Refactor uinit

Nitrokey · Nov 4, 2024 · d8631a3 · d8631a3
1 parent dbe02ed
commit d8631a3
Show file tree

Hide file tree

Showing 20 changed files with 96 additions and 113 deletions.
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -234,7 +234,7 @@ build_muen_prodrive_hermes:
     - if: $CI_COMMIT_BRANCH != $DEFAULT_BRANCH
   variables:
     MODE: muen
-    MUEN_HARDWARE: prodrive-hermes-1.0
+    MUEN_HARDWARE: prodrive-hermes-1
     GIT_LFS_SKIP_SMUDGE: 0
   stage: build
   needs:
@@ -259,7 +259,7 @@ build_muen_msi_z790:
     - if: $CI_COMMIT_BRANCH != $DEFAULT_BRANCH
   variables:
     MODE: muen
-    MUEN_HARDWARE: msi-z790-1.0
+    MUEN_HARDWARE: msi-z790-1
     GIT_LFS_SKIP_SMUDGE: 0
   stage: build
   needs:

diff --git a/Makefile.sub b/Makefile.sub
@@ -23,7 +23,7 @@ NET_INTERNAL ?= tap201
 # (actual setting is performed later)
 
 # Set MUEN_HARDWARE to the specific hardware platform the Muen system is being
-# built for. Currently supported: qemu-kvm or prodrive-hermes-1.0.
+# built for. Currently supported: qemu-kvm or prodrive-hermes-1 msi-z790-1.
 #
 # TODO: This should be persisted similarly to MODE=, or otherwise detect that
 # it changed?
@@ -129,6 +129,7 @@ endif
 
 SOFTWARE_VERSION := src/keyfender/softwareVersion
 BUILD_TAG := $(strip $(shell git -C . describe --tags --always --long))
+GO_HW_TAG := $(shell echo -n $(MUEN_HARDWARE) | tr -- - _)
 
 src/keyfender/buildTag:
 	echo $(BUILD_TAG) > $@
@@ -140,7 +141,7 @@ $(SOFTWARE_VERSION): CHANGES.md
 ifneq ($(CCACHE_DIR),)
 	mkdir -p $(CCACHE_DIR)
 endif
-ifneq ($(filter $(MUEN_HARDWARE),prodrive-hermes-1.0 msi-z790-1.0),)
+ifneq ($(filter $(MUEN_HARDWARE),prodrive-hermes-1 msi-z790-1),)
 	opam source gmp-freestanding --dir $(TOP_DIR)/src/gmp-freestanding
 	patch -p1 -d $(TOP_DIR)/src/gmp-freestanding <$(TOP_DIR)/src/muen/gmp-kabylake.patch
 	opam pin -y -n gmp-freestanding $(TOP_DIR)/src/gmp-freestanding
@@ -470,7 +471,7 @@ MUEN_LINUX_CONFIG := $(TOP_DIR)/src/muen/linux/config-6.1-$(MUEN_HARDWARE)
 MUEN_HARDWARE_XML := $(MUEN_POLICY_DIR)/hardware/nethsm-$(MUEN_HARDWARE).xml
 MUEN_PLATFORM_XML := $(MUEN_POLICY_DIR)/platform/nethsm-$(MUEN_HARDWARE).xml
 
-ifeq ($(filter $(MUEN_HARDWARE),qemu-kvm prodrive-hermes-1.0 msi-z790-1.0),)
+ifeq ($(filter $(MUEN_HARDWARE),qemu-kvm prodrive-hermes-1 msi-z790-1),)
 $(error Invalid MUEN_HARDWARE)
 endif
 
@@ -546,10 +547,9 @@ $(INSTALL_DATA_CPIO): $(OBJ_DATA_CPIO)
 OBJ_INITRAMFS_CPIO := $(OBJ_DIR)/initramfs.cpio
 OBJ_INITRAMFS := $(OBJ_DIR)/initramfs.cpio.gz
 U_ROOT_SRC := /nethsm-tools/u-root
-U_ROOT_UINIT_DIR := $(TOP_DIR)/src/u-root/uinit
+U_ROOT_DIR := $(TOP_DIR)/src/u-root
+U_ROOT_UINIT_DIR := $(U_ROOT_DIR)/uinit
 U_ROOT_UINIT := $(U_ROOT_UINIT_DIR)/uinit
-U_ROOT_BUILD_TAG := $(U_ROOT_UINIT_DIR)/.build_tag
-U_ROOT_HW_VERSION := $(U_ROOT_UINIT_DIR)/.hardware_version
 # XXX the documented shorthand of cmds/core/{foo,bar} doesn't seem to work here.
 U_ROOT_PKGS := ./cmds/core/init \
     ./cmds/core/cpio \
@@ -559,16 +559,10 @@ U_ROOT_PKGS := ./cmds/core/init \
     ./cmds/core/mkdir \
     ./cmds/core/mount \
     ./cmds/core/shutdown \
-    ./cmds/core/umount \
+    ./cmds/core/umount
 
