From 835f7702a4007f4d91b5a5c42057ab066f2e44e7 Mon Sep 17 00:00:00 2001
From: Malte Poll <mp@edgeless.systems>
Date: Wed, 12 Oct 2022 12:13:41 +0200
Subject: [PATCH] Precalculate expected PCR[9]

---
 .../mkosi/measured-boot/precalculate_pcr_4.sh |  1 +
 .../mkosi/measured-boot/precalculate_pcr_8.sh |  1 +
 .../mkosi/measured-boot/precalculate_pcr_9.sh | 54 +++++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100755 image/mkosi/measured-boot/precalculate_pcr_9.sh

diff --git a/image/mkosi/measured-boot/precalculate_pcr_4.sh b/image/mkosi/measured-boot/precalculate_pcr_4.sh
index 0ad4af1e1..d2d716ff4 100755
--- a/image/mkosi/measured-boot/precalculate_pcr_4.sh
+++ b/image/mkosi/measured-boot/precalculate_pcr_4.sh
@@ -67,5 +67,6 @@ echo "Stage 2 – sd-boot:                    ${sd_boot_authentihash}"
 echo "Stage 3 – Unified Kernel Image (UKI): ${uki_authentihash}"
 echo ""
 echo "Expected PCR[4]:                      ${expected_pcr_4}"
+echo ""
 
 write_output "$2"
diff --git a/image/mkosi/measured-boot/precalculate_pcr_8.sh b/image/mkosi/measured-boot/precalculate_pcr_8.sh
index eccd5f900..a870206a4 100755
--- a/image/mkosi/measured-boot/precalculate_pcr_8.sh
+++ b/image/mkosi/measured-boot/precalculate_pcr_8.sh
@@ -66,5 +66,6 @@ echo "Kernel commandline:            ${cmdline}"
 echo "Kernel Commandline measurement ${cmdline_hash}"
 echo ""
 echo "Expected PCR[8]:               ${expected_pcr_8}"
+echo ""
 
 write_output "${OUT}"
diff --git a/image/mkosi/measured-boot/precalculate_pcr_9.sh b/image/mkosi/measured-boot/precalculate_pcr_9.sh
new file mode 100755
index 000000000..0ba09dd1b
--- /dev/null
+++ b/image/mkosi/measured-boot/precalculate_pcr_9.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# Copyright (c) Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+# This script is used to precalculate the PCR[9] value for a Constellation OS image.
+# PCR[9] contains the hash of the initrd and is measured by the linux kernel after loading the initrd.
+# Usage: precalculate_pcr_9.sh <path to image> <path to output file>
+
+set -euo pipefail
+source "$(dirname "$0")/measure_util.sh"
+
+get_initrd_from_uki () {
+    local uki="$1"
+    local output="$2"
+    objcopy -O binary --only-section=.initrd "${uki}" "${output}"
+}
+
+initrd_measure () {
+    local path="$1"
+    sha256sum "${path}" | cut -d " " -f 1
+}
+
+
+write_output () {
+    local out="$1"
+    cat > "${out}" <<EOF
+{
+    "pcr9": "${expected_pcr_9}",
+    "initrd": "${initrd_hash}"
+}
+EOF
+}
+
+DIR=$(mktempdir)
+trap 'cleanup "${DIR}"' EXIT
+
+extract "$1" "/efi/EFI/Linux" "${DIR}/uki"
+sudo chown -R "$USER:$USER" "${DIR}/uki"
+cp ${DIR}/uki/*.efi "${DIR}/03-uki.efi"
+get_initrd_from_uki "${DIR}/03-uki.efi" "${DIR}/initrd"
+
+initrd_hash=$(initrd_measure "${DIR}/initrd")
+cleanup "${DIR}"
+
+expected_pcr_9=0000000000000000000000000000000000000000000000000000000000000000
+expected_pcr_9=$(pcr_extend "${expected_pcr_9}" "${initrd_hash}" "sha256sum")
+
+echo "Initrd measurement ${initrd_hash}"
+echo ""
+echo "Expected PCR[9]:   ${expected_pcr_9}"
+echo ""
+
+write_output "$2"