Merge pull request #628 from MrChromebox/hotp_check_boot

unseal-hotp: ensure /boot mounted before checking HOTP secret
2025-03-11 15:03:54 +00:00 · 2019-11-25 09:26:07 -08:00 · 2019-11-25 09:26:07 -08:00 · 8110b6192c
commit 8110b6192c
parent 9576a427a0 0dbc748233
1 changed files with 14 additions and 15 deletions
--- a/initrd/bin/unseal-hotp
+++ b/initrd/bin/unseal-hotp
@ -21,21 +21,6 @@ mount_boot_or_die()
 # get current value of HOTP counter in TPM, create if absent
 mount_boot_or_die

-tpm nv_readvalue \
-	-in 4d47 \
-	-sz 312 \
-	-of "$HOTP_SEALED" \
-|| die "Unable to retrieve sealed file from TPM NV"
-
-tpm unsealfile  \
-	-hk 40000000 \
-	-if "$HOTP_SEALED" \
-	-of "$HOTP_SECRET" \
-|| die "Unable to unseal HOTP secret"
-
-shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
-
-
 #check_tpm_counter $HOTP_COUNTER hotp \
 #|| die "Unable to find/create TPM counter"
 #counter="$TPM_COUNTER"
@ -51,6 +36,20 @@ fi

 #counter_value=$(printf "%d" 0x${counter_value})

+tpm nv_readvalue \
+	-in 4d47 \
+	-sz 312 \
+	-of "$HOTP_SEALED" \
+|| die "Unable to retrieve sealed file from TPM NV"
+
+tpm unsealfile  \
+	-hk 40000000 \
+	-if "$HOTP_SEALED" \
+	-of "$HOTP_SECRET" \
+|| die "Unable to unseal HOTP secret"
+
+shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
+
 if ! hotp $counter_value < "$HOTP_SECRET"; then
 	shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
 	die 'Unable to compute HOTP hash?'