kexec-seal-key: remove non-needed shred of file cached /tmp/secret/tpm_owner_password (done when sealing fails under tpmr)

- document why shred is still called under functions:check_tpm_counter for safety and add TODO there Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-18 20:47:55 +00:00 · 2023-11-06 10:07:50 -05:00 · 2023-11-06 10:07:50 -05:00 · 0042163861
commit 0042163861
parent 923b4e1fe9
2 changed files with 6 additions and 4 deletions
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@ -137,10 +137,7 @@ tpmr pcrread -a 7 "$pcrf"

 DO_WITH_DEBUG --mask-position 7 \
 	tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
-	"$TPM_SIZE" "$key_password" || {
-	shred -n 10 -z -u /tmp/secret/tpm_owner_password 2>/dev/null
-	die "Unable to write TPM Disk Unlock Key to NVRAM"
-}
+	"$TPM_SIZE" "$key_password" || die "Unable to write TPM Disk Unlock Key to NVRAM"

 # should be okay if this fails
 shred -n 10 -z -u "$pcrf" 2>/dev/null ||
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@ -258,6 +258,11 @@ check_tpm_counter() {
 			tee /tmp/counter ||
 			{
 				DEBUG "Failed to create TPM counter. Shredding TPM Owner Password"
+				#tpm2 counter_cre wipes the cached tpm owner password if invalid.
+				#tpm1 calls counter_create directly and does not wipe the cached password.
+				# This is a workaround to make the two calls behave the same in case we need to create a new counter.
+				# I am not able to get here in my tests: the cached password should be able to create a counter at this point.
+				#TODO: unify the two calls further and delete the next shred call.
 				shred -n 10 -z -u /tmp/secret/tpm_owner_password
 				die "Unable to create TPM counter"
 			}