tpm-reset: Reduce duplication with tpmr reset

Use common password prompt logic in tpm-reset rather than duplicating
in tpmr reset.

Use common logic in config-gui.sh to reset the TPM.

Use common logic in oem-factory-reset to reset TPM.  Fixes extra
prompts for TPM2 owner password even when choosing to use a common
password.  Fix sense of "NO TPM" check in TOTP generation (which only
happened to work because CONFIG_TPM is empty for TPM2).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Jonathon Hall 2023-02-22 16:26:53 -05:00
parent ab57cd0b9a
commit d51993b6a9
No known key found for this signature in database
GPG Key ID: 1E9C3CA91AE25114
4 changed files with 28 additions and 49 deletions


@ -126,10 +126,8 @@ while true; do
# flash cleared ROM
/bin/flash.sh -c /tmp/config-gui.rom
# reset TPM if present
if [ "$CONFIG_TPM" = "y" ]; then
if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
/bin/tpm-reset
elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
tpmr reset
fi
whiptail --title 'Configuration Reset Updated Successfully' \
--msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 16 60
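Review bot: The new `if` line tests both TPM flags with `-o` inside a single `[ ]`, a form POSIX marks obsolescent and ShellCheck flags (SC2166), while the same commit spells the equivalent test as `[ "$CONFIG_TPM" = "y" ] || [ "$CONFIG_TPM2_TOOLS" = "y" ]` in the oem-factory-reset hunk that builds CUSTOM_PASS_AFFECTED_COMPONENTS, so one change now carries two styles. The `-o`/`-a` form also appears in the other oem-factory-reset hunks (the `!= "y" -a ... != "y"` test in report_integrity_measurements, the TPM_PASS prompt, the reset block and the summary). Suggest `if [ "$CONFIG_TPM" = "y" ] || [ "$CONFIG_TPM2_TOOLS" = "y" ]; then` here and `&&` for the negated test, so every new condition reads the same way. The enclosing `while true; do` loop starts before this hunk.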


@ -309,7 +309,7 @@ report_integrity_measurements()
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
seconds=`date "+%s"`
half=`expr \( $seconds % 60 \) / 30`
if [ "$CONFIG_TPM" = n ]; then
if [ "$CONFIG_TPM" != "y" -a "$CONFIG_TPM2_TOOLS" != "y" ]; then
TOTP="NO TPM"
elif [ "$half" != "$last_half" ]; then
last_half=$half;
@ -418,7 +418,7 @@ fi
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -o -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
CUSTOM_PASS_AFFECTED_COMPONENTS="LUKS Disk Recovery Key passphrase"
fi
if [ "$CONFIG_TPM" = "y" ]; then
if [ "$CONFIG_TPM" = "y" ] || [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
CUSTOM_PASS_AFFECTED_COMPONENTS="$CUSTOM_PASS_AFFECTED_COMPONENTS
TPM Ownership password"
fi
@ -461,7 +461,7 @@ else
; then
echo -e "\nThey must be each at least 8 characters in length.\n"
echo
if [ "$CONFIG_TPM" = "y" ]; then
if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
while [[ ${#TPM_PASS} -lt 8 ]] ; do
echo -e -n "Enter desired TPM Ownership password: "
read TPM_PASS
@ -608,14 +608,12 @@ elif [ -z "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_K
fi
## reset TPM and set password
if [ "$CONFIG_TPM" = "y" ]; then
if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
echo -e "\nResetting TPM...\n"
{
echo $TPM_PASS
echo $TPM_PASS
} | /bin/tpm-reset >/dev/null 2>/tmp/error
elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
tpmr reset
fi
if [ $? -ne 0 ]; then
ERROR=$(tail -n 1 /tmp/error | fold -s)
@ -725,7 +723,7 @@ else
$luks_new_Disk_Recovery_Key_passphrase"
fi
if [ "$CONFIG_TPM" = "y" ]; then
if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
tpm_password_changed="
TPM Owner Password: $TPM_PASS\n"
else


@ -1,7 +1,6 @@
#!/bin/bash
. /etc/functions
if [ "$CONFIG_TPM" = "y" ]; then
echo '*****'
echo '***** WARNING: This will erase all keys and secrets from the TPM'
echo '*****'
@ -21,6 +20,7 @@ if [ "$CONFIG_TPM" = "y" ]; then
die "Key passwords do not match"
fi
if [ "$CONFIG_TPM" = "y" ]; then
# Make sure the TPM is ready to be reset
tpm physicalpresence -s
tpm physicalenable
@ -36,5 +36,5 @@ if [ "$CONFIG_TPM" = "y" ]; then
fi
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
tpmr reset
tpmr reset "$key_password"
fi
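Review bot: `tpmr reset "$key_password"` places the freshly chosen owner password in the argv of a child process, where it is readable through `ps` and `/proc/<pid>/cmdline` by anything else running and is printed verbatim if either script is traced with `set -x`; before this change the secret never left `tpmr`'s own `read -s`. In the Heads initramfs there is presumably little else running, so the exposure looks small, but it is a step back from the old flow. Passing it on stdin keeps argv clean: `printf '%s\n' "$key_password" | tpmr reset` here, with `IFS= read -r key_password` replacing `key_password="$1"` in tpmr's tpm2_reset. The `if [ "$CONFIG_TPM" = "y" ]; then` block opened in the second hunk closes outside it.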


@ -155,24 +155,7 @@ tpm2_unseal() {
}
tpm2_reset() {
echo '*****'
echo '***** WARNING: This will erase all keys and secrets from the TPM'
echo '*****'
read -s -p "New TPM owner password: " key_password
echo
if [ -z "$key_password" ]; then
die "Empty owner password is not allowed"
fi
read -s -p "Repeat owner password: " key_password2
echo
if [ "$key_password" != "$key_password2" ]; then
die "Key passwords do not match"
fi
key_password="$1"
mkdir -p "$SECRET_DIR"
tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy!"
tpm2 changeauth -c owner "$key_password"
@ -205,7 +188,7 @@ case "$subcmd" in
unseal)
tpm2_unseal "$@";;
reset)
tpm2_reset;;
tpm2_reset "$@";;
*)
echo "Command $subcmd not wrapped!"
exit 1
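Review bot: `tpm2_reset` now takes the owner password as `key_password="$1"` without the empty-password check the removed prompt carried, so `tpmr reset` invoked with no argument, or with an empty string, proceeds to `tpm2 clear` and `tpm2 changeauth -c owner ""` and leaves the owner hierarchy with an empty auth value rather than failing. tpm-reset validates before calling, but tpmr is a generic wrapper and the dispatch `reset) tpm2_reset "$@";;` accepts any argument list. Keep the guard at the top of the function: `[ -n "$key_password" ] || die "Empty owner password is not allowed"`. tpm2_reset's body continues past the end of the first hunk.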