unseal-hotp: ensure /boot mounted before checking HOTP secret

If /boot isn't mounted, we can't read the HOTP secret, so no point in reading from the TPM. This speeds up getting to the main menu in the case of an inaccessible or non-existant /boot, and maintains the warning condition from not being able to validate the HOTP. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2025-01-29 15:44:07 +00:00 · 2019-05-18 20:22:11 -05:00 · 2019-05-18 20:22:11 -05:00 · f772f2d088
commit f772f2d088
parent 65d669d408
1 changed files with 5 additions and 4 deletions
--- a/initrd/bin/unseal-hotp
+++ b/initrd/bin/unseal-hotp
@ -16,6 +16,11 @@ mount_boot_or_die()
  fi
 }

+# Store counter in file instead of TPM for now, as it conflicts with Heads
+# config TPM counter as TPM 1.2 can only increment one counter between reboots
+# get current value of HOTP counter in TPM, create if absent
+mount_boot_or_die
+
 tpm nv_readvalue \
 	-in 4d47 \
 	-sz 312 \
@ -30,10 +35,6 @@ tpm unsealfile  \

 shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null

-# Store counter in file instead of TPM for now, as it conflicts with Heads
-# config TPM counter as TPM 1.2 can only increment one counter between reboots
-# get current value of HOTP counter in TPM, create if absent
-mount_boot_or_die

 #check_tpm_counter $HOTP_COUNTER hotp \
 #|| die "Unable to find/create TPM counter"