initrd/bin/seal-totp: PCR0-4 cannot be expected to be 0 on PPC64.

Seal with extended PCR values, expected to be the same at unseal-totp operation
2024-12-19 21:17:55 +00:00 · 2023-05-25 14:05:40 -04:00 · 2023-05-25 14:05:40 -04:00 · 7b949a1a44
commit 7b949a1a44
parent 92cddb315f
1 changed files with 7 additions and 2 deletions
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
@ -30,12 +30,17 @@ dd \

 secret="`base32 < $TOTP_SECRET`"
 pcrf="/tmp/secret/pcrf.bin"
+DEBUG "Sealing TOTP with actual state of PCR0-4)"
 tpmr pcrread 0 "$pcrf"
 tpmr pcrread -a 1 "$pcrf"
 tpmr pcrread -a 2 "$pcrf"
 tpmr pcrread -a 3 "$pcrf"
-# pcr 4 is expected to be zero (boot mode: init)
-dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
+DEBUG "Sealing TOTP with actual state of PCR4 (Going to recovery shell extends PCR4)"
+# pcr 4 is expected to either: 
+#  zero on bare coreboot+linuxboot on x86 (boot mode: init)
+#  already extended on ppc64 per BOOTKERNEL (skiboot) which boots heads.
+#We expect the PCR4 to be in the right state at unattended unseal operation
+tpmr pcrread -a 4 "$pcrf"
 # pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
 DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)"
 # pcr 6 (drive luks header) is not measured at sealing/unsealing of totp