2023-02-08 16:01:48 -05:00
|
|
|
#!/bin/bash
|
2017-07-12 00:17:45 -04:00
|
|
|
# Generate a TPM key used to unlock LUKS disks
|
2023-08-22 14:34:29 -04:00
|
|
|
|
|
|
|
. /etc/functions
|
|
|
|
|
2024-02-01 14:30:31 -05:00
|
|
|
TRACE_FUNC
|
2017-07-12 00:17:45 -04:00
|
|
|
set -e -o pipefail
|
|
|
|
. /etc/functions
|
|
|
|
|
|
|
|
lvm_volume_group=""
|
2017-07-22 16:32:10 -04:00
|
|
|
skip_sign="n"
|
|
|
|
while getopts "sp:d:l:" arg; do
|
2017-07-12 00:17:45 -04:00
|
|
|
case $arg in
|
2023-09-01 15:18:36 -04:00
|
|
|
s) skip_sign="y" ;;
|
|
|
|
p) paramsdir="$OPTARG" ;;
|
|
|
|
d) paramsdev="$OPTARG" ;;
|
|
|
|
l) lvm_volume_group="$OPTARG" ;;
|
2017-07-12 00:17:45 -04:00
|
|
|
esac
|
|
|
|
done
|
2023-08-22 14:34:29 -04:00
|
|
|
|
|
|
|
DEBUG "kexec-save-key prior of parsing: paramsdir: $paramsdir, paramsdev: $paramsdev, lvm_volume_group: $lvm_volume_group"
|
|
|
|
|
2023-09-01 15:18:36 -04:00
|
|
|
shift $(expr $OPTIND - 1)
|
2017-07-12 00:17:45 -04:00
|
|
|
key_devices="$@"
|
|
|
|
|
2023-08-22 14:34:29 -04:00
|
|
|
DEBUG "kexec-save-key: key_devices: $key_devices"
|
|
|
|
|
2017-07-12 00:17:45 -04:00
|
|
|
if [ -z "$paramsdir" ]; then
|
2017-07-22 16:32:10 -04:00
|
|
|
die "Usage: $0 [-s] -p /boot [-l qubes_dom0] [/dev/sda2 /dev/sda5 ...] "
|
2017-07-12 00:17:45 -04:00
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -z "$paramsdev" ]; then
|
|
|
|
paramsdev="$paramsdir"
|
2023-08-22 14:34:29 -04:00
|
|
|
DEBUG "kexec-save-key: paramsdev modified to : $paramsdev"
|
2017-07-12 00:17:45 -04:00
|
|
|
fi
|
|
|
|
|
2017-07-22 14:25:39 -04:00
|
|
|
paramsdev="${paramsdev%%/}"
|
|
|
|
paramsdir="${paramsdir%%/}"
|
|
|
|
|
2023-08-22 14:34:29 -04:00
|
|
|
DEBUG "kexec-save-key prior of last override: paramsdir: $paramsdir, paramsdev: $paramsdev, lvm_volume_group: $lvm_volume_group"
|
|
|
|
|
2017-07-12 00:17:45 -04:00
|
|
|
if [ -n "$lvm_volume_group" ]; then
|
2023-09-01 15:18:36 -04:00
|
|
|
lvm vgchange -a y $lvm_volume_group ||
|
|
|
|
die "Failed to activate the LVM group"
|
2017-07-12 00:17:45 -04:00
|
|
|
for dev in /dev/$lvm_volume_group/*; do
|
|
|
|
key_devices="$key_devices $dev"
|
|
|
|
done
|
|
|
|
fi
|
|
|
|
|
|
|
|
if [ -z "$key_devices" ]; then
|
|
|
|
die "No devices specified for TPM key insertion"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# try to switch to rw mode
|
|
|
|
mount -o rw,remount $paramsdev
|
|
|
|
|
|
|
|
rm -f $paramsdir/kexec_key_lvm.txt || true
|
|
|
|
if [ -n "$lvm_volume_group" ]; then
|
2023-08-22 14:34:29 -04:00
|
|
|
DEBUG "kexec-save-key saving under $paramsdir/kexec_key_lvm.txt : lvm_volume_group: $lvm_volume_group"
|
2023-09-01 15:18:36 -04:00
|
|
|
echo "$lvm_volume_group" >$paramsdir/kexec_key_lvm.txt ||
|
|
|
|
die "Failed to write lvm group to key config "
|
2017-07-12 00:17:45 -04:00
|
|
|
fi
|
|
|
|
|
|
|
|
rm -f $paramsdir/kexec_key_devices.txt || true
|
2017-07-12 00:43:08 -04:00
|
|
|
for dev in $key_devices; do
|
2023-09-01 15:18:36 -04:00
|
|
|
DEBUG "Getting UUID for $dev"
|
|
|
|
uuid=$(cryptsetup luksUUID "$dev" 2>/dev/null) ||
|
|
|
|
die "Failed to get UUID for device $dev"
|
|
|
|
DEBUG "Saving under $paramsdir/kexec_key_devices.txt : dev: $dev, uuid: $uuid"
|
|
|
|
echo "$dev $uuid" >>$paramsdir/kexec_key_devices.txt ||
|
|
|
|
die "Failed to add $dev:$uuid to key devices config"
|
2017-07-12 00:17:45 -04:00
|
|
|
done
|
|
|
|
|
2023-09-01 15:18:36 -04:00
|
|
|
kexec-seal-key $paramsdir ||
|
Uniformize vocabulary: LUKS TPM Disk Unlock Key & LUKS Disk Recovery Key
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.
'''
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
'''
Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:
'''
This will replace the encrypted container content and its LUKS Disk
Recovery Key.
The passphrase associated with this key will be asked from the user
under the following conditions:
1-Every boot if no Disk Unlock Key was added to the TPM
2-If the TPM fails (hardware failure)
3-If the firmware has been tampered with/modified by the user
This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.
At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.
Hit Enter to continue.
'''
Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-19 12:32:04 -05:00
|
|
|
die "Failed to save and generate LUKS TPM Disk Unlock Key"
|
2017-07-12 00:17:45 -04:00
|
|
|
|
2017-07-22 16:32:10 -04:00
|
|
|
if [ "$skip_sign" != "y" ]; then
|
2022-08-25 14:43:31 -04:00
|
|
|
extparam=
|
|
|
|
if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then
|
|
|
|
extparam=-r
|
|
|
|
fi
|
2017-07-22 16:32:10 -04:00
|
|
|
# sign and auto-roll config counter
|
2023-09-01 15:18:36 -04:00
|
|
|
kexec-sign-config -p $paramsdir $extparam ||
|
|
|
|
die "Failed to sign updated config"
|
2017-07-22 16:32:10 -04:00
|
|
|
fi
|
2017-07-12 00:17:45 -04:00
|
|
|
|
|
|
|
# switch back to ro mode
|
2023-09-01 15:18:36 -04:00
|
|
|
mount -o ro,remount $paramsdev
|