-$(U_ROOT_BUILD_TAG):
-	echo -n "$(BUILD_TAG)" >$@
-
-$(U_ROOT_HW_VERSION):
-	echo -n "$(MUEN_HARDWARE)" >$@
-
-$(U_ROOT_UINIT): $(U_ROOT_BUILD_TAG) $(U_ROOT_HW_VERSION)
-	cd $(U_ROOT_UINIT_DIR) && go build .
+$(U_ROOT_UINIT):
+	cd $(U_ROOT_UINIT_DIR) && go build -tags $(GO_HW_TAG) .
 
 INITRAMFS_DEPS := $(INSTALL_ETCD_DAEMON) $(INSTALL_MKE2FS) $(INSTALL_ETC_DIR) $(INSTALL_SFDISK) \
     $(INSTALL_DATA_CPIO)
@@ -585,9 +579,7 @@ $(OBJ_INITRAMFS): $(U_ROOT_BIN) $(INITRAMFS_DEPS) $(U_ROOT_UINIT)
 
 # Ensure u-root initramfs is rebuilt if nethsm uinit sources change.
 # There might be a better way of doing this, but this will have to do for now.
-$(OBJ_INITRAMFS): \
-    $(wildcard $(U_ROOT_UINIT_DIR)/*.go) \
-    $(U_ROOT_UINIT_DIR)/script/script.go
+$(OBJ_INITRAMFS): $(wildcard $(U_ROOT_DIR)/**/*)
 
 # ------------------------------------------------------------------------------
 MUEN_POLICY_OBJ_DIR := $(MUEN_DIR)/policy/obj
@@ -664,34 +656,31 @@ $(OBJ_UPDATE_IMG): $(OBJ_SYSTEM_IMG) $(SIGN_UPDATE) $(OBJ_UPDATE_CHANGELOG)
 OBJ_INSTALLER_IMG := $(OBJ_DIR)/installer.img
 OBJ_INSTALLER_ROOT := $(OBJ_DIR)/installer
 OBJ_INSTALLER_INITRAMFS := $(OBJ_INSTALLER_ROOT)/boot/initramfs
-INSTALLER_DIR := $(TOP_DIR)/src/installer
-INSTALLER_UINIT := $(INSTALLER_DIR)/uinit
-INSTALLER_HW_VERSION := $(INSTALLER_DIR)/.hardware_version
+INSTALLER_DIR := $(U_ROOT_DIR)/installer
+INSTALLER_BIN := $(INSTALLER_DIR)/installer
+INSTALLER_FILES := $(TOP_DIR)/src/installer
 
 INSTALLER_INITRAMFS_DEPS := $(MKE2FS) $(SFDISK) $(OBJ_SYSTEM_IMG) $(OBJ_UPDATE_CHANGELOG)
 
-$(OBJ_INSTALLER_ROOT): $(wildcard $(INSTALLER_DIR)/root/**/*)
+$(OBJ_INSTALLER_ROOT): $(wildcard $(INSTALLER_FILES)/root/**/*)
 	rm -rf $@
-	cp -a $(INSTALLER_DIR)/root $@
+	cp -a $(INSTALLER_FILES)/root $@
 	sed -i s/__BUILD_TAG__/$(BUILD_TAG)/ $@/boot/grub/grub.cfg
 
-$(INSTALLER_HW_VERSION):
-	echo -n "$(MUEN_HARDWARE)" >$@
-
-$(INSTALLER_UINIT): $(INSTALLER_DIR)/uinit.go $(INSTALLER_HW_VERSION)
-	cd $(INSTALLER_DIR) && go build ./uinit.go
+$(INSTALLER_BIN): $(wildcard $(U_ROOT_DIR)/**/*)
+	cd $(INSTALLER_DIR) && go build -tags $(GO_HW_TAG) .
 
