Skip to content

efi/preinstall: Update PCRProfileOptionsFlags #481

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
chrisccoulson wants to merge 1 commit into
base: master
Choose a base branch
from
Open

efi/preinstall: Update PCRProfileOptionsFlags #481

chrisccoulson wants to merge 1 commit into from

Conversation

@chrisccoulson
Copy link
Collaborator

@chrisccoulson chrisccoulson commented Dec 11, 2025
edited
Loading

This updates PCRProfileOptionsFlags, such that:

  • There are now individual options to include each PCR if not already
    included (PCRProfileOptionLockTo*).
  • PCRProfileOptionsMostSecure includes all of the new
    PCRProfileOptionLockTo* options.
  • PCRProfileOptionTrustCAsForAddonDrivers and
    PCRProfileOptionTrustCAsForBootCode have been renamed to
    PCRProfileOptionTrustSecureBootAuthoritiesForAddonDrivers and
    PCRProfileOptionTrustSecureBootAuthoritiesForBootCode. They can only
    be used if the active CAs are not recognized. They can't be used to
    omit PCRs 2 or 4 from the profile if the CA is recognized and explicitly
    distrusted, so that users can't use these options to create insecure
    profiles.
  • PCRProfileOptionDistrustVARSuppliedNonHostCode is gone because it is
    superceded by PCRProfileOptionLockToDriversAndApps.

Fixes: FR-12150

@chrisccoulson chrisccoulson force-pushed the preinstall-cleanup-pcr-profile-options branch from fb26b17 to bec8f72 Compare December 11, 2025 21:15
@chrisccoulson
Copy link
Collaborator Author

chrisccoulson commented Dec 11, 2025

Note that as with the other PRs that make some changes to PCRProfileOptionsFlags, there's no backwards compat here because PCRProfileOptionsDefault is the only value currently used by snapd, and that value remains unchanged.

@chrisccoulson chrisccoulson force-pushed the preinstall-cleanup-pcr-profile-options branch from bec8f72 to 68bfe14 Compare December 11, 2025 22:00
@chrisccoulson
efi/preinstall: Update PCRProfileOptionsFlags
321eeb1 
This updates PCRProfileOptionsFlags, such that:

- There are now individual options to include each PCR if not already
  included (PCRProfileOptionLockTo*).
- PCRProfileOptionsMostSecure includes all of the new
  PCRProfileOptionLockTo* options.
- PCRProfileOptionTrustCAsForAddonDrivers and
  PCRProfileOptionTrustCAsForBootCode have been renamed to
- PCRProfileOptionTrustSecureBootAuthoritiesForAddonDrivers and
  PCRProfileOptionTrustSecureBootAuthoritiesForBootCode. They can only
  be used if the active CAs are not recognized. They can't be used to
  omit PCRs 2 or 4 from the profile if the CA is recognized and explicitly
  distrusted, so that users can't use these options to create insecure
  profiles.
- PCRProfileOptionDistrustVARSuppliedNonHostCode is gone because it is
  superceded by PCRProfileOptionLockToDriversAndApps.

Fixes: FR-12150
@chrisccoulson chrisccoulson force-pushed the preinstall-cleanup-pcr-profile-options branch from 68bfe14 to 321eeb1 Compare December 11, 2025 22:37
pedronis
pedronis reviewed Dec 12, 2025
View reviewed changes
Copy link
Collaborator

@pedronis pedronis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did a pass, some small comments

efi/preinstall/profile.go
if flags&auth.Trust != flags {
return authoritiesNotTrusted
}
certFound = true
Copy link
Collaborator

@pedronis pedronis Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't this more authFound than cert found?

efi/preinstall/profile.go
}
trust &= certTrust
if !certFound {
return authoritiesTrustUnknown
Copy link
Collaborator

@pedronis pedronis Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe this should have a comment that the authority of this cert is not in the data set

efi/preinstall/profile.go

var str string
switch flag {
case PCRProfileOptionMostSecure:
Copy link
Collaborator

@pedronis pedronis Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this value is now always exploded in the relevant flags?

efi/preinstall/profile.go
{pcr: internal_efi.BootManagerConfigPCR, unsupportedFlag: NoBootManagerConfigProfileSupport},
{pcr: internal_efi.SecureBootPolicyPCR, unsupportedFlag: NoSecureBootPolicyProfileSupport, opt: secboot_efi.WithSecureBootPolicyProfile},
} {
if _, exists := pcrs[data.pcr]; exists {
Copy link
Collaborator

@pedronis pedronis Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think here s/exists/required/ would be a bit clearer

ernestl
ernestl approved these changes Dec 12, 2025
View reviewed changes
Copy link
Collaborator

@ernestl ernestl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pedronis pedronis pedronis left review comments

@ernestl ernestl ernestl approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chrisccoulson @pedronis @ernestl