From 747c7c18918a3e22ea0246442b56e19c2cbaa9ca Mon Sep 17 00:00:00 2001
From: Trammell hudson
Date: Sun, 23 Aug 2020 13:42:17 +0200
Subject: [PATCH] recovery-sign: ignore boot menu in PCR2
---
 sbin/safeboot | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/sbin/safeboot b/sbin/safeboot
index 97b3fb0e..30ec3cdb 100755
--- a/sbin/safeboot
+++ b/sbin/safeboot
@@ -653,8 +653,22 @@ pcrs-sign() {
 ev_sep="$(echo "00000000" | hex2bin | tpm2_trial_extend 0)"
 pcr4_computed="$(echo -n "${ev_sep}${linux_hash}" | hex2bin | sha256)"
+ pcr2_read="$(tpm2 pcrread sha256:2 | tail -1 | cut -c9- | tr '[:upper:]' '[:lower:]')"
 pcr4_read="$(tpm2 pcrread sha256:4 | tail -1 | cut -c9- | tr '[:upper:]' '[:lower:]')"
+ # HACK: this assumes PCR2 is the second in the list
+ if [ "$pcr2_read" != "$ev_sep" ]; then
+ warn "PCR2: ignoring BootMenu entries"
+ echo -n "$ev_sep" | hex2bin \
+ | dd \
+ of="$TMP/pcrs.bin" \
+ conv=notrunc \
+ seek=1 \
+ bs=32 \
+ 2>/dev/null \
+ || die "$TPM/pcrs.bin: unable to update PCR2"
+ fi
+
 warn "$linux: PE hash $linux_hash"
 if [ "$pcr4_computed" == "$pcr4_read" ]; then
@@ -662,7 +676,7 @@ pcrs-sign() {
 else
 warn "PCR4 $pcr4_computed"
- # HACK: replace the PCR with the computed one
+ # HACK: replace the PCR with the computed one, assuming PCR14 is the 3rd
 # initrd dd does not support iflag=fullblock status=none
 echo -n "$pcr4_computed" | hex2bin \
 | dd \
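Review bot: The failure message in the new PCR2 block names `$TPM/pcrs.bin` while the dd writes `of="$TMP/pcrs.bin"`, so the diagnostic reports the wrong path (and would abort on an unset variable if `set -u` is in effect), `|| die "$TMP/pcrs.bin: unable to update PCR2"`. The hard-coded `seek=1 bs=32` only works if PCR2 is the second 32-byte record in pcrs.bin, as the HACK comment admits; if the PCR selection that produced that file (outside this hunk) ever changes, the separator value silently lands in another PCR's slot and the signed policy no longer matches what was intended, so a check of the selection or an offset derived from it would be safer than a comment. Note also that the condition replaces PCR2 whenever it differs from the separator-only value, not only when boot-menu entries were measured, so the comment should say so: `# HACK: sign PCR2 as separator-only, discarding anything else measured into it`. pcrs-sign begins before this hunk and continues after it.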