mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-22 06:17:52 +00:00
46 lines
920 B
Plaintext
46 lines
920 B
Plaintext
|
#!/bin/sh
|
||
|
# This will unseal and unecncrypt the drive encryption key from the TPM
|
||
|
# The TOTP secret will be shown to the user on each encryption attempt.
|
||
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
||
|
set -e -o pipefail
|
||
|
|
||
|
TPM_INDEX=3
|
||
|
TPM_SIZE=312
|
||
|
|
||
|
. /etc/functions
|
||
|
mkdir -p /tmp/secret
|
||
|
|
||
|
sealed_file="/tmp/secret/sealed.key"
|
||
|
key_file="$1"
|
||
|
|
||
|
if [ -z "$key_file" ]; then
|
||
|
key_file="/tmp/secret/secret.key"
|
||
|
fi
|
||
|
|
||
|
tpm nv_readvalue \
|
||
|
-in "$TPM_INDEX" \
|
||
|
-sz "$TPM_SIZE" \
|
||
|
-of "$sealed_file" \
|
||
|
|| die "Unable to read key from TPM NVRAM"
|
||
|
|
||
|
for tries in 1 2 3; do
|
||
|
read -s -p "Enter unlock password: " tpm_password
|
||
|
echo
|
||
|
|
||
|
if tpm unsealfile \
|
||
|
-if "$sealed_file" \
|
||
|
-of "$key_file" \
|
||
|
-pwdd "$tpm_password" \
|
||
|
-hk 40000000 \
|
||
|
; then
|
||
|
# should be okay if this fails
|
||
|
rm -f /tmp/secret/sealed || true
|
||
|
exit 0
|
||
|
fi
|
||
|
|
||
|
pcrs
|
||
|
warn "Unable to unseal disk encryption key"
|
||
|
done
|
||
|
|
||
|
die "Retry count exceeded..."
|