WiP: staging changes, no more tpm output. Next: warn that /boot changed because of the htop counter and primary handle, until they are removed outside of this PR

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2024-12-13 14:50:24 -05:00
parent c7ab861325
commit d768e80de6
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
3 changed files with 10 additions and 2 deletions


@ -580,7 +580,7 @@ reset_tpm()
|| die "Unable to find/create tpm counter"
counter="$TPM_COUNTER"
increment_tpm_counter $counter \
increment_tpm_counter $counter > /dev/null 2>&1 \
|| die "Unable to increment tpm counter"
sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
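Review bot: The `2>&1` on the new increment_tpm_counter line discards the helper's own diagnostic: increment_tpm_counter already ends in `die "TPM counter increment failed for rollback prevention. Please reset the TPM"` (visible in the third file's hunk), and if die writes to stderr and exits the shell, as its name suggests but I cannot confirm here, the user sees neither that hint nor the generic `|| die "Unable to increment tpm counter"`, because the script terminates inside the redirected call. Suppressing only stdout keeps the counter value quiet while preserving the error path: `increment_tpm_counter "$counter" > /dev/null \`. The new read_tpm_counter call in verify_rollback_counter in the second file has the same problem. reset_tpm's body continues outside the hunk.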


@ -119,7 +119,7 @@ verify_rollback_counter() {
die "$TMP_ROLLBACK_FILE: TPM counter not found?"
fi
read_tpm_counter $TPM_COUNTER ||
read_tpm_counter $TPM_COUNTER > /dev/null 2>&1 ||
die "Failed to read TPM counter"
sha256sum -c $TMP_ROLLBACK_FILE ||
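Review bot: With the new redirection, a failed `tpmr counter_read` can now leave an empty `/tmp/counter-$TPM_COUNTER` with no message at all: read_tpm_counter tests a pipeline (`tpmr ... | tee ... || die`, third file), so its `|| die` reflects tee's status rather than tpmr's unless pipefail is enabled somewhere not visible here, and stderr is discarded at this call site. The rollback check then depends solely on the following `sha256sum -c` mismatching, which fails closed but leaves the operator with no explanation. An explicit check after the read makes the failure visible: `[ -s "/tmp/counter-$TPM_COUNTER" ] || die "Failed to read TPM counter"`. The helper quotes its own `"$1"`, so the call should quote too: `read_tpm_counter "$TPM_COUNTER" > /dev/null ||`. verify_rollback_counter continues outside the hunk.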


@ -382,12 +382,14 @@ check_tpm_counter() {
fi
}
# Read the TPM counter value from the TPM.
read_tpm_counter() {
TRACE_FUNC
tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" > /dev/null 2>&1 ||
die "Counter read failed"
}
# Increment the TPM counter value in the TPM.
increment_tpm_counter() {
TRACE_FUNC
tpmr counter_increment -ix "$1" -pwdc '' |
@ -395,6 +397,7 @@ increment_tpm_counter() {
die "TPM counter increment failed for rollback prevention. Please reset the TPM"
}
# Check detached signature on kexec boot params
check_config() {
TRACE_FUNC
if [ ! -d /tmp/kexec ]; then
@ -414,6 +417,7 @@ check_config() {
fi
if [ "$2" != "force" ]; then
# Note that kexec.sig detached signature is solely verifying kexec*.txt files here!
if ! sha256sum $(find $1/kexec*.txt) | gpgv $1/kexec.sig -; then
die 'Invalid signature on kexec boot params'
fi
@ -436,6 +440,7 @@ replace_rom_file() {
cbfs.sh -o "$ROM" -a "$ROM_FILE" -f "$NEW_FILE"
}
# Replace the config file by the changed one
replace_config() {
TRACE_FUNC
CONFIG_FILE=$1
@ -469,6 +474,7 @@ secret_from_rom_hash() {
sha256sum "${ROM_IMAGE}" | cut -f1 -d ' ' | fromhex_plain
}
# Update the checksums of the files in /boot and sign them
update_checksums() {
TRACE_FUNC
# ensure /boot mounted
@ -499,6 +505,7 @@ update_checksums() {
return $rv
}
# Print the file and directory structure of /boot to caller's stdout
print_tree() {
TRACE_FUNC
find ./ ! -path './kexec*' -print0 | sort -z
@ -584,6 +591,7 @@ assert_signable() {
rm -f /tmp/signable.*
}
# Verify the checksums of the files in /boot
verify_checksums() {
TRACE_FUNC
local boot_dir="$1"
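Review bot: The new header comment on read_tpm_counter (`# Read the TPM counter value from the TPM.`) leaves out the part of the contract callers depend on: the value is not printed but written to `/tmp/counter-$1`, which verify_rollback_counter later hashes with `sha256sum -c`, and because the function tests a pipeline the `|| die` reflects tee's status rather than tpmr's unless pipefail is set. I'd extend it to `# Read TPM counter $1 into /tmp/counter-$1 (nothing on stdout); the exit status tested is tee's unless pipefail is set.` and likewise state in the increment_tpm_counter comment that it dies rather than returns on failure, which the caller in reset_tpm relies on. The remaining hunks in this file add one-line headers only and need nothing further; verify_checksums continues past the end of the section.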