initdata: measure initdata digest into rt register
This adds two post exec directives for process-user-data in the mkosi to
extend PCR 8 (grub, which we don't use in mkosi podvms:
https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/)
with the digest of initdata. Sha256 and Sha384 banks are attempted.
initdata.digest contains a hex value that will fit only in one of those.
A failure of either post exec step will be ignored and does not turn the
unit status into a failure.

This is a bit provisional, but things with init-data and runtime
measurement are still a bit in flux, which doesn't warrant putting such
logic in code yet.

Signed-off-by: Magnus Kulke <[email protected]>
mkulke committed Aug 12, 2024
1 parent c1034d0 commit b2f252c
Showing 1 changed file with 3 additions and 0 deletions.
@@ -0,0 +1,3 @@
[Service]
ExecStartPost=-/bin/bash -c 'tpm2_pcrextend 8:sha256=$(cat /run/peerpod/initdata.digest)'
ExecStartPost=-/bin/bash -c 'tpm2_pcrextend 8:sha384=$(cat /run/peerpod/initdata.digest)'
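Review bot: the `-` prefix on both ExecStartPost= lines means a missing /run/peerpod/initdata.digest, an absent tpm2_pcrextend binary, or a digest of unexpected length silently leaves PCR 8 unextended, and since exactly one of the two commands is expected to fail on every boot (the digest fits only one bank), the journal will always show a failed ExecStartPost, so a real measurement failure is indistinguishable from the expected one. Consider picking the bank from the digest length in a single command, e.g. `d=$(cat /run/peerpod/initdata.digest); case ${#d} in 64) b=sha256;; 96) b=sha384;; esac; tpm2_pcrextend "8:$b=$d"`, and then either dropping the `-` or guarding the unit with ConditionPathExists=/run/peerpod/initdata.digest, so that only a genuine failure is logged. Whatever consumes PCR 8 in the attestation policy should treat an unextended PCR 8 as "initdata not measured" rather than as a pass. A one-line comment in the drop-in noting that PCR 8 is repurposed from its registry assignment (grub) would help future readers.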
