2023-02-08 21:01:48 +00:00
|
|
|
#!/bin/bash
|
2017-04-12 10:49:39 +00:00
|
|
|
# Generate a random secret, seal it with the PCRs
|
|
|
|
# and write it to the TPM NVRAM.
|
|
|
|
#
|
|
|
|
# Pass in a hostname if you want to change it from the default string
|
|
|
|
#
|
|
|
|
|
|
|
|
. /etc/functions
|
|
|
|
|
2023-02-20 16:01:17 +00:00
|
|
|
TRACE "Under /bin/seal-totp"
|
2023-02-18 17:58:43 +00:00
|
|
|
|
2017-04-12 10:49:39 +00:00
|
|
|
TPM_NVRAM_SPACE=4d47
|
|
|
|
|
|
|
|
HOST="$1"
|
|
|
|
if [ -z "$HOST" ]; then
|
|
|
|
HOST="TPMTOTP"
|
|
|
|
fi
|
2023-03-10 20:36:24 +00:00
|
|
|
TPM_PASSWORD="$2"
|
2017-04-12 10:49:39 +00:00
|
|
|
|
|
|
|
TOTP_SECRET="/tmp/secret/totp.key"
|
|
|
|
TOTP_SEALED="/tmp/secret/totp.sealed"
|
|
|
|
|
|
|
|
dd \
|
|
|
|
if=/dev/urandom \
|
|
|
|
of="$TOTP_SECRET" \
|
|
|
|
count=1 \
|
|
|
|
bs=20 \
|
|
|
|
2>/dev/null \
|
|
|
|
|| die "Unable to generate 20 random bytes"
|
|
|
|
|
|
|
|
secret="`base32 < $TOTP_SECRET`"
|
2023-03-08 17:39:06 +00:00
|
|
|
pcrf="/tmp/secret/pcrf.bin"
|
|
|
|
tpmr pcrread 0 "$pcrf"
|
|
|
|
tpmr pcrread -a 1 "$pcrf"
|
|
|
|
tpmr pcrread -a 2 "$pcrf"
|
|
|
|
tpmr pcrread -a 3 "$pcrf"
|
|
|
|
# pcr 4 is expected to be zero (boot mode: init)
|
2023-03-08 21:42:19 +00:00
|
|
|
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
|
2023-03-08 17:39:06 +00:00
|
|
|
# pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
|
2023-03-09 18:28:04 +00:00
|
|
|
DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)"
|
2023-03-08 17:39:06 +00:00
|
|
|
# pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
|
2023-03-09 18:28:04 +00:00
|
|
|
DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)"
|
2023-03-08 17:39:06 +00:00
|
|
|
# pcr 7 is containing measurements of user injected stuff in cbfs
|
|
|
|
tpmr pcrread -a 7 "$pcrf"
|
2023-03-10 20:36:24 +00:00
|
|
|
tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD" \
|
2023-03-08 17:39:06 +00:00
|
|
|
|| die "Unable to write sealed secret to NVRAM"
|
2019-02-22 01:16:02 +00:00
|
|
|
shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null
|
2017-04-12 10:49:39 +00:00
|
|
|
|
|
|
|
url="otpauth://totp/$HOST?secret=$secret"
|
|
|
|
secret=""
|
|
|
|
|
|
|
|
qrenc "$url"
|
2021-08-07 17:40:13 +00:00
|
|
|
echo "$url"
|