@@ -228,6 +228,49 @@ replay_pcr() {
228228 # (6: LUKS header, 7: user related cbfs files loaded from cbfs-init)
229229}
230230
231+ # usage: calc_pcr <alg> <pcr_num> [ <input_file>|<input_hash> ... ]
232+ # Calculate PCR value to compare with CBMEM event log.
233+ # First argument is PCR number, followed by optional
234+ # hashes and/or files.
235+ # Resulting PCR value is returned in binary form.
236+ calc_pcr () {
237+ TRACE " Under /bin/tpmr:calc_pcr"
238+ if [ -z " $2 " ; then
239+ echo >&2 " No PCR number passed"
240+ return
241+ fi
242+ if [ " $2 " -ge 8 ]; then
243+ echo >&2 " Illegal PCR number ($2 )"
244+ return
245+ fi
246+ local alg=" $1 "
247+ local pcr=" $2 "
248+ local alg_digits=0
249+ # SHA-1 hashes are 40 chars
250+ if [ " $alg " = " sha1" ; then alg_digits=40; fi
251+ # SHA-256 hashes are 64 chars
252+ if [ " $alg " = " sha256" ; then alg_digits=64; fi
253+ shift 2
254+ replayed_pcr=$( extend_pcr_state $alg $( printf " %.${alg_digits} d" ) $@ )
255+ echo $replayed_pcr | hex2bin
256+ DEBUG " Replayed cbmem -L clean boot state of PCR=$pcr ALG=$alg : $replayed_pcr "
257+ # To manually introspect calculated to PCR values:
258+ # TODO: fix the following examples with WORKING examples
259+ # PCR-2:
260+ # bash tpmr calc_pcr 2 <(cbmem -r 464d4150) <(cbfs --read bootblock) \
261+ # <(cbfs --read fallback/romstage) <(cbfs --read fallback/postcar) \
262+ # <(cbfs --read fallback/ramstage) <(cbfs --read bootsplash.jpg) \
263+ # <(cbfs --read fallback/payload) | xxd -p
264+ # PCR-4, in case of recovery shell (bash used for process substitution):
265+ # bash -c "tpmr calc_pcr 4 <(echo -n recovery)" | xxd -p
266+ # PCR-4, in case of normal boot passing through kexec-select-boot:
267+ # bash -c "tpmr calc_pcr 4 <(echo -n generic)" | xxd -p
268+ # PCR-5, depending on which modules are loaded for given board:
269+ # tpmr calc_pcr 5 module0.ko module1.ko module2.ko | xxd -p
270+ # PCR-6 and PCR-7: similar to 5, but with different files passed
271+ # (6: LUKS header, 7: user related cbfs files loaded from cbfs-init)
272+ }
273+
231274tpm2_extend () {
232275 TRACE " Under /bin/tpmr:tpm2_extend"
233276 while true ; do
@@ -519,7 +562,7 @@ tpm1_seal() {
519562 -of " $sealed_file "
520563 -hk 40000000 \
521564 " ${POLICY_ARGS[@]} "
522-
565+
523566 # try it without the TPM Owner Password first
524567 if ! tpm nv_writevalue -in " $index " " $sealed_file " ; then
525568 # to create an nvram space we need the TPM Owner Password
@@ -751,6 +794,10 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
751794 shift
752795 replay_pcr " sha1" " $@ "
753796 ;;
797+ calc_pcr)
798+ shift
799+ calc_pcr " sha1" " $@ "
800+ ;;
754801 counter_create)
755802 shift
756803 tpm1_counter_create " $@ "
@@ -796,6 +843,9 @@ pcrsize)
796843calcfuturepcr)
797844 replay_pcr " sha256" " $@ "
798845 ;;
846+ calc_pcr)
847+ calc_pcr " sha256" " $@ "
848+ ;;
799849extend)
800850 tpm2_extend " $@ "
801851 ;;
0 commit comments