tpmr: Improve debug output, hide secrets, trim extend output more

Provide mask_param() function to uniformly mask secret parameters,
while still indicating whether they are empty.

Extend DO_WITH_DEBUG to allow masking a password parameter by position,
using mask_param().  Move from ash_functions to functions (isn't used
by ash scripts).

Mask password parameters in kexec-unseal-key and tpmr seal.  Use
mask_param() on existing masked params in tpmr.

Trim more troubleshooting output from tpm2_extend() in tpmr.

Clarify tpmr kexec_finalize echo; it's the TPM's platform hierarchy,
users might not know what this was referring to.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Jonathon Hall 2023-03-07 14:00:57 -05:00
parent 93459563d0
commit 92a6b5410d
4 changed files with 41 additions and 17 deletions


@ -32,7 +32,9 @@ for tries in 1 2 3; do
die "Aborting unseal disk encryption key" die "Aborting unseal disk encryption key"
fi fi
DO_WITH_DEBUG tpmr unseal "$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$TPM_SIZE" "$key_file" "$tpm_password" DO_WITH_DEBUG --mask-position 6 \
tpmr unseal "$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$TPM_SIZE" \
"$key_file" "$tpm_password"
if [ "$?" -eq 0 ]; then if [ "$?" -eq 0 ]; then
exit 0 exit 0
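Review bot: `--mask-position 6` on the new DO_WITH_DEBUG call hard-codes the index of `"$tpm_password"` (counting `tpmr` as position 0), so the masking silently breaks if an argument is ever inserted or reordered ahead of it, and the password would then be written to the debug log in clear. The same coupling exists in the tpmr tpm2_seal hunk, where `--mask-position 6` points at the value following `-P`. A short comment next to each call, e.g. `# position 6 = "$tpm_password"; keep in sync with the argument list`, would make the dependency visible to whoever next edits the command line. The enclosing `for tries` loop starts before this hunk.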


@ -20,29 +20,23 @@ TRACE "Under /bin/tpmr"
tpm2_extend() { tpm2_extend() {
TRACE "Under /bin/tpmr:tpm2_extend" TRACE "Under /bin/tpmr:tpm2_extend"
DEBUG "value of passed arguments: $1 $2 $3 $4 $5 $6"
while true; do while true; do
case "$1" in case "$1" in
-ix) -ix)
DEBUG "case: -ix $2"
index="$2" index="$2"
shift 2;; shift 2;;
-ic) -ic)
DEBUG "case: -ic $2"
hash="`echo $2|sha256sum|cut -d' ' -f1`" hash="`echo $2|sha256sum|cut -d' ' -f1`"
shift 2;; shift 2;;
-if) -if)
DEBUG "case: -if $2"
hash="`sha256sum $2|cut -d' ' -f1`" hash="`sha256sum $2|cut -d' ' -f1`"
shift 2;; shift 2;;
*) *)
break;; break;;
esac esac
done done
DEBUG "tpm2 pcrextend $index:sha256=$hash"
tpm2 pcrextend "$index:sha256=$hash" tpm2 pcrextend "$index:sha256=$hash"
DEBUG "tpm2 pcread sha256:$index" DO_WITH_DEBUG tpm2 pcrread "sha256:$index"
tpm2 pcrread "sha256:$index"
} }
tpm2_counter_read() { tpm2_counter_read() {
@ -159,7 +153,7 @@ tpm2_seal() {
mkdir -p "$SECRET_DIR" mkdir -p "$SECRET_DIR"
bname="`basename $file`" bname="`basename $file`"
DEBUG "tpm2_seal: file=$file handle=$handle pcrl=$pcrl pcrf=$pcrf pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")" DEBUG "tpm2_seal: file=$file handle=$handle pcrl=$pcrl pcrf=$pcrf pass=$(mask_param "$pass")"
# Create a policy requiring both PCRs and the object's authentication # Create a policy requiring both PCRs and the object's authentication
# value using a trial session. # value using a trial session.
@ -206,7 +200,9 @@ tpm2_seal() {
echo # new line after password prompt echo # new line after password prompt
# remove possible data occupying this handle # remove possible data occupying this handle
tpm2 evictcontrol -Q -C o -P "$key_password" -c "$handle" 2>/dev/null || true tpm2 evictcontrol -Q -C o -P "$key_password" -c "$handle" 2>/dev/null || true
DO_WITH_DEBUG tpm2 evictcontrol -Q -C o -P "$key_password" -c "$SECRET_DIR/$bname.seal.ctx" "$handle" DO_WITH_DEBUG --mask-position 6 \
tpm2 evictcontrol -Q -C o -P "$key_password" \
-c "$SECRET_DIR/$bname.seal.ctx" "$handle"
} }
# Unseal a file sealed by tpm2_seal. The PCR list must be provided, the # Unseal a file sealed by tpm2_seal. The PCR list must be provided, the
@ -226,7 +222,7 @@ tpm2_unseal() {
# Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc. # Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc.
handle="$(printf "0x81%6s" "$index" | tr ' ' 0)" handle="$(printf "0x81%6s" "$index" | tr ' ' 0)"
DEBUG "tpm2_unseal: handle=$handle pcrl=$pcrl file=$file pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")" DEBUG "tpm2_unseal: handle=$handle pcrl=$pcrl file=$file pass=$(mask_param "$pass")"
# If we don't have the primary handle (TPM hasn't been reset), tpm2 will # If we don't have the primary handle (TPM hasn't been reset), tpm2 will
# print nonsense error messages about an unexpected handle value. We # print nonsense error messages about an unexpected handle value. We
@ -285,7 +281,7 @@ tpm2_kexec_finalize() {
# Add a random passphrase to platform hierarchy to prevent TPM2 from # Add a random passphrase to platform hierarchy to prevent TPM2 from
# being cleared in the OS. # being cleared in the OS.
# This passphrase is only effective before the next boot. # This passphrase is only effective before the next boot.
echo "Locking platform hierarchy..." echo "Locking TPM2 platform hierarchy..."
randpass=$(dd if=/dev/urandom bs=4 count=1 | xxd -p) randpass=$(dd if=/dev/urandom bs=4 count=1 | xxd -p)
tpm2 changeauth -c platform "$randpass" \ tpm2 changeauth -c platform "$randpass" \
|| warn "Failed to lock platform hierarchy of TPM2!" || warn "Failed to lock platform hierarchy of TPM2!"


@ -20,11 +20,6 @@ DEBUG() {
fi fi
} }
DO_WITH_DEBUG() {
DEBUG "$@"
"$@"
}
TRACE() { TRACE() {
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
echo "TRACE: $*" | tee -a /tmp/debug.log >&2; echo "TRACE: $*" | tee -a /tmp/debug.log >&2;


@ -2,6 +2,37 @@
# Shell functions for most initialization scripts # Shell functions for most initialization scripts
. /etc/ash_functions . /etc/ash_functions
# Print <hidden> or <empty> depending on whether $1 is empty. Useful to mask an
# optional password parameter.
mask_param() {
if [ -z "$1" ]; then
echo "<empty>"
else
echo "<hidden>"
fi
}
# Trace a command with DEBUG, then execute it.
# A password parameter can be masked by passing --mask-position N before the
# command to execute, the debug trace will just indicate whether the password
# was empty or nonempty (which is important when use of a password is optional).
# N=0 is the name of the command to be executed, N=1 is its first parameter,
# etc.
DO_WITH_DEBUG() {
if [ "$1" == "--mask-position" ]; then
mask_position="$2"
shift
shift
DEBUG_ARGS=("$@")
DEBUG_ARGS[$mask_position]="$(mask_param "${DEBUG_ARGS[$mask_position]}")"
DEBUG "${DEBUG_ARGS[@]}"
else
DEBUG "$@"
fi
"$@"
}
recovery() { recovery() {
TRACE "Under /etc/functions:recovery" TRACE "Under /etc/functions:recovery"
echo >&2 "!!!!! $*" echo >&2 "!!!!! $*"
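Review bot: `mask_position` and `DEBUG_ARGS` in the new DO_WITH_DEBUG are assigned without `local`, so every masked call leaves the index and the copied argument array behind in the caller's shell; declaring `local mask_position` and `local -a DEBUG_ARGS` at the top of the function keeps the helper free of side effects. The position is also taken on trust: an N past the end of `"$@"` masks nothing and merely appends `<empty>` to the trace, so a guard such as `[ "$mask_position" -lt $# ] || DEBUG "DO_WITH_DEBUG: mask position out of range"` would surface a call site whose argument list has drifted. Minor style: `[ "$1" == "--mask-position" ]` uses the bash-only `==` inside `[`; `=` is the portable spelling, although the arrays already tie this file to bash. The `recovery` function at the end of the hunk continues outside it.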