feat: pre-calculate PCR11 values during build
brdanin committed Feb 13, 2024
1 parent 194d753 commit 0434dfb
Showing 2 changed files with 31 additions and 2 deletions.
7 changes: 7 additions & 0 deletions builder/image.d/make_repart_disk
Expand Up @@ -34,3 +34,10 @@ cat > "$target/etc/systemd/system/[email protected]/override.conf"
[Unit]
Before=systemd-repart.service
EOF

mkdir -p "$target/etc/systemd/system/systemd-pcrphase-initrd.service.d"
cat > "$target/etc/systemd/system/systemd-pcrphase-initrd.service.d/override.conf" << EOF
[Unit]
After=sys-devices-platform-MSFT0101:00-tpm-tpm0.device
Requires=sys-devices-platform-MSFT0101:00-tpm-tpm0.device
EOF
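Review bot: The new drop-in hard-codes the ACPI device unit `sys-devices-platform-MSFT0101:00-tpm-tpm0.device`, and `Requires=` on a device unit that never appears makes the pcrphase job wait for the device job timeout and then fail; that hits any image booted on a host where the TPM is enumerated under a different sysfs path (non-ACPI platforms) or is absent, which the optional `$tpm2` dracut module in makesecureboot suggests is a supported configuration. A platform-independent anchor would be safer, e.g. `After=dev-tpmrm0.device` plus `Wants=dev-tpmrm0.device` if udev tags the TPM resource-manager device for systemd in this initrd (to be verified), and downgrading `Requires=` to `Wants=` means a missing TPM costs at most the device timeout rather than a failed unit. The override also deserves a comment stating why the ordering is needed — presumably the TPM driver probes after systemd-pcrphase-initrd.service would otherwise run and the initrd phase measurement is lost — since the file does not say.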
26 changes: 24 additions & 2 deletions builder/image.d/makesecureboot
Expand Up @@ -79,7 +79,7 @@ chroot "$rootfs" env dracut \
--no-hostonly \
--force \
--kver "$kernel_version" \
--modules "bash dash systemd systemd-initrd systemd-veritysetup systemd-repart kernel-modules kernel-modules-extra terminfo udev-rules dracut-systemd base fs-lib shutdown crypt $tpm2" \
--modules "bash dash systemd systemd-initrd systemd-veritysetup systemd-repart kernel-modules kernel-modules-extra terminfo udev-rules dracut-systemd base fs-lib shutdown crypt systemd-pcrphase $tpm2" \
--install "/etc/veritytab cryptsetup head mkfs.ext4 systemd-escape lsblk" \
--include "$dracut_include" "/" \
--reproducible \
Expand All @@ -105,13 +105,35 @@ case "$BUILDER_ARCH" in
;;
esac

# pre-calculation PCR11 values
unified_image_tmp="$(mktemp)"
pcr_tmp="$(mktemp)"

/usr/lib/systemd/ukify build \
--stub "$rootfs/usr/lib/systemd/boot/efi/linux$(tr '[:upper:]' '[:lower:]' <<< "$uefi_arch").efi.stub" \
--linux "$kernel_file" \
--initrd "$initrd" \
--cmdline "$cmdline" \
--output "$unified_image_tmp" \
--os-release "@$rootfs/etc/os-release" \
--pcr-banks "sha256" \
--measure > "$pcr_tmp"

read -r pcr_value < "$pcr_tmp"
pcr_value=$(echo $pcr_value | cut -d '=' -f2)

rm $unified_image_tmp
rm $pcr_tmp
# ***

# create unified image
/usr/lib/systemd/ukify build \
--stub "$rootfs/usr/lib/systemd/boot/efi/linux$(tr '[:upper:]' '[:lower:]' <<< "$uefi_arch").efi.stub" \
--linux "$kernel_file" \
--initrd "$initrd" \
--cmdline "$cmdline" \
--output "$unified_image"
--output "$unified_image" \
--os-release "@$rootfs/etc/os-release"

efi_dir="$(mktemp -d)"
mkdir -p "$efi_dir/EFI/BOOT/"
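Review bot: The PCR11 value is taken from the first line of ukify's stdout and split on `=` with no check that the line is a measurement; ukify may also write other lines to stdout (recent versions echo the systemd-measure command they run), so whether the measurement lands first depends on output buffering, and a diagnostic line would silently become `pcr_value`. Select the line explicitly and validate its shape before it is used anywhere TPM policy may depend on it: `pcr_value="$(grep -m1 -E '^11:sha256=' -- "$pcr_tmp" | cut -d '=' -f2)"` followed by `[[ "$pcr_value" =~ ^[0-9a-f]{64}$ ]] || { echo "PCR11 pre-calculation failed" >&2; exit 1; }`. Within this hunk `pcr_value` is not consumed, and the prediction is only valid if the two ukify invocations stay argument-for-argument identical apart from `--measure`/`--pcr-banks`, so a comment stating that invariant next to the second build (`# must match the --measure build above, or the pre-calculated PCR11 will not match the stub's measurement`) would help the next maintainer. The temp files are also removed with unquoted `rm $unified_image_tmp` and are left behind if ukify fails; `rm -f -- "$unified_image_tmp" "$pcr_tmp"` in an EXIT trap (if the script has none already) covers both paths.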