-$(OBJ_INSTALLER_INITRAMFS): $(U_ROOT_BIN) $(INSTALLER_INITRAMFS_DEPS) $(OBJ_INSTALLER_ROOT) $(INSTALLER_UINIT)
+$(OBJ_INSTALLER_INITRAMFS): $(U_ROOT_BIN) $(INSTALLER_INITRAMFS_DEPS) $(OBJ_INSTALLER_ROOT) $(INSTALLER_BIN)
 	cd $(U_ROOT_SRC) && ./u-root \
 		-o /tmp/installer_initramfs.cpio \
 		-defaultsh="" \
-		-files $(INSTALLER_DIR)/initramfs:. \
+		-files $(INSTALLER_FILES)/initramfs:. \
 		-files $(MKE2FS):bin/mke2fs \
 		-files $(SFDISK):bin/sfdisk \
 		-files $(ETC_DIR)/mke2fs.conf:etc/mke2fs.conf \
 		-files $(OBJ_SYSTEM_IMG):system.img.cpio \
 		-files $(OBJ_UPDATE_CHANGELOG):update.changelog \
-		-files "$(INSTALLER_UINIT):bin/uinit" \
+		-files "$(INSTALLER_BIN):bin/uinit" \
 		./cmds/core/init \
 		./cmds/core/insmod \
 		./cmds/core/echo \
@@ -715,11 +704,11 @@ $(OBJ_INSTALLER_IMG): $(OBJ_INSTALLER_INITRAMFS) $(OBJ_INSTALLER_ROOT) tools/gpg
 
 ARTIFACTS := $(OBJ_SYSTEM_IMG) $(OBJ_UPDATE_IMG)
 
-ifeq ($(MUEN_HARDWARE),prodrive-hermes-1.0)
+ifeq ($(MUEN_HARDWARE),prodrive-hermes-1)
 ARTIFACTS += $(OBJ_INSTALLER_IMG)
 endif
 
-ifeq ($(MUEN_HARDWARE),msi-z790-1.0)
+ifeq ($(MUEN_HARDWARE),msi-z790-1)
 ARTIFACTS += $(OBJ_INSTALLER_IMG)
 endif
 

diff --git a/docs/developer-documentation.md b/docs/developer-documentation.md
@@ -311,7 +311,7 @@ This is supported on Linux and FreeBSD systems, and to a lesser extent on Mac (`
     make -j$(nproc) build
     ```
 
-For building all artifacts for the ProDrive Hermes hardware add `MODE=muen MUEN_HARDWARE=prodrive-hermes-1.0 WITH_COREBOOT=1` to the build command. In case this changes the mode in the stamp file the build process will fail. In this case you have to run `make distclean` before.
+For building all artifacts for the ProDrive Hermes hardware add `MODE=muen MUEN_HARDWARE=prodrive-hermes-1 WITH_COREBOOT=1` to the build command. In case this changes the mode in the stamp file the build process will fail. In this case you have to run `make distclean` before.
 
 #### Running
 
@@ -370,7 +370,7 @@ The build process inside the builder container needs access to the repositories
     make -j$(nproc) build
     ```
 
-For building all artifacts for the ProDrive Hermes hardware add `MODE=muen MUEN_HARDWARE=prodrive-hermes-1.0 WITH_COREBOOT=1` to the build command. In case this changes the mode in the stamp file the build process will fail. In this case you have to run `make distclean` before.
+For building all artifacts for the ProDrive Hermes hardware add `MODE=muen MUEN_HARDWARE=prodrive-hermes-1 WITH_COREBOOT=1` to the build command. In case this changes the mode in the stamp file the build process will fail. In this case you have to run `make distclean` before.
 
 Notes:
 
@@ -476,7 +476,7 @@ cargo install openapi-fuzzer
 And running
 
 ```sh
-openapi-fuzzer resend --url <url> <json result file> 
+openapi-fuzzer resend --url <url> <json result file>
 ```
 
