From cd3ce6999c07ad1c32e20c9c9bcd16da3ed0b0cc Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Fri, 3 Nov 2023 13:53:47 -0400
Subject: [PATCH] tpmr/kexec-seal-key/functions: end refactoring of tpmr being in carge of wiping /tmp/secret/tpm_owner_password if invalid

Signed-off-by: Thierry Laurion
---
 initrd/bin/kexec-seal-key | 15 +++++++--------
 initrd/bin/tpmr | 9 +++------
 initrd/etc/functions | 20 +++++++++++++-------
 3 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index 958e836e..9c377fd6 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -137,11 +137,10 @@ tpmr pcrread -a 7 "$pcrf"
 
 DO_WITH_DEBUG --mask-position 7 \
 	tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
-	"$TPM_SIZE" "$key_password" || /
-	{
-		DEBUG "Sealing of TPM Disk Unlock Key failed with current TPM owner password."
-		die "Unable to write TPM Disk Unlock Key to NVRAM"
-	}
+	"$TPM_SIZE" "$key_password" || {
+	shred -n 10 -z -u /tmp/secret/tpm_owner_password 2>/dev/null
+	die "Unable to write TPM Disk Unlock Key to NVRAM"
+}
 
 # should be okay if this fails
 shred -n 10 -z -u "$pcrf" 2>/dev/null ||
@@ -149,7 +148,7 @@ shred -n 10 -z -u "$pcrf" 2>/dev/null ||
 shred -n 10 -z -u "$KEY_FILE" 2>/dev/null ||
 	warn "Failed to delete key file - continuing"
 
-mount -o rw,remount $paramsdir || die "Failed to remount $paramsdir in RW - continuing"
+mount -o rw,remount $paramsdir || warn "Failed to remount $paramsdir in RW - continuing"
 cp -f /tmp/luksDump.txt "$paramsdir/kexec_lukshdr_hash.txt" ||
-	die "Failed to copy LUKS header hashes to /boot - continuing"
-mount -o ro,remount $paramsdir || die "Failed to remount $paramsdir in RO - continuing"
+	warn "Failed to copy LUKS header hashes to /boot - continuing"
+mount -o ro,remount $paramsdir || warn "Failed to remount $paramsdir in RO - continuing"
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index a4b7cab3..933bd103 100755
--- a/initrd/bin/tpmr
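Review bot: The new failure branch wipes `/tmp/secret/tpm_owner_password` without saying why, and it overlaps with tpmr: in this same patch tpm1_seal and tpm2_seal already shred that file when the NVRAM write fails, which is presumably why `2>/dev/null` is needed here (the file may already be gone). If the intent is to also cover `tpmr seal` failures that happen before the NVRAM write, say so and keep the DEBUG line the old branch had, so a failed seal stays traceable in the debug log: `# tpmr seal shreds the cache itself on NVRAM write failure; this covers earlier seal failures` above the shred, and `DEBUG "Sealing of TPM Disk Unlock Key failed; wiping cached TPM Owner Password (tpmr may already have done so)"` ahead of it. Note that a seal failure unrelated to the owner password (bad PCR file, TPM busy) now also discards a correct cached password; that is acceptable, but it costs the user a re-prompt and should be deliberate.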
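Review bot: Downgrading the failure of `cp -f /tmp/luksDump.txt "$paramsdir/kexec_lukshdr_hash.txt"` from `die` to `warn` lets the script finish as if the LUKS header hash reference had been updated when it was not; if that file is what a later boot compares the headers against (its consumer is outside this hunk), the next boot will flag a header change the user actually made, which teaches users to dismiss exactly the warning that matters. Tolerating the remount failures is reasonable, but the copy failure should stay fatal, or at least name the consequence: `warn "Failed to copy LUKS header hashes to $paramsdir - stored header hashes are now stale"`. Since these lines are rewritten anyway, quote `$paramsdir` in both mount commands as the cp line already does: `mount -o rw,remount "$paramsdir" || warn "Failed to remount $paramsdir in RW - continuing"`.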
+++ b/initrd/bin/tpmr
@@ -321,7 +321,6 @@ tpm2_counter_cre() {
 		{
 			DEBUG "Failed to create counter from tpm2_counter_cre. Wiping /tmp/secret/tpm_owner_password"
 			shred -n 10 -z -u /tmp/secret/tpm_owner_password
-			:
 			die "Unable to create counter from tpm2_counter_cre"
 		}
 	echo "$rand_index: (valid after an increment)"
@@ -472,7 +471,6 @@ tpm2_seal() {
 		{
 			DEBUG "Failed to write sealed secret to NVRAM from tpm2_seal. Wiping /tmp/secret/tpm_owner_password"
 			shred -n 10 -z -u /tmp/secret/tpm_owner_password
-			:
 			die "Unable to write sealed secret to TPM NVRAM"
 		}
 }
@@ -513,7 +511,7 @@ tpm1_seal() {
 		-hk 40000000 \
 		"${POLICY_ARGS[@]}"
 
-	# try it without the owner password first
+	# try it without the TPM Owner Password first
 	if ! tpm nv_writevalue -in "$index" -if "$sealed_file"; then
 		# to create an nvram space we need the TPM Owner Password
 		# and the TPM physical presence must be asserted.
@@ -527,13 +525,12 @@ tpm1_seal() {
 
 		tpm nv_definespace -in "$index" -sz "$sealed_size" \
 			-pwdo "$tpm_password" -per 0 ||
-			warn "Unable to define NVRAM space; trying anyway"
+			warn "Unable to define TPM NVRAM space; trying anyway"
 
 		tpm nv_writevalue -in "$index" -if "$sealed_file" ||
 			{
 				DEBUG "Failed to write sealed secret to NVRAM from tpm1_seal. Wiping /tmp/secret/tpm_owner_password"
 				shred -n 10 -z -u /tmp/secret/tpm_owner_password
-				:
 				die "Unable to write sealed secret to TPM NVRAM"
 			}
 	fi
@@ -644,7 +641,7 @@ tpm2_reset() {
 	# * --max-tries=10: Allow 10 failures before lockout. This allows the
 	# user to quickly "burst" 10 failures without significantly impacting
 	# the rate allowed for a dictionary attacker.
-	# Most TPM2 flows ask for the owner password 2-4 times, so this allows
+	# Most TPM2 flows ask for the TPM Owner Password 2-4 times, so this allows
 	# a handful of mistypes and some headroom for an expected unseal
 	# failure if firmware is updated.
 	# Remember that an auth failure is also counted any time an unclean
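Review bot: `tpm nv_definespace ... -pwdo "$tpm_password"`, two lines above the reworded warn, passes a variable this patch series no longer documents: the comment added to prompt_tpm_owner_password in initrd/etc/functions says the prompt sets `tpm_owner_password` and caches it in /tmp/secret/tpm_owner_password, and every shred in this file targets that cache. Unless `tpm_password` is still assigned somewhere in tpm1_seal (its body begins and ends outside this hunk), the define would run with an empty owner password, the nv_writevalue below would fail, and the branch would shred a cached password that was never used, re-prompting the user for a password that was correct. Suggest `-pwdo "$tpm_owner_password" -per 0 ||`; the same `-pwdo "$tpm_password"` appears in check_tpm_counter in the initrd/etc/functions hunk of this patch and deserves the same look. Separately, this shred has no `2>/dev/null` while the kexec-seal-key caller's does; pick one convention so a missing cache file is either always silent or always logged.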
diff --git a/initrd/etc/functions b/initrd/etc/functions index 4fd256fe..fa142c66 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -189,9 +189,10 @@ list_usb_storage() { done } -# Prompt for an owner password if it is not already set in tpm_password. Sets -# tpm_password. Tools should optionally accept a TPM password on the command -# line, since some flows need it multiple times and only one prompt is ideal. +# Prompt for a TPM Owner Password if it is not already cached in /tmp/secret/tpm_owner_password. +# Sets tpm_owner_password variable reused in flow, and cache file used until recovery shell is accessed. +# Tools should optionally accept a TPM password on the command line, since some flows need +# it multiple times and only one prompt is ideal. prompt_tpm_owner_password() { TRACE "Under /etc/functions:prompt_tpm_owner_password" @@ -210,8 +211,9 @@ prompt_tpm_owner_password() { echo -n "$tpm_owner_password" >/tmp/secret/tpm_owner_password || die "Unable to cache TPM owner_password under /tmp/secret/tpm_owner_password" } -# Prompt for a new owner password when resetting the TPM. Returned in -# key_password. The password must be 1-32 characters and must be entered twice, +# Prompt for a new TPM Owner Password when resetting the TPM. +# Returned in tpm_owner_passpword and cached under /tpm/secret/tpm_owner_password +# The password must be 1-32 characters and must be entered twice, # the script will loop until this is met. prompt_new_owner_password() { TRACE "Under /etc/functions:prompt_new_owner_password" @@ -253,8 +255,12 @@ check_tpm_counter() { -pwdo "$tpm_password" \ -pwdc '' \ -la $LABEL | - tee /tmp/counter || die "Unable to create TPM counter under check_tpm_counter" - + tee /tmp/counter || + { + DEBUG "Failed to create TPM counter. Shredding TPM Owner Password" + shred -n 10 -z -u /tmp/secret/tpm_owner_password + die "Unable to create TPM counter" + } TPM_COUNTER=$(cut -d: -f1
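Review bot: The comment added above prompt_new_owner_password misspells both the variable and the cache path, `tpm_owner_passpword` and `/tpm/secret/tpm_owner_password`, whereas the cache written by prompt_tpm_owner_password just above is `/tmp/secret/tpm_owner_password`. Suggest `# Returned in tpm_owner_password and cached under /tmp/secret/tpm_owner_password.` The body of prompt_new_owner_password is outside this hunk, so I could not confirm that it actually writes the cache file; if it does not, drop the caching claim rather than document it.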