -30,6 +32,11 @@
 #define VSOCK_CID 3
 #define VSOCK_PORT 9000
 
+#define NSM_PCR_ROOTFS      16
+#define NSM_PCR_EXEC_ENV    17
+
+#define NSM_PCR_DATA_SIZE   256
+
 /*
  * Block or unblock signals.
  *
@@ -285,6 +292,71 @@ launch(char **argv, char **envp)
     return 0;
 }
 
+static int
+nsm_pcr_extend(int nsm_fd, int pcr, void *data, uint32_t size)
+{
+    uint32_t pcr_data_size;
+    uint8_t pcr_data[NSM_PCR_DATA_SIZE];
+    bool locked;
+    int ret;
+
+    pcr_data_size = NSM_PCR_DATA_SIZE;
+
+    ret = nsm_describe_pcr(nsm_fd, pcr, &locked, pcr_data, &pcr_data_size);
+    if (ret != ERROR_CODE_SUCCESS)
+        return -ret;
+
+    ret = nsm_extend_pcr(nsm_fd, pcr, (uint8_t *) data, size, pcr_data,
+        &pcr_data_size);
+    if (ret != ERROR_CODE_SUCCESS)
+        return -ret;
+
+    return 0;
+}
+
+static int
+nsm_pcr_extend_rootfs_exec(void *rootfs, uint32_t rootfs_size, char *exec_path,
+    char **exec_argv, char **exec_envp)
+{
+    char *c;
+    int ret, nsm_fd;
+
+    nsm_fd = nsm_lib_init();
+    if (nsm_fd < 0)
+        return -1;
+
+    ret = nsm_pcr_extend(nsm_fd, NSM_PCR_ROOTFS, rootfs, rootfs_size);
+    if (ret < 0)
+        return ret;
+
+    ret = nsm_lock_pcr(nsm_fd, NSM_PCR_ROOTFS);
+    if (ret != ERROR_CODE_SUCCESS)
+        return -ret;
+
+    ret = nsm_pcr_extend(nsm_fd, NSM_PCR_EXEC_ENV, exec_path,
+        strlen(exec_path));
+    if (ret < 0)
+        return ret;
+
+    for (int i = 0; (c = exec_argv[i]) != NULL; ++i) {
+        ret = nsm_pcr_extend(nsm_fd, NSM_PCR_EXEC_ENV, c, strlen(c));
+        if (ret < 0)
+            return ret;
+    }
+
+    for (int i = 0; (c = exec_envp[i]) != NULL; ++i) {
+        ret = nsm_pcr_extend(nsm_fd, NSM_PCR_EXEC_ENV, c, strlen(c));
+        if (ret < 0)
+            return ret;
+    }
+
+    ret = nsm_lock_pcr(nsm_fd, NSM_PCR_EXEC_ENV);
+    if (ret != ERROR_CODE_SUCCESS)
+        return -ret;
+
+    return 0;
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -332,6 +404,11 @@ main(int argc, char *argv[])
     if (ret < 0)
         exit(ret);
 
+    ret = nsm_pcr_extend_rootfs_exec(rootfs_archive, archive_size, exec_path,
+        exec_argv, exec_envp);
+    if (ret < 0)
+        exit(ret);
+
     ret = rootfs_mount();
     if (ret < 0)
         exit(ret);