 You can add `-H 'Authorization: Basic <b64>'` to the command line to add an authorization header (replace `<b64>` by the base64 encoded auth string)

diff --git a/docs/nethsm-api.yaml b/docs/nethsm-api.yaml
@@ -2145,8 +2145,8 @@ paths:
             schema:
               $ref: "#/components/schemas/RestoreRequest"
       security:
-        - {}         # for complete restore
-        - basic: []  # for partial restore
+        - {} # for complete restore
+        - basic: [] # for partial restore
       x-annotation-role:
         - Public
       x-annotation-state:
@@ -2806,7 +2806,7 @@ components:
         softwareVersion: "1.7"
         softwareBuild: f3f6292
         firmwareVersion: 1.0-devel
-        hardwareVersion: prodrive-hermes-1.0
+        hardwareVersion: prodrive-hermes-1
         deviceId: 5UMIP364R2
         akPub:
           P256: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEup7z8QYvkzkBuLryG1SgVQjlPhSFW3PzYn1l3uLNd+pSBxX0OBpslcbnmPFr5wSs/iP46+H8MFlEAYUkYv6uuQ==

diff --git a/src/muen/linux/config-6.1-msi-z790-1.0 → src/muen/linux/config-6.1-msi-z790-1 b/src/muen/linux/config-6.1-msi-z790-1.0 → src/muen/linux/config-6.1-msi-z790-1
diff --git a/...muen/linux/config-6.1-prodrive-hermes-1.0 → src/muen/linux/config-6.1-prodrive-hermes-1 b/...muen/linux/config-6.1-prodrive-hermes-1.0 → src/muen/linux/config-6.1-prodrive-hermes-1
diff --git a/...n/policy/hardware/nethsm-msi-z790-1.0.xml → ...uen/policy/hardware/nethsm-msi-z790-1.xml b/...n/policy/hardware/nethsm-msi-z790-1.0.xml → ...uen/policy/hardware/nethsm-msi-z790-1.xml
diff --git a/...y/hardware/nethsm-prodrive-hermes-1.0.xml → ...icy/hardware/nethsm-prodrive-hermes-1.xml b/...y/hardware/nethsm-prodrive-hermes-1.0.xml → ...icy/hardware/nethsm-prodrive-hermes-1.xml
diff --git a/...n/policy/platform/nethsm-msi-z790-1.0.xml → ...uen/policy/platform/nethsm-msi-z790-1.xml b/...n/policy/platform/nethsm-msi-z790-1.0.xml → ...uen/policy/platform/nethsm-msi-z790-1.xml
diff --git a/...y/platform/nethsm-prodrive-hermes-1.0.xml → ...icy/platform/nethsm-prodrive-hermes-1.xml b/...y/platform/nethsm-prodrive-hermes-1.0.xml → ...icy/platform/nethsm-prodrive-hermes-1.xml
diff --git a/src/u-root/uinit/go.mod → src/u-root/go.mod b/src/u-root/uinit/go.mod → src/u-root/go.mod
@@ -1,7 +1,7 @@
 // Copyright 2023 - 2023, Nitrokey GmbH
 // SPDX-License-Identifier: EUPL-1.2
 
-module nethsm/uinit
+module nethsm
 
 go 1.21
 
@@ -11,7 +11,6 @@ require (
 	github.com/canonical/go-tpm2 v1.7.6
 	github.com/google/nftables v0.2.0
 	github.com/u-root/u-root v0.14.0
-	golang.org/x/sys v0.25.0
 )
 
 require (
@@ -20,8 +19,9 @@ require (
 	github.com/josharian/native v1.1.0 // indirect
 	github.com/mdlayher/netlink v1.7.2 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
-	golang.org/x/crypto v0.27.0 // indirect
-	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.26.0 // indirect
 	gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 // indirect
 )
diff --git a/src/u-root/uinit/go.sum → src/u-root/go.sum b/src/u-root/uinit/go.sum → src/u-root/go.sum
@@ -29,16 +29,16 @@ github.com/u-root/u-root v0.14.0 h1:Ka4T10EEML7dQ5XDvO9c3MBN8z4nuSnGjcd1jmU2ivg=
 github.com/u-root/u-root v0.14.0/go.mod h1:hAyZorapJe4qzbLWlAkmSVCJGbfoU9Pu4jpJ1WMluqE=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
 golang.org/x/mod v0.15.0 h1:SernR4v+D55NyBH2QiEQrlBAnj1ECL6AGrA5+dPaMY8=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
 golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ=
 golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

