2023-02-08 21:01:48 +00:00
#!/bin/bash
2024-03-27 14:04:10 +00:00
# Unseal a LUKS Disk Unlock Key from TPM and add to a new initramfs
2017-07-12 04:17:45 +00:00
set -e -o pipefail
. /etc/functions
2024-02-01 19:30:31 +00:00
TRACE_FUNC
2023-02-18 17:58:43 +00:00
2017-07-12 04:17:45 +00:00
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
INITRD="$1"
if [ -z "$INITRD" ]; then
die "Usage: $0 /boot/initramfs... "
fi
if [ ! -r "$TMP_KEY_DEVICES" ]; then
die "No devices defined for disk encryption"
fi
if [ -r "$TMP_KEY_LVM" ]; then
# Activate the LVM volume group
2023-08-30 20:49:39 +00:00
VOLUME_GROUP=$(cat $TMP_KEY_LVM)
2017-07-12 04:17:45 +00:00
if [ -z "$TMP_KEY_LVM" ]; then
die "No LVM volume group defined for activation"
fi
2023-08-30 20:49:39 +00:00
lvm vgchange -a y $VOLUME_GROUP ||
die "$VOLUME_GROUP: unable to activate volume group"
2017-07-12 04:17:45 +00:00
fi
2024-03-27 14:04:10 +00:00
# Measure the LUKS headers before we unseal the LUKS Disk Unlock Key from TPM
2023-08-30 20:49:39 +00:00
cat "$TMP_KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks ||
die "LUKS measure failed"
2017-07-12 04:17:45 +00:00
2020-11-06 06:03:44 +00:00
# Unpack the initrd and fixup the crypttab
2017-07-12 04:17:45 +00:00
# this is a hack to split it into two parts since
# we know that the first 0x3400 bytes are the microcode
INITRD_DIR=/tmp/secret/initrd
SECRET_CPIO=/tmp/secret/initrd.cpio
2020-11-06 06:03:44 +00:00
bootdir=$(dirname "$INITRD")
2023-01-16 20:15:21 +00:00
mkdir -p "$INITRD_DIR/etc"
2017-07-12 04:17:45 +00:00
2024-04-08 20:22:57 +00:00
if [ -e /boot/kexec_lukshdr_hash.txt ] && [ -e /tmp/luksDump.txt ]; then
if ! cmp -s /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt >/dev/null 2>&1; then
#LUKS header hash part of detached signed hash digest under boot doesn't match qubes-measure-luks tmp file
warn "Encrypted disk keys have changed since the TPM Disk Unlock Key was sealed. If you did not make this change, the disk may be compromised"
exit 1
else
#LUKS header hash part of detached signed hash digest matches
echo "+++ Encrypted disk keys have not been changed since sealed in TPM Disk Unlock Key"
#TODO: remove "+++" with boot info helper when added, same with "!!!" currently for info.
fi
else
warn "Could not check for tampering of Encrypted disk keys"
warn "Re-seal the TPM Disk Unlock Key by re-selecting your default boot option to enable this check (Options -> Boot Options -> Show OS boot menu)."
fi
# Attempt to unseal the Disk Unlock Key from the TPM
2017-07-12 04:17:45 +00:00
# should we give this some number of tries?
2017-07-29 17:24:34 +00:00
unseal_failed="n"
2023-08-30 20:49:39 +00:00
if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then
2017-07-29 17:24:34 +00:00
unseal_failed="y"
2024-01-19 16:51:20 +00:00
echo
2024-03-27 14:04:10 +00:00
echo "!!! Failed to unseal the TPM LUKS Disk Unlock Key"
2017-07-12 04:17:45 +00:00
fi
# Override PCR 4 so that user can't read the key
2023-11-06 20:53:17 +00:00
DEBUG "Extending TPM PCR 4 to prevent further secret unsealing"
2023-08-30 20:49:39 +00:00
tpmr extend -ix 4 -ic generic ||
die 'Unable to scramble PCR'
2017-07-12 04:17:45 +00:00
2017-07-29 17:24:34 +00:00
# Check to continue
if [ "$unseal_failed" = "y" ]; then
confirm_boot="n"
read \
-n 1 \
Uniformize vocabulary: LUKS TPM Disk Unlock Key & LUKS Disk Recovery Key
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.
