#!/bin/bash
# Measure all of the LUKS Disk Encryption headers into
# a PCR so that we can detect disk swap attacks.
. /etc/functions

TRACE_FUNC
DEBUG "Arguments passed to qubes-measure-luks: $@"

# Measure the LUKS headers into PCR 6
for dev in "$@"; do
	DEBUG "Storing LUKS header for $dev into /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g')"
	cryptsetup luksHeaderBackup $dev \
		--header-backup-file /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g') ||
		die "$dev: Unable to read LUKS header"
done

DEBUG "Hashing LUKS headers into /tmp/luksDump.txt"
sha256sum /tmp/lukshdr-* >/tmp/luksDump.txt || die "Unable to hash LUKS headers"
DEBUG "Removing /tmp/lukshdr-*"
rm /tmp/lukshdr-*

TRACE_FUNC
echo "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
tpmr extend -ix 6 -if /tmp/luksDump.txt ||
	die "Unable to extend PCR"