mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 07:06:42 +00:00
tpm-reset: Reduce duplication with tpmr reset
Use common password prompt logic in tpm-reset rather than duplicating in tpmr reset. Use common logic in config-gui.sh to reset the TPM. Use common logic in oem-factory-reset to reset TPM. Fixes extra prompts for TPM2 owner password even when choosing to use a common password. Fix sense of "NO TPM" check in TOTP generation (which only happened to work because CONFIG_TPM is empty for TPM2). Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This commit is contained in:
parent
ab57cd0b9a
commit
d51993b6a9
@ -126,10 +126,8 @@ while true; do
|
||||
# flash cleared ROM
|
||||
/bin/flash.sh -c /tmp/config-gui.rom
|
||||
# reset TPM if present
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
||||
/bin/tpm-reset
|
||||
elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
||||
tpmr reset
|
||||
fi
|
||||
whiptail --title 'Configuration Reset Updated Successfully' \
|
||||
--msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 16 60
|
||||
|
@ -309,7 +309,7 @@ report_integrity_measurements()
|
||||
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
|
||||
seconds=`date "+%s"`
|
||||
half=`expr \( $seconds % 60 \) / 30`
|
||||
if [ "$CONFIG_TPM" = n ]; then
|
||||
if [ "$CONFIG_TPM" != "y" -a "$CONFIG_TPM2_TOOLS" != "y" ]; then
|
||||
TOTP="NO TPM"
|
||||
elif [ "$half" != "$last_half" ]; then
|
||||
last_half=$half;
|
||||
@ -418,7 +418,7 @@ fi
|
||||
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -o -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||
CUSTOM_PASS_AFFECTED_COMPONENTS="LUKS Disk Recovery Key passphrase"
|
||||
fi
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
if [ "$CONFIG_TPM" = "y" ] || [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
||||
CUSTOM_PASS_AFFECTED_COMPONENTS="$CUSTOM_PASS_AFFECTED_COMPONENTS
|
||||
TPM Ownership password"
|
||||
fi
|
||||
@ -461,7 +461,7 @@ else
|
||||
; then
|
||||
echo -e "\nThey must be each at least 8 characters in length.\n"
|
||||
echo
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
||||
while [[ ${#TPM_PASS} -lt 8 ]] ; do
|
||||
echo -e -n "Enter desired TPM Ownership password: "
|
||||
read TPM_PASS
|
||||
@ -608,14 +608,12 @@ elif [ -z "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_K
|
||||
fi
|
||||
|
||||
## reset TPM and set password
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
||||
echo -e "\nResetting TPM...\n"
|
||||
{
|
||||
echo $TPM_PASS
|
||||
echo $TPM_PASS
|
||||
} | /bin/tpm-reset >/dev/null 2>/tmp/error
|
||||
elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
||||
tpmr reset
|
||||
fi
|
||||
if [ $? -ne 0 ]; then
|
||||
ERROR=$(tail -n 1 /tmp/error | fold -s)
|
||||
@ -725,7 +723,7 @@ else
|
||||
$luks_new_Disk_Recovery_Key_passphrase"
|
||||
fi
|
||||
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
if [ "$CONFIG_TPM" = "y" -o "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
||||
tpm_password_changed="
|
||||
TPM Owner Password: $TPM_PASS\n"
|
||||
else
|
||||
|
@ -1,7 +1,6 @@
|
||||
#!/bin/bash
|
||||
. /etc/functions
|
||||
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
echo '*****'
|
||||
echo '***** WARNING: This will erase all keys and secrets from the TPM'
|
||||
echo '*****'
|
||||
@ -21,6 +20,7 @@ if [ "$CONFIG_TPM" = "y" ]; then
|
||||
die "Key passwords do not match"
|
||||
fi
|
||||
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
# Make sure the TPM is ready to be reset
|
||||
tpm physicalpresence -s
|
||||
tpm physicalenable
|
||||
@ -36,5 +36,5 @@ if [ "$CONFIG_TPM" = "y" ]; then
|
||||
fi
|
||||
|
||||
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
||||
tpmr reset
|
||||
tpmr reset "$key_password"
|
||||
fi
|
||||
|
@ -155,24 +155,7 @@ tpm2_unseal() {
|
||||
}
|
||||
|
||||
tpm2_reset() {
|
||||
echo '*****'
|
||||
echo '***** WARNING: This will erase all keys and secrets from the TPM'
|
||||
echo '*****'
|
||||
|
||||
read -s -p "New TPM owner password: " key_password
|
||||
echo
|
||||
|
||||
if [ -z "$key_password" ]; then
|
||||
die "Empty owner password is not allowed"
|
||||
fi
|
||||
|
||||
read -s -p "Repeat owner password: " key_password2
|
||||
echo
|
||||
|
||||
|
||||
if [ "$key_password" != "$key_password2" ]; then
|
||||
die "Key passwords do not match"
|
||||
fi
|
||||
key_password="$1"
|
||||
mkdir -p "$SECRET_DIR"
|
||||
tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy!"
|
||||
tpm2 changeauth -c owner "$key_password"
|
||||
@ -205,7 +188,7 @@ case "$subcmd" in
|
||||
unseal)
|
||||
tpm2_unseal "$@";;
|
||||
reset)
|
||||
tpm2_reset;;
|
||||
tpm2_reset "$@";;
|
||||
*)
|
||||
echo "Command $subcmd not wrapped!"
|
||||
exit 1
|
||||
|
Loading…
Reference in New Issue
Block a user