mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-18 10:46:44 +00:00
using shred instead of rm on secret related files.
This commit is contained in:
parent
c341609488
commit
0722d42d65
@ -38,7 +38,7 @@ for tries in 1 2 3; do
|
||||
-hk 40000000 \
|
||||
; then
|
||||
# should be okay if this fails
|
||||
rm -f /tmp/secret/sealed || true
|
||||
shred -n 10 -z -u /tmp/secret/sealed || true
|
||||
exit 0
|
||||
fi
|
||||
|
||||
|
@ -28,9 +28,9 @@ tpm unsealfile \
|
||||
-of "$HOTP_SECRET" \
|
||||
|| die "Unable to unseal HOTP secret"
|
||||
|
||||
rm -f "$HOTP_SEALED"
|
||||
shred -n 10 -z -u "$HOTP_SEALED"
|
||||
secret="`cat $HOTP_SECRET`"
|
||||
rm -f "$HOTP_SECRET"
|
||||
shred -n 10 -z -u "$HOTP_SECRET"
|
||||
|
||||
# Store counter in file instead of TPM for now, as it conflicts with Heads
|
||||
# config TPM counter as TPM 1.2 can only increment one counter between reboots
|
||||
|
@ -43,7 +43,7 @@ if ! tpm sealfile2 \
|
||||
-ix 4 0000000000000000000000000000000000000000 \
|
||||
-ix 7 X \
|
||||
; then
|
||||
rm -f "$TOTP_SECRET"
|
||||
shred -n 10 -z -u "$TOTP_SECRET"
|
||||
die "Unable to seal secret"
|
||||
fi
|
||||
|
||||
@ -79,7 +79,7 @@ if ! tpm nv_writevalue \
|
||||
|| die "Unable to write sealed secret to NVRAM"
|
||||
fi
|
||||
|
||||
rm -f "$TOTP_SEALED"
|
||||
shred -n 10 -z -u "$TOTP_SEALED"
|
||||
|
||||
url="otpauth://totp/$HOST?secret=$secret"
|
||||
secret=""
|
||||
|
@ -28,7 +28,7 @@ tpm unsealfile \
|
||||
-of "$HOTP_SECRET" \
|
||||
|| die "Unable to unseal HOTP secret"
|
||||
|
||||
rm -f "$HOTP_SEALED"
|
||||
shred -n 10 -z -u "$HOTP_SEALED"
|
||||
|
||||
# Store counter in file instead of TPM for now, as it conflicts with Heads
|
||||
# config TPM counter as TPM 1.2 can only increment one counter between reboots
|
||||
@ -51,11 +51,11 @@ fi
|
||||
#counter_value=$(printf "%d" 0x${counter_value})
|
||||
|
||||
if ! hotp $counter_value < "$HOTP_SECRET"; then
|
||||
rm -f "$HOTP_SECRET"
|
||||
shred -n 10 -z -u "$HOTP_SECRET"
|
||||
die 'Unable to compute HOTP hash?'
|
||||
fi
|
||||
|
||||
rm -f "$HOTP_SECRET"
|
||||
shred -n 10 -z -u "$HOTP_SECRET"
|
||||
|
||||
#increment_tpm_counter $counter > /dev/null \
|
||||
#|| die "Unable to increment tpm counter"
|
||||
|
@ -18,12 +18,12 @@ tpm unsealfile \
|
||||
-of "$TOTP_SECRET" \
|
||||
|| die "Unable to unseal totp secret"
|
||||
|
||||
rm -f "$TOTP_SEALED"
|
||||
shred -n 10 -z -u "$TOTP_SEALED"
|
||||
|
||||
if ! totp -q < "$TOTP_SECRET"; then
|
||||
rm -f "$TOTP_SECRET"
|
||||
shred -n 10 -z -u "$TOTP_SECRET"
|
||||
die 'Unable to compute TOTP hash?'
|
||||
fi
|
||||
|
||||
rm -f "$TOTP_SECRET"
|
||||
shred -n 10 -z -u "$TOTP_SECRET"
|
||||
exit 0
|
||||
|
@ -15,6 +15,7 @@ recovery() {
|
||||
|
||||
# Remove any temporary secret files that might be hanging around
|
||||
# but recreate the directory so that new tools can use it.
|
||||
shred -n 10 -z -u /tmp/secret/* 2> /dev/null
|
||||
rm -rf /tmp/secret
|
||||
mkdir -p /tmp/secret
|
||||
|
||||
@ -234,7 +235,7 @@ replace_config() {
|
||||
# then copy any remaining settings from the existing config file, minus the option you changed
|
||||
grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >> ${CONFIG_FILE}.tmp || true
|
||||
sort ${CONFIG_FILE}.tmp | uniq > ${CONFIG_FILE}
|
||||
rm -f ${CONFIG_FILE}.tmp
|
||||
shred -n 10 -z -u ${CONFIG_FILE}.tmp
|
||||
}
|
||||
combine_configs() {
|
||||
cat /etc/config* > /tmp/config
|
||||
|
Loading…
Reference in New Issue
Block a user