heads/initrd/bin/qubes-measure-luks

#!/bin/sh
# Measure all of the luks disk encryption headers into
# a PCR so that we can detect disk swap attacks.
. /etc/functions

TRACE "Under /bin/qubes-measure-luks"

die() { echo >&2 "$@"; exit 1; }

# Measure the luks headers into PCR 6
for dev in "$@"; do
	cryptsetup luksHeaderBackup $dev \
		   --header-backup-file /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g') \
		|| die "$dev: Unable to read luks header"
done

sha256sum /tmp/lukshdr-* > /tmp/luksDump.txt || die "Unable to hash luks headers"
rm /tmp/lukshdr-*

tpmr extend -ix 6 -if /tmp/luksDump.txt \
|| die "Unable to extend PCR"
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-01 23:02:00 -04:00			`#!/bin/sh`
			`# Measure all of the luks disk encryption headers into`
			`# a PCR so that we can detect disk swap attacks.`
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config -qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now 2023-02-18 12:58:43 -05:00			`. /etc/functions`

Add TRACE function tracing function to output on console when enabled - Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs - Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc) - add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action 2023-02-20 11:01:17 -05:00			`TRACE "Under /bin/qubes-measure-luks"`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-01 23:02:00 -04:00
			`die() { echo >&2 "$@"; exit 1; }`

			`# Measure the luks headers into PCR 6`
			`for dev in "$@"; do`
Use luksHeaderBackup rather than luksDump to measure luks headers. 2022-01-19 07:07:03 +02:00			`cryptsetup luksHeaderBackup $dev \`
			`--header-backup-file /tmp/lukshdr-$(echo "$dev" \| sed 's/\//_/g') \`
			`\|\| die "$dev: Unable to read luks header"`
			`done`

			`sha256sum /tmp/lukshdr-* > /tmp/luksDump.txt \|\| die "Unable to hash luks headers"`
			`rm /tmp/lukshdr-*`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-01 23:02:00 -04:00
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities 2022-08-25 14:43:31 -04:00			`tpmr extend -ix 6 -if /tmp/luksDump.txt \`
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-01 23:02:00 -04:00			`\|\| die "Unable to extend PCR"`