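--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -653,16 +653,30 @@ pcrs-sign() {
 ev_sep=" $( echo " 00000000" | hex2bin | tpm2_trial_extend 0) "
 pcr4_computed=" $( echo -n " ${ev_sep}${linux_hash} " | hex2bin | sha256) "
 
+pcr2_read=" $( tpm2 pcrread sha256:2 | tail -1 | cut -c9- | tr ' [:upper:]' ' [:lower:]' ) "
 pcr4_read=" $( tpm2 pcrread sha256:4 | tail -1 | cut -c9- | tr ' [:upper:]' ' [:lower:]' ) "
 
+# HACK: this assumes PCR2 is the second in the list
+if [ " $pcr2_read " != " $ev_sep " ]; then
+warn " PCR2: ignoring BootMenu entries"
+echo -n " $ev_sep " | hex2bin \
+| dd \
+of=" $TMP /pcrs.bin" \
+conv=notrunc \
+seek=1 \
+bs=32 \
+2> /dev/null \
+|| die " $TPM /pcrs.bin: unable to update PCR2"
+fi
+
 warn " $linux : PE hash $linux_hash "
 
 if [ " $pcr4_computed " == " $pcr4_read " ]; then
 warn " PCR4 unchanged"
 else
 warn " PCR4 $pcr4_computed "
 
-# HACK: replace the PCR with the computed one
+# HACK: replace the PCR with the computed one, assuming PCR14 is the 3rd
 # initrd dd does not support iflag=fullblock status=none
 echo -n " $pcr4_computed " | hex2bin \
 | dd \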
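Review bot: The failure message on the new `|| die` line names `$TPM/pcrs.bin` while the dd just above writes to `$TMP/pcrs.bin`, so a failed update would report a path that was never touched; it should read `|| die "$TMP/pcrs.bin: unable to update PCR2"`. The value written at seek=1 is the separator-only digest `$ev_sep`, so the resulting pcrs.bin predicts PCR2 as if nothing but the separator had been measured — every other PCR2 event is dropped from what a policy bound to this file will check, not only the boot-menu entries the warning names, and the warning should say so, e.g. `warn "PCR2: replacing measured value with separator-only digest"`. The rewritten comment at new line 679 says PCR14 although the branch it heads updates PCR4, which looks like a typo. pcrs-sign's body continues past the end of the hunk.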