kexec-unseal-key, tpmr: Deduplicate TPM1/2 code and always use stdin pass

Always send password via stdin to tpm2 create, tpm2 unseal.  The password
could being with things like 'file:', 'str:', 'pcr:' that would be
interpreted by tpm2.

Deduplicate the TPM1/2 code in kexec-unseal-key.  The TPM2 code was not
actually prompting for the password or sending it to tpmr unseal.

Password is still not working yet though.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This commit is contained in:
Jonathon Hall 2023-02-23 10:14:32 -05:00
parent 2c6caa18a7
commit 79e10ee135
No known key found for this signature in database
GPG Key ID: 1E9C3CA91AE25114
2 changed files with 32 additions and 41 deletions

View File

@ -18,57 +18,48 @@ if [ -z "$key_file" ]; then
key_file="/tmp/secret/secret.key"
fi
echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
echo "DEBUG: Show PCRs"
pcrs
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
if [ "$CONFIG_ATTEST_TOOLS" = "y" ]; then
echo "Bring up network for remote attestation"
network-init-recovery
fi
for tries in 1 2 3; do
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "file:-" > "$key_file"
if [ $? -eq 0 ]; then
# should be okay if this fails
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
exit 0
fi
pcrs
warn "Unable to unseal disk encryption key"
done
elif [ "$CONFIG_TPM" = "y" ]; then
# TPM1 only - read the sealed value first manually
if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
tpm nv_readvalue \
-in "$TPM_INDEX" \
-sz "$TPM_SIZE" \
-of "$sealed_file" \
|| die "Unable to read key from TPM NVRAM"
fi
for tries in 1 2 3; do
echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
echo "DEBUG: Show PCRs"
pcrs
for tries in 1 2 3; do
read -s -p "Enter unlock password (blank to abort): " tpm_password
echo
if [ -z "$tpm_password" ]; then
die "Aborting unseal disk encryption key"
fi
unseal_result=1
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file"
unseal_result="$?"
else
tpm unsealfile \
-if "$sealed_file" \
-of "$key_file" \
-pwdd "$tpm_password" \
-hk 40000000
unseal_result="$?"
fi
if [ $? -eq 0 ]; then
# should be okay if this fails
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
shred -n 10 -z -u "$sealed_file" 2> /dev/null || true
exit 0
fi
pcrs
warn "Unable to unseal disk encryption key"
done
fi
done
die "Retry count exceeded..."

View File

@ -129,7 +129,7 @@ tpm2_sealfile() {
bname="`basename $file`"
tpm2 createpolicy --policy-pcr -l "$pcrl" -f "$pcrf" -L "$SECRET_DIR/pcr.policy"
if [ "$pass" ];then
tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" -p "$pass"
echo -n "$pass" | tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" -p "file:-"
else
tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE"
fi
@ -145,9 +145,9 @@ tpm2_unseal() {
handle="$1"
pcrl="$2"
pass="$3"
echo "debug handle: $handle prcl: $pcrl pass $pass"
echo "debug handle: $handle prcl: $pcrl pass: $pass" >/dev/console
if [ "$pass" ];then
tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl+$pass"
echo -n "$pass" | tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl+file:-"
else
tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl"
fi