kexec-seal-key: Reset PCR 23 before precomputing with it

Precomputation relies on PCR 23 being 0 initially, so reset it in case it isn't. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-12-18 20:47:55 +00:00 · 2023-03-07 10:18:56 -05:00 · 2023-03-07 10:18:56 -05:00 · b5985fef03
commit b5985fef03
parent eda24d85bf
1 changed files with 1 additions and 0 deletions
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@ -182,6 +182,7 @@ elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
 		dd if=/dev/zero bs=32 count=1 >> "$pcrf"
 	fi
 	# Use pcr 23 to precompute the value for pcr 6
+	tpm2 pcrreset 23
 	tpmr extend -ix 23 -if /tmp/luksDump.txt
 	tpm2 pcrread -o /dev/stderr sha256:23 2>&1 >/dev/console | cat >> "$pcrf"
 	# goal is to validate that what is in pcr 23 is at pcr 6 at unseal