#!/bin/bash
# This will unseal and unecncrypt the drive encryption key from the TPM
# The TOTP secret will be shown to the user on each encryption attempt.
# It will then need to be bundled into initrd that is booted with Qubes.
set -e -o pipefail
. /etc/functions

TPM_INDEX=3
TPM_SIZE=312

. /etc/functions

TRACE_FUNC

mkdir -p /tmp/secret

key_file="$1"

if [ -z "$key_file" ]; then
	key_file="/tmp/secret/secret.key"
fi

DEBUG "CONFIG_TPM: $CONFIG_TPM"
DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
DEBUG "Show PCRs"
DEBUG "$(pcrs)"

for tries in 1 2 3; do
	read -s -p "Enter LUKS TPM Disk Unlock Key passphrase (blank to abort): " tpm_password
	echo
	if [ -z "$tpm_password" ]; then
		die "Aborting unseal disk encryption key"
	fi

	if DO_WITH_DEBUG --mask-position 6 \
		tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \
		"$key_file" "$tpm_password"; then
		exit 0
	fi

	DEBUG $(pcrs)
	warn "Unable to unseal disk encryption key"
done

die "Retry count exceeded..."