#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
# This script is used to precalculate the PCR[12] value for a Constellation OS image.
# PCR[12] contains the hash of the kernel command line and is measured by systemd-boot.
# This value was previously measured into PCR[8].
# This script may produce wrong results for systemd-boot versions < 251.
# Usage: precalculate_pcr_12.sh <path to image> <path to output file> <csp>
# Strict mode: abort on any failing command, unset variable, or failing
# pipeline stage.
set -o errexit -o nounset -o pipefail
# Let command substitutions inherit errexit (bash 4.4+), so a failure inside
# `var=$(...)` is not masked by the assignment.
shopt -s inherit_errexit
# Shared helpers live next to this script; the functions used below but not
# defined here (mktempdir, extract, cleanup, pcr_extend) are expected to come
# from this file.
. "$(dirname "$0")/measure_util.sh"
#######################################
# Dump the raw bytes of the .cmdline section of a unified kernel image.
# Arguments:
#   $1 - path to the UKI
#   $2 - path of the file to write the section contents to
# Outputs:
#   the .cmdline section bytes are written to the file named by $2
# Returns:
#   objcopy's exit status
#######################################
get_cmdline_from_uki() {
  local -r uki_path="$1"
  local -r section_out="$2"
  objcopy --only-section=.cmdline -O binary "${uki_path}" "${section_out}"
}
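#######################################
# Hash the kernel command line the way it is measured into the PCR: the file
# content re-encoded as UTF-16LE followed by a two-byte NUL terminator.
# Arguments:
#   $1 - path to a file holding the UTF-8 kernel command line
# Outputs:
#   lowercase hex SHA-256 digest on stdout
# Returns:
#   non-zero if iconv fails (with pipefail, the whole pipeline reports it)
#######################################
cmdline_measure() {
  local -r path="$1"
  # Stream through a pipe instead of a temp file: the previous mktemp file was
  # never removed when iconv or truncate failed under set -e.
  # `printf '\0\0'` emits the same two zero bytes `truncate -s +2` appended;
  # it only runs if the conversion succeeded so a failure is not hashed.
  { iconv -f utf-8 -t utf-16le "${path}" && printf '\0\0'; } \
    | sha256sum | cut -d " " -f 1
}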
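#######################################
# Write the measurement result as a small JSON document.
# Globals:
#   expected_pcr_12 (read) - precalculated PCR[12] value, hex string
#   cmdline         (read) - kernel command line extracted from the UKI
#   cmdline_hash    (read) - SHA-256 of the measured command line, hex string
# Arguments:
#   $1 - output file path (created or overwritten)
# Outputs:
#   the JSON document is written to the file named by $1
#######################################
write_output() {
  local -r out="$1"
  # The command line is the only free-form value; escape backslashes and
  # double quotes so it cannot break out of the JSON string it is embedded in.
  local escaped_cmdline=${cmdline//\\/\\\\}
  escaped_cmdline=${escaped_cmdline//\"/\\\"}
  cat > "${out}" << EOF
{
"measurements": {
"12": {
"expected": "${expected_pcr_12}"
}
},
"cmdline": "${escaped_cmdline}",
"cmdline-sha256": "${cmdline_hash}"
}
EOF
}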
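# Positional arguments, as documented in the header. Check the count up front
# so a missing argument gives a usage line rather than an "unbound variable"
# error from set -u.
if (( $# != 3 )); then
  printf 'Usage: %s <path to image> <path to output file> <csp>\n' "${0##*/}" >&2
  exit 2
fi
IMAGE="$1"
OUT="$2"
CSP="$3"
DIR=$(mktempdir)
# Remove the scratch directory on every exit path, including failures.
trap 'cleanup "${DIR}"' EXIT
# Pull the UKI directory out of the image, then hand the extracted files back
# to the invoking user (extract presumably leaves them root-owned, hence sudo).
# NOTE(review): this relies on USER being set in the environment; $(id -un)
# would be more robust under sudo/CI — confirm before changing.
extract "${IMAGE}" "/efi/EFI/Linux" "${DIR}/uki"
sudo chown -R "${USER}:${USER}" "${DIR}/uki"
# Exactly one UKI is expected. With zero matches the glob stays literal and cp
# fails; with several, cp fails because the target is not a directory. Check
# explicitly so the error names the actual problem.
shopt -s nullglob
ukis=("${DIR}"/uki/*.efi)
shopt -u nullglob
if (( ${#ukis[@]} != 1 )); then
  printf 'expected exactly one UKI in %s/uki, found %d\n' "${DIR}" "${#ukis[@]}" >&2
  exit 1
fi
cp -- "${ukis[0]}" "${DIR}/03-uki.efi"
get_cmdline_from_uki "${DIR}/03-uki.efi" "${DIR}/cmdline"
cmdline=$(cat "${DIR}/cmdline")
cmdline_hash=$(cmdline_measure "${DIR}/cmdline")
# Free the scratch directory as soon as it is no longer needed; the EXIT trap
# calls cleanup again later, which is presumed to be harmless on a removed dir.
cleanup "${DIR}"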
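# Refuse to extend the PCR with anything that is not a SHA-256 hex digest;
# a malformed value here would silently yield a wrong expected measurement.
if [[ ! ${cmdline_hash} =~ ^[0-9a-f]{64}$ ]]; then
  printf 'unexpected kernel command line measurement: %s\n' "${cmdline_hash}" >&2
  exit 1
fi
# PCR[12] starts at all zeros (32 bytes) and is extended once per measurement
# of the kernel command line.
expected_pcr_12=0000000000000000000000000000000000000000000000000000000000000000
expected_pcr_12=$(pcr_extend "${expected_pcr_12}" "${cmdline_hash}" "sha256sum")
if [[ ${CSP} == "azure" ]]; then
  # Azure displays the boot menu
  # triggering an extra measurement of the kernel command line.
  expected_pcr_12=$(pcr_extend "${expected_pcr_12}" "${cmdline_hash}" "sha256sum")
fi
# printf rather than echo: the command line is arbitrary data and must never
# be interpreted as echo options or escape sequences.
printf 'Kernel commandline: %s\n' "${cmdline}"
printf 'Kernel Commandline measurement %s\n' "${cmdline_hash}"
printf '\n'
printf 'Expected PCR[12]: %s\n' "${expected_pcr_12}"
printf '\n'
write_output "${OUT}"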