#!/usr/bin/env bash
# Copyright (c) Edgeless Systems GmbH
#
# SPDX-License-Identifier: AGPL-3.0-only
# This script precalculates the expected PCR[4] value for a Constellation OS image.
# Usage: precalculate_pcr_4.sh <path to image> <path to output file>
# Strict mode: abort on any failing command, on unset variables and on a
# failing stage anywhere in a pipeline.
set -o errexit -o nounset -o pipefail
# Also apply errexit inside command substitutions, which bash otherwise exempts;
# every digest below is obtained through $(...).
shopt -s inherit_errexit

# Shared helpers (mktempdir, cleanup, extract, pcr_extend are used below and are
# expected to come from this file — confirm in measure_util.sh).
. "$(dirname "$0")/measure_util.sh"

# Constant SHA-256 digests of the two events the firmware extends into PCR[4]
# before any bootloader is measured (the EV_EFI_ACTION and EV_SEPARATOR events,
# going by their names).
ev_efi_action_sha256=3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba
ev_efi_separator_sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119
#######################################
# Print the authentihash (Authenticode PE hash) of one EFI binary.
# Arguments: $1 - path to the PE/EFI file to hash
# Outputs:   whatever extract_authentihash.py, located next to this script,
#            prints (consumed by the caller as the stage digest; presumably a
#            hex string — not checked here)
# Returns:   the exit status of extract_authentihash.py
#######################################
authentihash() {
  local -r pe_file=$1
  local helper_dir
  helper_dir=$(dirname "$0")
  "${helper_dir}/extract_authentihash.py" "${pe_file}"
}
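#######################################
# Write the computed measurement and the per-stage digests as a JSON document.
# Globals:   expected_pcr_4, shim_authentihash, sd_boot_authentihash,
#            uki_authentihash (read)
# Arguments: $1 - path of the output file (created or overwritten)
# Outputs:   JSON with a "measurements" object (PCR 4 only) and an "efistages"
#            list, written to $1
# Returns:   0 on success; 1 if any of the four digests is not a 64-character
#            hex string (nothing is written in that case)
#######################################
write_output() {
  local -r out="$1"
  local digest_name digest_value

  # The digests are interpolated into the JSON below without any escaping, so
  # an unexpected value (error text from a helper, an empty string) would yield
  # a malformed or misleading document that downstream attestation trusts.
  # Refuse anything that is not a plain SHA-256 hex digest.
  for digest_name in expected_pcr_4 shim_authentihash sd_boot_authentihash uki_authentihash; do
    digest_value="${!digest_name:-}"
    if [[ ! "${digest_value}" =~ ^[0-9a-fA-F]{64}$ ]]; then
      printf 'write_output: %s is not a SHA-256 hex digest: %q\n' \
        "${digest_name}" "${digest_value}" >&2
      return 1
    fi
  done

  cat > "${out}" << EOF
{
  "measurements": {
    "4": {
      "expected": "${expected_pcr_4}"
    }
  },
  "efistages": [
    {
      "name": "shim",
      "sha256": "${shim_authentihash}"
    },
    {
      "name": "systemd-boot",
      "sha256": "${sd_boot_authentihash}"
    },
    {
      "name": "uki",
      "sha256": "${uki_authentihash}"
    }
  ]
}
EOF
}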
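# Fail early on a wrong argument count instead of discovering a missing output
# path only after the (comparatively slow) extraction has already run.
if (( $# != 2 )); then
  printf 'Usage: %s <path to image> <path to output file>\n' "${0##*/}" >&2
  exit 2
fi

DIR=$(mktempdir)
readonly DIR
# cleanup is also called explicitly once the digests are in hand; the trap makes
# sure the scratch directory goes away on error paths too (this assumes cleanup
# tolerates being run twice — confirm in measure_util.sh).
trap 'cleanup "${DIR}"' EXIT

# Stages of the boot chain in the order they are measured into PCR[4]: shim,
# the second stage shim loads (systemd-boot here, installed under the
# grubx64.efi name — presumably so shim's default lookup finds it), and the
# unified kernel image.
extract "$1" "/efi/EFI/BOOT/BOOTX64.EFI" "${DIR}/01-shim.efi"
extract "$1" "/efi/EFI/BOOT/grubx64.efi" "${DIR}/02-sd-boot.efi"
extract "$1" "/efi/EFI/Linux" "${DIR}/uki"
# The extracted tree is apparently not owned by the caller; hand it over. id(1)
# is used rather than $USER, which may be unset under `set -u` or lack a
# same-named group.
sudo chown -R "$(id -u):$(id -g)" "${DIR}/uki"

# Exactly one UKI must be present: with several, the value measured at boot
# would depend on which one the firmware loads, so refuse to guess.
shopt -s nullglob
uki_candidates=("${DIR}"/uki/*.efi)
shopt -u nullglob
if (( ${#uki_candidates[@]} != 1 )); then
  printf 'expected exactly one *.efi under %s/uki, found %d\n' \
    "${DIR}" "${#uki_candidates[@]}" >&2
  exit 1
fi
cp -- "${uki_candidates[0]}" "${DIR}/03-uki.efi"

shim_authentihash=$(authentihash "${DIR}/01-shim.efi")
sd_boot_authentihash=$(authentihash "${DIR}/02-sd-boot.efi")
uki_authentihash=$(authentihash "${DIR}/03-uki.efi")
cleanup "${DIR}"

# Replay the PCR[4] event sequence: the two fixed pre-boot events, then one
# digest per boot stage, each folded into the running value with SHA-256
# starting from the all-zero initial PCR. Order is significant.
pcr_4_events=(
  "${ev_efi_action_sha256}"
  "${ev_efi_separator_sha256}"
  "${shim_authentihash}"
  "${sd_boot_authentihash}"
  "${uki_authentihash}"
)
expected_pcr_4=0000000000000000000000000000000000000000000000000000000000000000
for event_digest in "${pcr_4_events[@]}"; do
  expected_pcr_4=$(pcr_extend "${expected_pcr_4}" "${event_digest}" "sha256sum")
done

printf 'Authentihashes:\n'
printf 'Stage 1 - shim: %s\n' "${shim_authentihash}"
printf 'Stage 2 - sd-boot: %s\n' "${sd_boot_authentihash}"
printf 'Stage 3 - Unified Kernel Image (UKI): %s\n' "${uki_authentihash}"
printf '\n'
printf 'Expected PCR[4]: %s\n' "${expected_pcr_4}"
printf '\n'

write_output "$2"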