Precalculate expected PCR[9]

2025-02-22 16:00:05 -05:00 · 2022-10-12 12:13:41 +02:00 · 2022-10-12 12:13:41 +02:00 · 835f7702a4
commit 835f7702a4
parent 6859c6b00e
3 changed files with 56 additions and 0 deletions
--- a/image/mkosi/measured-boot/precalculate_pcr_4.sh
+++ b/image/mkosi/measured-boot/precalculate_pcr_4.sh
@ -67,5 +67,6 @@ echo "Stage 2 – sd-boot:                    ${sd_boot_authentihash}"
 echo "Stage 3 – Unified Kernel Image (UKI): ${uki_authentihash}"
 echo ""
 echo "Expected PCR[4]:                      ${expected_pcr_4}"
+echo ""

 write_output "$2"
--- a/image/mkosi/measured-boot/precalculate_pcr_8.sh
+++ b/image/mkosi/measured-boot/precalculate_pcr_8.sh
@ -66,5 +66,6 @@ echo "Kernel commandline:            ${cmdline}"
 echo "Kernel Commandline measurement ${cmdline_hash}"
 echo ""
 echo "Expected PCR[8]:               ${expected_pcr_8}"
+echo ""

 write_output "${OUT}"
--- a/image/mkosi/measured-boot/precalculate_pcr_9.sh
+++ b/image/mkosi/measured-boot/precalculate_pcr_9.sh
@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# Copyright (c) Edgeless Systems GmbH
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+# This script is used to precalculate the PCR[9] value for a Constellation OS image.
+# PCR[9] contains the hash of the initrd and is measured by the linux kernel after loading the initrd.
+# Usage: precalculate_pcr_9.sh <path to image> <path to output file>
+
+set -euo pipefail
+source "$(dirname "$0")/measure_util.sh"
+
+get_initrd_from_uki () {
+    local uki="$1"
+    local output="$2"
+    objcopy -O binary --only-section=.initrd "${uki}" "${output}"
+}
+
+initrd_measure () {
+    local path="$1"
+    sha256sum "${path}" | cut -d " " -f 1
+}
+
+
+write_output () {
+    local out="$1"
+    cat > "${out}" <<EOF
+{
+    "pcr9": "${expected_pcr_9}",
+    "initrd": "${initrd_hash}"
+}
+EOF
+}
+
+DIR=$(mktempdir)
+trap 'cleanup "${DIR}"' EXIT
+
+extract "$1" "/efi/EFI/Linux" "${DIR}/uki"
+sudo chown -R "$USER:$USER" "${DIR}/uki"
+cp ${DIR}/uki/*.efi "${DIR}/03-uki.efi"
+get_initrd_from_uki "${DIR}/03-uki.efi" "${DIR}/initrd"
+
+initrd_hash=$(initrd_measure "${DIR}/initrd")
+cleanup "${DIR}"
+
+expected_pcr_9=0000000000000000000000000000000000000000000000000000000000000000
+expected_pcr_9=$(pcr_extend "${expected_pcr_9}" "${initrd_hash}" "sha256sum")
+
+echo "Initrd measurement ${initrd_hash}"
+echo ""
+echo "Expected PCR[9]:   ${expected_pcr_9}"
+echo ""
+
+write_output "$2"