import the seal/unseal totp scripts since they are very specialized to the heads install, skip owner password if not required (issue #151)

2025-02-20 09:16:21 +00:00 · 2017-04-12 06:49:39 -04:00 · 2017-04-12 06:49:39 -04:00 · 7a9ab72144
commit 7a9ab72144
parent c5c47c6b1c
3 changed files with 117 additions and 2 deletions
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
@ -0,0 +1,87 @@
+#!/bin/sh
+# Generate a random secret, seal it with the PCRs
+# and write it to the TPM NVRAM.
+#
+# Pass in a hostname if you want to change it from the default string
+#
+
+. /etc/functions
+
+TPM_NVRAM_SPACE=4d47
+
+HOST="$1"
+if [ -z "$HOST" ]; then
+	HOST="TPMTOTP"
+fi
+
+TOTP_SECRET="/tmp/secret/totp.key"
+TOTP_SEALED="/tmp/secret/totp.sealed"
+
+dd \
+	if=/dev/urandom \
+	of="$TOTP_SECRET" \
+	count=1 \
+	bs=20 \
+	2>/dev/null \
+|| die "Unable to generate 20 random bytes"
+
+secret="`base32 < $TOTP_SECRET`"
+
+# Use the current values of the PCRs, which will be read
+# from the TPM as part of the sealing ("X").
+# PCR4 == 0 means that we are still in the boot process and
+# not a recovery shell.
+# should this read the storage root key?
+if ! tpm sealfile2 \
+	-if "$TOTP_SECRET" \
+	-of "$TOTP_SEALED" \
+	-hk 40000000 \
+	-ix 0 X \
+	-ix 1 X \
+	-ix 2 X \
+	-ix 3 X \
+	-ix 4 0000000000000000000000000000000000000000 \
+; then
+	rm -f "$TOTP_SECRET"
+	 die "Unable to seal secret"
+fi
+
+
+# to create an nvram space we need the TPM owner password
+# and the TPM physical presence must be asserted.
+#
+# The permissions are 0 since there is nothing special
+# about the sealed file
+tpm physicalpresence -s \
+|| warn "Warning: Unable to assert physical presence"
+
+# Try to write it without the password first, and then create
+# the NVRAM space using the owner password if it fails for some reason.
+if ! tpm nv_writevalue \
+	-in $TPM_NVRAM_SPACE \
+	-if "$TOTP_SEALED" \
+; then
+	warn 'NVRAM space does not exist? Owner password is required'
+	read -s -p "TPM Owner password: " tpm_password
+	echo
+
+	tpm nv_definespace \
+		-in $TPM_NVRAM_SPACE \
+		-sz 312 \
+		-pwdo "$tpm_password" \
+		-per 0 \
+	|| die "Unable to define NVRAM space"
+
+	tpm nv_writevalue \
+		-in $TPM_NVRAM_SPACE \
+		-if "$TOTP_SEALED" \
+	|| die "Unable to write sealed secret to NVRAM"
+fi
+
+rm -f "$TOTP_SEALED"
+
+url="otpauth://totp/$HOST?secret=$secret"
+secret=""
+
+qrenc "$url"
+#echo "$url"
--- a/initrd/bin/unseal-totp
+++ b/initrd/bin/unseal-totp
@ -0,0 +1,30 @@
+#!/bin/sh
+# Retrieve the sealed file from the NVRAM, unseal it and compute the totp
+
+. /etc/functions
+
+TOTP_SEALED="/tmp/secret/totp.sealed"
+TOTP_SECRET="/tmp/secret/totp.key"
+
+tpm nv_readvalue \
+	-in 4d47 \
+	-sz 312 \
+	-of "$TOTP_SEALED" \
+|| die "Unable to retrieve sealed file from TPM NV"
+
+tpm unsealfile  \
+	-hk 40000000 \
+	-if "$TOTP_SEALED" \
+	-of "$TOTP_SECRET" \
+|| die "Unable to unseal totp secret"
+
+rm -f "$TOTP_SEALED"
+
+echo -n "`date`: "
+if ! totp < "$TOTP_SECRET"; then
+	rm -f "$TOTP_SECRET"
+	die 'Unable to compute TOTP hash?'
+fi
+
+rm -f "$TOTP_SECRET"
+exit 0
--- a/modules/tpmtotp
+++ b/modules/tpmtotp
@ -20,8 +20,6 @@ tpmtotp_output := \
 	totp \
 	base32 \
 	qrenc \
-	sealtotp.sh \
-	unsealtotp.sh \
 	util/tpm \

 tpmtotp_libraries := \