mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 07:06:42 +00:00
tpmr: Improve debug output, hide secrets, trim extend output more
Provide mask_param() function to uniformly mask secret parameters, while still indicating whether they are empty. Extend DO_WITH_DEBUG to allow masking a password parameter by position, using mask_param(). Move from ash_functions to functions (isn't used by ash scripts). Mask password parameters in kexec-unseal-key and tpmr seal. Use mask_param() on existing masked params in tpmr. Trim more troubleshooting output from tpm2_extend() in tpmr. Clarify tpmr kexec_finalize echo; it's the TPM's platform heirarchy, users might not know what this was referring to. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This commit is contained in:
parent
93459563d0
commit
92a6b5410d
@ -32,7 +32,9 @@ for tries in 1 2 3; do
|
||||
die "Aborting unseal disk encryption key"
|
||||
fi
|
||||
|
||||
DO_WITH_DEBUG tpmr unseal "$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$TPM_SIZE" "$key_file" "$tpm_password"
|
||||
DO_WITH_DEBUG --mask-position 6 \
|
||||
tpmr unseal "$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$TPM_SIZE" \
|
||||
"$key_file" "$tpm_password"
|
||||
|
||||
if [ "$?" -eq 0 ]; then
|
||||
exit 0
|
||||
|
@ -20,29 +20,23 @@ TRACE "Under /bin/tpmr"
|
||||
|
||||
tpm2_extend() {
|
||||
TRACE "Under /bin/tpmr:tpm2_extend"
|
||||
DEBUG "value of passed arguments: $1 $2 $3 $4 $5 $6"
|
||||
while true; do
|
||||
case "$1" in
|
||||
-ix)
|
||||
DEBUG "case: -ix $2"
|
||||
index="$2"
|
||||
shift 2;;
|
||||
-ic)
|
||||
DEBUG "case: -ic $2"
|
||||
hash="`echo $2|sha256sum|cut -d' ' -f1`"
|
||||
shift 2;;
|
||||
-if)
|
||||
DEBUG "case: -if $2"
|
||||
hash="`sha256sum $2|cut -d' ' -f1`"
|
||||
shift 2;;
|
||||
*)
|
||||
break;;
|
||||
esac
|
||||
done
|
||||
DEBUG "tpm2 pcrextend $index:sha256=$hash"
|
||||
tpm2 pcrextend "$index:sha256=$hash"
|
||||
DEBUG "tpm2 pcread sha256:$index"
|
||||
tpm2 pcrread "sha256:$index"
|
||||
DO_WITH_DEBUG tpm2 pcrread "sha256:$index"
|
||||
}
|
||||
|
||||
tpm2_counter_read() {
|
||||
@ -159,7 +153,7 @@ tpm2_seal() {
|
||||
mkdir -p "$SECRET_DIR"
|
||||
bname="`basename $file`"
|
||||
|
||||
DEBUG "tpm2_seal: file=$file handle=$handle pcrl=$pcrl pcrf=$pcrf pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")"
|
||||
DEBUG "tpm2_seal: file=$file handle=$handle pcrl=$pcrl pcrf=$pcrf pass=$(mask_param "$pass")"
|
||||
|
||||
# Create a policy requiring both PCRs and the object's authentication
|
||||
# value using a trial session.
|
||||
@ -206,7 +200,9 @@ tpm2_seal() {
|
||||
echo # new line after password prompt
|
||||
# remove possible data occupying this handle
|
||||
tpm2 evictcontrol -Q -C o -P "$key_password" -c "$handle" 2>/dev/null || true
|
||||
DO_WITH_DEBUG tpm2 evictcontrol -Q -C o -P "$key_password" -c "$SECRET_DIR/$bname.seal.ctx" "$handle"
|
||||
DO_WITH_DEBUG --mask-position 6 \
|
||||
tpm2 evictcontrol -Q -C o -P "$key_password" \
|
||||
-c "$SECRET_DIR/$bname.seal.ctx" "$handle"
|
||||
}
|
||||
|
||||
# Unseal a file sealed by tpm2_seal. The PCR list must be provided, the
|
||||
@ -226,7 +222,7 @@ tpm2_unseal() {
|
||||
# Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc.
|
||||
handle="$(printf "0x81%6s" "$index" | tr ' ' 0)"
|
||||
|
||||
DEBUG "tpm2_unseal: handle=$handle pcrl=$pcrl file=$file pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")"
|
||||
DEBUG "tpm2_unseal: handle=$handle pcrl=$pcrl file=$file pass=$(mask_param "$pass")"
|
||||
|
||||
# If we don't have the primary handle (TPM hasn't been reset), tpm2 will
|
||||
# print nonsense error messages about an unexpected handle value. We
|
||||
@ -285,7 +281,7 @@ tpm2_kexec_finalize() {
|
||||
# Add a random passphrase to platform hierarchy to prevent TPM2 from
|
||||
# being cleared in the OS.
|
||||
# This passphrase is only effective before the next boot.
|
||||
echo "Locking platform hierarchy..."
|
||||
echo "Locking TPM2 platform hierarchy..."
|
||||
randpass=$(dd if=/dev/urandom bs=4 count=1 | xxd -p)
|
||||
tpm2 changeauth -c platform "$randpass" \
|
||||
|| warn "Failed to lock platform hierarchy of TPM2!"
|
||||
|
@ -20,11 +20,6 @@ DEBUG() {
|
||||
fi
|
||||
}
|
||||
|
||||
DO_WITH_DEBUG() {
|
||||
DEBUG "$@"
|
||||
"$@"
|
||||
}
|
||||
|
||||
TRACE() {
|
||||
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
|
||||
echo "TRACE: $*" | tee -a /tmp/debug.log >&2;
|
||||
|
@ -2,6 +2,37 @@
|
||||
# Shell functions for most initialization scripts
|
||||
. /etc/ash_functions
|
||||
|
||||
# Print <hidden> or <empty> depending on whether $1 is empty. Useful to mask an
|
||||
# optional password parameter.
|
||||
mask_param() {
|
||||
if [ -z "$1" ]; then
|
||||
echo "<empty>"
|
||||
else
|
||||
echo "<hidden>"
|
||||
fi
|
||||
}
|
||||
|
||||
# Trace a command with DEBUG, then execute it.
|
||||
# A password parameter can be masked by passing --mask-position N before the
|
||||
# command to execute, the debug trace will just indicate whether the password
|
||||
# was empty or nonempty (which is important when use of a password is optional).
|
||||
# N=0 is the name of the command to be executed, N=1 is its first parameter,
|
||||
# etc.
|
||||
DO_WITH_DEBUG() {
|
||||
if [ "$1" == "--mask-position" ]; then
|
||||
mask_position="$2"
|
||||
shift
|
||||
shift
|
||||
DEBUG_ARGS=("$@")
|
||||
|
||||
DEBUG_ARGS[$mask_position]="$(mask_param "${DEBUG_ARGS[$mask_position]}")"
|
||||
DEBUG "${DEBUG_ARGS[@]}"
|
||||
else
|
||||
DEBUG "$@"
|
||||
fi
|
||||
"$@"
|
||||
}
|
||||
|
||||
recovery() {
|
||||
TRACE "Under /etc/functions:recovery"
|
||||
echo >&2 "!!!!! $*"
|
||||
|
Loading…
Reference in New Issue
Block a user