From 7a9ab72144d2a1c092dc85d97a63b236740c263f Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Wed, 12 Apr 2017 06:49:39 -0400
Subject: [PATCH] import the seal/unseal totp scripts since they are very specialized to the heads install, skip owner password if not required (issue #151)
---
 initrd/bin/seal-totp | 87 ++++++++++++++++++++++++++++++++++++++++++
 initrd/bin/unseal-totp | 30 +++++++++++++++
 modules/tpmtotp | 2 -
 3 files changed, 117 insertions(+), 2 deletions(-)
 create mode 100755 initrd/bin/seal-totp
 create mode 100755 initrd/bin/unseal-totp
diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp
new file mode 100755
index 00000000..fc89d897
--- /dev/null
+++ b/initrd/bin/seal-totp
@@ -0,0 +1,87 @@
+#!/bin/sh
+# Generate a random secret, seal it with the PCRs
+# and write it to the TPM NVRAM.
+#
+# Pass in a hostname if you want to change it from the default string
+#
+
+. /etc/functions
+
+TPM_NVRAM_SPACE=4d47
+
+HOST="$1"
+if [ -z "$HOST" ]; then
+ HOST="TPMTOTP"
+fi
+
+TOTP_SECRET="/tmp/secret/totp.key"
+TOTP_SEALED="/tmp/secret/totp.sealed"
+
+dd \
+ if=/dev/urandom \
+ of="$TOTP_SECRET" \
+ count=1 \
+ bs=20 \
+ 2>/dev/null \
+|| die "Unable to generate 20 random bytes"
+
+secret="`base32 < $TOTP_SECRET`"
+
+# Use the current values of the PCRs, which will be read
+# from the TPM as part of the sealing ("X").
+# PCR4 == 0 means that we are still in the boot process and
+# not a recovery shell.
+# should this read the storage root key?
+if ! tpm sealfile2 \
+ -if "$TOTP_SECRET" \
+ -of "$TOTP_SEALED" \
+ -hk 40000000 \
+ -ix 0 X \
+ -ix 1 X \
+ -ix 2 X \
+ -ix 3 X \
+ -ix 4 0000000000000000000000000000000000000000 \
+; then
+ rm -f "$TOTP_SECRET"
+ die "Unable to seal secret"
+fi
+
+
+# to create an nvram space we need the TPM owner password
+# and the TPM physical presence must be asserted.
+#
+# The permissions are 0 since there is nothing special
+# about the sealed file
+tpm physicalpresence -s \
+|| warn "Warning: Unable to assert physical presence"
+
+# Try to write it without the password first, and then create
+# the NVRAM space using the owner password if it fails for some reason.
+if ! tpm nv_writevalue \
+ -in $TPM_NVRAM_SPACE \
+ -if "$TOTP_SEALED" \
+; then
+ warn 'NVRAM space does not exist? 
Owner password is required'
+ read -s -p "TPM Owner password: " tpm_password
+ echo
+
+ tpm nv_definespace \
+ -in $TPM_NVRAM_SPACE \
+ -sz 312 \
+ -pwdo "$tpm_password" \
+ -per 0 \
+ || die "Unable to define NVRAM space"
+
+ tpm nv_writevalue \
+ -in $TPM_NVRAM_SPACE \
+ -if "$TOTP_SEALED" \
+ || die "Unable to write sealed secret to NVRAM"
+fi
+
+rm -f "$TOTP_SEALED"
+
+url="otpauth://totp/$HOST?secret=$secret"
+secret=""
+
+qrenc "$url"
+#echo "$url"
diff --git a/initrd/bin/unseal-totp b/initrd/bin/unseal-totp
new file mode 100755
index 00000000..ccd37e95
--- /dev/null
+++ b/initrd/bin/unseal-totp
@@ -0,0 +1,30 @@
+#!/bin/sh
+# Retrieve the sealed file from the NVRAM, unseal it and compute the totp
+
+. /etc/functions
+
+TOTP_SEALED="/tmp/secret/totp.sealed"
+TOTP_SECRET="/tmp/secret/totp.key"
+
+tpm nv_readvalue \
+ -in 4d47 \
+ -sz 312 \
+ -of "$TOTP_SEALED" \
+|| die "Unable to retrieve sealed file from TPM NV"
+
+tpm unsealfile \
+ -hk 40000000 \
+ -if "$TOTP_SEALED" \
+ -of "$TOTP_SECRET" \
+|| die "Unable to unseal totp secret"
+
+rm -f "$TOTP_SEALED"
+
+echo -n "`date`: "
+if ! totp < "$TOTP_SECRET"; then
+ rm -f "$TOTP_SECRET"
+ die 'Unable to compute TOTP hash?'
+fi
+
+rm -f "$TOTP_SECRET"
+exit 0
diff --git a/modules/tpmtotp b/modules/tpmtotp
index 6fd1a9f0..46a2fd9c 100644
--- a/modules/tpmtotp
+++ b/modules/tpmtotp
@@ -20,8 +20,6 @@ tpmtotp_output := \
 totp \
 base32 \
 qrenc \
- sealtotp.sh \
- unsealtotp.sh \
 util/tpm \
 
 tpmtotp_libraries := \
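Review bot: The plaintext secret file `$TOTP_SECRET` is only removed on the sealing failure path inside the `tpm sealfile2` block; on the success path the script deletes `$TOTP_SEALED` after the nv_writevalue block but leaves the raw 20-byte key at /tmp/secret/totp.key after it exits, even though unseal-totp deletes its own copy as soon as it has been consumed. Since `$secret` already holds the base32 form before sealing starts, add `rm -f "$TOTP_SECRET"` directly after the `fi` that closes the sealfile2 block so the key is gone on both paths. The `secret=""` wipe at the end is also incomplete: `$url` still contains the secret after `qrenc "$url"` and is never cleared, so add `url=""` after the qrenc call. Separately, `-pwdo "$tpm_password"` hands the owner password to `tpm` as an argument, where it is readable in the process list for the duration of that call; if the tool offers no stdin or file alternative, a comment acknowledging that limitation next to the nv_definespace call would help the next maintainer.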
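Review bot: The NVRAM index `4d47` and size `312` are hard-coded in the `tpm nv_readvalue` call here, while seal-totp declares the same index as `TPM_NVRAM_SPACE=4d47` and the same size via `-sz 312` in its nv_definespace call; changing either value in one script silently breaks the other, so both should read them from one shared definition (for example in /etc/functions, which both scripts already source) or at least declare them under the same variable names at the top of this file. The line that prints the date before the code uses `echo -n`, which is not defined for POSIX `sh` and so is fragile under this file's `#!/bin/sh`; `printf '%s: ' "$(date)"` is the portable equivalent.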