ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

kexec-(un)seal-key: Delete CONFIG_AUTO_UNLOCK logic

Browse Source 
CONFIG_AUTO_UNLOCK does not exist in Heads.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This commit is contained in:
Jonathon Hall 2023-02-23 09:15:00 -05:00
parent b500505312
commit 2c6caa18a7
No known key found for this signature in database
GPG Key ID: 1E9C3CA91AE25114
2 changed files with 31 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
initrd/bin/kexec-seal-key
View File

@ -48,15 +48,13 @@ read -s -p "Enter disk recovery key: " disk_password
echo -n "$disk_password" > "$RECOVERY_KEY" echo -n "$disk_password" > "$RECOVERY_KEY"
echo echo
if [ "$CONFIG_AUTO_UNLOCK" != y ]; then read -s -p "New disk unlock password for booting: " key_password
read -s -p "New disk unlock password for booting: " key_password echo
echo read -s -p "Repeat unlock code: " key_password2
read -s -p "Repeat unlock code: " key_password2 echo
echo
if [ "$key_password" != "$key_password2" ]; then if [ "$key_password" != "$key_password2" ]; then
die "Key passwords do not match" die "Key passwords do not match"
fi
fi fi
# Generate key file # Generate key file
@ -114,34 +112,19 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
# loaded in the recovery shell. # loaded in the recovery shell.
# Otherwise use the current values of the PCRs, which will be read # Otherwise use the current values of the PCRs, which will be read
# from the TPM as part of the sealing ("X"). # from the TPM as part of the sealing ("X").
if [ "$CONFIG_AUTO_UNLOCK" != y ]; then tpm sealfile2 \
tpm sealfile2 \ -if "$KEY_FILE" \
-if "$KEY_FILE" \ -of "$TPM_SEALED" \
-of "$TPM_SEALED" \ -pwdd "$key_password" \
-pwdd "$key_password" \ -hk 40000000 \
-hk 40000000 \ -ix 0 X \
-ix 0 X \ -ix 1 X \
-ix 1 X \ -ix 2 X \
-ix 2 X \ -ix 3 X \
-ix 3 X \ -ix 4 0000000000000000000000000000000000000000 \
-ix 4 0000000000000000000000000000000000000000 \ -ix 5 $pcr_5 \
-ix 5 $pcr_5 \ -ix 6 $luks_pcr \
-ix 6 $luks_pcr \ -ix 7 X
-ix 7 X
else
tpm sealfile2 \
-if "$KEY_FILE" \
-of "$TPM_SEALED" \
-hk 40000000 \
-ix 0 X \
-ix 1 X \
-ix 2 X \
-ix 3 X \
-ix 4 0000000000000000000000000000000000000000 \
-ix 5 $pcr_5 \
-ix 6 $luks_pcr \
-ix 7 X
fi
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
die "Unable to seal secret" die "Unable to seal secret"
@ -205,15 +188,7 @@ elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
tpm2 pcrreset 23 tpm2 pcrreset 23
# We take into consideration user files in cbfs # We take into consideration user files in cbfs
tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf" tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf"
if [ "$CONFIG_AUTO_UNLOCK" = "y" ]; then tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf" "$key_password"
#TODO: There is no CONFIG_AUTO_UNLOCK. Should be removed
tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf"
else
#TODO: wrap TPM disk encryption key passphrase, otherwise prompt to user looks like if we were asking for TPM ownership passphrase
#TODO: everything is supposed to be under $pcrf, why considering them twice?
# TODO: review syntax to not duplicate expending pcr 2 times with pcr0-7: find a way to only use $pcrf? : sha256 "$pcrf" "$key_password"
tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf" "$key_password"
fi
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
# should be okay if this fails # should be okay if this fails
shred -n 10 -z -u "$pcrf".* 2> /dev/null || true shred -n 10 -z -u "$pcrf".* 2> /dev/null || true

33
initrd/bin/kexec-unseal-key
View File

@ -29,11 +29,7 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
network-init-recovery network-init-recovery
fi fi
for tries in 1 2 3; do for tries in 1 2 3; do
if [ "$CONFIG_AUTO_UNLOCK" = "y" ]; then tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "file:-" > "$key_file"
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" > "$key_file"
else
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "file:-" > "$key_file"
fi
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
# should be okay if this fails # should be okay if this fails
@ -52,25 +48,18 @@ elif [ "$CONFIG_TPM" = "y" ]; then
|| die "Unable to read key from TPM NVRAM" || die "Unable to read key from TPM NVRAM"
for tries in 1 2 3; do for tries in 1 2 3; do
if [ "$CONFIG_AUTO_UNLOCK" != y ]; then read -s -p "Enter unlock password (blank to abort): " tpm_password
read -s -p "Enter unlock password (blank to abort): " tpm_password echo
echo if [ -z "$tpm_password" ]; then
if [ -z "$tpm_password" ]; then die "Aborting unseal disk encryption key"
die "Aborting unseal disk encryption key"
fi
tpm unsealfile \
-if "$sealed_file" \
-of "$key_file" \
-pwdd "$tpm_password" \
-hk 40000000
else
tpm unsealfile \
-if "$sealed_file" \
-of "$key_file" \
-hk 40000000
fi fi
tpm unsealfile \
-if "$sealed_file" \
-of "$key_file" \
-pwdd "$tpm_password" \
-hk 40000000
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
# should be okay if this fails # should be okay if this fails
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true