Ignore PCR5 when sealing key when Librem Key is enabled

When the Librem Key is enabled, the kernel loads USB modules at boot, this causes PCR5 to change and breaks unsealing the LUKS key (if set). This change retains the protection of the PCR5 check unless Librem Key is enabled.
2025-01-29 15:44:07 +00:00 · 2018-11-07 13:27:52 -08:00 · 2018-11-07 13:27:52 -08:00 · 79a09e7424
commit 79a09e7424
parent fd99d160e8
1 changed files with 9 additions and 1 deletions
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@ -84,6 +84,14 @@ cat "$KEY_DEVICES" | cut -d\  -f1 | xargs /bin/qubes-measure-luks \
 	|| die "Unable to measure the LUKS headers"
 luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`

+# Librem Key loads USB modules which changes PCR5.
+# In the event Librem Key is enabled, skip verification of PCR5
+if [ -x /bin/libremkey_hotp_verification ]; then
+  pcr_5="X"
+else
+  pcr_5="0000000000000000000000000000000000000000"
+fi
+
 # Note that PCR 4 needs to be set with the "normal-boot"
 # path value, which we do not have right now since we are
 # in a recovery shell.
@ -104,7 +112,7 @@ tpm sealfile2 \
 	-ix 2 X \
 	-ix 3 X \
 	-ix 4 0000000000000000000000000000000000000000 \
-	-ix 5 0000000000000000000000000000000000000000 \
+	-ix 5 $pcr_5 \
 	-ix 6 $luks_pcr \
 	-ix 7 X \
 || die "Unable to seal secret"