'''
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
'''
Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:
'''
This will replace the encrypted container content and its LUKS Disk
Recovery Key.
The passphrase associated with this key will be asked from the user
under the following conditions:
1-Every boot if no Disk Unlock Key was added to the TPM
2-If the TPM fails (hardware failure)
3-If the firmware has been tampered with/modified by the user
This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.
At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.
Hit Enter to continue.
'''
Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-19 17:32:04 +00:00
-p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \
2017-07-29 17:24:34 +00:00
confirm_boot
2024-04-18 16:21:27 +00:00
echo
2017-07-29 17:24:34 +00:00
if [ "$confirm_boot" != 'y' \
-a "$confirm_boot" != 'Y' \
-a -n "$confirm_boot" ] \
2023-08-30 20:49:39 +00:00
; then
2024-03-27 14:04:10 +00:00
die "!!! Aborting boot due to failure to unseal TPM Disk Unlock Key"
2017-07-29 17:24:34 +00:00
fi
fi
2023-08-30 20:49:39 +00:00
echo
2017-07-12 04:17:45 +00:00
echo '+++ Building initrd'
# pad the initramfs (dracut doesn't pad the last gz blob)
# without this the kernel init/initramfs.c fails to read
# the subsequent uncompressed/compressed cpio
2023-08-30 20:49:39 +00:00
dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync ||
die "Failed to copy initrd to /tmp"
2017-07-12 04:17:45 +00:00
2017-07-29 17:24:34 +00:00
if [ "$unseal_failed" = "n" ]; then
2023-08-30 20:49:39 +00:00
# kexec-save-default might have created crypttab overrides to be injected in initramfs through additional cpio
2023-01-16 20:15:21 +00:00
if [ -r "$bootdir/kexec_initrd_crypttab_overrides.txt" ]; then
2023-03-09 18:28:04 +00:00
echo "+++ $bootdir/kexec_initrd_crypttab_overrides.txt found..."
echo "+++ Preparing initramfs crypttab overrides as defined under $bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..."
2023-01-16 20:15:21 +00:00
# kexec-save-default has found crypttab files under initrd and saved them
cat "$bootdir/kexec_initrd_crypttab_overrides.txt" | while read line; do
crypttab_file=$(echo "$line" | awk -F ':' {'print $1'})
crypttab_entry=$(echo "$line" | awk -F ':' {'print $NF'})
# Replace each initrd crypttab file with modified entry containing /secret.key path
mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)"
2023-08-30 20:49:39 +00:00
echo "$crypttab_entry" | tee -a "$INITRD_DIR/$crypttab_file" >/dev/null
2023-03-09 18:28:04 +00:00
echo "+++ initramfs's $crypttab_file will be overriden with: $crypttab_entry"
2023-01-16 20:15:21 +00:00
done
else
# No crypttab files were found under selected default boot option's initrd file
2023-08-30 20:49:39 +00:00
# Meanwhile, force crypttab to be created from scratch on both possible locations: /etc/crypttab and /cryptroot/crypttab
crypttab_files="etc/crypttab cryptroot/crypttab"
for crypttab_file in $crypttab_files; do
mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)"
# overwrite crypttab to mirror behavior of seal-key
echo "+++ The following $crypttab_file overrides will be passed through concatenated secret/initrd.cpio at kexec call:"
for uuid in $(cat "$TMP_KEY_DEVICES" | cut -d\ -f2); do
# NOTE: discard operation (TRIM) is activated by default if no crypptab found in initrd
echo "luks-$uuid UUID=$uuid /secret.key luks,discard" | tee -a "$INITRD_DIR/$crypttab_file"
done
2023-01-16 20:15:21 +00:00
done
fi
2023-08-30 20:49:39 +00:00
(
cd "$INITRD_DIR"
find . -type f | cpio -H newc -o
) >>"$SECRET_CPIO"
2017-07-29 17:24:34 +00:00
fi
