ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-01-01 18:56:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

kexec-select-boot/kexec-insert-key: add info message explaining why PCR 4 is extended

Browse Source 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2023-11-06 10:03:14 -05:00
parent 504f0336ac
commit bfc877c49c
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
2 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
initrd/bin/kexec-insert-key
View File

@ -49,6 +49,7 @@ if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then
fi fi
# Override PCR 4 so that user can't read the key # Override PCR 4 so that user can't read the key
echo " !!!!! Extending TPM PCR 4 to prevent further secret unsealing !!!!!"
tpmr extend -ix 4 -ic generic || tpmr extend -ix 4 -ic generic ||
die 'Unable to scramble PCR' die 'Unable to scramble PCR'

1
initrd/bin/kexec-select-boot
View File

@ -381,6 +381,7 @@ while true; do
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
if [ ! -r "$TMP_KEY_DEVICES" ]; then if [ ! -r "$TMP_KEY_DEVICES" ]; then
# Extend PCR4 as soon as possible # Extend PCR4 as soon as possible
echo " !!!!! Extending TPM PCR 4 to prevent further secret unsealing !!!!!"
tpmr extend -ix 4 -ic generic || tpmr extend -ix 4 -ic generic ||
die "Failed to extend PCR 4" die "Failed to extend PCR 4"
fi fi