Use HOTP TPM counter instead of Heads when signing, if present

TPM v1.2 has a limitation in that only a single monotonic counter can be incremented between reboots [1]. So in the event we are using HOTP monotonic counters, we need to reference those for the Heads rollback counter when we update file signatures in /boot, otherwise the increment stage at kexec-sign-config will fail since at each boot, the HOTP monotonic counter has already been incremented. [1] https://projects.csail.mit.edu/tc/tpmj/UsersGuide.html#inccounter
2025-01-18 10:46:44 +00:00 · 2018-06-19 16:18:10 -07:00 · 2018-06-19 16:18:10 -07:00 · c42084406d
commit c42084406d
parent 2cacb15729
1 changed files with 8 additions and 4 deletions
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@ -78,8 +78,15 @@ update_checksums()
    # sign and auto-roll config counter
    extparam=
    if [ "$CONFIG_TPM" = "y" ]; then
+      if [ -x /bin/libremkey_hotp_verification ]; then
+        check_tpm_counter /boot/kexec_hotp_counter hotp \
+        || die "Unable to find/create TPM counter"
+        counter="$TPM_COUNTER"
+        extparam="-c $counter"
+      else
        extparam=-u
      fi
+    fi
    kexec-sign-config -p /boot $extparam \
    || die "Failed to sign default config"

@ -241,9 +248,6 @@ while true; do
      || die "Unable to find/create tpm counter"
      counter="$TPM_COUNTER"

-      increment_tpm_counter $counter \
-      || die "Unable to increment tpm counter"
-
      sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
      || die "Unable to create rollback file"
      mount -o ro,remount /boot