qubes-measure-luks: Change implementation from luksDump to luksHeader…

…Backup Fixes linuxboot#1089
tlaurion · Jan 18, 2022 · eb3ee36 · eb3ee36
1 parent fba79ab
commit eb3ee36
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/initrd/bin/qubes-measure-luks b/initrd/bin/qubes-measure-luks
@@ -4,11 +4,18 @@
 
 die() { echo >&2 "$@"; exit 1; }
 
+#Following file should be clean since the actual script is called to populate /tmp/luksDump.txt
+# /tmp/luksDump.txt is then used kexec-seal-key to calcfuturepcr into pcr 10 (unused) 
+# and then extend that clean value into PCR 6 (which should be zeroed too).
+rm -f /tmp/luksDump.txt
+
 # Measure the luks headers into PCR 6
 for dev in "$@"; do
-	cryptsetup luksDump $dev \
+	cryptsetup luksHeaderBackup $dev --header-backup-file /tmp/tmp_luks_header \
 	|| die "$dev: Unable to measure"
-done > /tmp/luksDump.txt
+	cat /tmp/tmp_luks_header >> /tmp/luksDump.txt
+	rm -f /tmp/tmp_luks_header
+done
 
 tpm extend -ix 6 -if /tmp/luksDump.txt \
 || die "Unable to extend PCR"