diff options
Diffstat (limited to 'sys/boot/tpm.nix')
| -rw-r--r-- | sys/boot/tpm.nix | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/sys/boot/tpm.nix b/sys/boot/tpm.nix index 4093e47..196c406 100644 --- a/sys/boot/tpm.nix +++ b/sys/boot/tpm.nix @@ -22,9 +22,22 @@ with lib; let # Genera auth.policy y auth.sig tpm2-grant-next-boot = pkgs.writeShellApplication { name = "tpm2-grant-next-boot"; - runtimeInputs = [ pkgs.openssl pkgs.tpm2-tools ]; + + runtimeInputs = [ + pkgs.jq + pkgs.openssl + pkgs.sbctl + pkgs.tpm2-tools + ]; text = '' + if [ -z "$YES_I_DO_WANT_TO_SIGN_WITH_SECURE_BOOT_DISABLED" ] && [ "$(sbctl status --json | jq .secure_boot)" != "truee" ]; then + echo "$0: bad Secure Boot state, check the output of \`sbctl status\`" >&2 + echo "$0: signing a TPM PCR policy with Secure Boot disabled is dangerous" >&2 + echo "$0: set 'YES_I_DO_WANT_TO_SIGN_WITH_SECURE_BOOT_DISABLED' to skip this check" >&2 + exit 1 + fi + ctx_dir="$(mktemp -d)" trap 'rm -rf -- "$ctx_dir"' EXIT @@ -53,7 +66,23 @@ in pcrs = mkOption { type = with types; listOf (ints.between 0 23); - default = [ 0 2 7 8 11 ]; + + # From 'systemd-analyze pcrs' + default = [ + 0 # platform-code + 1 # platform-config + 2 # external-code + 3 # external-config + 4 # boot-loader-code + 5 # boot-loader-config + 7 # secure-boot-policy + 9 # kernel-initrd + 11 # kernel-boot + 12 # kernel-config + 13 # sysexts + 14 # shim-policy + + ]; }; }; }; |