Skip to content

Commit

Permalink
flasher: improve logging with secure boot
Browse files Browse the repository at this point in the history 
Print the PCR digest values used to create the PCR policy used to seal
the LUKS passphrase during flashing. These values can be cross
referenced with the logs during secure boot to diagnose policy check
failures.

Change-type: patch
Signed-off-by: Joseph Kogut <[email protected]>
  • Loading branch information
@jakogut
jakogut committed Aug 14, 2024
1 parent 8fde3b3 commit b123e25
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm
View file
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,11 @@ diskenc_setup() {
seek="$(du -b "${PCR_VAL_BIN_PRIMARY}" | cut -f1)"
done

info "Creating combined policy for PCRs ${PCRS}"

print_pcr_val_bin "$PCRS" "$PCR_VAL_BIN_PRIMARY"
print_pcr_val_bin "$PCRS" "$PCR_VAL_BIN_SECONDARY"

tpm2_createpolicy --policy-pcr \
-l "sha256:${PCRS}" \
-f "${PCR_VAL_BIN_PRIMARY}" \
Expand Down

0 comments on commit b123e25

Please sign in to comment.