kexec-select-boot/kexec-insert-key: add info message explaining why PCR 4 is extended

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-19 21:17:55 +00:00 · 2023-11-06 10:03:14 -05:00 · 2023-11-06 10:03:14 -05:00 · bfc877c49c
commit bfc877c49c
parent 504f0336ac
2 changed files with 2 additions and 0 deletions
--- a/initrd/bin/kexec-insert-key
+++ b/initrd/bin/kexec-insert-key
@ -49,6 +49,7 @@ if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then
 fi

 # Override PCR 4 so that user can't read the key
+echo " !!!!! Extending TPM PCR 4 to prevent further secret unsealing !!!!!"
 tpmr extend -ix 4 -ic generic ||
 	die 'Unable to scramble PCR'

--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
@ -381,6 +381,7 @@ while true; do
 	if [ "$CONFIG_TPM" = "y" ]; then
 		if [ ! -r "$TMP_KEY_DEVICES" ]; then
 			# Extend PCR4 as soon as possible
+			echo " !!!!! Extending TPM PCR 4 to prevent further secret unsealing !!!!!"
 			tpmr extend -ix 4 -ic generic ||
 				die "Failed to extend PCR 4"
 		fi