From 7b949a1a44eced0e90199eb6bd4e01513234f081 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Thu, 25 May 2023 14:05:40 -0400
Subject: [PATCH] initrd/bin/seal-totp: PCR0-4 cannot be expected to be 0 on PPC64. Seal with extended PCR values, expected to be the same at unseal-totp operation
---
 initrd/bin/seal-totp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp
index d9608890..c67a574d 100755
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
@@ -30,12 +30,17 @@ dd \
 
 secret="`base32 < $TOTP_SECRET`"
 pcrf="/tmp/secret/pcrf.bin"
+DEBUG "Sealing TOTP with actual state of PCR0-4)"
 tpmr pcrread 0 "$pcrf"
 tpmr pcrread -a 1 "$pcrf"
 tpmr pcrread -a 2 "$pcrf"
 tpmr pcrread -a 3 "$pcrf"
-# pcr 4 is expected to be zero (boot mode: init)
-dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
+DEBUG "Sealing TOTP with actual state of PCR4 (Going to recovery shell extends PCR4)"
+# pcr 4 is expected to either:
+# zero on bare coreboot+linuxboot on x86 (boot mode: init)
+# already extended on ppc64 per BOOTKERNEL (skiboot) which boots heads.
+#We expect the PCR4 to be in the right state at unattended unseal operation
+tpmr pcrread -a 4 "$pcrf"
 # pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
 DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)"
 # pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
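Review bot: The new comment block above `tpmr pcrread -a 4 "$pcrf"` lists the two PCR4 states but not the consequence the preceding DEBUG line hints at: the seal now binds to whatever PCR4 holds at seal time, so if the DEBUG text is right that entering the recovery shell extends PCR4, a TOTP sealed from that shell is not expected to unseal on a normal init-path boot, and one sealed on the init path is not expected to unseal after such an extension. I would state that operational requirement next to the read, e.g. `# Seal with PCR4 as currently measured; unseal-totp only succeeds when PCR4 holds the same value, so seal from the same boot path (init) that unattended unseal runs from.` The string `"Sealing TOTP with actual state of PCR0-4)"` has a stray closing parenthesis, and `#We expect` lacks the space after `#` that the neighbouring comments use; the previous comment line would also read better as `# pcr 4 is expected to be either:` followed by `# - zero ...` / `# - already extended ...`.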