WiP to be squashed: we need to refactor prompt_tpm_password which is used both for TPM Owner Password prompt and caching reused for TPM disk unlock key passphrase which of course fails

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

initrd/bin/kexec-seal-key

@@ -135,6 +135,10 @@ tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf"
 # We take into consideration user files in cbfs
 tpmr pcrread -a 7 "$pcrf"
 
+DEBUG "TODO: REMOVE THIS: key_password=$key_password here"
+DEBUG "TODO: REMOVE THIS: content of /tmp/secret/tpm_password: $(cat /tmp/secret/tpm_password) here"
+
+
 DO_WITH_DEBUG --mask-position 7 \
 	tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
 	"$TPM_SIZE" "$key_password" || {

initrd/bin/kexec-select-boot

@@ -50,21 +50,24 @@ bootdir="${bootdir%%/}"
 paramsdev="${paramsdev%%/}"
 paramsdir="${paramsdir%%/}"
 
-PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
-if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
-	if [ -r "$PRIMHASH_FILE" ]; then
-		sha256sum -c "$PRIMHASH_FILE" \
-			|| {
-			echo "FATAL: Hash of TPM2 primary key handle mismatch!";
-			warn "If you have not intentionally regenerated TPM2 primary key,";
-			warn "your system may have been compromised";
-		}
-	else
-		warn "Hash of TPM2 primary key handle does not exist"
-		warn "Please rebuild the boot hash tree"
-		default_failed="y"
-	fi
-fi
+
+#PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
+#if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
+#	if [ -r "$PRIMHASH_FILE" ]; then
+#		sha256sum -c "$PRIMHASH_FILE" \
+#			|| {
+#			echo "FATAL: Hash of TPM2 primary key handle mismatch!";
+#			warn "If you have not intentionally regenerated TPM2 primary key,";
+#			warn "your system may have been compromised";
+#		}
+#	else
+#		warn "Hash of TPM2 primary key handle does not exist"
+#		warn "Please rebuild the boot hash tree"
+#		default_failed="y"
+#	fi
+#fi
+#TODO: Readd when this can work successfully by simply resealing TOTP/HOTP without having to reset TPM2, this is a major pain point for users
+#And acutally don't work as intended, even more with TPM DUK
 
 verify_global_hashes()
 {

initrd/etc/functions

@@ -197,14 +197,17 @@ prompt_tpm_password() {
 	#Caller might already have cached the password in tpm_password. If not, prompt for it and cache it externally
 	if [ -n "$tpm_password" ]; then
 		DEBUG "tpm_password variable already set by caller. Reusing"
+		DEBUG "TODO REMOVE THIS! tpm_password is $tpm_password here."
 		return 0
 	elif [ -s /tmp/secret/tpm_password ]; then
 		DEBUG "/tmp/secret/tpm_password already cached in file. Reusing"
 		tpm_password=$(cat /tmp/secret/tpm_password)
+		DEBUG "TODO REMOVE THIS! tpm_password is $tpm_password here."
 		return 0
 	fi
 
 	read -s -p "TPM Owner Password: " tpm_password
+	#TODO: This function is called for both owner and TPM sealing calls. We should probably have a different prompt for each
 	echo # new line after password prompt
 
 	# Cache the password externally to be reused by who needs it