diff --git a/meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update b/meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update
index 2b05b34f43..54bba156ff 100644
--- a/meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update
+++ b/meta-balena-common/recipes-support/hostapp-update-hooks/files/0-signed-update
@@ -155,10 +155,12 @@ updateKeys() {
 measured)
 info "Using PCR7 digest with EFI binary measurements"
 POLICY="${POLICY_EFIBIN}"
+ print_pcr_val_bin "${PCRS}" "${PCR_VAL_BIN_EFIBIN}"
 ;;
 unmeasured)
 info "Using PCR7 digest without EFI binary measurements"
 POLICY="${POLICY_UPDATED}"
+ print_pcr_val_bin "${PCRS}" "${PCR_VAL_BIN_UPDATED}"
 ;;
 unknown)
 # we don't have access to the TPM event log, and can't
@@ -170,6 +172,10 @@ updateKeys() {
 "sha256:$(find "${POLICY_PATH}" -type f | sort | xargs | sed 's/ /,/g')"
 POLICY="${POLICY_COMBINED}"
 cp -rf "${POLICY_PATH}" "${EFI_MOUNT_DIR}"
+
+ print_pcr_val_bin "${PCRS}" "${PCR_VAL_BIN_EFIBIN}"
+ printf "\nOR\n"
+ print_pcr_val_bin "${PCRS}" "${PCR_VAL_BIN_UPDATED}"
 ;;
 esac
diff --git a/meta-balena-common/recipes-support/os-helpers/os-helpers/os-helpers-tpm2 b/meta-balena-common/recipes-support/os-helpers/os-helpers/os-helpers-tpm2
index 2bbc116b36..95630ac483 100644
--- a/meta-balena-common/recipes-support/os-helpers/os-helpers/os-helpers-tpm2
+++ b/meta-balena-common/recipes-support/os-helpers/os-helpers/os-helpers-tpm2
@@ -125,7 +125,19 @@ firmware_measures_efibins() {
 fi
 }
-
+print_pcr_val_bin() {
+ PCRS=$1
+ PCR_VAL_BIN=$2
+ DIGEST_SIZE=32
+ SKIP=0
+ printf " %s:\n" "sha256"
+ for pcr in $(echo "${PCRS}" | sed 's/,/ /g'); do
+ digest=$(dd if="${PCR_VAL_BIN}" bs=1 count=$DIGEST_SIZE status=none skip=$SKIP | _hexencode)
+ SKIP=$((SKIP + DIGEST_SIZE))
+ printf " %s : %s\n" "$pcr" "$digest"
+ done
+ printf "\n"
+}
 hw_gen_passphrase() {
 tpm2_getrandom 32
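Review bot: `print_pcr_val_bin`, called twice here and twice more in the `unknown)` branch of the next hunk, assigns `PCRS`, `PCR_VAL_BIN`, `DIGEST_SIZE` and `SKIP` as unscoped variables (see its definition in the os-helpers-tpm2 part of this diff), so a logging helper writes into the same shell state that updateKeys uses to pick the sealing policy. Nothing changes today because every call passes the current `${PCRS}` back in, but a later caller with a different PCR list would silently replace it for any code that reads `PCRS` afterwards (not visible in these hunks). Scoping the helper's variables avoids that, e.g. `local pcrs="$1" pcr_val_bin="$2" digest_size=32 skip=0 pcr digest` if the shell running these hooks supports `local`, otherwise helper-private names. The helper also never checks that the file holds one 32-byte digest per listed PCR, so a short or missing file would log truncated or empty digests next to the policy message; a size check with a warning before the loop would make that visible. updateKeys starts and ends outside these hunks.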