mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 15:16:42 +00:00
kexec-unseal-key, tpmr: Deduplicate TPM1/2 code and always use stdin pass
Always send password via stdin to tpm2 create, tpm2 unseal. The password could being with things like 'file:', 'str:', 'pcr:' that would be interpreted by tpm2. Deduplicate the TPM1/2 code in kexec-unseal-key. The TPM2 code was not actually prompting for the password or sending it to tpmr unseal. Password is still not working yet though. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This commit is contained in:
parent
2c6caa18a7
commit
79e10ee135
@ -18,57 +18,48 @@ if [ -z "$key_file" ]; then
|
|||||||
key_file="/tmp/secret/secret.key"
|
key_file="/tmp/secret/secret.key"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
|
# TPM1 only - read the sealed value first manually
|
||||||
echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
|
if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
|
||||||
echo "DEBUG: Show PCRs"
|
|
||||||
pcrs
|
|
||||||
|
|
||||||
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
|
||||||
if [ "$CONFIG_ATTEST_TOOLS" = "y" ]; then
|
|
||||||
echo "Bring up network for remote attestation"
|
|
||||||
network-init-recovery
|
|
||||||
fi
|
|
||||||
for tries in 1 2 3; do
|
|
||||||
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "file:-" > "$key_file"
|
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
# should be okay if this fails
|
|
||||||
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
pcrs
|
|
||||||
warn "Unable to unseal disk encryption key"
|
|
||||||
done
|
|
||||||
elif [ "$CONFIG_TPM" = "y" ]; then
|
|
||||||
tpm nv_readvalue \
|
tpm nv_readvalue \
|
||||||
-in "$TPM_INDEX" \
|
-in "$TPM_INDEX" \
|
||||||
-sz "$TPM_SIZE" \
|
-sz "$TPM_SIZE" \
|
||||||
-of "$sealed_file" \
|
-of "$sealed_file" \
|
||||||
|| die "Unable to read key from TPM NVRAM"
|
|| die "Unable to read key from TPM NVRAM"
|
||||||
|
fi
|
||||||
|
|
||||||
for tries in 1 2 3; do
|
echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
|
||||||
|
echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
|
||||||
|
echo "DEBUG: Show PCRs"
|
||||||
|
pcrs
|
||||||
|
|
||||||
|
for tries in 1 2 3; do
|
||||||
read -s -p "Enter unlock password (blank to abort): " tpm_password
|
read -s -p "Enter unlock password (blank to abort): " tpm_password
|
||||||
echo
|
echo
|
||||||
if [ -z "$tpm_password" ]; then
|
if [ -z "$tpm_password" ]; then
|
||||||
die "Aborting unseal disk encryption key"
|
die "Aborting unseal disk encryption key"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
unseal_result=1
|
||||||
|
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
||||||
|
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file"
|
||||||
|
unseal_result="$?"
|
||||||
|
else
|
||||||
tpm unsealfile \
|
tpm unsealfile \
|
||||||
-if "$sealed_file" \
|
-if "$sealed_file" \
|
||||||
-of "$key_file" \
|
-of "$key_file" \
|
||||||
-pwdd "$tpm_password" \
|
-pwdd "$tpm_password" \
|
||||||
-hk 40000000
|
-hk 40000000
|
||||||
|
unseal_result="$?"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
# should be okay if this fails
|
# should be okay if this fails
|
||||||
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
|
shred -n 10 -z -u "$sealed_file" 2> /dev/null || true
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pcrs
|
pcrs
|
||||||
warn "Unable to unseal disk encryption key"
|
warn "Unable to unseal disk encryption key"
|
||||||
done
|
done
|
||||||
fi
|
|
||||||
|
|
||||||
die "Retry count exceeded..."
|
die "Retry count exceeded..."
|
||||||
|
@ -129,7 +129,7 @@ tpm2_sealfile() {
|
|||||||
bname="`basename $file`"
|
bname="`basename $file`"
|
||||||
tpm2 createpolicy --policy-pcr -l "$pcrl" -f "$pcrf" -L "$SECRET_DIR/pcr.policy"
|
tpm2 createpolicy --policy-pcr -l "$pcrl" -f "$pcrf" -L "$SECRET_DIR/pcr.policy"
|
||||||
if [ "$pass" ];then
|
if [ "$pass" ];then
|
||||||
tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" -p "$pass"
|
echo -n "$pass" | tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" -p "file:-"
|
||||||
else
|
else
|
||||||
tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE"
|
tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE"
|
||||||
fi
|
fi
|
||||||
@ -145,9 +145,9 @@ tpm2_unseal() {
|
|||||||
handle="$1"
|
handle="$1"
|
||||||
pcrl="$2"
|
pcrl="$2"
|
||||||
pass="$3"
|
pass="$3"
|
||||||
echo "debug handle: $handle prcl: $pcrl pass $pass"
|
echo "debug handle: $handle prcl: $pcrl pass: $pass" >/dev/console
|
||||||
if [ "$pass" ];then
|
if [ "$pass" ];then
|
||||||
tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl+$pass"
|
echo -n "$pass" | tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl+file:-"
|
||||||
else
|
else
|
||||||
tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl"
|
tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl"
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user