Use a pure golang pcr extend (#286)

2025-09-02 15:14:27 +00:00 · 2024-04-19 11:43:05 +00:00
parent d14a047aa6
commit cbf38f553c
5 changed files with 46 additions and 15 deletions
--- a/internal/utils/common.go
+++ b/internal/utils/common.go
@@ -1,6 +1,7 @@
 package utils

 import (
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"os"
@@ -11,6 +12,8 @@ import (
 	"time"

 	"github.com/avast/retry-go"
+	"github.com/google/go-tpm/tpm2"
+	"github.com/google/go-tpm/tpm2/transport"
 	"github.com/joho/godotenv"
 	"github.com/kairos-io/immucore/internal/constants"
 	"github.com/kairos-io/kairos-sdk/state"
@@ -263,3 +266,35 @@ func DropToEmergencyShell() {
 		}
 	}
 }
+
+// PCRExtend extends the given pcr with the give data.
+func PCRExtend(pcr int, data []byte) error {
+	t, err := transport.OpenTPM()
+	if err != nil {
+		return err
+	}
+	defer func(t transport.TPMCloser) {
+		_ = t.Close()
+	}(t)
+	digest := sha256.Sum256(data)
+	pcrHandle := tpm2.PCRExtend{
+		PCRHandle: tpm2.AuthHandle{
+			Handle: tpm2.TPMHandle(pcr),
+			Auth:   tpm2.PasswordAuth(nil),
+		},
+		Digests: tpm2.TPMLDigestValues{
+			Digests: []tpm2.TPMTHA{
+				{
+					HashAlg: tpm2.TPMAlgSHA256,
+					Digest:  digest[:],
+				},
+			},
+		},
+	}
+
+	if _, err = pcrHandle.Execute(t); err != nil {
+		return err
+	}
+
+	return nil
+}