pkg: grub: add measurefs command patch for grub 2.06 #2946

Merged
merged 2 commits into from
Dec 16, 2022

Conversation

@Insei Insei (Contributor) commented Nov 29, 2022

I adapted the patch that @mikem-zed added for the 2.02 version of grub and added the measurefs cmd for arm64.

Signed-off-by: Aleksandrov Dmitriy goodmobiledevices@gmail.com

Signed-off-by: Aleksandrov Dmitriy <goodmobiledevices@gmail.com>
Comment on lines +147 to +151
+ char *desc = grub_xasprintf("%s %s", fs->name, result_str);
+ if (!desc)
+ return GRUB_ERR_OUT_OF_MEMORY;
+
+ err = grub_tpm_measure(result, result_len, pcr, desc);
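Review bot: no grub_free(desc) is visible after the grub_tpm_measure call at +151, so the description string allocated at +147 is leaked on every measurefs invocation unless a free follows in lines not shown here; the 2.02 helper quoted further down in this thread freed the buffer immediately after its log call (`ret = grub_tpm_log_event(buf, size, pcr, desc); grub_free(desc); return ret;`), and the 2.06 call site should do the same on both the success and the error path. The `return GRUB_ERR_OUT_OF_MEMORY` at +149 also bypasses any cleanup further down the function, so check that buffers already live at that point (result and result_str are both in scope) are released before returning.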

@Insei Insei (Contributor Author) Nov 29, 2022

Only this part has been changed, because grub 2.06 has its own grub_tpm_measure func.
I've concatenated the fs->name and result_str strings into desc, as is done in our patch that adds the grub_tpm_measure func.

in grub 2.06:
https://github.com/rhboot/grub2/blob/ae94b97be2b81b625d6af6654d3ed79078b50ff6/grub-core/commands/efi/tpm.c#L224-L241

in our grub:

+grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr,
+ const char *kind, const char *description)
+{
+ grub_err_t ret;
+ char *desc = grub_xasprintf("%s %s", kind, description);
+ if (!desc)
+ return GRUB_ERR_OUT_OF_MEMORY;
+ ret = grub_tpm_log_event(buf, size, pcr, desc);
+ grub_free(desc);
+ return ret;
+}
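Review bot: this helper returns whatever grub_tpm_log_event returns and owns the lifetime of `desc` itself (allocated by grub_xasprintf, freed right after the log call), so when the same pattern is moved onto the 2.06 grub_tpm_measure the caller still has to free `desc` after the call; the event-log description is simply `kind` and `description` joined by one space, which is the string a remote verifier will see when it replays the log, so the 2.06 port should keep that exact format if existing attestation policy matches on it. The other behaviour to carry over is what happens on a device with no TPM, which the thread later says needs a separate patch: if the log call returns an error there instead of GRUB_ERR_NONE, measurefs fails and the boot script stops at that line.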

@mikem-zed is everything okay?

@Insei Insei (Contributor Author) commented Nov 30, 2022

kernel hangs at:

................   ..............   ................
 ................   ............   ................
              ....    .........   ....
    ................   .......   ................
     ................   .....   ................
                    ...   .   ....
        ................     ................
          ...............   ................

              Edge Virtualization Engine

................   ..............   ................
 ................   ............   ................
              ....    .........   ....
    .[    8.434559] random: crng init done
............... [    8.439682] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43455-sdio for chip BCM4345/6
  .......   ................
     ................   .....   ................
                    ...   .   ....
        ................    [    8.460764] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6 wl0: Apr 15 2021 03:03:20 version 7.45.234 (4ca95bb CY) FWID 01-996384e2
 ................
          ...............   ................

              Edge Virtualization Engine
linuxkit-dca632b1cd3d login: root (automatic login)

EVE is Edge Virtualization Engine

Take a look around and don't forget to use eve(1).
linuxkit-dca632b1cd3d:~# [   10.916141] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[   11.962629] usbcore: registered new interface driver smsc75xx
[   11.980938] usbcore: registered new interface driver cp210x
[   11.986711] usbserial: USB Serial support registered for cp210x
[   12.001519] nicvf, ver 1.0
[   13.769362] EXT4-fs (mmcblk1p9): mounted filesystem with ordered data mode. Opts: (null)
[   22.815406] usbcore: registered new interface driver cdc_wdm
[   22.853303] usbcore: registered new interface driver cdc_acm
[   22.859057] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters

And no debug messages from grub after the measurefs command:

U-Boot 2022.10-00001-g5a6603ad90-dirty (Nov 27 2022 - 22:58:35 -0100)

DRAM:  7.9 GiB
RPI 4 Model B (0xd03114)
Core:  177 devices, 18 uclasses, devicetree: board
MMC:   mmc@7e300000: 0, mmc@7e340000: 1
Loading Environment from FAT... Card did not respond to voltage select! : -110
** Bad device specification mmc 0 **
In:    serial
Out:   serial
Err:   serial
Net:   eth0: ethernet@7d580000
PCIe BRCM: link up, 5.0 Gbps x1 (SSC)
starting USB...
Bus xhci_pci: Register 5000420 NbrPorts 5
Starting the controller
USB XHCI 1.00
scanning bus xhci_pci for devices... 2 USB Device(s) found
       scanning usb for storage devices... 0 Storage Device(s) found
Hit any key to stop autoboot:  0
Card did not respond to voltage select! : -110
switch to partitions #0, OK
mmc1 is current device
Scanning mmc 1:1...
Card did not respond to voltage select! : -110
** Unable to read file ubootefi.var **
Failed to load EFI variables
BootOrder not defined
EFI boot manager: Cannot load any image
Found EFI removable media binary efi/boot/bootaa64.efi
1040384 bytes read in 64 ms (15.5 MiB/s)
Booting /efi\boot\bootaa64.efi
Welcome to GRUB!

script/script.c:65: free 0x3c8edec0
script/script.c:65: free 0x3c8edf00
script/script.c:65: free 0x3c8edf40
script/script.c:65: free 0x3c8eda00
script/script.c:65: free 0x3c8eda60
script/script.c:65: free 0x3c8edb00
script/script.c:65: free 0x3c8edb60
script/script.c:65: free 0x3c8edbc0
script/script.c:65: free 0x3c8edca0
script/script.c:65: free 0x3c8edd80
script/script.c:65: free 0x3c8edde0
script/script.c:65: free 0x3c8ede20
script/lexer.c:336: token 288 text [set]
script/script.c:50: malloc 0x3c8edce0
script/script.c:50: malloc 0x3c8edca0
script/script.c:163: arglist
script/script.c:50: malloc 0x3c8edc40
script/lexer.c:336: token 289 text [root=]
script/script.c:50: malloc 0x3c8ed9a0
script/script.c:50: malloc 0x3c8ed960
script/lexer.c:336: token 289 text [dev]
script/script.c:50: malloc 0x3c8ed900
script/script.c:50: malloc 0x3c8ed8c0
script/lexer.c:336: token 289 text []
script/script.c:50: malloc 0x3c8edb60
script/script.c:50: malloc 0x3c8ed880
script/script.c:163: arglist
script/script.c:50: malloc 0x3c8ed820
script/lexer.c:336: token 259 text [
]
script/script.c:50: malloc 0x3c8ed7c0
script/script.c:50: malloc 0x3c8ed780
script/script.c:198: cmdline
script/script.c:50: malloc 0x3c8ed720
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x3c8ede00
script/script.c:50: malloc 0x3c8eddc0
script/script.c:294: append command
script/script.c:50: malloc 0x3c8edd80
kern/verifiers.c:212: string: set root=hd0,gpt2, type: 2
script/script.c:65: free 0x3c8edd80
script/script.c:65: free 0x3c8eddc0
script/script.c:65: free 0x3c8ede00
script/script.c:65: free 0x3c8ed720
script/script.c:65: free 0x3c8ed780
script/script.c:65: free 0x3c8ed7c0
script/script.c:65: free 0x3c8ed820
script/script.c:65: free 0x3c8ed880
script/script.c:65: free 0x3c8edb60
script/script.c:65: free 0x3c8ed8c0
script/script.c:65: free 0x3c8ed900
script/script.c:65: free 0x3c8ed960
script/script.c:65: free 0x3c8ed9a0
script/script.c:65: free 0x3c8edc40
script/script.c:65: free 0x3c8edca0
script/script.c:65: free 0x3c8edce0
script/lexer.c:336: token 288 text [configfile]
script/script.c:50: malloc 0x3c8edc20
script/script.c:50: malloc 0x3c8edbe0
script/script.c:163: arglist
script/script.c:50: malloc 0x3c8edb80
script/lexer.c:336: token 289 text [(]
script/script.c:50: malloc 0x3c8ed940
script/script.c:50: malloc 0x3c8ed900
script/lexer.c:336: token 289 text [dev]
script/script.c:50: malloc 0x3c8ed8a0
script/script.c:50: malloc 0x3c8ed860
script/lexer.c:336: token 289 text [)/EFI/BOOT/grub.cfg]
script/script.c:50: malloc 0x3c8ed800
script/script.c:50: malloc 0x3c8ed7a0
script/script.c:163: arglist
script/script.c:50: malloc 0x3c8ed740
script/lexer.c:336: token 259 text [
]
script/script.c:50: malloc 0x3c8ed6e0
script/script.c:50: malloc 0x3c8ed6a0
script/script.c:198: cmdline
script/script.c:50: malloc 0x3c8ed640
script/lexer.c:336: token 0 text []
script/script.c:50: malloc 0x3c8edd80
script/script.c:50: malloc 0x3c8edd40
script/script.c:294: append command
script/script.c:50: malloc 0x3c8edd00
commands/wildcard.c:535: no expansion needed
commands/wildcard.c:594: paths[0] = `(hd0,gpt2)/EFI/BOOT/grub.cfg'
kern/verifiers.c:212: string: configfile (hd0,gpt2)/EFI/BOOT/grub.cfg, type: 2

measurefs: Measuring hd0,gpt2 into PCR-13
                             GNU GRUB  version 2.06

 ┌────────────────────────────────────────────────────────────────────────────┐
 │*Boot 0.0.0-pr2946-3fc6e355-kvm-arm64                                       │
 │ Set Boot Options                                                           │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 │                                                                            │
 └────────────────────────────────────────────────────────────────────────────┘

      Use the ▲ and ▼ keys to select which entry is highlighted.
      Press enter to boot the selected OS, `e' to edit the commands
      before booting or `c' for a command-line. ESC to return previous
      menu.
   The highlighted entry will be executed automatically in 0s.

I need to study the problem.

@Insei Insei marked this pull request as draft November 30, 2022 02:21
@eriknordmark eriknordmark (Contributor) left a comment

Did you test this already to make sure we produce PCR 13 with the rootfs measurement?

@Insei Insei (Contributor Author) commented Nov 30, 2022

Yes, I just tested everything. The problem with the kernel hangs was due to an image write error; after rewriting EVE to the SD card everything worked.

I get these values from the eve exec vtpm tpm2_pcrread command. PCR 13 exists.

sha1:
  0 : 0xF40C4B5B8EC48D5812A47B9117BE084CB446799D
  1 : 0x629391551BD72410650B39D3ABECF488883D66A8
  2 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
  3 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
  4 : 0x171E8800AA35DCA62E25987E72EEBF844BCAE8A8
  5 : 0x731C0516F71254D7F6A0C6EB8B8C1FB8D940658E
  6 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236
  7 : 0x1F5A197D36B62E30E5BC22C88B6E4A4556BB9539
  8 : 0x06A206B240175C6F39DCE90DC5312AE3315E296F
  9 : 0xF2747308E8D208C6687C75440582C06180F013C2
  10: 0x0000000000000000000000000000000000000000
  11: 0x0000000000000000000000000000000000000000
  12: 0x0000000000000000000000000000000000000000
  13: 0x0B90DB4347B5F6115693AB0160454555D0229930
  14: 0x0000000000000000000000000000000000000000
  15: 0x0000000000000000000000000000000000000000
  16: 0x0000000000000000000000000000000000000000
  17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  23: 0x0000000000000000000000000000000000000000
sha256:
  0 : 0x046F1225A3A2FEDD476930D68C5FDC7C9F355F206F0555A0FBC966231447613D
  1 : 0xD88B8D993E6AEE365B9BA3384E1FE7AD6D04F33AF2AF7F681B2453C65875D102
  2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
  3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
  4 : 0x68A816FD57A9F35EE31E31DA45C27853F7DA9B55CA34A127E849B027A197D9D0
  5 : 0x86A20D6013CC1DC8F8FDE77389F88964AE693AF97FC7B26074F7709C2E9F6D38
  6 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
  7 : 0x9674AECD3F40B4A936AE19C8848AB95A8799D8897FFC40480599652E55D49332
  8 : 0x6301D31A77000315E575B4C8B37DEA49A26031BAA9065E7C90404E91B4263913
  9 : 0x8C0DA3C568A1CCF7443E737C0E30B1433F6360588F12D257C428DC07104CA55F
  10: 0x0000000000000000000000000000000000000000000000000000000000000000
  11: 0x0000000000000000000000000000000000000000000000000000000000000000
  12: 0x0000000000000000000000000000000000000000000000000000000000000000
  13: 0x3EB6713D587021F8F57EE432C93CFACF1D16A6692D9F511DDED4F47721C99F95
  14: 0xECF7D7F8449D0F783A28715D2A2EDA576069FEEFE8FAC17B9D0D47527DA0DE60
  15: 0x0000000000000000000000000000000000000000000000000000000000000000
  16: 0x0000000000000000000000000000000000000000000000000000000000000000
  17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  23: 0x0000000000000000000000000000000000000000000000000000000000000000
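
Added example, not code from this PR or from the EVE project: a small Python helper that parses a tpm2_pcrread listing in the layout posted above, confirms that PCR 13 carries a measurement in every bank (neither the all-zero reset value of PCRs 0-16 nor the all-ones value the unused PCRs 17-22 show), and replays the TPM extend operation PCR_new = H(PCR_old || digest) so the reported value can be checked against the digest(s) recorded for that PCR. The sample listing embedded in the script is constructed from the rows above; the rootfs digest used in the main block is a made-up placeholder, because the digest measurefs actually hashed is not shown in this thread, so the replay cannot confirm the posted PCR-13 values here.

```python
"""Check a tpm2_pcrread listing for a rootfs measurement in PCR 13 and
replay the expected PCR value from the digests that were extended."""
import hashlib
import re

# Constructed sample input: a trimmed tpm2_pcrread listing in the same
# layout as the dump posted in the thread. The PCR-13 rows are the values
# shown there; the PCR-12 rows are the all-zero rows from the same dump.
SAMPLE_PCRREAD = """\
sha1:
  12: 0x0000000000000000000000000000000000000000
  13: 0x0B90DB4347B5F6115693AB0160454555D0229930
sha256:
  12: 0x0000000000000000000000000000000000000000000000000000000000000000
  13: 0x3EB6713D587021F8F57EE432C93CFACF1D16A6692D9F511DDED4F47721C99F95
"""

_BANK_RE = re.compile(r"^(\w+):\s*$")            # e.g. "sha256:"
_PCR_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")  # "  13: 0x..."


def parse_pcrread(text):
    """Parse tpm2_pcrread output into {bank_name: {pcr_index: bytes}}."""
    banks = {}
    current = None
    for line in text.splitlines():
        m = _BANK_RE.match(line)
        if m:
            current = m.group(1)
            banks.setdefault(current, {})
            continue
        m = _PCR_RE.match(line)
        if m and current is not None:
            banks[current][int(m.group(1))] = bytes.fromhex(m.group(2))
    return banks


def replay_pcr(bank, digests):
    """Value of a PCR that starts all-zero after extending `digests` in
    order: PCR_new = H(PCR_old || digest). Each digest must already be in
    the bank's own algorithm and size, as it is in the event log."""
    size = hashlib.new(bank).digest_size
    pcr = bytes(size)
    for d in digests:
        if len(d) != size:
            raise ValueError("digest of %d bytes does not fit bank %s" % (len(d), bank))
        pcr = hashlib.new(bank, pcr + d).digest()
    return pcr


def check_measured_pcr(banks, pcr_index=13):
    """True if pcr_index is present in every bank, has the bank's digest
    size, and has been extended at least once (not all-zero, not all-ones)."""
    if not banks:
        return False
    for bank, pcrs in banks.items():
        value = pcrs.get(pcr_index)
        if value is None or len(value) != hashlib.new(bank).digest_size:
            return False
        if value == bytes(len(value)) or value == b"\xff" * len(value):
            return False
    return True


def verify_against_log(banks, bank, pcr_index, digests):
    """Replay the digests recorded for pcr_index (taken from the TPM event
    log) and compare with the value the TPM reports in that bank."""
    return banks.get(bank, {}).get(pcr_index) == replay_pcr(bank, digests)


if __name__ == "__main__":
    banks = parse_pcrread(SAMPLE_PCRREAD)
    print("PCR 13 extended in every bank:", check_measured_pcr(banks))
    # Placeholder digest standing in for what measurefs hashed; the real
    # one has to come from the event log or from re-hashing the partition.
    placeholder = hashlib.sha256(b"constructed rootfs image").digest()
    print("PCR 13 matches replay of the placeholder digest:",
          verify_against_log(banks, "sha256", 13, [placeholder]))
```

On a device the digests to replay come from the firmware event log (for example `tpm2_eventlog /sys/kernel/security/tpm0/binary_bios_measurements` on a Linux system that exposes it), where the measurefs entry is identified by the `fs->name result_str` description the grub code above writes; a PCR-13 value that passes check_measured_pcr but fails verify_against_log means the PCR was extended with something other than the logged digest, which is exactly the condition an attestation policy should reject.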

@Insei Insei marked this pull request as ready for review December 8, 2022 04:06
@Insei Insei (Contributor Author) commented Dec 8, 2022

I think we can merge this because it looks like a working solution.

@eriknordmark eriknordmark requested a review from rene December 12, 2022 10:46
@mikem-zed mikem-zed (Contributor) left a comment

LGTM

There is a patch that checks whether we are running EVE on a device without a TPM. I think we should merge this one too.

Signed-off-by: Petr Fedchenkov <giggsoff@gmail.com>
@eriknordmark eriknordmark (Contributor) left a comment

LGTM

@mikem-zed mikem-zed (Contributor)

LGTM

@rouming rouming (Contributor) commented Dec 15, 2022

@mikem-zed any chances you upstream the patch?

@rouming rouming (Contributor) commented Dec 15, 2022

Or, if @Insei has connections in the grub community, could he help with that?

@mikem-zed mikem-zed (Contributor)

We need to move to the latest LTS GRUB, which is going to be 2.12 soon. Then we can think about upstreaming. This is not a very easy task: vanilla grub is not suitable for us because it is missing some important functionality like efilinux. This is why we have an initiative to use Ubuntu's 2.06 grub, but the whole process is not decided yet.

@eriknordmark eriknordmark merged commit deb1be3 into lf-edge:master Dec 16, 2022
5 participants