TPM1/TPM2: unify wording for TPM Owner Password and cache it externally in /tmp/secret/tpm_password so it can be reused within a boot session until recovery shell access or reboot

TODO: Why two functions prompt_tpm_password and prompt_new_owner_password
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2023-10-23 13:13:39 -04:00
parent 754e3c9165
commit 911eb07565
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
3 changed files with 25 additions and 8 deletions


@ -780,7 +780,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
fi
if [ "$CONFIG_TPM" = "y" ]; then
CUSTOM_PASS_AFFECTED_COMPONENTS="$CUSTOM_PASS_AFFECTED_COMPONENTS
TPM Ownership password"
TPM Owner Password"
fi
CUSTOM_PASS_AFFECTED_COMPONENTS="$CUSTOM_PASS_AFFECTED_COMPONENTS
GPG Admin PIN
@ -821,7 +821,7 @@ GPG User PIN"
echo
if [ "$CONFIG_TPM" = "y" ]; then
while [[ ${#TPM_PASS} -lt 8 ]]; do
echo -e -n "Enter desired TPM Ownership password: "
echo -e -n "Enter desired TPM Owner Password: "
read TPM_PASS
done
fi


@ -391,7 +391,7 @@ tpm2_seal() {
sealed_size="$5" # Not used for TPM2
pass="$6" # May be empty to seal with no password
tpm_password="$7" # Owner password - will prompt if needed and not empty
# Owner password is always needed for TPM2.
# TPM Owner Password is always needed for TPM2.
mkdir -p "$SECRET_DIR"
bname="`basename $file`"
@ -489,7 +489,7 @@ tpm1_seal() {
# try it without the owner password first
if ! tpm nv_writevalue -in "$index" -if "$sealed_file"; then
# to create an nvram space we need the TPM owner password
# to create an nvram space we need the TPM Owner Password
# and the TPM physical presence must be asserted.
#
# The permissions are 0 since there is nothing special
@ -595,6 +595,9 @@ tpm2_reset() {
TRACE "Under /bin/tpmr:tpm2_reset"
key_password="$1"
mkdir -p "$SECRET_DIR"
# output TPM Owner Password key_password to a file to be reused in this boot session until recovery shell/reboot
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_password"
echo "$key_password" > "$SECRET_DIR/tpm_password"
tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy"
tpm2 changeauth -c owner "$(tpm2_password_hex "$key_password")"
tpm2 changeauth -c endorsement "$(tpm2_password_hex "$key_password")"
@ -640,7 +643,10 @@ tpm2_reset() {
tpm1_reset() {
TRACE "Under /bin/tpmr:tpm1_reset"
key_password="$1"
mkdir -p "$SECRET_DIR"
# output key_password to a file to be reused in this boot session until recovery shell/reboot
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_password"
echo "$key_password" > "$SECRET_DIR/tpm_password"
# Make sure the TPM is ready to be reset
tpm physicalpresence -s
tpm physicalenable
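Review bot: The new cache write `echo "$key_password" > "$SECRET_DIR/tpm_password"` in tpm2_reset is unchecked and runs before `tpm2 clear` and `tpm2 changeauth`, so if either fails the file still holds a password the TPM never accepted and the cached-file branch of prompt_tpm_password will reuse it without re-prompting; the identical lines in tpm1_reset have the same problem. `echo` also rewrites a password that begins with `-n`/`-e` or contains backslashes (shell-dependent), while `printf '%s\n'` reproduces it byte for byte. Suggested form: `printf '%s\n' "$key_password" > "$SECRET_DIR/tpm_password" || warn "Unable to cache TPM Owner Password"`, ideally moved after the ownership change has succeeded. The file inherits the process umask; unless $SECRET_DIR is already mode 0700 (not visible here), wrapping the write in `(umask 077; …)` keeps the cached secret unreadable by other users. tpm1_reset's body continues past the end of this hunk.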


@ -194,11 +194,17 @@ list_usb_storage() {
# line, since some flows need it multiple times and only one prompt is ideal.
prompt_tpm_password() {
TRACE "Under /etc/functions:prompt_tpm_password"
#Caller might already have cached the password in tpm_password. If not, prompt for it and cache it externally
if [ -n "$tpm_password" ]; then
DEBUG "tpm_password variable already set by caller. Reusing"
return 0
elif [ -s /tmp/secret/tpm_password ]; then
DEBUG "/tmp/secret/tpm_password already cached in file. Reusing"
tpm_password=$(cat /tmp/secret/tpm_password)
return 0
fi
read -s -p "TPM Owner password: " tpm_password
read -s -p "TPM Owner Password: " tpm_password
echo # new line after password prompt
}
@ -211,10 +217,10 @@ prompt_new_owner_password() {
key_password=1
key_password2=2
while [ "$key_password" != "$key_password2" ] || [ "${#key_password}" -gt 32 ] || [ -z "$key_password" ]; do
read -s -p "New TPM owner passphrase (2 words suggested, 1-32 characters max): " key_password
read -s -p "New TPM Owner Password (2 words suggested, 1-32 characters max): " key_password
echo
read -s -p "Repeat chosen TPM owner passphrase: " key_password2
read -s -p "Repeat chosen TPM Owner Password: " key_password2
echo
if [ "$key_password" != "$key_password2" ]; then
@ -222,6 +228,11 @@ prompt_new_owner_password() {
echo
fi
done
# Cache the password externally to be reused by who needs it
DEBUG "Caching TPM Owner Password to /tmp/secret/tpm_password"
mkdir -p /tmp/secret || die "Unable to create /tmp/secret"
echo "$key_password" > /tmp/secret/tpm_password || die "Unable to cache TPM password under /tmp/secret"
}
check_tpm_counter() {
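Review bot: The cache path is hardcoded as `/tmp/secret/tpm_password` in both prompt_tpm_password and prompt_new_owner_password, while tpmr writes the same cache through `"$SECRET_DIR/tpm_password"`; if the two ever diverge the reader never finds the writer's file, so one spelling such as `"${SECRET_DIR:-/tmp/secret}/tpm_password"` should be used on both sides. prompt_new_owner_password caches the candidate password before any caller has applied it to the TPM (and tpm1_reset/tpm2_reset write the same file again), so a failed reset leaves a stale value that prompt_tpm_password reuses without re-prompting; a short comment stating who owns the cache, or dropping the write from one of the two places, would make the contract explicit. `read -s -p "TPM Owner Password: " tpm_password` should be `read -r -s -p "TPM Owner Password: " tpm_password` (likewise the two reads in prompt_new_owner_password), since without `-r` backslashes in the typed password are consumed, and `echo "$key_password" >` is better written `printf '%s\n' "$key_password" >` because `echo` can alter a password that starts with `-n`/`-e`. prompt_new_owner_password's signature lies outside this hunk.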