heads/initrd/bin/qubes-measure-luks

#!/bin/sh
# Measure all of the luks disk encryption headers into
# a PCR so that we can detect disk swap attacks.
. /etc/functions

TRACE "Under /bin/qubes-measure-luks"

die() { echo >&2 "$@"; exit 1; }

# Measure the luks headers into PCR 6
for dev in "$@"; do
	cryptsetup luksHeaderBackup $dev \
		   --header-backup-file /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g') \
		|| die "$dev: Unable to read luks header"
done

sha256sum /tmp/lukshdr-* > /tmp/luksDump.txt || die "Unable to hash luks headers"
rm /tmp/lukshdr-*

tpm extend -ix 6 -if /tmp/luksDump.txt \
|| die "Unable to extend PCR"