From 0434dfb5268dc465ad7b0e03af34d3d224bbd221 Mon Sep 17 00:00:00 2001
From: I569190
Date: Tue, 13 Feb 2024 15:57:28 +0100
Subject: [PATCH] feat: pre-calculate PCR11 values during build

---
 builder/image.d/make_repart_disk | 7 +++++++
 builder/image.d/makesecureboot | 26 ++++++++++++++++++++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/builder/image.d/make_repart_disk b/builder/image.d/make_repart_disk
index 93530d4..1404b2a 100755
--- a/builder/image.d/make_repart_disk
+++ b/builder/image.d/make_repart_disk
@@ -34,3 +34,10 @@ cat > "$target/etc/systemd/system/systemd-veritysetup@.service.d/override.conf"
 [Unit]
 Before=systemd-repart.service
 EOF
+
+mkdir -p "$target/etc/systemd/system/systemd-pcrphase-initrd.service.d"
+cat > "$target/etc/systemd/system/systemd-pcrphase-initrd.service.d/override.conf" << EOF
+[Unit]
+After=sys-devices-platform-MSFT0101:00-tpm-tpm0.device
+Requires=sys-devices-platform-MSFT0101:00-tpm-tpm0.device
+EOF
diff --git a/builder/image.d/makesecureboot b/builder/image.d/makesecureboot
index 8e93111..5e8465f 100755
--- a/builder/image.d/makesecureboot
+++ b/builder/image.d/makesecureboot
@@ -79,7 +79,7 @@ chroot "$rootfs" env dracut \
 --no-hostonly \
 --force \
 --kver "$kernel_version" \
- --modules "bash dash systemd systemd-initrd systemd-veritysetup systemd-repart kernel-modules kernel-modules-extra terminfo udev-rules dracut-systemd base fs-lib shutdown crypt $tpm2" \
+ --modules "bash dash systemd systemd-initrd systemd-veritysetup systemd-repart kernel-modules kernel-modules-extra terminfo udev-rules dracut-systemd base fs-lib shutdown crypt systemd-pcrphase $tpm2" \
 --install "/etc/veritytab cryptsetup head mkfs.ext4 systemd-escape lsblk" \
 --include "$dracut_include" "/" \
 --reproducible \
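Review bot: The drop-in written to `systemd-pcrphase-initrd.service.d/override.conf` makes the initrd PCR phase hard-depend on `sys-devices-platform-MSFT0101:00-tpm-tpm0.device`, an ACPI-specific device unit name, and it is installed unconditionally, whereas the dracut hunk in makesecureboot (the `--modules` line) appears to add TPM support conditionally through `$tpm2`, whose definition is outside this patch. On an image built without TPM support, or on a platform that exposes the TPM under a different sysfs path, `Requires=` will make the service fail or block on a device that never appears, so the phase measurement whose PCR11 value this commit pre-calculates would likely not happen at boot and the pre-calculated value would not match. Consider guarding both the drop-in and the `systemd-pcrphase` module on the same condition as `$tpm2`, and documenting the dependency above the `mkdir -p` with a comment such as `# Bind the initrd PCR phase to the TPM device so PCR11 is extended only after the TPM is available; the unit name is the ACPI (MSFT0101) TPM path and must match the target platform.`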
@@ -105,13 +105,35 @@ case "$BUILDER_ARCH" in
 ;;
 esac
+# pre-calculation PCR11 values
+unified_image_tmp="$(mktemp)"
+pcr_tmp="$(mktemp)"
+
+/usr/lib/systemd/ukify build \
+ --stub "$rootfs/usr/lib/systemd/boot/efi/linux$(tr '[:upper:]' '[:lower:]' <<< "$uefi_arch").efi.stub" \
+ --linux "$kernel_file" \
+ --initrd "$initrd" \
+ --cmdline "$cmdline" \
+ --output "$unified_image_tmp" \
+ --os-release "@$rootfs/etc/os-release" \
+ --pcr-banks "sha256" \
+ --measure > "$pcr_tmp"
+
+read -r pcr_value < "$pcr_tmp"
+pcr_value=$(echo $pcr_value | cut -d '=' -f2)
+
+rm $unified_image_tmp
+rm $pcr_tmp
+# ***
+
 # create unified image
 /usr/lib/systemd/ukify build \
 --stub "$rootfs/usr/lib/systemd/boot/efi/linux$(tr '[:upper:]' '[:lower:]' <<< "$uefi_arch").efi.stub" \
 --linux "$kernel_file" \
 --initrd "$initrd" \
 --cmdline "$cmdline" \
- --output "$unified_image"
+ --output "$unified_image" \
+ --os-release "@$rootfs/etc/os-release"
 efi_dir="$(mktemp -d)"
 mkdir -p "$efi_dir/EFI/BOOT/"
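Review bot: The pre-calculation duplicates the whole `ukify build` argument list into a throw-away build, so any future drift between the two invocations (a different `--cmdline`, stub or os-release) would silently produce a PCR11 value that does not correspond to the image actually shipped; since `--measure` prints the values while `--output` still writes the UKI, one invocation can produce both, which also removes `$unified_image_tmp` entirely. The parsing on `pcr_value=$(echo $pcr_value | cut -d '=' -f2)` word-splits an unquoted variable and keeps only the first output line, so if more banks or phases are ever requested, or ukify emits other status lines first, the wrong line is taken without any error; selecting the `11:sha256=` line explicitly and failing when it is absent is safer. `$pcr_value` is not consumed inside this hunk; if it is used further down the file that is fine, but a comment saying what the value is for would help the next reader, and the `# ***` marker is noise. The temporary files are also left behind whenever ukify fails before the two `rm` lines run, and `rm $unified_image_tmp` / `rm $pcr_tmp` should at least quote their arguments.
```shell
# create unified image and pre-calculate its PCR11 value in one pass:
# --measure prints the expected PCR11 value for the UKI that --output writes,
# so exactly the shipped sections are measured.
measure_output="$(/usr/lib/systemd/ukify build \
  --stub "$rootfs/usr/lib/systemd/boot/efi/linux$(tr '[:upper:]' '[:lower:]' <<< "$uefi_arch").efi.stub" \
  --linux "$kernel_file" \
  --initrd "$initrd" \
  --cmdline "$cmdline" \
  --output "$unified_image" \
  --os-release "@$rootfs/etc/os-release" \
  --pcr-banks "sha256" \
  --measure)" || exit 1
# expected line format: 11:sha256=<hex>; take the first such line and fail loudly if none
pcr_value="$(grep -m1 -- '^11:sha256=' <<< "$measure_output")" \
  || { printf 'no PCR11 value in ukify output\n' >&2; exit 1; }
pcr_value="${pcr_value#*=}"
# … unchanged: efi_dir setup …
```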