tpmr/kexec-seal-key/functions: end refactoring of tpmr being in charge of wiping /tmp/secret/tpm_owner_password if invalid

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2023-11-03 13:53:47 -04:00
parent afb817ca48
commit cd3ce6999c
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
3 changed files with 23 additions and 21 deletions


@ -137,11 +137,10 @@ tpmr pcrread -a 7 "$pcrf"
DO_WITH_DEBUG --mask-position 7 \
tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
"$TPM_SIZE" "$key_password" || /
{
DEBUG "Sealing of TPM Disk Unlock Key failed with current TPM owner password."
die "Unable to write TPM Disk Unlock Key to NVRAM"
}
"$TPM_SIZE" "$key_password" || {
shred -n 10 -z -u /tmp/secret/tpm_owner_password 2>/dev/null
die "Unable to write TPM Disk Unlock Key to NVRAM"
}
# should be okay if this fails
shred -n 10 -z -u "$pcrf" 2>/dev/null ||
@ -149,7 +148,7 @@ shred -n 10 -z -u "$pcrf" 2>/dev/null ||
shred -n 10 -z -u "$KEY_FILE" 2>/dev/null ||
warn "Failed to delete key file - continuing"
mount -o rw,remount $paramsdir || die "Failed to remount $paramsdir in RW - continuing"
mount -o rw,remount $paramsdir || warn "Failed to remount $paramsdir in RW - continuing"
cp -f /tmp/luksDump.txt "$paramsdir/kexec_lukshdr_hash.txt" ||
die "Failed to copy LUKS header hashes to /boot - continuing"
mount -o ro,remount $paramsdir || die "Failed to remount $paramsdir in RO - continuing"
warn "Failed to copy LUKS header hashes to /boot - continuing"
mount -o ro,remount $paramsdir || warn "Failed to remount $paramsdir in RO - continuing"
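Review bot: The shred added to the seal failure block (`shred -n 10 -z -u /tmp/secret/tpm_owner_password 2>/dev/null`, taking the `|| {` variant as the new side) only hides shred's diagnostics; its exit status is still what the block sees. If tpmr has already wiped the cache on seal failure, as the commit title says it now does, the file is gone and shred fails, which would end the script before `die` prints "Unable to write TPM Disk Unlock Key to NVRAM" if kexec-seal-key runs under `set -e`; if the file is present and the wipe genuinely fails, the cached owner password silently survives. Prefer `[ ! -e /tmp/secret/tpm_owner_password ] || shred -n 10 -z -u /tmp/secret/tpm_owner_password || warn "Unable to wipe cached TPM Owner Password"`. The DEBUG line explaining that sealing failed with the current owner password was dropped alongside; keeping it helps triage. The DO_WITH_DEBUG statement's surrounding function starts outside the hunk.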


@ -321,7 +321,6 @@ tpm2_counter_cre() {
{
DEBUG "Failed to create counter from tpm2_counter_cre. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
:
die "Unable to create counter from tpm2_counter_cre"
}
echo "$rand_index: (valid after an increment)"
@ -472,7 +471,6 @@ tpm2_seal() {
{
DEBUG "Failed to write sealed secret to NVRAM from tpm2_seal. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
:
die "Unable to write sealed secret to TPM NVRAM"
}
}
@ -513,7 +511,7 @@ tpm1_seal() {
-hk 40000000 \
"${POLICY_ARGS[@]}"
# try it without the owner password first
# try it without the TPM Owner Password first
if ! tpm nv_writevalue -in "$index" -if "$sealed_file"; then
# to create an nvram space we need the TPM Owner Password
# and the TPM physical presence must be asserted.
@ -527,13 +525,12 @@ tpm1_seal() {
tpm nv_definespace -in "$index" -sz "$sealed_size" \
-pwdo "$tpm_password" -per 0 ||
warn "Unable to define NVRAM space; trying anyway"
warn "Unable to define TPM NVRAM space; trying anyway"
tpm nv_writevalue -in "$index" -if "$sealed_file" ||
{
DEBUG "Failed to write sealed secret to NVRAM from tpm1_seal. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
:
die "Unable to write sealed secret to TPM NVRAM"
}
fi
@ -644,7 +641,7 @@ tpm2_reset() {
# * --max-tries=10: Allow 10 failures before lockout. This allows the
# user to quickly "burst" 10 failures without significantly impacting
# the rate allowed for a dictionary attacker.
# Most TPM2 flows ask for the owner password 2-4 times, so this allows
# Most TPM2 flows ask for the TPM Owner Password 2-4 times, so this allows
# a handful of mistypes and some headroom for an expected unseal
# failure if firmware is updated.
# Remember that an auth failure is also counted any time an unclean
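Review bot: The wipe blocks in tpm2_counter_cre, tpm2_seal and tpm1_seal keep `shred -n 10 -z -u /tmp/secret/tpm_owner_password` unchecked once the `:` placeholders are removed; when the file does not exist (owner password supplied on the command line and never cached) shred fails, and if tpmr runs under `set -e` the block exits before `die` prints its message. Guard each of the three with `[ ! -e /tmp/secret/tpm_owner_password ] || shred -n 10 -z -u /tmp/secret/tpm_owner_password || warn "Unable to wipe cached TPM Owner Password"`. Each enclosing function starts outside its hunk.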


@ -189,9 +189,10 @@ list_usb_storage() {
done
}
# Prompt for an owner password if it is not already set in tpm_password. Sets
# tpm_password. Tools should optionally accept a TPM password on the command
# line, since some flows need it multiple times and only one prompt is ideal.
# Prompt for a TPM Owner Password if it is not already cached in /tmp/secret/tpm_owner_password.
# Sets tpm_owner_password variable reused in flow, and cache file used until recovery shell is accessed.
# Tools should optionally accept a TPM password on the command line, since some flows need
# it multiple times and only one prompt is ideal.
prompt_tpm_owner_password() {
TRACE "Under /etc/functions:prompt_tpm_owner_password"
@ -210,8 +211,9 @@ prompt_tpm_owner_password() {
echo -n "$tpm_owner_password" >/tmp/secret/tpm_owner_password || die "Unable to cache TPM owner_password under /tmp/secret/tpm_owner_password"
}
# Prompt for a new owner password when resetting the TPM. Returned in
# key_password. The password must be 1-32 characters and must be entered twice,
# Prompt for a new TPM Owner Password when resetting the TPM.
# Returned in tpm_owner_passpword and cached under /tpm/secret/tpm_owner_password
# The password must be 1-32 characters and must be entered twice,
# the script will loop until this is met.
prompt_new_owner_password() {
TRACE "Under /etc/functions:prompt_new_owner_password"
@ -253,8 +255,12 @@ check_tpm_counter() {
-pwdo "$tpm_password" \
-pwdc '' \
-la $LABEL |
tee /tmp/counter || die "Unable to create TPM counter under check_tpm_counter"
tee /tmp/counter ||
{
DEBUG "Failed to create TPM counter. Shredding TPM Owner Password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
die "Unable to create TPM counter"
}
TPM_COUNTER=$(cut -d: -f1 </tmp/counter)
fi
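Review bot: The new failure block in check_tpm_counter is attached to `tee /tmp/counter ||`, so it fires only when tee fails; a failing `tpm counter_create` with tee succeeding never reaches the DEBUG/shred/die path unless the sourcing script runs with `set -o pipefail`, leaving /tmp/counter holding an empty or error result and the cached owner password in place. Test the tpm command's own status instead, e.g. `tee /tmp/counter` followed by `[ "${PIPESTATUS[0]}" -eq 0 ] || {` in front of the existing block (bash-specific, which this file appears to be). The shred inside the block is also unchecked: if the cache file was never created (password passed on the command line, as the new prompt_tpm_owner_password comment allows), shred fails and under `set -e` the caller may exit before `die` reports anything. The new comment on prompt_new_owner_password misspells `tpm_owner_passpword` and `/tpm/secret/tpm_owner_password`; they should read `tpm_owner_password` and `/tmp/secret/tpm_owner_password`. check_tpm_counter's pipeline begins before the hunk.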