tpmr: give users better error/DEBUG messages in regard of TPM errors
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
parent
84374dfbcd
commit
afb817ca48
@ -319,7 +319,7 @@ tpm2_counter_cre() {
|
|||||||
tpm2 nvdefine -C o -s 8 -a "ownerread|authread|authwrite|nt=1" \
|
tpm2 nvdefine -C o -s 8 -a "ownerread|authread|authwrite|nt=1" \
|
||||||
-P "$(tpm2_password_hex "$pwdo")" "0x$rand_index" >/dev/console ||
|
-P "$(tpm2_password_hex "$pwdo")" "0x$rand_index" >/dev/console ||
|
||||||
{
|
{
|
||||||
DEBUG "Failed to create counter from tpm2_counter_cre with current tpm owner password. Wiping tpm_owner_password"
|
DEBUG "Failed to create counter from tpm2_counter_cre. Wiping /tmp/secret/tpm_owner_password"
|
||||||
shred -n 10 -z -u /tmp/secret/tpm_owner_password
|
shred -n 10 -z -u /tmp/secret/tpm_owner_password
|
||||||
:
|
:
|
||||||
die "Unable to create counter from tpm2_counter_cre"
|
die "Unable to create counter from tpm2_counter_cre"
|
||||||
@ -382,7 +382,7 @@ tpm2_destroy() {
|
|||||||
|
|
||||||
# remove possible data occupying this handle
|
# remove possible data occupying this handle
|
||||||
tpm2 evictcontrol -Q -C p -c "$handle" 2>/dev/null ||
|
tpm2 evictcontrol -Q -C p -c "$handle" 2>/dev/null ||
|
||||||
die "Unable to evict secret"
|
die "Unable to evict secret from TPM NVRAM"
|
||||||
}
|
}
|
||||||
|
|
||||||
# tpm1_destroy: Destroy a sealed file in the TPM. The mechanism differs by
|
# tpm1_destroy: Destroy a sealed file in the TPM. The mechanism differs by
|
||||||
@ -394,7 +394,7 @@ tpm1_destroy() {
|
|||||||
|
|
||||||
dd if=/dev/zero bs="$size" count=1 of=/tmp/wipe-totp-zero
|
dd if=/dev/zero bs="$size" count=1 of=/tmp/wipe-totp-zero
|
||||||
tpm nv_writevalue -in "$index" -if /tmp/wipe-totp-zero ||
|
tpm nv_writevalue -in "$index" -if /tmp/wipe-totp-zero ||
|
||||||
die "Unable to wipe sealed secret"
|
die "Unable to wipe sealed secret from TPM NVRAM"
|
||||||
}
|
}
|
||||||
|
|
||||||
# tpm2_seal: Seal a file against PCR values and, optionally, a password.
|
# tpm2_seal: Seal a file against PCR values and, optionally, a password.
|
||||||
@ -470,10 +470,10 @@ tpm2_seal() {
|
|||||||
tpm2 evictcontrol -Q -C o -P "$(tpm2_password_hex "$tpm_owner_password")" \
|
tpm2 evictcontrol -Q -C o -P "$(tpm2_password_hex "$tpm_owner_password")" \
|
||||||
-c "$SECRET_DIR/$bname.seal.ctx" "$handle" ||
|
-c "$SECRET_DIR/$bname.seal.ctx" "$handle" ||
|
||||||
{
|
{
|
||||||
DEBUG "Failed to write sealed secret to NVRAM from tpm2_seal with current tpm owner password. Wiping tpm_owner_password"
|
DEBUG "Failed to write sealed secret to NVRAM from tpm2_seal. Wiping /tmp/secret/tpm_owner_password"
|
||||||
shred -n 10 -z -u /tmp/secret/tpm_owner_password
|
shred -n 10 -z -u /tmp/secret/tpm_owner_password
|
||||||
:
|
:
|
||||||
die "Unable to write sealed secret to NVRAM from tpm2_seal"
|
die "Unable to write sealed secret to TPM NVRAM"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
tpm1_seal() {
|
tpm1_seal() {
|
||||||
@ -531,10 +531,10 @@ tpm1_seal() {
|
|||||||
|
|
||||||
tpm nv_writevalue -in "$index" -if "$sealed_file" ||
|
tpm nv_writevalue -in "$index" -if "$sealed_file" ||
|
||||||
{
|
{
|
||||||
DEBUG "Failed to write sealed secret to NVRAM from tpm1_seal with current tpm owner password. Wiping tpm_owner_password"
|
DEBUG "Failed to write sealed secret to NVRAM from tpm1_seal. Wiping /tmp/secret/tpm_owner_password"
|
||||||
shred -n 10 -z -u /tmp/secret/tpm_owner_password
|
shred -n 10 -z -u /tmp/secret/tpm_owner_password
|
||||||
:
|
:
|
||||||
die "Unable to write sealed secret to NVRAM from tpm1_seal"
|
die "Unable to write sealed secret to TPM NVRAM"
|
||||||
}
|
}
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@ -563,7 +563,7 @@ tpm2_unseal() {
|
|||||||
# can't do anything without a primary handle.
|
# can't do anything without a primary handle.
|
||||||
if [ ! -f "$PRIMARY_HANDLE_FILE" ]; then
|
if [ ! -f "$PRIMARY_HANDLE_FILE" ]; then
|
||||||
DEBUG "tpm2_unseal: No primary handle, cannot attempt to unseal"
|
DEBUG "tpm2_unseal: No primary handle, cannot attempt to unseal"
|
||||||
warn "No TPM primary handle. You must reset TPM to seal secret"
|
warn "No TPM primary handle. You must reset TPM to seal secret to TPM NVRAM"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
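Review bot: In the tpm2_destroy hunk (@ -382), the line `tpm2 evictcontrol -Q -C p -c "$handle" 2>/dev/null ||` still throws away the TPM's own error output, so the reworded `die "Unable to evict secret from TPM NVRAM"` tells the user that eviction failed but not why (hierarchy auth rejected, nothing at the handle, TPM busy), which works against this commit's stated goal of better TPM error messages. The tpm2_counter_cre hunk already routes nvdefine output to the console, so the consistent fix is one character change: `tpm2 evictcontrol -Q -C p -c "$handle" 2>/dev/console ||`; if the suppression is deliberate because the handle is frequently unoccupied, then the unconditional `die` is the part to reconsider, since the comment above it only says "possible data" — I cannot tell which is intended from the hunk. Separately, evictcontrol operates on a persistent object handle rather than an NV index, so "TPM NVRAM" in the user-facing string may mislead someone comparing it with the tpm1_destroy path, which genuinely overwrites an NV index with zeros; something like `die "Unable to evict sealed secret handle from TPM"` would be more accurate. tpm2_destroy's header and the derivation of `$handle` lie outside the hunk.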
|