flasher: improve logging with secure boot

Print the PCR digest values used to create the PCR policy used to seal the LUKS passphrase during flashing. These values can be cross referenced with the logs during secure boot to diagnose policy check failures. Change-type: patch Signed-off-by: Joseph Kogut <[email protected]>
balena-os · Sep 11, 2024 · 459773c · 459773c
1 parent 5310f76
commit 459773c
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm
@@ -78,6 +78,11 @@ diskenc_setup() {
 			     seek="$(du -b "${PCR_VAL_BIN_PRIMARY}" | cut -f1)"
 	done
 
+	info "Creating combined policy for PCRs ${PCRS}"
+
+	print_pcr_val_bin "$PCRS" "$PCR_VAL_BIN_PRIMARY"
+	print_pcr_val_bin "$PCRS" "$PCR_VAL_BIN_SECONDARY"
+
 	tpm2_createpolicy --policy-pcr \
 		-l "sha256:${PCRS}" \
 		-f "${PCR_VAL_BIN_PRIMARY}" \