Ignore PCR5 when sealing key when Librem Key is enabled

When the Librem Key is enabled, the kernel loads USB modules at boot, this causes PCR5 to change and breaks unsealing the LUKS key (if set). This change retains the protection of the PCR5 check unless Librem Key is enabled.
linuxboot · Nov 7, 2018 · 79a09e7 · 79a09e7
1 parent fd99d16
commit 79a09e7
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
@@ -84,6 +84,14 @@ cat "$KEY_DEVICES" | cut -d\  -f1 | xargs /bin/qubes-measure-luks \
 	|| die "Unable to measure the LUKS headers"
 luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
 
+# Librem Key loads USB modules which changes PCR5.
+# In the event Librem Key is enabled, skip verification of PCR5
+if [ -x /bin/libremkey_hotp_verification ]; then
+  pcr_5="X"
+else
+  pcr_5="0000000000000000000000000000000000000000"
+fi
+
 # Note that PCR 4 needs to be set with the "normal-boot"
 # path value, which we do not have right now since we are
 # in a recovery shell.
@@ -104,7 +112,7 @@ tpm sealfile2 \
 	-ix 2 X \
 	-ix 3 X \
 	-ix 4 0000000000000000000000000000000000000000 \
-	-ix 5 0000000000000000000000000000000000000000 \
+	-ix 5 $pcr_5 \
 	-ix 6 $luks_pcr \
 	-ix 7 X \
 || die "Unable to seal secret"