tpm-reset: Reduce duplication with tpmr reset

Use common password prompt logic in tpm-reset rather than duplicating in tpmr reset. Use common logic in config-gui.sh to reset the TPM. Use common logic in oem-factory-reset to reset TPM. Fixes extra prompts for TPM2 owner password even when choosing to use a common password. Fix sense of "NO TPM" check in TOTP generation (which only happened to work because CONFIG_TPM is empty for TPM2). Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-12-19 21:17:55 +00:00 · 2023-02-22 16:26:53 -05:00 · 2023-02-22 16:26:53 -05:00 · d51993b6a9
commit d51993b6a9
parent ab57cd0b9a
4 changed files with 28 additions and 49 deletions
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@ -126,10 +126,8 @@ while true; do
        # flash cleared ROM
        /bin/flash.sh -c /tmp/config-gui.rom
        # reset TPM if present
-        if [ "$CONFIG_TPM" = "y" ]; then
+        if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
          /bin/tpm-reset
-        elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
-          tpmr reset
        fi
        whiptail --title 'Configuration Reset Updated Successfully' \
          --msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 16 60
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@ -309,7 +309,7 @@ report_integrity_measurements()
        date=`date "+%Y-%m-%d %H:%M:%S %Z"`
        seconds=`date "+%s"`
        half=`expr \( $seconds % 60 \) / 30`
-        if [ "$CONFIG_TPM" = n ]; then
+        if [ "$CONFIG_TPM" != "y" -a "$CONFIG_TPM2_TOOLS" != "y" ]; then
            TOTP="NO TPM"
        elif [ "$half" != "$last_half" ]; then
            last_half=$half;
@ -418,7 +418,7 @@ fi
 if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -o -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
    CUSTOM_PASS_AFFECTED_COMPONENTS="LUKS Disk Recovery Key passphrase"
 fi
-if [ "$CONFIG_TPM" = "y" ]; then
+if [ "$CONFIG_TPM" = "y" ] || [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
  CUSTOM_PASS_AFFECTED_COMPONENTS="$CUSTOM_PASS_AFFECTED_COMPONENTS
 TPM Ownership password"
 fi
@ -461,7 +461,7 @@ else
  ; then
    echo -e "\nThey must be each at least 8 characters in length.\n"
    echo
-    if [ "$CONFIG_TPM" = "y" ]; then
+    if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
      while [[  ${#TPM_PASS} -lt 8 ]] ; do
        echo -e -n "Enter desired TPM Ownership password: "
        read TPM_PASS
@ -608,14 +608,12 @@ elif [ -z "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_K
 fi

 ## reset TPM and set password
-if [ "$CONFIG_TPM" = "y" ]; then
+if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
  echo -e "\nResetting TPM...\n"
  {
      echo $TPM_PASS
      echo $TPM_PASS
  } | /bin/tpm-reset >/dev/null 2>/tmp/error
-elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
-	tpmr reset
 fi
 if [ $? -ne 0 ]; then
 	ERROR=$(tail -n 1 /tmp/error | fold -s)
@ -725,7 +723,7 @@ else
     $luks_new_Disk_Recovery_Key_passphrase"
 fi

-if [ "$CONFIG_TPM" = "y" ]; then
+if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
  tpm_password_changed="
    TPM Owner Password: $TPM_PASS\n"
 else
--- a/initrd/bin/tpm-reset
+++ b/initrd/bin/tpm-reset
@ -1,26 +1,26 @@
 #!/bin/bash
 . /etc/functions

+echo '*****'
+echo '***** WARNING: This will erase all keys and secrets from the TPM'
+echo '*****'
+
+read -s -p "New TPM owner password: " key_password
+echo
+
+if [ -z "$key_password" ]; then
+    die "Empty owner password is not allowed"
+fi
+
+read -s -p "Repeat owner password: " key_password2
+echo
+
+
+if [ "$key_password" != "$key_password2" ]; then
+    die "Key passwords do not match"
+fi
+
 if [ "$CONFIG_TPM" = "y" ]; then
-    echo '*****'
-    echo '***** WARNING: This will erase all keys and secrets from the TPM'
-    echo '*****'
-
-    read -s -p "New TPM owner password: " key_password
-    echo
-
-    if [ -z "$key_password" ]; then
-        die "Empty owner password is not allowed"
-    fi
-
-    read -s -p "Repeat owner password: " key_password2
-    echo
-
-
-    if [ "$key_password" != "$key_password2" ]; then
-        die "Key passwords do not match"
-    fi
-
    # Make sure the TPM is ready to be reset
    tpm physicalpresence -s
    tpm physicalenable
@ -36,5 +36,5 @@ if [ "$CONFIG_TPM" = "y" ]; then
 fi

 if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
-	tpmr reset
+	tpmr reset "$key_password"
 fi
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@ -155,24 +155,7 @@ tpm2_unseal() {
 }

 tpm2_reset() {
-	echo '*****'
-	echo '***** WARNING: This will erase all keys and secrets from the TPM'
-	echo '*****'
-
-	read -s -p "New TPM owner password: " key_password
-	echo
-
-	if [ -z "$key_password" ]; then
-		die "Empty owner password is not allowed"
-	fi
-
-	read -s -p "Repeat owner password: " key_password2
-	echo
-
-
-	if [ "$key_password" != "$key_password2" ]; then
-		die "Key passwords do not match"
-	fi
+	key_password="$1"
 	mkdir -p "$SECRET_DIR"
 	tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy!"
 	tpm2 changeauth -c owner "$key_password"
@ -205,7 +188,7 @@ case "$subcmd" in
 	unseal)
 		tpm2_unseal "$@";;
 	reset)
-		tpm2_reset;;
+		tpm2_reset "$@";;
 	*)
 		echo "Command $subcmd not wrapped!"
 		exit 1