kexec-unseal-key, tpmr: Deduplicate TPM1/2 code and always use stdin pass

Always send password via stdin to tpm2 create, tpm2 unseal.  The password
could being with things like 'file:', 'str:', 'pcr:' that would be
interpreted by tpm2.

Deduplicate the TPM1/2 code in kexec-unseal-key.  The TPM2 code was not
actually prompting for the password or sending it to tpmr unseal.

Password is still not working yet though.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This commit is contained in:
Jonathon Hall 2023-02-23 10:14:32 -05:00
parent 2c6caa18a7
commit 79e10ee135
No known key found for this signature in database
GPG Key ID: 1E9C3CA91AE25114
2 changed files with 32 additions and 41 deletions

View File

@ -18,57 +18,48 @@ if [ -z "$key_file" ]; then
key_file="/tmp/secret/secret.key" key_file="/tmp/secret/secret.key"
fi fi
echo "DEBUG: CONFIG_TPM: $CONFIG_TPM" # TPM1 only - read the sealed value first manually
echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS" if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
echo "DEBUG: Show PCRs"
pcrs
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
if [ "$CONFIG_ATTEST_TOOLS" = "y" ]; then
echo "Bring up network for remote attestation"
network-init-recovery
fi
for tries in 1 2 3; do
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "file:-" > "$key_file"
if [ $? -eq 0 ]; then
# should be okay if this fails
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
exit 0
fi
pcrs
warn "Unable to unseal disk encryption key"
done
elif [ "$CONFIG_TPM" = "y" ]; then
tpm nv_readvalue \ tpm nv_readvalue \
-in "$TPM_INDEX" \ -in "$TPM_INDEX" \
-sz "$TPM_SIZE" \ -sz "$TPM_SIZE" \
-of "$sealed_file" \ -of "$sealed_file" \
|| die "Unable to read key from TPM NVRAM" || die "Unable to read key from TPM NVRAM"
fi
for tries in 1 2 3; do echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
echo "DEBUG: Show PCRs"
pcrs
for tries in 1 2 3; do
read -s -p "Enter unlock password (blank to abort): " tpm_password read -s -p "Enter unlock password (blank to abort): " tpm_password
echo echo
if [ -z "$tpm_password" ]; then if [ -z "$tpm_password" ]; then
die "Aborting unseal disk encryption key" die "Aborting unseal disk encryption key"
fi fi
unseal_result=1
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file"
unseal_result="$?"
else
tpm unsealfile \ tpm unsealfile \
-if "$sealed_file" \ -if "$sealed_file" \
-of "$key_file" \ -of "$key_file" \
-pwdd "$tpm_password" \ -pwdd "$tpm_password" \
-hk 40000000 -hk 40000000
unseal_result="$?"
fi
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
# should be okay if this fails # should be okay if this fails
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true shred -n 10 -z -u "$sealed_file" 2> /dev/null || true
exit 0 exit 0
fi fi
pcrs pcrs
warn "Unable to unseal disk encryption key" warn "Unable to unseal disk encryption key"
done done
fi
die "Retry count exceeded..." die "Retry count exceeded..."

View File

@ -129,7 +129,7 @@ tpm2_sealfile() {
bname="`basename $file`" bname="`basename $file`"
tpm2 createpolicy --policy-pcr -l "$pcrl" -f "$pcrf" -L "$SECRET_DIR/pcr.policy" tpm2 createpolicy --policy-pcr -l "$pcrl" -f "$pcrf" -L "$SECRET_DIR/pcr.policy"
if [ "$pass" ];then if [ "$pass" ];then
tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" -p "$pass" echo -n "$pass" | tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" -p "file:-"
else else
tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE"
fi fi
@ -145,9 +145,9 @@ tpm2_unseal() {
handle="$1" handle="$1"
pcrl="$2" pcrl="$2"
pass="$3" pass="$3"
echo "debug handle: $handle prcl: $pcrl pass $pass" echo "debug handle: $handle prcl: $pcrl pass: $pass" >/dev/console
if [ "$pass" ];then if [ "$pass" ];then
tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl+$pass" echo -n "$pass" | tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl+file:-"
else else
tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl" tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl"
fi fi