From 729f2b17b822097a1a87fed034347cb21d68d65a Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Mon, 23 Oct 2023 17:23:38 -0400
Subject: [PATCH] WiP to be squashed: we need to refactor prompt_tpm_password which is used both for TPM Owner Password prompt and caching reused for TPM disk unlock key passphrase which of course fails
Signed-off-by: Thierry Laurion
---
 initrd/bin/kexec-seal-key | 4 ++++
 initrd/bin/kexec-select-boot | 33 ++++++++++++++++++---------------
 initrd/etc/functions | 3 +++
 3 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index 881797a5..4e0cb321 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -135,6 +135,10 @@ tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf"
 # We take into consideration user files in cbfs
 tpmr pcrread -a 7 "$pcrf"
+DEBUG "TODO: REMOVE THIS: key_password=$key_password here"
+DEBUG "TODO: REMOVE THIS: content of /tmp/secret/tpm_password: $(cat /tmp/secret/tpm_password) here"
+
+
 DO_WITH_DEBUG --mask-position 7 \
 tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
 "$TPM_SIZE" "$key_password" || {
diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot
index 1562638c..6f4cdfc7 100755
--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
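Review bot: The two added DEBUG lines write the sealing passphrase and the cached TPM owner password in clear text to wherever DEBUG output goes, which defeats the masking the existing `--mask-position 7` on the `tpmr seal` call appears intended to provide for `$key_password`. The `$(cat /tmp/secret/tpm_password)` command substitution is also expanded by the calling shell before DEBUG runs, so the secret is read (and a cat error is printed if the file is absent) whether or not debugging is enabled. The same pattern is added twice in the initrd/etc/functions hunk (`DEBUG "TODO REMOVE THIS! tpm_password is $tpm_password here."`). If the point is to see which path supplied the value, log presence rather than content, e.g. `DEBUG "key_password is $([ -n "$key_password" ] && echo set || echo unset)"`, and drop the file dump entirely. The `tpmr seal` invocation continues past the end of the hunk.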
@@ -50,21 +50,24 @@ bootdir="${bootdir%%/}"
 paramsdev="${paramsdev%%/}"
 paramsdir="${paramsdir%%/}"
-PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
-if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
- if [ -r "$PRIMHASH_FILE" ]; then
- sha256sum -c "$PRIMHASH_FILE" \
- || {
- echo "FATAL: Hash of TPM2 primary key handle mismatch!";
- warn "If you have not intentionally regenerated TPM2 primary key,";
- warn "your system may have been compromised";
- }
- else
- warn "Hash of TPM2 primary key handle does not exist"
- warn "Please rebuild the boot hash tree"
- default_failed="y"
- fi
-fi
+
+#PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
+#if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
+# if [ -r "$PRIMHASH_FILE" ]; then
+# sha256sum -c "$PRIMHASH_FILE" \
+# || {
+# echo "FATAL: Hash of TPM2 primary key handle mismatch!";
+# warn "If you have not intentionally regenerated TPM2 primary key,";
+# warn "your system may have been compromised";
+# }
+# else
+# warn "Hash of TPM2 primary key handle does not exist"
+# warn "Please rebuild the boot hash tree"
+# default_failed="y"
+# fi
+#fi
+#TODO: Readd when this can work successfully by simply resealing TOTP/HOTP without having to reset TPM2, this is a major pain point for users
+#And acutally don't work as intended, even more with TPM DUK
 verify_global_hashes() {
diff --git a/initrd/etc/functions b/initrd/etc/functions
index 60ff97c7..1227c66c 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
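Review bot: Commenting out the PRIMHASH_FILE block removes the check that detects a regenerated TPM2 primary key handle, and with it the `default_failed="y"` that a missing hash file used to set, so a TPM2 boot whose hash tree was never rebuilt now proceeds with no warning at all. If the check cannot be enforced until resealing works without a TPM2 reset, the less risky interim is to keep the block and make it advisory, dropping only the `default_failed="y"` line so the `warn` messages are still shown, rather than removing it from the shipped script. A check that is disabled behind a config variable (placeholder `CONFIG_…`) is also far easier to re-enable later than one buried in `#` comments. The TODO comment has a typo, `acutally` → `actually`.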
@@ -197,14 +197,17 @@ prompt_tpm_password() {
 #Caller might already have cached the password in tpm_password. If not, prompt for it and cache it externally
 if [ -n "$tpm_password" ]; then
 DEBUG "tpm_password variable already set by caller. Reusing"
+ DEBUG "TODO REMOVE THIS! tpm_password is $tpm_password here."
 return 0
 elif [ -s /tmp/secret/tpm_password ]; then
 DEBUG "/tmp/secret/tpm_password already cached in file. Reusing"
 tpm_password=$(cat /tmp/secret/tpm_password)
+ DEBUG "TODO REMOVE THIS! tpm_password is $tpm_password here."
 return 0
 fi
 read -s -p "TPM Owner Password: " tpm_password
+ #TODO: This function is called for both owner and TPM sealing calls. We should probably have a different prompt for each
 echo # new line after password prompt
 # Cache the password externally to be reused by who needs it
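Review bot: The added TODO names the conflation the commit message describes but the hunk does nothing about it: `read -s -p "TPM Owner Password: " tpm_password` is still the single prompt, and the `-n "$tpm_password"` and `-s /tmp/secret/tpm_password` branches above hand back whatever was cached last regardless of which secret the caller needs, so a disk-unlock caller silently receives the owner password (or vice versa). A first step that leaves existing callers untouched is to make the prompt text an optional argument, `read -s -p "${1:-TPM Owner Password: }" tpm_password`, and then key the cache by purpose rather than sharing one file, with the two reuse branches checked the same way. prompt_tpm_password's body continues past the end of the hunk, where the cache is presumably written.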