From c42084406d47409ccce5ac6ddd717b576b693eb3 Mon Sep 17 00:00:00 2001
From: Kyle Rankin
Date: Tue, 19 Jun 2018 16:18:10 -0700
Subject: [PATCH] Use HOTP TPM counter instead of Heads when signing, if present

TPM v1.2 has a limitation in that only a single monotonic counter can be incremented between reboots [1]. So in the event we are using HOTP monotonic counters, we need to reference those for the Heads rollback counter when we update file signatures in /boot, otherwise the increment stage at kexec-sign-config will fail since at each boot, the HOTP monotonic counter has already been incremented.

[1] https://projects.csail.mit.edu/tc/tpmj/UsersGuide.html#inccounter
---
 initrd/bin/gui-init | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index aaa47da8..1f4e3dcf 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -78,7 +78,14 @@ update_checksums()
 # sign and auto-roll config counter
 extparam=
 if [ "$CONFIG_TPM" = "y" ]; then
- extparam=-u
+ if [ -x /bin/libremkey_hotp_verification ]; then
+ check_tpm_counter /boot/kexec_hotp_counter hotp \ || die "Unable to find/create TPM counter" counter="$TPM_COUNTER" extparam="-c $counter" else extparam=-u fi fi kexec-sign-config -p /boot $extparam \ || die "Failed to sign default config"
@@ -241,9 +248,6 @@ while true; do
 || die "Unable to find/create tpm counter" counter="$TPM_COUNTER"
- increment_tpm_counter $counter \
- || die "Unable to increment tpm counter"
-
 sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \ || die "Unable to create rollback file" mount -o ro,remount /boot
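Review bot: `counter="$TPM_COUNTER"` in the new HOTP branch of update_checksums() assigns a file-scope variable (no `local`), and the second hunk shows the boot-menu loop below keeping a `counter` of its own, so the HOTP counter id now leaks out of the function into whatever runs after it. The intermediate is not needed: `extparam="-c $TPM_COUNTER"` gives the same argument without the global. The branch also selects the HOTP counter purely on the presence of `/bin/libremkey_hotp_verification`, not on whether `/boot/kexec_hotp_counter` exists, so on a build with the verifier installed but HOTP never set up, check_tpm_counter would presumably create a new counter here (its body is outside the hunk); a comment stating that this is intended, or a test on the counter file, would make the choice explicit. The message `Unable to find/create TPM counter` also differs only in capitalisation from `Unable to find/create tpm counter` in the second hunk; one spelling keeps log searches simple.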
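Review bot: With `increment_tpm_counter $counter` removed, the `sha256sum /tmp/counter-$counter` line now depends on check_tpm_counter having written that file a few lines earlier; presumably it does (its body is outside the hunk), otherwise sha256sum fails on a missing file and the `|| die` fires. The rollback file therefore records the counter value as read at this boot rather than a freshly incremented one, so whatever later compares kexec_rollback.txt against the TPM counter must agree with that ordering; a comment on the sha256sum line such as `# HOTP already incremented the counter this boot; hash the value check_tpm_counter read` would stop the next reader from re-adding the increment. The enclosing `while true; do` loop starts outside the hunk.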