seal-totp: add missing PCR7 DEBUG call for CBFS measured content, add DEBUG for TOTP secret/qrcode output to console

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-08-17 12:00:43 -04:00
parent 70a7419c0a
commit 03746e3e11


@ -46,6 +46,7 @@ DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modul
# pcr 6 (drive LUKS header) is not measured at sealing/unsealing of totp # pcr 6 (drive LUKS header) is not measured at sealing/unsealing of totp
DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)" DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)"
# pcr 7 is containing measurements of user injected stuff in cbfs # pcr 7 is containing measurements of user injected stuff in cbfs
DEBUG "Sealing TOTP with actual state of PCR7 (User injected stuff in cbfs)"
tpmr pcrread -a 7 "$pcrf" tpmr pcrread -a 7 "$pcrf"
#Make sure we clear the TPM Owner Password from memory in case it failed to be used to seal TOTP #Make sure we clear the TPM Owner Password from memory in case it failed to be used to seal TOTP
tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD" || tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD" ||
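Review bot: The new DEBUG on the line before `tpmr pcrread -a 7 "$pcrf"` calls PCR7 "actual state", but the point a reader of the debug log needs is that the TOTP secret is bound to PCR7's value at sealing time, so anything already injected into CBFS becomes part of the trusted baseline from here on; the message as written does not say that. I would reword it as `DEBUG "Sealing TOTP against current PCR7 value (CBFS content injected before sealing becomes part of the trusted baseline)"`. The exit status of the `tpmr pcrread` that follows is also unchecked, so if the read fails the seal two lines later presumably proceeds with whatever is already in `$pcrf` rather than failing closed; `tpmr pcrread -a 7 "$pcrf" || die "Unable to read PCR7 for TOTP sealing"` would address that, assuming a `die` helper is in scope for this script. The function enclosing this hunk starts before and continues after it.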
@ -56,5 +57,6 @@ shred -n 10 -z -u "$TOTP_SEALED" 2>/dev/null
url="otpauth://totp/$HOST?secret=$secret" url="otpauth://totp/$HOST?secret=$secret"
secret="" secret=""
DEBUG "TOTP secret output on screen (both URL and QR code)"
qrenc "$url" qrenc "$url"
echo "$url" echo "$url"