From b4b0bc4a7afa357a9142145ca30fe8d4a4ab7f7b Mon Sep 17 00:00:00 2001
From: HardenedVault
Date: Wed, 19 Jan 2022 07:07:03 +0200
Subject: [PATCH] Use luksHeaderBackup rather than luksDump to measure luks headers.

---
 initrd/bin/qubes-measure-luks | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/initrd/bin/qubes-measure-luks b/initrd/bin/qubes-measure-luks
index a9acadf3..ddf39ef3 100755
--- a/initrd/bin/qubes-measure-luks
+++ b/initrd/bin/qubes-measure-luks
@@ -6,9 +6,13 @@ die() { echo >&2 "$@"; exit 1; }
 # Measure the luks headers into PCR 6
 for dev in "$@"; do
- cryptsetup luksDump $dev \
- || die "$dev: Unable to measure"
-done > /tmp/luksDump.txt
+ cryptsetup luksHeaderBackup $dev \
+ --header-backup-file /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g') \
+ || die "$dev: Unable to read luks header"
+done
+
+sha256sum /tmp/lukshdr-* > /tmp/luksDump.txt || die "Unable to hash luks headers"
+rm /tmp/lukshdr-*
 tpm extend -ix 6 -if /tmp/luksDump.txt \
 || die "Unable to extend PCR"
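Review bot: Every `die` in the new loop and on the `sha256sum` line exits before `rm /tmp/lukshdr-*` runs, so a failed run leaves header backups in /tmp. A later run then hashes any stale file matching `/tmp/lukshdr-*` into the measurement, and, as far as I know, `cryptsetup luksHeaderBackup` refuses to write to a backup file that already exists. Clearing before the loop and on exit, with `rm -f /tmp/lukshdr-*` followed by `trap 'rm -f /tmp/lukshdr-*' EXIT`, fixes this without changing the paths that end up in the hashed list. `sha256sum` also prints each file name beside its digest, so the value extended into PCR 6 depends on device names and glob order rather than argument order; a comment such as `# PCR 6 covers header digests plus the device-derived file names, in glob order` would make that explicit. `$dev` and the `$(...)` in the backup path are unquoted, and the script begins above this hunk, so anything set up there is not visible here.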