feat: measure pcr 15

config/basic/default.nix

@@ -20,6 +20,7 @@
 
     ../../modules/deterministic-ids.nix
     ../../modules/distributed-config.nix
+    ../../modules/ensure-pcr.nix
     ../../modules/globals.nix
     ../../modules/meta.nix
     ../../modules/iwd.nix

hosts/desktopnix/fs.nix

@@ -65,4 +65,12 @@
       };
     };
   };
+  boot.initrd.luks.devices.rpool_m2-ssd.crypttabExtraOpts = [
+    "tpm2-device=auto"
+    "tpm2-measure-pcr=yes"
+  ];
+  boot.initrd.luks.devices.panzer_sata-hdd.crypttabExtraOpts = [
+    "tpm2-device=auto"
+    "tpm2-measure-pcr=yes"
+  ];
 }

hosts/patricknix/fs.nix

@@ -1,5 +1,11 @@
-{ config, lib, ... }:
 {
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+
   disko.devices = {
     disk = {
       m2-ssd = rec {
@@ -27,4 +33,31 @@
   };
   fileSystems."/state".neededForBoot = true;
   fileSystems."/persist".neededForBoot = true;
+
+  boot.initrd.systemd.extraBin = {
+    jq = lib.getExe pkgs.jq;
+  };
+  # In ermergency shell type:
+  # ´systemctl disable check-pcrs´
+  # ´systemctl default´
+  # to continue booting
+  boot.initrd.systemd.services.check-pcrs = {
+    script = ''
+      echo "Checking PCRS tag: ctiectie"
+      if [[ $(systemd-analyze pcrs 15 --json=short | jq -r ".[0].sha256") != "a8cfdc8ec869f9edf4635129ba6bb19a076a5d234655cf4684286dc57e325a38" ]] ; then
+        echo "PCR 15 contains invalid hash"
+        exit 1
+      else
+        echo "PCR 15 checked"
+      fi
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    unitConfig.DefaultDependencies = "no";
+    after = [ "cryptsetup.target" ];
+    before = [ "sysroot.mount" ];
+    requiredBy = [ "sysroot.mount" ];
+  };
 }

modules/ensure-pcr.nix

@@ -0,0 +1,13 @@
+{ lib, ... }:
+{
+  options.boot.initrd.luks.devices = lib.mkOption {
+    type =
+      with lib.types;
+      attrsOf (submodule {
+        config.crypttabExtraOpts = [
+          "tpm2-device=auto"
+          "tpm2-measure-pcr=yes"
+        ];
+      });
+  };
+}