From 0722d42d659ee99006f06e6e2b5d091f9b017dbe Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Sat, 16 Feb 2019 12:26:51 -0500
Subject: [PATCH 1/6] using shred instead of rm on secret related files.
---
 initrd/bin/kexec-unseal-key | 2 +-
 initrd/bin/seal-libremkey | 4 ++--
 initrd/bin/seal-totp | 4 ++--
 initrd/bin/unseal-hotp | 6 +++---
 initrd/bin/unseal-totp | 6 +++---
 initrd/etc/functions | 3 ++-
 6 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key
index 122ede4d..fdacc0c6 100755
--- a/initrd/bin/kexec-unseal-key
+++ b/initrd/bin/kexec-unseal-key
@@ -38,7 +38,7 @@ for tries in 1 2 3; do
 -hk 40000000 \
 ; then
 # should be okay if this fails
- rm -f /tmp/secret/sealed || true
+ shred -n 10 -z -u /tmp/secret/sealed || true
 exit 0
 fi
diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey
index ddee9e97..52d20713 100755
--- a/initrd/bin/seal-libremkey
+++ b/initrd/bin/seal-libremkey
@@ -28,9 +28,9 @@ tpm unsealfile \
 -of "$HOTP_SECRET" \
 || die "Unable to unseal HOTP secret"
-rm -f "$HOTP_SEALED"
+shred -n 10 -z -u "$HOTP_SEALED"
 secret="`cat $HOTP_SECRET`"
-rm -f "$HOTP_SECRET"
+shred -n 10 -z -u "$HOTP_SECRET"
 # Store counter in file instead of TPM for now, as it conflicts with Heads
 # config TPM counter as TPM 1.2 can only increment one counter between reboots
diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp
index f46f4520..f34f5226 100755
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
@@ -43,7 +43,7 @@ if ! tpm sealfile2 \
 -ix 4 0000000000000000000000000000000000000000 \
 -ix 7 X \
 ; then
- rm -f "$TOTP_SECRET"
+ shred -n 10 -z -u "$TOTP_SECRET"
 die "Unable to seal secret"
 fi
@@ -79,7 +79,7 @@ if ! tpm nv_writevalue \
 || die "Unable to write sealed secret to NVRAM"
 fi
-rm -f "$TOTP_SEALED"
+shred -n 10 -z -u "$TOTP_SEALED"
 url="otpauth://totp/$HOST?secret=$secret"
 secret=""
diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp
index 8d4ef192..9e38b465 100755
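Review bot: Replacing `rm -f` with `shred -n 10 -z -u` changes the exit status for a missing file: `rm -f` returns 0 when the path does not exist, while shred reports an error and returns non-zero, so only the kexec-unseal-key hunk (which keeps `|| true`) preserves the old tolerance; the seal-libremkey, seal-totp, unseal-hotp and unseal-totp hunks do not, and whether that matters depends on whether those scripts run under `set -e`, which is not visible here. A form that keeps the `rm -f` behaviour without hiding real shred failures is `[ ! -e "$HOTP_SEALED" ] || shred -n 10 -z -u "$HOTP_SEALED"`. Separately, shred only helps where the filesystem overwrites data in place, so the assumption deserves a comment where the flags are chosen, e.g. `# shred relies on in-place overwrite; confirm /tmp/secret is on ramfs/tmpfs — no guarantee on journaled or copy-on-write storage`. The enclosing `for tries` loop in kexec-unseal-key starts outside the hunk.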
--- a/initrd/bin/unseal-hotp
+++ b/initrd/bin/unseal-hotp
@@ -28,7 +28,7 @@ tpm unsealfile \
 -of "$HOTP_SECRET" \
 || die "Unable to unseal HOTP secret"
-rm -f "$HOTP_SEALED"
+shred -n 10 -z -u "$HOTP_SEALED"
 # Store counter in file instead of TPM for now, as it conflicts with Heads
 # config TPM counter as TPM 1.2 can only increment one counter between reboots
@@ -51,11 +51,11 @@ fi
 #counter_value=$(printf "%d" 0x${counter_value})
 if ! hotp $counter_value < "$HOTP_SECRET"; then
- rm -f "$HOTP_SECRET"
+ shred -n 10 -z -u "$HOTP_SECRET"
 die 'Unable to compute HOTP hash?'
 fi
-rm -f "$HOTP_SECRET"
+shred -n 10 -z -u "$HOTP_SECRET"
 #increment_tpm_counter $counter > /dev/null \
 #|| die "Unable to increment tpm counter"
diff --git a/initrd/bin/unseal-totp b/initrd/bin/unseal-totp
index c123ba0e..b499d0bb 100755
--- a/initrd/bin/unseal-totp
+++ b/initrd/bin/unseal-totp
@@ -18,12 +18,12 @@ tpm unsealfile \
 -of "$TOTP_SECRET" \
 || die "Unable to unseal totp secret"
-rm -f "$TOTP_SEALED"
+shred -n 10 -z -u "$TOTP_SEALED"
 if ! totp -q < "$TOTP_SECRET"; then
- rm -f "$TOTP_SECRET"
+ shred -n 10 -z -u "$TOTP_SECRET"
 die 'Unable to compute TOTP hash?'
 fi
-rm -f "$TOTP_SECRET"
+shred -n 10 -z -u "$TOTP_SECRET"
 exit 0
diff --git a/initrd/etc/functions b/initrd/etc/functions
index 8913870e..6e7f136b 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -15,6 +15,7 @@ recovery() {
 # Remove any temporary secret files that might be hanging around
 # but recreate the directory so that new tools can use it.
+ shred -n 10 -z -u /tmp/secret/* 2> /dev/null
 rm -rf /tmp/secret
 mkdir -p /tmp/secret
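Review bot: `shred -n 10 -z -u /tmp/secret/* 2> /dev/null` in recovery() only reaches regular files matched by the glob: dotfiles are skipped and shred does not descend into subdirectories, so anything there is later removed by `rm -rf /tmp/secret` without ever being overwritten. When the glob matches nothing the literal pattern is passed to shred and its complaint is hidden by the redirect, which is harmless, but the same redirect also hides a missing `shred` binary in the initrd. If `find` is available in the initramfs, `find /tmp/secret -type f -exec shred -n 10 -z -u {} \; 2> /dev/null` covers every file before the `rm -rf`. recovery() continues outside the hunk.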
@@ -234,7 +235,7 @@ replace_config() {
 # then copy any remaining settings from the existing config file, minus the option you changed
 grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >> ${CONFIG_FILE}.tmp || true
 sort ${CONFIG_FILE}.tmp | uniq > ${CONFIG_FILE}
- rm -f ${CONFIG_FILE}.tmp
+ shred -n 10 -z -u ${CONFIG_FILE}.tmp
 }
 combine_configs() {
 cat /etc/config* > /tmp/config
From 14c76d062c199f17ff6369091a80d2885cb54914 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Thu, 21 Feb 2019 20:16:02 -0500
Subject: [PATCH 2/6] supress errors on console when files don't exist (equivalent of rm -f)
---
 initrd/bin/kexec-unseal-key | 2 +-
 initrd/bin/seal-libremkey | 4 ++--
 initrd/bin/seal-totp | 4 ++--
 initrd/bin/unseal-hotp | 6 +++---
 initrd/bin/unseal-totp | 6 +++---
 5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key
index fdacc0c6..e016f5bd 100755
--- a/initrd/bin/kexec-unseal-key
+++ b/initrd/bin/kexec-unseal-key
@@ -38,7 +38,7 @@ for tries in 1 2 3; do
 -hk 40000000 \
 ; then
 # should be okay if this fails
- shred -n 10 -z -u /tmp/secret/sealed || true
+ shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
 exit 0
 fi
diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey
index 52d20713..7203b719 100755
--- a/initrd/bin/seal-libremkey
+++ b/initrd/bin/seal-libremkey
@@ -28,9 +28,9 @@ tpm unsealfile \
 -of "$HOTP_SECRET" \
 || die "Unable to unseal HOTP secret"
-shred -n 10 -z -u "$HOTP_SEALED"
+shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
 secret="`cat $HOTP_SECRET`"
-shred -n 10 -z -u "$HOTP_SECRET"
+shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
 # Store counter in file instead of TPM for now, as it conflicts with Heads
 # config TPM counter as TPM 1.2 can only increment one counter between reboots
diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp
index f34f5226..af7896b5 100755
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
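Review bot: The `2> /dev/null` added to every shred call in PATCH 2/6 (the kexec-unseal-key and seal-libremkey hunks here, and the seal-totp, unseal-hotp and unseal-totp hunks that follow) hides every shred diagnostic, not only the missing-file case the commit message describes, so a genuine failure to overwrite a secret — a permission error, an unsupported filesystem, shred absent from the initrd — now passes silently, while the exit status for a missing file is still non-zero, unlike `rm -f`. Testing for the file first gives the `rm -f` behaviour without blinding the operator to real errors: `[ ! -e "$HOTP_SEALED" ] || shred -n 10 -z -u "$HOTP_SEALED"`. Only the kexec-unseal-key call already carries `|| true`, and there the redirect is the only part that is new.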
@@ -43,7 +43,7 @@ if ! tpm sealfile2 \
 -ix 4 0000000000000000000000000000000000000000 \
 -ix 7 X \
 ; then
- shred -n 10 -z -u "$TOTP_SECRET"
+ shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
 die "Unable to seal secret"
 fi
@@ -79,7 +79,7 @@ if ! tpm nv_writevalue \
 || die "Unable to write sealed secret to NVRAM"
 fi
-shred -n 10 -z -u "$TOTP_SEALED"
+shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null
 url="otpauth://totp/$HOST?secret=$secret"
 secret=""
diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp
index 9e38b465..5a697f36 100755
--- a/initrd/bin/unseal-hotp
+++ b/initrd/bin/unseal-hotp
@@ -28,7 +28,7 @@ tpm unsealfile \
 -of "$HOTP_SECRET" \
 || die "Unable to unseal HOTP secret"
-shred -n 10 -z -u "$HOTP_SEALED"
+shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
 # Store counter in file instead of TPM for now, as it conflicts with Heads
 # config TPM counter as TPM 1.2 can only increment one counter between reboots
@@ -51,11 +51,11 @@ fi
 #counter_value=$(printf "%d" 0x${counter_value})
 if ! hotp $counter_value < "$HOTP_SECRET"; then
- shred -n 10 -z -u "$HOTP_SECRET"
+ shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
 die 'Unable to compute HOTP hash?'
 fi
-shred -n 10 -z -u "$HOTP_SECRET"
+shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
 #increment_tpm_counter $counter > /dev/null \
 #|| die "Unable to increment tpm counter"
diff --git a/initrd/bin/unseal-totp b/initrd/bin/unseal-totp
index b499d0bb..c9c339b1 100755
--- a/initrd/bin/unseal-totp
+++ b/initrd/bin/unseal-totp
@@ -18,12 +18,12 @@ tpm unsealfile \
 -of "$TOTP_SECRET" \
 || die "Unable to unseal totp secret"
-shred -n 10 -z -u "$TOTP_SEALED"
+shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null
 if ! totp -q < "$TOTP_SECRET"; then
- shred -n 10 -z -u "$TOTP_SECRET"
+ shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
 die 'Unable to compute TOTP hash?'
 fi
-shred -n 10 -z -u "$TOTP_SECRET"
+shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
 exit 0
From 9fbfb41a71a9889c8c80ab3595e3f513ad613758 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Thu, 21 Feb 2019 20:17:16 -0500
Subject: [PATCH 3/6] reverting shred on a file that is not a secret to be shredded
---
 initrd/etc/functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/initrd/etc/functions b/initrd/etc/functions
index 6e7f136b..453590b8 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -235,7 +235,7 @@ replace_config() {
 # then copy any remaining settings from the existing config file, minus the option you changed
 grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >> ${CONFIG_FILE}.tmp || true
 sort ${CONFIG_FILE}.tmp | uniq > ${CONFIG_FILE}
- shred -n 10 -z -u ${CONFIG_FILE}.tmp
+ rm -f ${CONFIG_FILE}.tmp
 }
 combine_configs() {
 cat /etc/config* > /tmp/config
From b3a6c285c8ac8596a654571023132bcbf5c754c9 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Fri, 22 Feb 2019 10:48:00 -0500
Subject: [PATCH 4/6] also shred LUKS key when done instead of rm it
---
 initrd/bin/kexec-seal-key | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index f574b558..c96dc637 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -117,7 +117,7 @@ tpm sealfile2 \
 -ix 7 X \
 || die "Unable to seal secret"
-rm -f "$KEY_FILE" \
+shred -n 10 -z -u "$KEY_FILE" 2> /dev/null \
 || die "Failed to delete key file"
 # try it without the owner password first
From 8310a3d62eb3aff2ce39f8c08e6a6e54f9219557 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Fri, 22 Feb 2019 10:52:35 -0500
Subject: [PATCH 5/6] also shred LUKS sealed secret when done instead of rm it
---
 initrd/bin/kexec-seal-key | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index c96dc637..46980af8 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
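Review bot: In the PATCH 4/6 kexec-seal-key hunk, `shred -n 10 -z -u "$KEY_FILE" 2> /dev/null \` discards shred's own diagnostic immediately before `|| die "Failed to delete key file"`, so when that path is taken the operator gets a generic failure with no indication of why the LUKS key file could not be destroyed. The failure is fatal here regardless, so the redirect buys nothing; `shred -n 10 -z -u "$KEY_FILE" \` followed by the existing `|| die` line keeps the cause visible. The same applies to the `|| warn` variant in the PATCH 5/6 hunk that follows, where the hidden message is the only record of a sealed secret being left behind.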
@@ -150,5 +150,5 @@ if ! tpm nv_writevalue \
 || die "Unable to write sealed secret to NVRAM"
 fi
-rm "$TPM_SEALED" \
+shred -n 10 -z -u "$TPM_SEALED" 2> /dev/null \
 || warn "Failed to delete the sealed secret - continuing"
From 2740317d67dfe3aa185ff501e6391ba3cf785d6f Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Sun, 24 Feb 2019 11:11:00 -0500
Subject: [PATCH 6/6] shred TOTP_SECRET also when generation is successful
---
 initrd/bin/seal-totp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp
index af7896b5..f33449e5 100755
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
@@ -44,9 +44,11 @@ if ! tpm sealfile2 \
 -ix 7 X \
 ; then
 shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
- die "Unable to seal secret"
+ die "Unable to seal secret"
 fi
+shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
+
 # to create an nvram space we need the TPM owner password
 # and the TPM physical presence must be asserted.
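Review bot: The `shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null` added after `fi` in the PATCH 6/6 seal-totp hunk runs on the success path, where the plaintext secret file is expected to exist, yet its result is neither checked nor visible, so a secret left on disk goes unnoticed. The comparable line in kexec-seal-key pairs shred with `|| warn`; `shred -n 10 -z -u "$TOTP_SECRET" || warn "Failed to delete the TOTP secret - continuing"` would match that and surface the cause. The removed and re-added `die "Unable to seal secret"` line appears to differ only in whitespace, which is better kept out of a functional commit. The enclosing `if ! tpm sealfile2` block starts outside the hunk.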