Log TDX measurements on boot (#143)

* Log TDX measurements on boot

* Use perl script rather than attested-tls-proxy for measurement logging

* Switch to systemd oneshot service

Author: ameba23

shared/mkosi.conf

@@ -36,6 +36,7 @@ Packages=kmod
          busybox
          util-linux
          procps
+         perl
          ca-certificates
          openssl
          iproute2

shared/mkosi.extra/etc/systemd/system/print-measurements.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Log TDX measurements
+After=basic.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/print-measurements
+StandardOutput=journal+console
+StandardError=journal+console
+
+[Install]
+WantedBy=minimal.target

shared/mkosi.extra/usr/bin/print-measurements

@@ -0,0 +1,8 @@
+#!/usr/bin/env perl
+
+my $errmsg = "Measurements not available on this platform\n";
+my $b = "\0" x 1088;
+sysopen F, "/dev/tdx_guest", 2 or do { warn $errmsg; exit 0; };
+ioctl F, 0xc4405401, $b or do { warn $errmsg; exit 0; };
+my @r = unpack "(H96)4", substr $b, 784, 192;
+print "RTMR$_: $r[$_]\n" for 0..3;

shared/mkosi.postinst.d/90-debloat-systemd.sh

@@ -50,6 +50,7 @@ done
 # Enable chrony service
 mkosi-chroot systemctl add-wants minimal.target \
     chrony.service \
+    print-measurements.service \
     systemd-resolved.service \
     systemd-networkd.service \
     systemd-networkd-wait-online.service