virgilhem · February 7, 2024 10:39
diff --git a/compute_pcr7.sh b/compute_pcr7.sh
 #!/bin/bash
 PK=/path/to/PK.esl
 KEK=(/path/to/KEK1.esl /path/to/KEK2.esl)
 DB=(/path/to/db1.esl /path/to/db2.esl)

 hash_expand() {
  [ ! -v H ] && H="$(printf '00%.0s' {1..32})"
  H="$(printf "${H}$1" | xxd -r -p | sha256sum | awk '{print $1}')"
 }

 pcr_event_digest() {
  local UnicodeName UnicodeNameLength VariableData VariableDataLength
  local VariableName f1 f2 f3 f4 f5 f1_le f2_le f3_le
  if [ -z "$1" ]; then
    printf "00000000" | xxd -r -p | sha256sum | awk '{print $1}'
    return
  fi
  UnicodeName="$1"
  VariableName="8be4df61-93ca-11d2-aa0d-00e098032b8c"
  [[ "$1" =~ ^db ]] && VariableName="d719b2cb-3d3a-4596-a3bc-dad00e67656f"
  VariableData="$2"
  [ -f "$2" ] &&  VariableData="$(cat "${@: 2}" | xxd -p -c-)"
  UnicodeNameLength="${#UnicodeName}"
  VariableDataLength="$((${#VariableData}/2))"
  IFS=- read -r f1 f2 f3 f4 f5 <<< "${VariableName}"
  f1_le="$(printf "${f1}" | tac -rs ..)"
  f2_le="$(printf "${f2}" | tac -rs ..)"
  f3_le="$(printf "${f3}" | tac -rs ..)"
  efi_uid="${f1_le}${f2_le}${f3_le}${f4}${f5}"
  u_length="$(printf "%016x" "${UnicodeNameLength}" | tac -rs ..)"
  v_length="$(printf "%016x" "${VariableDataLength}" | tac -rs ..)"
  name="$(printf "${UnicodeName}" | iconv -f ASCII -t UTF-16LE | xxd -p -c-)"
  printf "${efi_uid}${u_length}${v_length}${name}${VariableData}" | xxd -r -p | sha256sum | awk '{print $1}'
 }

 compute_expected_hash_pcr7() {
  local H
  hash_expand "$(pcr_event_digest SecureBoot 01)"
  hash_expand "$(pcr_event_digest PK "${PK}")"
  hash_expand "$(pcr_event_digest KEK "${KEK[@]}")"
  hash_expand "$(pcr_event_digest db "${DB[@]}")"
  hash_expand "$(pcr_event_digest dbx \
    "$(efi-readvar -v dbx -o /dev/stdout | sed 's/Variable.*$//' | perl -pe 'chomp if eof' | xxd -p -c-)")"
  hash_expand "$(pcr_event_digest)"
  hash_expand "$(pcr_event_digest db "$(xxd -p -c- "${DB[0]}" | sed 's/^.\{56\}//')")"
  expected_hash="${H^^}"
 }

 compute_expected_hash_pcr7
 echo "hash = ${expected_hash}"
	#!/bin/bash
	PK=/path/to/PK.esl
	KEK=(/path/to/KEK1.esl /path/to/KEK2.esl)
	DB=(/path/to/db1.esl /path/to/db2.esl)

	hash_expand() {
	[ ! -v H ] && H="$(printf '00%.0s' {1..32})"
	H="$(printf "${H}$1" \| xxd -r -p \| sha256sum \| awk '{print $1}')"
	}

	pcr_event_digest() {
	local UnicodeName UnicodeNameLength VariableData VariableDataLength
	local VariableName f1 f2 f3 f4 f5 f1_le f2_le f3_le
	if [ -z "$1" ]; then
	printf "00000000" \| xxd -r -p \| sha256sum \| awk '{print $1}'
	return
	fi
	UnicodeName="$1"
	VariableName="8be4df61-93ca-11d2-aa0d-00e098032b8c"
	[[ "$1" =~ ^db ]] && VariableName="d719b2cb-3d3a-4596-a3bc-dad00e67656f"
	VariableData="$2"
	[ -f "$2" ] && VariableData="$(cat "${@: 2}" \| xxd -p -c-)"
	UnicodeNameLength="${#UnicodeName}"
	VariableDataLength="$((${#VariableData}/2))"
	IFS=- read -r f1 f2 f3 f4 f5 <<< "${VariableName}"
	f1_le="$(printf "${f1}" \| tac -rs ..)"
	f2_le="$(printf "${f2}" \| tac -rs ..)"
	f3_le="$(printf "${f3}" \| tac -rs ..)"
	efi_uid="${f1_le}${f2_le}${f3_le}${f4}${f5}"
	u_length="$(printf "%016x" "${UnicodeNameLength}" \| tac -rs ..)"
	v_length="$(printf "%016x" "${VariableDataLength}" \| tac -rs ..)"
	name="$(printf "${UnicodeName}" \| iconv -f ASCII -t UTF-16LE \| xxd -p -c-)"
	printf "${efi_uid}${u_length}${v_length}${name}${VariableData}" \| xxd -r -p \| sha256sum \| awk '{print $1}'
	}

	compute_expected_hash_pcr7() {
	local H
	hash_expand "$(pcr_event_digest SecureBoot 01)"
	hash_expand "$(pcr_event_digest PK "${PK}")"
	hash_expand "$(pcr_event_digest KEK "${KEK[@]}")"
	hash_expand "$(pcr_event_digest db "${DB[@]}")"
	hash_expand "$(pcr_event_digest dbx \
	"$(efi-readvar -v dbx -o /dev/stdout \| sed 's/Variable.*$//' \| perl -pe 'chomp if eof' \| xxd -p -c-)")"
	hash_expand "$(pcr_event_digest)"
	hash_expand "$(pcr_event_digest db "$(xxd -p -c- "${DB[0]}" \| sed 's/^.\{56\}//')")"
	expected_hash="${H^^}"
	}

	compute_expected_hash_pcr7
	echo "hash = ${expected_hash}"