From 215ff2a397dbf6e5a2dc3e2183d7308a60248d47 Mon Sep 17 00:00:00 2001
From: Jonathon Hall
Date: Wed, 8 Mar 2023 16:20:21 -0500
Subject: [PATCH] reboot, poweroff: Prepare TPM2 for shutdown

TPM2 must be prepared for shutdown, or it may track an auth failure for dictionary attack prevention (per the spec, to prevent an attack by attempting to authenticate and then powering off the TPM before it can update the nonvolatile counter). Add tpmr shutdown to prepare for shutdown (no-op on TPM1). Invoke it from poweroff and reboot.

Signed-off-by: Jonathon Hall
---
 initrd/bin/poweroff | 5 +++++
 initrd/bin/reboot | 5 +++++
 initrd/bin/tpmr | 15 +++++++++++++--
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/initrd/bin/poweroff b/initrd/bin/poweroff
index 6290246b..813726ad 100755
--- a/initrd/bin/poweroff
+++ b/initrd/bin/poweroff
@@ -3,6 +3,11 @@
 TRACE "Under /bin/poweroff"
+# Shut down TPM
+if [ "$CONFIG_TPM" = "y" ]; then
+ tpmr shutdown
+fi
+
 # Sync all mounted filesystems
 echo s > /proc/sysrq-trigger
diff --git a/initrd/bin/reboot b/initrd/bin/reboot
index 97d606c9..209dc91b 100755
--- a/initrd/bin/reboot
+++ b/initrd/bin/reboot
@@ -3,6 +3,11 @@
 TRACE "Under /bin/reboot"
+# Shut down TPM
+if [ "$CONFIG_TPM" = "y" ]; then
+ tpmr shutdown
+fi
+
 # Sync all mounted filesystems
 echo s > /proc/sysrq-trigger
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index eba11e7b..ee99b79a 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -477,6 +477,13 @@ tpm1_unseal() {
 -hk 40000000
 }
+tpm2_shutdown() {
+ # Prepare for shutdown.
+ # This is a "clear" shutdown (do not preserve runtime state) since we
+ # are not going to resume later, we are powering off (or rebooting).
+ tpm2 shutdown -Q --clear
+}
+
 if [ "$CONFIG_TPM" != "y" ]; then
 echo >&2 "No TPM!"
 exit 1
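Review bot: The exit status of `tpmr shutdown` is discarded in the block added to initrd/bin/poweroff, and the identical block in initrd/bin/reboot has the same gap. If the TPM2 shutdown command fails, the script carries on exactly as before the patch, so the dictionary-attack accounting problem described in the commit message would still occur with nothing recorded about it. Power-off and reboot should still proceed, so I would only report the failure: `tpmr shutdown || echo >&2 "Warning: TPM shutdown failed"`. Both scripts start before and continue past their hunks, so whether stderr is still visible to the user at this point needs confirming.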
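Review bot: The comment inside `tpm2_shutdown` in initrd/bin/tpmr explains why the shutdown is a "clear" one but not why a shutdown command is needed at all. That reason is security-relevant and currently lives only in the commit message. I would add a line above the existing comment such as `# Without an orderly shutdown the TPM may count an auth failure toward dictionary-attack lockout.` so a later maintainer does not remove the call as redundant. The function is also called with `"$@"` from the dispatcher but ignores its arguments; a short `# Takes no arguments.` would make that explicit.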
@@ -495,12 +502,14 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 echo "$PCR_SIZE";;
 calcfuturepcr)
 shift; tpm1_calcfuturepcr "$@";;
- kexec_finalize)
- ;; # Nothing on TPM1.
 seal)
 shift; tpm1_seal "$@";;
 unseal)
 shift; tpm1_unseal "$@";;
+ kexec_finalize)
+ ;; # Nothing on TPM1.
+ shutdown)
+ ;; # Nothing on TPM1.
 *)
 exec tpm "$@"
 ;;
@@ -537,6 +546,8 @@ case "$subcmd" in
 tpm2_reset "$@";;
 kexec_finalize)
 tpm2_kexec_finalize "$@";;
+ shutdown)
+ tpm2_shutdown "$@";;
 *)
 echo "Command $subcmd not wrapped!"
 exit 1