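#!/bin/bash
# Measure all of the LUKS Disk Encryption headers into
# a PCR so that we can detect disk swap attacks.
#
# Usage: qubes-measure-luks DEVICE...
#
# For each DEVICE the LUKS header is copied (cryptsetup luksHeaderBackup) to
# /tmp/lukshdr-<device path with every '/' replaced by '_'>, all copies are
# hashed with sha256sum into /tmp/luksDump.txt, and that file is extended into
# PCR 6.  Anything that alters a header (a different disk behind the same
# device node, a re-keyed or re-encrypted volume, tampered keyslots or cipher
# parameters) therefore yields a different PCR 6 value, so anything sealed with
# PCR 6 in its policy stops unsealing.  Only the header is measured, not the
# encrypted data area.
#
# NOTE(security): the header copies MUST have deterministic names.  sha256sum
# writes the path of every input into /tmp/luksDump.txt and that text is what
# gets measured, so a random (mktemp) name or a different glob order would
# change the PCR value from boot to boot and break unsealing.  Do not replace
# the fixed /tmp/lukshdr-* naming with mktemp.
#
# The header copies carry the (encrypted) keyslot material, so they are removed
# as soon as they have been hashed, on the error path as well.

. /etc/functions

TRACE_FUNC
DEBUG "Arguments passed to qubes-measure-luks: $@"

# With no devices there is nothing to measure; fail explicitly instead of
# extending PCR 6 with whatever happens to match /tmp/lukshdr-* .
[ "$#" -gt 0 ] || die "No LUKS devices given to measure"

# Drop header copies left behind by an earlier run that died mid-way, so they
# are neither folded silently into this measurement nor make cryptsetup (which
# refuses to overwrite an existing backup file) fail the retry.
rm -f -- /tmp/lukshdr-*
# Whatever way this script exits, no header copy may outlive it.
trap 'rm -f -- /tmp/lukshdr-*' EXIT

# Measure the LUKS headers into PCR 6
for dev in "$@"; do
	# /dev/sda2 -> /tmp/lukshdr-_dev_sda2 (all slashes replaced, deterministic)
	hdr="/tmp/lukshdr-${dev//\//_}"
	DEBUG "Storing LUKS header for $dev into $hdr"
	cryptsetup luksHeaderBackup "$dev" \
		--header-backup-file "$hdr" ||
		die "$dev: Unable to read LUKS header"
done

DEBUG "Hashing LUKS headers into /tmp/luksDump.txt"
# The glob order fixes the line order in luksDump.txt and hence the PCR value.
sha256sum /tmp/lukshdr-* >/tmp/luksDump.txt || die "Unable to hash LUKS headers"

DEBUG "Removing /tmp/lukshdr-*"
rm -f -- /tmp/lukshdr-*

DEBUG "Extending TPM PCR 6 with hash of LUKS headers from /tmp/luksDump.txt"
tpmr extend -ix 6 -if /tmp/luksDump.txt ||
	die "Unable to extend PCR"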