diff --git a/src/u-root/hw/const_hermes.go b/src/u-root/hw/const_hermes.go
@@ -0,0 +1,15 @@
+//go:build prodrive_hermes_1
+
+package hw
+
+import "github.com/canonical/go-tpm2"
+
+const (
+	Version    = "prodrive-hermes-1"
+	DiskDev    = "/dev/sda"
+	DiskPrefix = "/dev/sda"
+)
+
+func MeasuredPCRs() tpm2.PCRSelect {
+	return tpm2.PCRSelect{0, 2}
+}
diff --git a/src/u-root/hw/const_z790.go b/src/u-root/hw/const_z790.go
@@ -0,0 +1,15 @@
+//go:build msi_z790_1
+
+package hw
+
+import "github.com/canonical/go-tpm2"
+
+const (
+	Version    = "msi-z790-1"
+	DiskDev    = "/dev/nvme0n1"
+	DiskPrefix = "/dev/nvme0n1p"
+)
+
+func MeasuredPCRs() tpm2.PCRSelect {
+	return tpm2.PCRSelect{2}
+}
diff --git a/src/installer/uinit.go → src/u-root/installer/uinit.go b/src/installer/uinit.go → src/u-root/installer/uinit.go
@@ -7,14 +7,9 @@ import (
 	"os/exec"
 	"strings"
 	"time"
-)
-
-//go:embed .hardware_version
-var hardwareVersion string
 
-func isZ790() bool {
-	return hardwareVersion[:9] == "msi-z790-"
-}
+	"nethsm/hw"
+)
 
 func main() {
 	// Load kernel modules
@@ -32,14 +27,6 @@ name="data"
 	reset := false
 	fast := false
 
-	diskDev := "/dev/sda"
-	partPrefix := "/dev/sda"
-
-	if isZ790() {
-		diskDev = "/dev/nvme0n1"
-		partPrefix = "/dev/nvme0n1p"
-	}
-
 	// Check for factory reset command-line arguments
 	for _, arg := range os.Args[1:] {
 		if arg == "factory-reset" {
@@ -83,16 +70,16 @@ name="data"
 	if reset {
 		fmt.Println(sep)
 		fmt.Println("Partitioning hard disk")
-		partitionDisk(partitions, diskDev)
+		partitionDisk(partitions, hw.DiskDev)
 		fmt.Println(sep)
 		fmt.Println("Writing to first system partition")
-		writeToPartition(file, partPrefix+"1")
+		writeToPartition(file, hw.DiskPrefix+"1")
 		fmt.Println(sep)
 		fmt.Println("Writing to second system partition")
-		writeToPartition(file, partPrefix+"2")
+		writeToPartition(file, hw.DiskPrefix+"2")
 		fmt.Println(sep)
 		fmt.Println("Formatting data partition")
-		formatDataPartition(partPrefix + "3")
+		formatDataPartition(hw.DiskPrefix + "3")
 		fmt.Println(sep)
 		fmt.Println("Successfully installed:")
 		fmt.Println(changeLog)
@@ -101,7 +88,7 @@ name="data"
 	} else {
 		fmt.Println(sep)
 		fmt.Println("Writing to first system partition")
-		writeToPartition(file, partPrefix+"1")
+		writeToPartition(file, hw.DiskPrefix+"1")
 	}
 
 	fmt.Println(sep)

diff --git a/src/u-root/uinit/script/script.go → src/u-root/script/script.go b/src/u-root/uinit/script/script.go → src/u-root/script/script.go
diff --git a/src/u-root/uinit/firmwareversion.go b/src/u-root/uinit/firmwareversion.go
@@ -5,15 +5,13 @@
 // the "Device Key" stored in the TPM.
 package main
 
-var firmwareVersions = map[string]string{
-	"2eeb3fbb4a1e4533ab7246d05049a7676d4a378d62426976c32774263d945806": "0.9-devel",
-	"db89554134cbbc1f54e625a5df8e175a1f5189a3bfdffdfe249640a99a4bbbee": "1.0-devel",
-	"6164cc90d15caca5da0bbcba579c438b1e274dfb979b8aeeb5a497b2e4ab2e69": "1.0-prod",
-}
-
-const firmwarePCRIdx = 2
-
 func getFirmwareVersion(pcr map[int]string) string {
+	const firmwarePCRIdx = 2
+	firmwareVersions := map[string]string{
+		"2eeb3fbb4a1e4533ab7246d05049a7676d4a378d62426976c32774263d945806": "0.9-devel",
+		"db89554134cbbc1f54e625a5df8e175a1f5189a3bfdffdfe249640a99a4bbbee": "1.0-devel",
+		"6164cc90d15caca5da0bbcba579c438b1e274dfb979b8aeeb5a497b2e4ab2e69": "1.0-prod",
+	}
 	version, ok := firmwareVersions[pcr[firmwarePCRIdx]]
 	if ok {
 		return version