mirror of
https://github.com/linuxboot/heads.git
synced 2025-02-11 21:25:17 +00:00
930d3e6114
Quiet mode reduced console output to limit the technical information shown to end users. Output that was previously informational (the previous default) is now treated as additional information and emitted through INFO() calls, which write either to the console or to debug.log. Only DO_WITH_DEBUG should call LOG directly, so that stderr+stdout output is prepended with LOG in debug.log. This fixes the previous implementation, which called LOG in DO_WITH_DEBUG calls and modified the expected output to files, as observed by @3hhh in the output of GRUB entries when selecting a boot option. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
26 lines
841 B
Bash
Executable File
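#!/bin/bash
# Measure all of the LUKS Disk Encryption headers into
# a PCR so that we can detect disk swap attacks.
#
# Usage: qubes-measure-luks DEVICE...
#
# Each DEVICE's LUKS header is backed up into /tmp, the backups are hashed
# with sha256sum into /tmp/luksDump.txt, and that file is handed to
# `tpmr extend` for PCR 6. Any failing step aborts through die.
. /etc/functions

TRACE_FUNC
# "$*" joins the arguments into one word, so DEBUG receives a single message
# instead of one argument per device.
DEBUG "Arguments passed to qubes-measure-luks: $*"

# Measure the LUKS headers into PCR 6
for dev in "$@"; do
	# Flatten the device path into a file name: every '/' becomes '_'.
	# sha256sum prints this path next to each digest, so the name is part of
	# the data that ends up in PCR 6. Changing the naming scheme changes the
	# measurement, and anything sealed against the old value stops unsealing.
	hdr_file="/tmp/lukshdr-${dev//\//_}"
	DEBUG "Storing LUKS header for $dev into $hdr_file"
	# Quoted so a device path with spaces or glob characters stays one argument.
	cryptsetup luksHeaderBackup "$dev" \
		--header-backup-file "$hdr_file" ||
		die "$dev: Unable to read LUKS header"
done

DEBUG "Hashing LUKS headers into /tmp/luksDump.txt"
# The glob expands in sorted order, so the result does not depend on the
# order in which the devices were passed.
# NOTE(review): the glob matches every /tmp/lukshdr-* file, not only the ones
# written above. A leftover file from an earlier run would be hashed too and
# would change the value extended into PCR 6 - confirm /tmp is clean here.
sha256sum /tmp/lukshdr-* >/tmp/luksDump.txt || die "Unable to hash LUKS headers"
DEBUG "Removing /tmp/lukshdr-*"
# The backups hold the key-slot area of each header; do not leave them behind
# once they have been hashed.
rm /tmp/lukshdr-*

TRACE_FUNC
INFO "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
tpmr extend -ix 6 -if /tmp/luksDump.txt ||
	die "Unable to extend PCR"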