flasher: improve logging with secure boot

Print the PCR digest values used to create the PCR policy used to seal the LUKS passphrase during flashing. These values can be cross referenced with the logs during secure boot to diagnose policy check failures. Change-type: patch Signed-off-by: Joseph Kogut <[email protected]>
balena-os · Aug 13, 2024 · 890618f · 890618f
1 parent 137a788
commit 890618f
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm
@@ -78,6 +78,11 @@ diskenc_setup() {
 			     seek="$(du -b "${PCR_VAL_BIN_PRIMARY}" | cut -f1)"
 	done
 
+	info "Creating combined policy for PCRs ${PCRS}"
+
+	print_pcr_val_bin "$PCRS" "$PCR_VAL_BIN_PRIMARY"
+	print_pcr_val_bin "$PCRS" "$PCR_VAL_BIN_SECONDARY"
+
 	tpm2_createpolicy --policy-pcr \
 		-l "sha256:${PCRS}" \
 		-f "${PCR_VAL_BIN_PRIMARY}" \