@wrouesnel
Created March 3, 2025 13:32
Script for regenerating clevis-luks bindings on a standard Ubuntu ZFS rpool installation
#!/bin/bash
# Script to regenerate the Clevis LUKS bindings (and to track the changes causing them).
#
# Linux TPM PCR registry (which component extends each PCR, what it measures and where the
# measurement is logged), for reading the PCR diff printed at the end of this script:
#
# PCR | Used by                    | Location            | Measured objects                                                                                     | Log                | Use reported by
# 0   | Firmware                   | UEFI boot component | Core system firmware executable code                                                                 | UEFI TPM event log | n/a
# 1   | Firmware                   | UEFI boot component | Core system firmware data/host platform configuration; typically contains serial and model numbers   | UEFI TPM event log | n/a
# 2   | Firmware                   | UEFI boot component | Extended or pluggable executable code; includes option ROMs on pluggable hardware                    | UEFI TPM event log | n/a
# 3   | Firmware                   | UEFI boot component | Extended or pluggable firmware data; includes information about pluggable hardware                   | UEFI TPM event log | n/a
# 4   | Firmware                   | UEFI boot component | Boot loader and additional drivers; binaries and extensions loaded by the boot loader                | UEFI TPM event log | n/a
# 5   | Firmware                   | UEFI boot component | GPT/Partition table                                                                                  | UEFI TPM event log | n/a
# 7   | Firmware                   | UEFI boot component | SecureBoot state                                                                                     | UEFI TPM event log | n/a
# 8   | grub                       | UEFI boot component | Commands and kernel command line                                                                     | UEFI TPM event log | n/a
# 9   | grub                       | UEFI boot component | All files read (including kernel image)                                                              | UEFI TPM event log | n/a
# 9   | Linux kernel               | Kernel              | All passed initrds (when the new LOAD_FILE2 initrd protocol is used)                                 | UEFI TPM event log | n/a
# 10  | IMA                        | Kernel              | Protection of the IMA measurement log                                                                | IMA event log      | n/a
# 11  | systemd-stub               | UEFI stub           | All components of unified kernel images (UKIs)                                                       | UEFI TPM event log | in EFI variable StubPcrKernelImage
# 11  | systemd-pcrphase           | Userspace           | Boot phase strings, indicating various milestones of the boot process                                | Journal (for now)  | n/a
# 12  | systemd-stub               | UEFI stub           | Kernel command line, system credentials and system configuration images                              | UEFI TPM event log | in EFI variable StubPcrKernelParameters
# 13  | systemd-stub               | UEFI stub           | All system extension images for the initrd                                                           | UEFI TPM event log | in EFI variable StubPcrInitRDSysExts
# 14  | shim                       | UEFI boot component | "MOK" certificates and hashes                                                                        | UEFI TPM event log | n/a
# 15  | [email protected]          | Userspace           | Root file system volume encryption key                                                               | Journal (for now)  | n/a
# 15  | systemd-pcrmachine.service | Userspace           | Machine ID (/etc/machine-id)                                                                         | Journal (for now)  | n/a
# 15  | [email protected]          | Userspace           | File system mount point, UUID, label, partition UUID label of root file system and /var/             | Journal (for now)  | n/a
# Descriptions of the PCRs the binding is sealed against, for reading the diff printed below.
declare -A TPM_PCRS
TPM_PCRS["0"]="Core system firmware executable code"
TPM_PCRS["1"]="Core system firmware data/host platform configuration; typically contains serial and model numbers"
TPM_PCRS["2"]="Extended or pluggable executable code; includes option ROMs on pluggable hardware"
TPM_PCRS["3"]="Extended or pluggable firmware data; includes information about pluggable hardware"
TPM_PCRS["4"]="Boot loader and additional drivers; binaries and extensions loaded by the boot loader"
TPM_PCRS["7"]="SecureBoot state"
TPM_PCRS["8"]="Commands and kernel command line"
TPM_PCRS["9"]="All files read (including kernel image)"

LUKS_SLOT=1
CURR_PCR="$HOME/.curr.pcrs"
PREV_PCR="$HOME/.prev.pcrs"

# Re-seal the Clevis TPM2 binding in the chosen slot of the Ubuntu ZFS keystore zvol against
# the current PCR values, i.e.: sudo clevis luks regen -q -s 1 -d /dev/zvol/rpool/keystore
if ! sudo clevis luks regen -q -s "$LUKS_SLOT" -d /dev/zvol/rpool/keystore; then
    echo "clevis regen failed" >&2
    exit 1
fi

# Keep the previous snapshot and record the PCR values the new binding was sealed against.
if [ -e "$CURR_PCR" ]; then
    mv -f "$CURR_PCR" "$PREV_PCR"
fi
if ! sudo tpm2_pcrread > "$CURR_PCR"; then
    echo "tpm2_pcrread failed" >&2
    exit 1
fi

# Output the PCR differences since the last regen (diff exits non-zero when they differ).
if [ -e "$PREV_PCR" ]; then
    diff -u "$PREV_PCR" "$CURR_PCR"
fi
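Added example, not code from the gist: a POSIX shell reader for the two `tpm2_pcrread` captures the script keeps in `$PREV_PCR` and `$CURR_PCR`, reporting which PCRs moved and, from the registry above, whether that is the expected trace of a grub or kernel upgrade or something to look into. The sample captures (shortened fake digests) and the expected/investigate wording are my own; the classification only covers the PCRs listed in the registry.

```shell
#!/bin/sh
# Added example (not part of the gist): compare two tpm2_pcrread captures, as the gist's
# $PREV_PCR/$CURR_PCR files hold them, and report which PCRs changed and what each measures.
# Constructed sample captures in tpm2_pcrread's "bank:" / "index : 0xvalue" layout; the
# digests are shortened fakes. The current capture differs in PCR 8 and 9 only.
PREV_SAMPLE='  sha256:
    0 : 0x1111
    4 : 0x4444
    7 : 0x7777
    8 : 0x8888
    9 : 0x9999'
CURR_SAMPLE='  sha256:
    0 : 0x1111
    4 : 0x4444
    7 : 0x7777
    8 : 0x8A8A
    9 : 0x9B9B'

# What each PCR measures (same meanings as the registry at the top of the gist) and whether a
# change is the expected trace of a grub/kernel package upgrade or something to investigate.
pcr_meaning() {
  case "$1" in
    0|1|2|3) echo "platform firmware code/data: investigate unless firmware was updated" ;;
    4) echo "boot loader and drivers: expected after a shim/grub upgrade" ;;
    5) echo "GPT/partition table: investigate unless the disk layout was changed" ;;
    7) echo "SecureBoot state: investigate unless Secure Boot settings were changed" ;;
    8) echo "grub commands and kernel command line: expected after a grub/kernel upgrade" ;;
    9) echo "all files read by grub, including the kernel image: expected after a kernel upgrade" ;;
    *) echo "no description on record" ;;
  esac
}

# Print one line "bank:index old new" per PCR whose value differs between the two captures.
changed_pcrs() {  # $1 = previous capture text, $2 = current capture text
  printf '%s\n===\n%s\n' "$1" "$2" | awk '
    /^===$/ { second = 1; next }                                   # separator between captures
    /^ *[A-Za-z0-9_]+:$/ { bank = $1; sub(":$", "", bank); next }  # bank header, e.g. "  sha256:"
    /^ *[0-9]+ *:/ {                                               # PCR line, e.g. "    8 : 0x..."
      key = bank ":" $1
      if (!second) prev[key] = $3                                  # first capture: previous values
      else if ((key in prev) && prev[key] != $3) print key, prev[key], $3
    }'
}

# Human-readable report of the registers that moved and what each one means.
explain_changes() {  # $1 = previous capture text, $2 = current capture text
  changed_pcrs "$1" "$2" | while read -r key old new; do
    printf '%s changed %s -> %s: %s\n' "$key" "$old" "$new" "$(pcr_meaning "${key#*:}")"
  done
}
```

On a real host, run `explain_changes "$(cat "$PREV_PCR")" "$(cat "$CURR_PCR")"` after the script's diff.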