extend PCR7 after using it to unlock the LUKS

2018-09-05 15:23:03 +02:00 · 2018-09-05 15:23:03 +02:00 · 6910172911
commit 6910172911
parent 52e5a2c9fa
2 changed files with 23 additions and 18 deletions
--- a/pre-pivot.sh
+++ b/pre-pivot.sh
@ -52,22 +52,26 @@ if cryptsetup isLuks --type luks2 "$datadev"; then
    luksdev=/dev/mapper/$luksname

    if ! [[ -b $luksdev ]]; then
-	if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
-	    udevadm settle --exit-if-exists=/dev/tpmrm0
-	    export TPM2TOOLS_TCTI_NAME=device
-	    export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
-	    
-	    if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
-		clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
-	    elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
-		clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
-	    else
-		warn "Failed to bind disk to TPM2"
-		echo -n "zero key" | cryptsetup open --type luks2 "$datadev" $luksname --key-file /dev/stdin		
-	    fi
-	else
-	    clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
-	fi
+        if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
+            udevadm settle --exit-if-exists=/dev/tpmrm0
+            export TPM2TOOLS_TCTI_NAME=device
+            export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
+
+            if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
+                clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
+            elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
+                clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
+            else
+                warn "Failed to bind disk to TPM2"
+                echo -n "zero key" | cryptsetup open --type luks2 "$datadev" $luksname --key-file /dev/stdin
+            fi
+        else
+            clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
+        fi
+        tpm2_pcrextend \
+            -T device:/dev/tpmrm0 \
+            7:sha1=f6196dd72e7fad01051cb171ed3e8a29f7217b3a,sha256=6064ec4f91ea49cce638d0b7f9013989c01cba8a62957ac96cd1976bb2e098fa 2>&1 \
+            || die "Failed to extend PCR7"
    fi
    datadev="$luksdev"
 fi
@ -89,4 +93,4 @@ for i in passwd shadow group gshadow subuid subgid; do
    cp -a /sysroot/usr/share/factory/data/var/$i /sysroot/data/var/$i
 done

-chroot /sysroot /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1 | vinfo 
+chroot /sysroot /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1 | vinfo
--- a/prepare-root.sh
+++ b/prepare-root.sh
@ -207,7 +207,8 @@ chroot  "$sysroot" \
 	--install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
 	--install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2"  \
 	--install "cryptsetup tail sort pwmake mktemp " \
-	--install "tpm2_createprimary tpm2_pcrlist tpm2_createpolicy tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
+	--install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
+	--install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
 	--install "strace" \
 	--include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/pre-pivot.sh \
 	--include /overlay / \