harald/VerityBook
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

extend PCR7 after using it to unlock the LUKS

Browse source
This commit is contained in:
Harald Hoyer 2018-09-05 15:23:03 +02:00
parent 52e5a2c9fa
commit 6910172911
2 changed files with 23 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
pre-pivot.sh
View file

@ -68,6 +68,10 @@ if cryptsetup isLuks --type luks2 "$datadev"; then
else
clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
fi
tpm2_pcrextend \
-T device:/dev/tpmrm0 \
7:sha1=f6196dd72e7fad01051cb171ed3e8a29f7217b3a,sha256=6064ec4f91ea49cce638d0b7f9013989c01cba8a62957ac96cd1976bb2e098fa 2>&1 \
|| die "Failed to extend PCR7"
fi
datadev="$luksdev"
fi

3
prepare-root.sh
View file

@ -207,7 +207,8 @@ chroot "$sysroot" \
--install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
--install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
--install "cryptsetup tail sort pwmake mktemp " \
--install "tpm2_createprimary tpm2_pcrlist tpm2_createpolicy tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
--install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
--install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
--install "strace" \
--include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/pre-pivot.sh \
--include /overlay / \