tpmr: Improve debug output, hide secrets, trim extend output more
Provide mask_param() function to uniformly mask secret parameters, while still indicating whether they are empty. Extend DO_WITH_DEBUG to allow masking a password parameter by position, using mask_param(). Move from ash_functions to functions (isn't used by ash scripts). Mask password parameters in kexec-unseal-key and tpmr seal. Use mask_param() on existing masked params in tpmr. Trim more troubleshooting output from tpm2_extend() in tpmr. Clarify tpmr kexec_finalize echo; it's the TPM's platform hierarchy, users might not know what this was referring to. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This commit is contained in:
parent
93459563d0
commit
92a6b5410d
@ -32,7 +32,9 @@ for tries in 1 2 3; do
|
|||||||
die "Aborting unseal disk encryption key"
|
die "Aborting unseal disk encryption key"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
DO_WITH_DEBUG tpmr unseal "$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$TPM_SIZE" "$key_file" "$tpm_password"
|
DO_WITH_DEBUG --mask-position 6 \
|
||||||
|
tpmr unseal "$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$TPM_SIZE" \
|
||||||
|
"$key_file" "$tpm_password"
|
||||||
|
|
||||||
if [ "$?" -eq 0 ]; then
|
if [ "$?" -eq 0 ]; then
|
||||||
exit 0
|
exit 0
|
||||||
|
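Review bot: `--mask-position 6` on the new DO_WITH_DEBUG call is a bare positional index that silently stops masking the password if an argument is ever inserted before `"$tpm_password"` or the list is reordered; the same coupling appears in the tpmr tpm2_seal evictcontrol hunk (`--mask-position 6` for `-P "$key_password"`). A short comment on each call site would make the dependency visible, e.g. `# --mask-position 6 = "$tpm_password"; keep in sync with the argument list`. The `for tries` loop enclosing this call starts before the hunk.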
@ -20,29 +20,23 @@ TRACE "Under /bin/tpmr"
|
|||||||
|
|
||||||
tpm2_extend() {
|
tpm2_extend() {
|
||||||
TRACE "Under /bin/tpmr:tpm2_extend"
|
TRACE "Under /bin/tpmr:tpm2_extend"
|
||||||
DEBUG "value of passed arguments: $1 $2 $3 $4 $5 $6"
|
|
||||||
while true; do
|
while true; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
-ix)
|
-ix)
|
||||||
DEBUG "case: -ix $2"
|
|
||||||
index="$2"
|
index="$2"
|
||||||
shift 2;;
|
shift 2;;
|
||||||
-ic)
|
-ic)
|
||||||
DEBUG "case: -ic $2"
|
|
||||||
hash="`echo $2|sha256sum|cut -d' ' -f1`"
|
hash="`echo $2|sha256sum|cut -d' ' -f1`"
|
||||||
shift 2;;
|
shift 2;;
|
||||||
-if)
|
-if)
|
||||||
DEBUG "case: -if $2"
|
|
||||||
hash="`sha256sum $2|cut -d' ' -f1`"
|
hash="`sha256sum $2|cut -d' ' -f1`"
|
||||||
shift 2;;
|
shift 2;;
|
||||||
*)
|
*)
|
||||||
break;;
|
break;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
DEBUG "tpm2 pcrextend $index:sha256=$hash"
|
|
||||||
tpm2 pcrextend "$index:sha256=$hash"
|
tpm2 pcrextend "$index:sha256=$hash"
|
||||||
DEBUG "tpm2 pcread sha256:$index"
|
DO_WITH_DEBUG tpm2 pcrread "sha256:$index"
|
||||||
tpm2 pcrread "sha256:$index"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
tpm2_counter_read() {
|
tpm2_counter_read() {
|
||||||
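Review bot: The `-ic` branch still passes its value to echo unquoted (`hash="`echo $2|sha256sum|cut -d' ' -f1`"`), so a value containing whitespace or glob characters is word-split and expanded before it is hashed; `echo "$2"` keeps the trailing newline, so the resulting digest is unchanged for ordinary values. Separately, with the `DEBUG "tpm2 pcrextend $index:sha256=$hash"` line removed, the digest actually extended no longer appears in the debug log while the subsequent pcrread does; if that was not intended by the trim, `DO_WITH_DEBUG tpm2 pcrextend "$index:sha256=$hash"` would match the style of the pcrread line.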
@ -159,7 +153,7 @@ tpm2_seal() {
|
|||||||
mkdir -p "$SECRET_DIR"
|
mkdir -p "$SECRET_DIR"
|
||||||
bname="`basename $file`"
|
bname="`basename $file`"
|
||||||
|
|
||||||
DEBUG "tpm2_seal: file=$file handle=$handle pcrl=$pcrl pcrf=$pcrf pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")"
|
DEBUG "tpm2_seal: file=$file handle=$handle pcrl=$pcrl pcrf=$pcrf pass=$(mask_param "$pass")"
|
||||||
|
|
||||||
# Create a policy requiring both PCRs and the object's authentication
|
# Create a policy requiring both PCRs and the object's authentication
|
||||||
# value using a trial session.
|
# value using a trial session.
|
||||||
@ -206,7 +200,9 @@ tpm2_seal() {
|
|||||||
echo # new line after password prompt
|
echo # new line after password prompt
|
||||||
# remove possible data occupying this handle
|
# remove possible data occupying this handle
|
||||||
tpm2 evictcontrol -Q -C o -P "$key_password" -c "$handle" 2>/dev/null || true
|
tpm2 evictcontrol -Q -C o -P "$key_password" -c "$handle" 2>/dev/null || true
|
||||||
DO_WITH_DEBUG tpm2 evictcontrol -Q -C o -P "$key_password" -c "$SECRET_DIR/$bname.seal.ctx" "$handle"
|
DO_WITH_DEBUG --mask-position 6 \
|
||||||
|
tpm2 evictcontrol -Q -C o -P "$key_password" \
|
||||||
|
-c "$SECRET_DIR/$bname.seal.ctx" "$handle"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Unseal a file sealed by tpm2_seal. The PCR list must be provided, the
|
# Unseal a file sealed by tpm2_seal. The PCR list must be provided, the
|
||||||
@ -226,7 +222,7 @@ tpm2_unseal() {
|
|||||||
# Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc.
|
# Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc.
|
||||||
handle="$(printf "0x81%6s" "$index" | tr ' ' 0)"
|
handle="$(printf "0x81%6s" "$index" | tr ' ' 0)"
|
||||||
|
|
||||||
DEBUG "tpm2_unseal: handle=$handle pcrl=$pcrl file=$file pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")"
|
DEBUG "tpm2_unseal: handle=$handle pcrl=$pcrl file=$file pass=$(mask_param "$pass")"
|
||||||
|
|
||||||
# If we don't have the primary handle (TPM hasn't been reset), tpm2 will
|
# If we don't have the primary handle (TPM hasn't been reset), tpm2 will
|
||||||
# print nonsense error messages about an unexpected handle value. We
|
# print nonsense error messages about an unexpected handle value. We
|
||||||
@ -285,7 +281,7 @@ tpm2_kexec_finalize() {
|
|||||||
# Add a random passphrase to platform hierarchy to prevent TPM2 from
|
# Add a random passphrase to platform hierarchy to prevent TPM2 from
|
||||||
# being cleared in the OS.
|
# being cleared in the OS.
|
||||||
# This passphrase is only effective before the next boot.
|
# This passphrase is only effective before the next boot.
|
||||||
echo "Locking platform hierarchy..."
|
echo "Locking TPM2 platform hierarchy..."
|
||||||
randpass=$(dd if=/dev/urandom bs=4 count=1 | xxd -p)
|
randpass=$(dd if=/dev/urandom bs=4 count=1 | xxd -p)
|
||||||
tpm2 changeauth -c platform "$randpass" \
|
tpm2 changeauth -c platform "$randpass" \
|
||||||
|| warn "Failed to lock platform hierarchy of TPM2!"
|
|| warn "Failed to lock platform hierarchy of TPM2!"
|
||||||
|
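Review bot: `randpass` is used without checking that it was produced; if `dd` or `xxd` fails, the substitution is empty and `tpm2 changeauth -c platform ""` sets an empty auth value, leaving the hierarchy unlocked while only a changeauth failure reaches the `warn` path. A guard before the call, `[ -n "$randpass" ] || warn "Failed to generate platform hierarchy passphrase!"` (or `die`, if an unlocked hierarchy should abort the boot), closes that gap. `bs=4` also yields only 32 bits of randomness; `bs=16` gives a 32-character hex string, which should still fit a SHA-256-sized auth value — confirm against the TPM's limit. tpm2_kexec_finalize starts and ends outside this hunk.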
@ -20,11 +20,6 @@ DEBUG() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
DO_WITH_DEBUG() {
|
|
||||||
DEBUG "$@"
|
|
||||||
"$@"
|
|
||||||
}
|
|
||||||
|
|
||||||
TRACE() {
|
TRACE() {
|
||||||
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
|
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
|
||||||
echo "TRACE: $*" | tee -a /tmp/debug.log >&2;
|
echo "TRACE: $*" | tee -a /tmp/debug.log >&2;
|
||||||
|
@ -2,6 +2,37 @@
|
|||||||
# Shell functions for most initialization scripts
|
# Shell functions for most initialization scripts
|
||||||
. /etc/ash_functions
|
. /etc/ash_functions
|
||||||
|
|
||||||
|
# Print <hidden> or <empty> depending on whether $1 is empty. Useful to mask an
|
||||||
|
# optional password parameter.
|
||||||
|
mask_param() {
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
echo "<empty>"
|
||||||
|
else
|
||||||
|
echo "<hidden>"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Trace a command with DEBUG, then execute it.
|
||||||
|
# A password parameter can be masked by passing --mask-position N before the
|
||||||
|
# command to execute, the debug trace will just indicate whether the password
|
||||||
|
# was empty or nonempty (which is important when use of a password is optional).
|
||||||
|
# N=0 is the name of the command to be executed, N=1 is its first parameter,
|
||||||
|
# etc.
|
||||||
|
DO_WITH_DEBUG() {
|
||||||
|
if [ "$1" == "--mask-position" ]; then
|
||||||
|
mask_position="$2"
|
||||||
|
shift
|
||||||
|
shift
|
||||||
|
DEBUG_ARGS=("$@")
|
||||||
|
|
||||||
|
DEBUG_ARGS[$mask_position]="$(mask_param "${DEBUG_ARGS[$mask_position]}")"
|
||||||
|
DEBUG "${DEBUG_ARGS[@]}"
|
||||||
|
else
|
||||||
|
DEBUG "$@"
|
||||||
|
fi
|
||||||
|
"$@"
|
||||||
|
}
|
||||||
|
|
||||||
recovery() {
|
recovery() {
|
||||||
TRACE "Under /etc/functions:recovery"
|
TRACE "Under /etc/functions:recovery"
|
||||||
echo >&2 "!!!!! $*"
|
echo >&2 "!!!!! $*"
|
||||||
|
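Review bot: DO_WITH_DEBUG never validates `mask_position`, so a caller's miscount (an index at or beyond `$#`, or a non-numeric value) assigns a new array element and the real secret is handed to DEBUG unmasked — the opposite of what the option exists for, and it fails silently. After the two `shift`s add `case "$mask_position" in ''|*[!0-9]*) die "DO_WITH_DEBUG: bad --mask-position";; esac` and `[ "$mask_position" -lt "$#" ] || die "DO_WITH_DEBUG: --mask-position out of range"` (`die` is what kexec-unseal-key uses on this page). `mask_position` and `DEBUG_ARGS` are also left as globals that outlive the call; declaring them `local` keeps them out of the caller's scope. Since the function already relies on bash arrays, `[ "$1" == "--mask-position" ]` works, but `=` is the portable spelling and matches the `[ ... = ... ]` style used in TRACE.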