From 459773c85689797e53f0fe1c31293e7f835a4c8f Mon Sep 17 00:00:00 2001
From: Joseph Kogut
Date: Tue, 13 Aug 2024 12:08:46 -0700
Subject: [PATCH] flasher: improve logging with secure boot
Print the PCR digest values used to create the PCR policy used to seal the LUKS passphrase during flashing. These values can be cross referenced with the logs during secure boot to diagnose policy check failures.
Change-type: patch
Signed-off-by: Joseph Kogut
---
 .../resin-init/resin-init-flasher/balena-init-flasher-tpm | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm
index 00450c0ed9..939ffbcb64 100644
--- a/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm
+++ b/meta-balena-common/recipes-support/resin-init/resin-init-flasher/balena-init-flasher-tpm
@@ -78,6 +78,11 @@ diskenc_setup() {
 seek="$(du -b "${PCR_VAL_BIN_PRIMARY}" | cut -f1)"
 done

+ info "Creating combined policy for PCRs ${PCRS}"
+
+ print_pcr_val_bin "$PCRS" "$PCR_VAL_BIN_PRIMARY"
+ print_pcr_val_bin "$PCRS" "$PCR_VAL_BIN_SECONDARY"
+
 tpm2_createpolicy --policy-pcr \
 -l "sha256:${PCRS}" \
 -f "${PCR_VAL_BIN_PRIMARY}" \
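Review bot: The two `print_pcr_val_bin` calls added before `tpm2_createpolicy` are purely diagnostic, but nothing in the hunk shows what happens when one of them fails, for example if `${PCR_VAL_BIN_SECONDARY}` is missing or short. If the script runs under `set -e`, which is not visible here, a logging failure would abort sealing of the LUKS passphrase. Making the call explicitly best-effort avoids that, e.g. `print_pcr_val_bin "$PCRS" "$PCR_VAL_BIN_PRIMARY" || info "could not print PCR digests from ${PCR_VAL_BIN_PRIMARY}"`, and likewise for the secondary file. A short comment such as `# PCR digests are measurements, not secrets; log them, never the passphrase` would record why this output is safe to keep in flasher logs. `print_pcr_val_bin` is defined outside the hunk and `diskenc_setup` continues past it, so its output format and how it labels primary versus secondary digests could not be checked.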