@@ -42,79 +42,25 @@ umountEfiVars() {
4242}
4343
4444updateKeys () {
45- PCRS=" 0,2,3,7"
46- PCR_VAL_BIN_CURRENT=" $( mktemp -t) "
47- PCR_VAL_BIN_UPDATED=" $( mktemp -t) "
48- PCR_VAL_BIN_EFIBIN=" $( mktemp -t) "
49- GRUB_BIN=" $( find /mnt/sysroot/inactive -name bootx64.efi.secureboot -print -quit) "
50- KERNEL_BIN=" $( find /mnt/sysroot/inactive -name bzImage -print -quit) "
45+ INACTIVE_SYSROOT=/mnt/sysroot/inactive
46+ GRUB_BIN=" $( find " ${INACTIVE_SYSROOT} " ) "
47+ KERNEL_BIN=" $( find " ${INACTIVE_SYSROOT} " ) "
5148 if [ -z " ${GRUB_BIN} " || [ -z " ${KERNEL_BIN} " ; then
5249 fail " Unable to add kernel and bootloader hashes to PCR7 digest"
5350 fi
5451
5552 EFI_BINARIES=" ${GRUB_BIN} ${KERNEL_BIN} "
5653
57- for pcr in $( echo ${PCRS} | sed ' s/,/ /g' ) ; do
58- case $pcr in
59- 7)
60- # the signatures from the updated database are appended to the
61- # existing variable, removing duplicates
62- SIGNATURE_LENGTH=76 # sizeof(EFI_SIGNATURE_LIST) + SHA256_DIGEST_SIZE + EFI_GUID_SIZE
63- db_override=" $( \
64- { dd if=/sys/firmware/efi/efivars/" db-${EFI_IMAGE_SECURITY_DATABASE_GUID} "
65- status=none \
66- bs=1 \
67- skip=4 | xxd -p -c ${SIGNATURE_LENGTH} ; \
68- dd if=/resin-boot/balena-keys/db.esl \
69- status=none | xxd -p -c ${SIGNATURE_LENGTH} ; \
70- } | awk ' !seen[$0]++' ) "
71- current_digest=" $( tpm2_pcrread --quiet " sha256:$pcr " | _hexencode) "
72- # shellcheck disable=SC2154
73- updated_digest=" $( compute_pcr7 " ${secureboot_override} "
74- " ${pk_override} "
75- " ${kek_override} "
76- " ${db_override} "
77- " ${dbx_override} " ) "
78-
79- cp " ${PCR_VAL_BIN_CURRENT} " " ${PCR_VAL_BIN_UPDATED} "
80- printf " %s" " $updated_digest " | _hexdecode \
81- | dd of=" ${PCR_VAL_BIN_UPDATED} "
82- status=none \
83- bs=1 \
84- seek=" $( du -b " ${PCR_VAL_BIN_UPDATED} " | cut -f1) "
85-
86- # This OS release may not have the bootloader version required
87- # to read the TPM event log, which means we can't assess if the
88- # firmware measures EFI binary signatures into PCR7.
89- #
90- # Create a combined policy that authenticates with PCR7 values
91- # calculated with and without the EFI binary hashes.
92- cp " ${PCR_VAL_BIN_CURRENT} " " ${PCR_VAL_BIN_EFIBIN} "
93- for bin in ${EFI_BINARIES} ; do
94- extend=" $( tcgtool -s " $bin "
95- | tcgtool -e " db-${EFI_IMAGE_SECURITY_DATABASE_GUID} "
96- | _sha256 ) "
97- updated_digest=$( printf ' %s%s' " $updated_digest " " $extend " | _hexdecode | _sha256)
98- done
99-
100- printf " %s" " $updated_digest " | _hexdecode \
101- | dd of=" ${PCR_VAL_BIN_EFIBIN} "
102- status=none \
103- bs=1 \
104- seek=" $( du -b " ${PCR_VAL_BIN_EFIBIN} " | cut -f1) "
105- digest=" $current_digest "
106- ;;
107- * )
108- digest=" $( tpm2_pcrread --quiet " sha256:$pcr " | _hexencode) "
109- ;;
110- esac
111-
112- printf " %s" " $digest " | _hexdecode \
113- | dd of=" ${PCR_VAL_BIN_CURRENT} "
114- status=none \
115- bs=1 \
116- seek=" $( du -b " ${PCR_VAL_BIN_CURRENT} " | cut -f1) "
117- done
54+ PCRS=" 0,2,3,7"
55+ PCR_VAL_BIN_UPDATED=" $( mktemp -t) "
56+ PCR_VAL_BIN_EFIBIN=" $( mktemp -t) "
57+ generate_pcr_digests \
58+ " ${PCRS} "
59+ " ${PCR_VAL_BIN_UPDATED} "
60+ generate_pcr_digests \
61+ " ${PCRS} "
62+ " ${PCR_VAL_BIN_EFIBIN} "
63+ " ${EFI_BINARIES} "
11864
11965 SESSION_CTX=$( mktemp -t)
12066 EFI_MOUNT_DIR=" /mnt/efi"
@@ -142,6 +88,12 @@ updateKeys() {
14288
14389 tpm2_flushcontext " ${SESSION_CTX} " > /dev/null 2>&1
14490
91+ # This OS release may not have the bootloader version required
92+ # to read the TPM event log, which means we can't assess if the
93+ # firmware measures EFI binary signatures into PCR7.
94+ #
95+ # Create a combined policy that authenticates with PCR7 values
96+ # calculated with and without the EFI binary hashes.
14597 POLICY_UPDATED=" ${POLICY_PATH} /policy.updated"
14698 POLICY_EFIBIN=" ${POLICY_PATH} /policy.efibin"
14799 POLICY_COMBINED=" $( mktemp -t) "
0 commit comments