From 79e10ee1357658cbd63af2a518924aaa3db35c32 Mon Sep 17 00:00:00 2001
From: Jonathon Hall
Date: Thu, 23 Feb 2023 10:14:32 -0500
Subject: [PATCH] kexec-unseal-key, tpmr: Deduplicate TPM1/2 code and always use stdin pass

Always send password via stdin to tpm2 create, tpm2 unseal. The password could being with things like 'file:', 'str:', 'pcr:' that would be interpreted by tpm2. Deduplicate the TPM1/2 code in kexec-unseal-key. The TPM2 code was not actually prompting for the password or sending it to tpmr unseal. Password is still not working yet though.

Signed-off-by: Jonathon Hall
---
 initrd/bin/kexec-unseal-key | 67 ++++++++++++++++---------------------
 initrd/bin/tpmr | 6 ++--
 2 files changed, 32 insertions(+), 41 deletions(-)

diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key
index 91cbe7e1..5b1039e3 100755
--- a/initrd/bin/kexec-unseal-key
+++ b/initrd/bin/kexec-unseal-key
@@ -18,57 +18,48 @@ if [ -z "$key_file" ]; then
 key_file="/tmp/secret/secret.key"
 fi
 
+# TPM1 only - read the sealed value first manually
+if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
+ tpm nv_readvalue \
+ -in "$TPM_INDEX" \
+ -sz "$TPM_SIZE" \
+ -of "$sealed_file" \
+ || die "Unable to read key from TPM NVRAM"
+fi
+
 echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
 echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
 echo "DEBUG: Show PCRs"
 pcrs
 
-if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
- if [ "$CONFIG_ATTEST_TOOLS" = "y" ]; then
- echo "Bring up network for remote attestation"
- network-init-recovery
+for tries in 1 2 3; do
+ read -s -p "Enter unlock password (blank to abort): " tpm_password
+ echo
+ if [ -z "$tpm_password" ]; then
+ die "Aborting unseal disk encryption key"
 fi
- for tries in 1 2 3; do
- tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "file:-" > "$key_file"
-
- if [ $? -eq 0 ]; then
- # should be okay if this fails
- shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
- exit 0
- fi
-
- pcrs
- warn "Unable to unseal disk encryption key"
- done
-elif [ "$CONFIG_TPM" = "y" ]; then
- tpm nv_readvalue \
- -in "$TPM_INDEX" \
- -sz "$TPM_SIZE" \
- -of "$sealed_file" \
- || die "Unable to read key from TPM NVRAM"
-
- for tries in 1 2 3; do
- read -s -p "Enter unlock password (blank to abort): " tpm_password
- echo
- if [ -z "$tpm_password" ]; then
- die "Aborting unseal disk encryption key"
- fi
+ unseal_result=1
+ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
+ tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file"
+ unseal_result="$?"
+ else
 tpm unsealfile \
 -if "$sealed_file" \
 -of "$key_file" \
 -pwdd "$tpm_password" \
 -hk 40000000
+ unseal_result="$?"
+ fi
 
- if [ $? -eq 0 ]; then
- # should be okay if this fails
- shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
- exit 0
- fi
+ if [ $? -eq 0 ]; then
+ # should be okay if this fails
+ shred -n 10 -z -u "$sealed_file" 2> /dev/null || true
+ exit 0
+ fi
 
- pcrs
- warn "Unable to unseal disk encryption key"
- done
-fi
+ pcrs
+ warn "Unable to unseal disk encryption key"
+done
 
 die "Retry count exceeded..."
 
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index 65b36b01..b4731446 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -129,7 +129,7 @@ tpm2_sealfile() {
 bname="`basename $file`"
 tpm2 createpolicy --policy-pcr -l "$pcrl" -f "$pcrf" -L "$SECRET_DIR/pcr.policy"
 if [ "$pass" ];then
- tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" -p "$pass"
+ echo -n "$pass" | tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" -p "file:-"
 else
 tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE"
 fi
@@ -145,9 +145,9 @@ tpm2_unseal() {
 handle="$1"
 pcrl="$2"
 pass="$3"
- echo "debug handle: $handle prcl: $pcrl pass $pass"
+ echo "debug handle: $handle prcl: $pcrl pass: $pass" >/dev/console
 if [ "$pass" ];then
- tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl+$pass"
+ echo -n "$pass" | tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl+file:-"
 else
 tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl"
 fi
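Review bot: The success test after the new if/else block, `if [ $? -eq 0 ]; then`, reads the status of the `fi` compound rather than of the unseal command, so `unseal_result` is assigned on both branches but never consulted; it should be `if [ "$unseal_result" -eq 0 ]; then`. The status of a compound `if` is that of the last command it executed, here the `unseal_result="$?"` assignment, which is always 0, so a failed unseal still shreds `$sealed_file` and exits 0 leaving an empty or unusable `$key_file`, and the `pcrs`/`warn` retry path below is unreachable. Separately, `tpmr unseal` now receives `$tpm_password` as an argv word, where it is readable from the process list, while the commit's stated aim is to deliver the password over stdin; carrying the stdin path from tpmr up to this caller would keep it out of argv. The unseal loop is fully contained in this hunk.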
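Review bot: `echo -n "$pass"` is not a byte-exact way to put a password on stdin: a password beginning with `-n`, `-e` or `-E` is eaten as an echo option, and shells whose builtin echo interprets backslash escapes (dash always does, busybox ash depending on its build) rewrite sequences such as `\n` or `\t`, so the auth value sealed here can differ from what the user typed and later fail to unseal. Use `printf '%s' "$pass" | tpm2 create … -p "file:-"`, which emits the string unchanged. The same replacement applies to the `echo -n "$pass" | tpm2 unseal` line in the tpm2_unseal hunk below.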
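Review bot: The rewritten debug line writes the plaintext unseal password to `/dev/console` via `pass: $pass`, where it is captured by anything logging or recording the console; even as a temporary trace it should omit the secret, e.g. `echo "debug handle: $handle prcl: $pcrl" >/dev/console`, or be dropped before merge. Printing `$handle` and `$pcrl` alone is sufficient to diagnose the policy problem the commit message says is still unresolved.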