diff --git a/docs/grub.texi b/docs/grub.texi index 289af709c..37c1d1963 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -3342,6 +3342,7 @@ These variables have special meaning to GRUB. * theme:: * timeout:: * timeout_style:: +* tpm_fail_fatal:: @end menu @@ -3849,6 +3850,15 @@ displaying the menu. See the documentation of @samp{GRUB_TIMEOUT_STYLE} (@pxref{Simple configuration}) for details. +@node tpm_fail_fatal +@subsection tpm_fail_fatal + +If this variable is set and true (i.e., not set to ``0'', ``false'', +``disable'', or ``no''), TPM measurements that fail will be treated as +fatal. Otherwise, they will merely be debug-logged and boot will +continue. + + @node Environment block @section The GRUB environment block diff --git a/grub-core/commands/tpm.c b/grub-core/commands/tpm.c index 2052c36ea..3437e8e03 100644 --- a/grub-core/commands/tpm.c +++ b/grub-core/commands/tpm.c @@ -18,6 +18,7 @@ * Core TPM support code. */ +#include #include #include #include @@ -39,10 +40,22 @@ grub_tpm_verify_init (grub_file_t io, return GRUB_ERR_NONE; } +static inline bool +is_tpm_fail_fatal (void) +{ + return grub_env_get_bool ("tpm_fail_fatal", false); +} + static grub_err_t grub_tpm_verify_write (void *context, void *buf, grub_size_t size) { - return grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context); + grub_err_t status = grub_tpm_measure (buf, size, GRUB_BINARY_PCR, context); + + if (status == GRUB_ERR_NONE) + return GRUB_ERR_NONE; + + grub_dprintf ("tpm", "Measuring buffer failed: %d\n", status); + return is_tpm_fail_fatal () ? status : GRUB_ERR_NONE; } static grub_err_t @@ -74,7 +87,11 @@ grub_tpm_verify_string (char *str, enum grub_verify_string_type type) grub_tpm_measure ((unsigned char *) str, grub_strlen (str), GRUB_STRING_PCR, description); grub_free (description); - return status; + if (status == GRUB_ERR_NONE) + return GRUB_ERR_NONE; + + grub_dprintf ("tpm", "Measuring string %s failed: %d\n", str, status); + return is_tpm_fail_fatal () ? status : GRUB_ERR_NONE; } struct grub_file_verifier grub_tpm_verifier = {