From c62b96b4a6183d55a95a90a7d342f845087d0d94 Mon Sep 17 00:00:00 2001
From: Jonathon Hall
Date: Wed, 8 Mar 2023 16:44:47 -0500
Subject: [PATCH] tpmr: Move tpm1_unseal next to tpm2_unseal

All the other tpm2/tpm1 corresponding wrappers are next to each other, do the same for unseal.

Signed-off-by: Jonathon Hall
---
 initrd/bin/tpmr | 63 ++++++++++++++++++++++++-------------------------
 1 file changed, 31 insertions(+), 32 deletions(-)

diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index 0e244875..b4c48f08 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -418,38 +418,6 @@ tpm2_unseal() {
 tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" -S "$HMAC_SESSION" > "$file"
 }
-
-tpm2_reset() {
- TRACE "Under /bin/tpmr:tpm2_reset"
- key_password="$1"
- mkdir -p "$SECRET_DIR"
- tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy!"
- tpm2 changeauth -c owner "$key_password"
- tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" -c "$SECRET_DIR/primary.ctx" -P "$key_password"
- tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" -P "$key_password"
- shred -u "$SECRET_DIR/primary.ctx"
- tpm2_startsession
-}
-
-# Perform final cleanup before boot and lock the platform heirarchy.
-tpm2_kexec_finalize() {
- # Flush sessions and transient objects
- tpm2 flushcontext -Q --transient-object \
- || warn "tpm2_flushcontext: unable to flush transient handles"
- tpm2 flushcontext -Q --loaded-session \
- || warn "tpm2_flushcontext: unable to flush sessions"
- tpm2 flushcontext -Q --saved-session \
- || warn "tpm2_flushcontext: unable to flush saved session"
-
- # Add a random passphrase to platform hierarchy to prevent TPM2 from
- # being cleared in the OS.
- # This passphrase is only effective before the next boot.
- echo "Locking TPM2 platform hierarchy..."
- randpass=$(dd if=/dev/urandom bs=4 count=1 status=none | xxd -p)
- tpm2 changeauth -c platform "$randpass" \
- || warn "Failed to lock platform hierarchy of TPM2!"
-}
-
 tpm1_unseal() {
 TRACE "Under /bin/tpmr:tpm1_unseal"
 index="$1"
@@ -485,6 +453,37 @@ tpm1_unseal() {
 -hk 40000000
 }
+tpm2_reset() {
+ TRACE "Under /bin/tpmr:tpm2_reset"
+ key_password="$1"
+ mkdir -p "$SECRET_DIR"
+ tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy!"
+ tpm2 changeauth -c owner "$key_password"
+ tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" -c "$SECRET_DIR/primary.ctx" -P "$key_password"
+ tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" -P "$key_password"
+ shred -u "$SECRET_DIR/primary.ctx"
+ tpm2_startsession
+}
+
+# Perform final cleanup before boot and lock the platform heirarchy.
+tpm2_kexec_finalize() {
+ # Flush sessions and transient objects
+ tpm2 flushcontext -Q --transient-object \
+ || warn "tpm2_flushcontext: unable to flush transient handles"
+ tpm2 flushcontext -Q --loaded-session \
+ || warn "tpm2_flushcontext: unable to flush sessions"
+ tpm2 flushcontext -Q --saved-session \
+ || warn "tpm2_flushcontext: unable to flush saved session"
+
+ # Add a random passphrase to platform hierarchy to prevent TPM2 from
+ # being cleared in the OS.
+ # This passphrase is only effective before the next boot.
+ echo "Locking TPM2 platform hierarchy..."
+ randpass=$(dd if=/dev/urandom bs=4 count=1 status=none | xxd -p)
+ tpm2 changeauth -c platform "$randpass" \
+ || warn "Failed to lock platform hierarchy of TPM2!"
+}
+
 tpm2_shutdown() {
 # Prepare for shutdown.
 # This is a "clear" shutdown (do not preserve runtime state) since we
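Review bot: The platform-hierarchy lock in tpm2_kexec_finalize never checks that `randpass` was actually produced: if the `dd | xxd -p` pipeline fails or `xxd` is absent from the initrd, `randpass` is empty and the following `tpm2 changeauth -c platform ""` will most likely succeed with an empty auth value, leaving the hierarchy unlocked with no warning printed. In addition, `bs=4` yields only 32 bits of authorization value, a small keyspace for something the comment says must hold until the next boot, and reading more bytes costs nothing here. Suggest `randpass=$(dd if=/dev/urandom bs=32 count=1 status=none | xxd -p)` followed by `[ -n "$randpass" ] && tpm2 changeauth -c platform "$randpass" \` / `|| warn "Failed to lock platform hierarchy of TPM2!"` so both an empty value and a changeauth failure are reported. Separately, tpm2_reset runs `tpm2 changeauth`, `tpm2 createprimary` and `tpm2 evictcontrol` with no status check, so unless the script runs under `set -e` (not visible in this hunk) a failure there still reaches `shred -u` and `tpm2_startsession`. Both functions are moved verbatim by this commit, so these are pre-existing, but this hunk is now where the code lives.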