I think it's crucial we start to measure Verity images as we activate
them, so that the event log has a full trace of the composition of the
system. Hence let's introduce a new NvPCR for this purpose, under the
name "verity".
'HAVE_TPM2',
],
},
-
]
if conf.get('ENABLE_BOOTLOADER') == 1 and conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_TPM2') == 1
nvpcrs = [ 'cryptsetup',
- 'hardware' ]
+ 'hardware',
+ 'verity']
foreach n : nvpcrs
custom_target(
input : 'nvpcr/' + n + '.nvpcr.in',
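Review bot: The new closing line `'verity']` drops the space before the bracket that the line it replaces had (`'hardware' ]`), so the list style changes in the same edit that adds the entry. Either keep the existing `'verity' ]` spacing, or put the `]` on its own line after a trailing comma so that the next NvPCR added to `nvpcrs` is a one-line diff. The removal of the blank line before the earlier `]` looks unrelated to the "verity" addition and would be easier to review as a separate cleanup.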
--- /dev/null
+{
+ "name" : "verity",
+ "algorithm" : "sha256",
+ "nvIndex" : {{TPM2_NVPCR_BASE + 2}}
+}
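Review bot: The `"nvIndex" : {{TPM2_NVPCR_BASE + 2}}` line hard-codes the offset `2`, and nothing visible in this patch keeps offsets unique across the `nvpcr/*.nvpcr.in` files or records which offset belongs to which name. Since a collision would make two NvPCRs share one NV index and mix their measurements, consider documenting the offset allocation in one place, or adding a build-time check that no two definitions in the `nvpcrs` list resolve to the same index. It would also help to document, next to this definition, what exactly is extended into "verity" when an image is activated, because the file itself only carries the name, `"sha256"` and the index.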