hup: signed-update: print predicted PCR values after creating a policy

Change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>

meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update

@@ -155,10 +155,12 @@ updateKeys() {
             measured)
                 info "Using PCR7 digest with EFI binary measurements"
                 POLICY="${POLICY_EFIBIN}"
+                print_pcr_val_bin "${PCRS}" "${PCR_VAL_BIN_EFIBIN}"
                 ;;
             unmeasured)
                 info "Using PCR7 digest without EFI binary measurements"
                 POLICY="${POLICY_UPDATED}"
+                print_pcr_val_bin "${PCRS}" "${PCR_VAL_BIN_UPDATED}"
                 ;;
             unknown)
                 # we don't have access to the TPM event log, and can't
@@ -170,6 +172,10 @@ updateKeys() {
                               "sha256:$(find "${POLICY_PATH}" -type f | sort | xargs | sed 's/ /,/g')"
                 POLICY="${POLICY_COMBINED}"
                 cp -rf "${POLICY_PATH}" "${EFI_MOUNT_DIR}"
+
+                print_pcr_val_bin "${PCRS}" "${PCR_VAL_BIN_EFIBIN}"
+                printf "\nOR\n"
+                print_pcr_val_bin "${PCRS}" "${PCR_VAL_BIN_UPDATED}"
                 ;;
         esac
 

meta-balena-common/recipes-support/os-helpers/os-helpers/os-helpers-tpm2

@@ -125,7 +125,19 @@ firmware_measures_efibins() {
     fi
 }
 
-
+print_pcr_val_bin() {
+    PCRS=$1
+    PCR_VAL_BIN=$2
+    DIGEST_SIZE=32
+    SKIP=0
+    printf " %s:\n" "sha256"
+    for pcr in $(echo "${PCRS}" | sed 's/,/ /g'); do
+        digest=$(dd if="${PCR_VAL_BIN}" bs=1 count=$DIGEST_SIZE status=none skip=$SKIP | _hexencode)
+        SKIP=$((SKIP + DIGEST_SIZE))
+        printf "   %s : %s\n" "$pcr" "$digest"
+    done
+    printf "\n"
+}
 
 hw_gen_passphrase() {
     tpm2_getrandom 32