tpmr: move TPM2-related secret artifacts to /tmp/secret so they are auto-wiped when the recovery shell is accessed. To inspect those artifacts, run under qemu and have the main console launch qemu from a recovery shell before doing the operations you want to observe, so the /tmp/secret/ contents can be seen before they are deleted. The pcap still lives under /tmp, which is as expected.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2023-11-02 11:30:59 -04:00
parent af3287c001
commit 921acd0f6f
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93


@ -5,9 +5,9 @@
SECRET_DIR="/tmp/secret" SECRET_DIR="/tmp/secret"
PRIMARY_HANDLE="0x81000000" PRIMARY_HANDLE="0x81000000"
ENC_SESSION_FILE="enc.ctx" ENC_SESSION_FILE="$SECRET_DIR/enc.ctx"
DEC_SESSION_FILE="dec.ctx" DEC_SESSION_FILE="$SECRET_DIR/dec.ctx"
PRIMARY_HANDLE_FILE="primary.handle" PRIMARY_HANDLE_FILE="$SECRET_DIR/primary.handle"
# PCR size in bytes. Set when we determine what TPM version is in use. # PCR size in bytes. Set when we determine what TPM version is in use.
# TPM1 PCRs are always 20 bytes. TPM2 is allowed to provide multiple PCR banks # TPM1 PCRs are always 20 bytes. TPM2 is allowed to provide multiple PCR banks
@ -321,10 +321,10 @@ tpm2_startsession() {
tpm2 flushcontext -Q \ tpm2 flushcontext -Q \
--saved-session \ --saved-session \
|| die "tpm2_flushcontext: unable to flush saved session" || die "tpm2_flushcontext: unable to flush saved session"
tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "/tmp/$PRIMARY_HANDLE_FILE" tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
tpm2 startauthsession -Q -c "/tmp/$PRIMARY_HANDLE_FILE" --hmac-session -S "/tmp/$ENC_SESSION_FILE" tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE"
tpm2 startauthsession -Q -c "/tmp/$PRIMARY_HANDLE_FILE" --hmac-session -S "/tmp/$DEC_SESSION_FILE" tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE"
tpm2 sessionconfig -Q --disable-encrypt "/tmp/$DEC_SESSION_FILE" tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"
} }
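Review bot: tpm2_startsession now writes the primary handle and both session contexts under $SECRET_DIR, but nothing in this hunk creates that directory; the only `mkdir -p "$SECRET_DIR"` visible on this page is in tpm2_reset, so on any path where a session is started before a reset (or after /tmp/secret has been wiped by the recovery shell, as the commit message describes) `tpm2 readpublic -t "$PRIMARY_HANDLE_FILE"` cannot write its output, whereas the old /tmp paths always existed. Because readpublic and the two startauthsession calls carry no `|| die`, that failure is silent here and only surfaces later as a missing-handle error in tpm2_unseal. I would add, before the readpublic line, `mkdir -p -m 0700 "$SECRET_DIR" || die "tpm2_startsession: unable to create $SECRET_DIR"` — the 0700 is cheap given the directory now also holds the cached owner password. tpm2_startsession begins outside the hunk, so an earlier mkdir in its body may exist that this page does not show.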
# Use cleanup_session() with at_exit to release a TPM2 session and delete the # Use cleanup_session() with at_exit to release a TPM2 session and delete the
@ -403,8 +403,8 @@ tpm2_seal() {
# Create a policy requiring both PCRs and the object's authentication # Create a policy requiring both PCRs and the object's authentication
# value using a trial session. # value using a trial session.
TRIAL_SESSION=/tmp/sealfile_trial.session TRIAL_SESSION="$SECRET_DIR/sealfile_trial.session"
AUTH_POLICY=/tmp/sealfile_auth.policy AUTH_POLICY="$SECRET_DIR/sealfile_auth.policy"
rm -f "$TRIAL_SESSION" "$AUTH_POLICY" rm -f "$TRIAL_SESSION" "$AUTH_POLICY"
tpm2 startauthsession -g sha256 -S "$TRIAL_SESSION" tpm2 startauthsession -g sha256 -S "$TRIAL_SESSION"
# We have to clean up the session # We have to clean up the session
@ -430,16 +430,16 @@ tpm2_seal() {
# (The default is to allow either policy auth _or_ password auth. In # (The default is to allow either policy auth _or_ password auth. In
# this case the policy includes the password, and we don't want to allow # this case the policy includes the password, and we don't want to allow
# the password on its own.) # the password on its own.)
tpm2 create -Q -C "/tmp/$PRIMARY_HANDLE_FILE" \ tpm2 create -Q -C "$PRIMARY_HANDLE_FILE" \
-i "$file" \ -i "$file" \
-u "$SECRET_DIR/$bname.priv" \ -u "$SECRET_DIR/$bname.priv" \
-r "$SECRET_DIR/$bname.pub" \ -r "$SECRET_DIR/$bname.pub" \
-L "$AUTH_POLICY" \ -L "$AUTH_POLICY" \
-S "/tmp/$DEC_SESSION_FILE" \ -S "$DEC_SESSION_FILE" \
-a "fixedtpm|fixedparent|adminwithpolicy" \ -a "fixedtpm|fixedparent|adminwithpolicy" \
"${CREATE_PASS_ARGS[@]}" "${CREATE_PASS_ARGS[@]}"
tpm2 load -Q -C "/tmp/$PRIMARY_HANDLE_FILE" \ tpm2 load -Q -C "$PRIMARY_HANDLE_FILE" \
-u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" \ -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" \
-c "$SECRET_DIR/$bname.seal.ctx" -c "$SECRET_DIR/$bname.seal.ctx"
prompt_tpm_owner_password prompt_tpm_owner_password
@ -531,13 +531,13 @@ tpm2_unseal() {
# If we don't have the primary handle (TPM hasn't been reset), tpm2 will # If we don't have the primary handle (TPM hasn't been reset), tpm2 will
# print nonsense error messages about an unexpected handle value. We # print nonsense error messages about an unexpected handle value. We
# can't do anything without a primary handle. # can't do anything without a primary handle.
if [ ! -f "/tmp/$PRIMARY_HANDLE_FILE" ]; then if [ ! -f "$PRIMARY_HANDLE_FILE" ]; then
DEBUG "tpm2_unseal: No primary handle, cannot attempt to unseal" DEBUG "tpm2_unseal: No primary handle, cannot attempt to unseal"
warn "No TPM primary handle. You must reset TPM to seal secret" warn "No TPM primary handle. You must reset TPM to seal secret"
exit 1 exit 1
fi fi
POLICY_SESSION=/tmp/unsealfile_policy.session POLICY_SESSION="$SECRET_DIR/unsealfile_policy.session"
rm -f "$POLICY_SESSION" rm -f "$POLICY_SESSION"
tpm2 startauthsession -Q -g sha256 -S "$POLICY_SESSION" --policy-session tpm2 startauthsession -Q -g sha256 -S "$POLICY_SESSION" --policy-session
at_exit cleanup_session "$POLICY_SESSION" at_exit cleanup_session "$POLICY_SESSION"
@ -555,7 +555,7 @@ tpm2_unseal() {
fi fi
tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \ tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
-S "/tmp/$ENC_SESSION_FILE" > "$file" -S "$ENC_SESSION_FILE" > "$file"
} }
tpm1_unseal() { tpm1_unseal() {
TRACE "Under /bin/tpmr:tpm1_unseal" TRACE "Under /bin/tpmr:tpm1_unseal"
@ -596,7 +596,7 @@ tpm2_reset() {
TRACE "Under /bin/tpmr:tpm2_reset" TRACE "Under /bin/tpmr:tpm2_reset"
tpm_owner_password="$1" tpm_owner_password="$1"
mkdir -p "$SECRET_DIR" mkdir -p "$SECRET_DIR"
# output TPM Owner Password key_password to a file to be reused in this boot session until recovery shell/reboot # output TPM Owner Password to a file to be reused in this boot session until recovery shell/reboot
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password" DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
echo -n "$tpm_owner_password" > "$SECRET_DIR/tpm_owner_password" echo -n "$tpm_owner_password" > "$SECRET_DIR/tpm_owner_password"
tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy" tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy"
@ -630,7 +630,7 @@ tpm2_reset() {
--max-tries=10 \ --max-tries=10 \
--recovery-time=3600 \ --recovery-time=3600 \
--lockout-recovery-time=0 \ --lockout-recovery-time=0 \
--auth="session:/tmp/$ENC_SESSION_FILE" --auth="session:$ENC_SESSION_FILE"
# Set a random DA lockout password, so the DA lockout can't be cleared # Set a random DA lockout password, so the DA lockout can't be cleared
# with a password. Heads doesn't offer dictionary attach reset, instead # with a password. Heads doesn't offer dictionary attach reset, instead