ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

kexec-insert-key: refactor tampering check for encrypted disk keys prior of TPM unsealing ops

Browse Source 
move code from kexec-unseal-key to kexec-insert-key, address code review and apply verbiage suggestion changes

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-04-08 16:22:57 -04:00
parent f6232aa70f
commit fb5cbf41a1
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
2 changed files with 16 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
initrd/bin/kexec-insert-key
View File

@ -40,7 +40,22 @@ SECRET_CPIO=/tmp/secret/initrd.cpio
bootdir=$(dirname "$INITRD")
mkdir -p "$INITRD_DIR/etc"
# Attempt to unseal the Disk Unlok Key from the TPM
if [ -e /boot/kexec_lukshdr_hash.txt ] && [ -e /tmp/luksDump.txt ]; then
if ! cmp -s /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt >/dev/null 2>&1; then
#LUKS header hash part of detached signed hash digest under boot doesn't match qubes-measure-luks tmp file
warn "Encrypted disk keys have changed since the TPM Disk Unlock Key was sealed. If you did not make this change, the disk may be compromised"
exit 1
else
#LUKS header hash part of detached signed hash digest matches
echo "+++ Encrypted disk keys have not been changed since sealed in TPM Disk Unlock Key"
#TODO: remove "+++" with boot info helper when added, same with "!!!" currently for info.
fi
else
warn "Could not check for tampering of Encrypted disk keys"
warn "Re-seal the TPM Disk Unlock Key by re-selecting your default boot option to enable this check (Options -> Boot Options -> Show OS boot menu)."
fi
# Attempt to unseal the Disk Unlock Key from the TPM
# should we give this some number of tries?
unseal_failed="n"
if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then
@ -57,9 +72,6 @@ tpmr extend -ix 4 -ic generic ||
# Check to continue
if [ "$unseal_failed" = "y" ]; then
confirm_boot="n"
if cmp -s "$bootdir/kexec_lukshdr_hash.txt" /tmp/luksDump.txt > /dev/null 2>&1; then
echo "Encrypted disk keys(s) have not been changed since sealed in TPM Disk Unlock Key"
fi
read \
-n 1 \
-p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \

8
initrd/bin/kexec-unseal-key
View File

@ -39,14 +39,6 @@ for tries in 1 2 3; do
fi
warn "Unable to unseal LUKS Disk Unlock Key from TPM"
if [ -e /boot/kexec_lukshdr_hash.txt ] && [ -e /tmp/luksDump.txt ]; then
if ! cmp -s /boot/kexec_lukshdr_hash.txt /tmp/luksDump.txt > /dev/null 2>&1; then
warn "Encrypted disk keys(s) have changed since sealed in TPM Disk Unlock Key. You might want to investigate."
fi
else
warn "Could not check for tampering of Encrypted disk keys(s)"
warn "Re-seal the TPM Disk Unlock Key by re-selecting your default boot option to enable this check (Options -> Boot Options -> Show OS boot menu)."
fi
done
die "Retry count exceeded..."