mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-18 20:47:55 +00:00
52992664ea
cbfs-init: remove temp files, measure direct cbfs output, extend PCR with proper introspection tracing flash.sh: do not die but go to recovery if flashrom fails, cosmetic fix for warning given to user kexec-insert-key: extend PCR with proper introspection tracing kexec-select-boot: extend PCR with proper introspection tracing kexec-measure-luks: extend PCR with proper introspection tracing tpmr: Add missing TRACE_FUNC, fix comments, extend give hash that was extended to tpm call in DEBUG, fix TPM startsession unsuppressed output still present ash_functions: extend PCR with proper introspection tracing insmod: DEBUG info more pertinent, extend PCR with proper introspection tracing Signed-off-by: Thierry Laurion <insurgo@riseup.net>
25 lines
830 B
Bash
Executable File
25 lines
830 B
Bash
Executable File
#!/bin/bash
|
|
# Measure all of the LUKS Disk Encryption headers into
|
|
# a PCR so that we can detect disk swap attacks.
|
|
. /etc/functions
|
|
|
|
TRACE_FUNC
|
|
DEBUG "Arguments passed to qubes-measure-luks: $@"
|
|
|
|
# Measure the LUKS headers into PCR 6
|
|
for dev in "$@"; do
|
|
DEBUG "Storing LUKS header for $dev into /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g')"
|
|
cryptsetup luksHeaderBackup $dev \
|
|
--header-backup-file /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g') ||
|
|
die "$dev: Unable to read LUKS header"
|
|
done
|
|
|
|
DEBUG "Hashing LUKS headers into /tmp/luksDump.txt"
|
|
sha256sum /tmp/lukshdr-* >/tmp/luksDump.txt || die "Unable to hash LUKS headers"
|
|
DEBUG "Removing /tmp/lukshdr-*"
|
|
rm /tmp/lukshdr-*
|
|
|
|
echo "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
|
|
tpmr extend -ix 6 -if /tmp/luksDump.txt ||
|
|
die "Unable to extend PCR"
|