#!/bin/bash
# Generate a random secret, seal it with the PCRs
# and write it to the TPM NVRAM.
#
# Pass in a hostname if you want to change it from the default string
#

. /etc/functions

TRACE "Under /bin/seal-totp"

TPM_NVRAM_SPACE=4d47

HOST="$1"
if [ -z "$HOST" ]; then
	HOST="TPMTOTP"
fi

TOTP_SECRET="/tmp/secret/totp.key"
TOTP_SEALED="/tmp/secret/totp.sealed"

dd \
	if=/dev/urandom \
	of="$TOTP_SECRET" \
	count=1 \
	bs=20 \
	2>/dev/null \
|| die "Unable to generate 20 random bytes"

secret="`base32 < $TOTP_SECRET`"
if [ "$CONFIG_TPM" = "y" ];then
	# Use the current values of the PCRs, which will be read
	# from the TPM as part of the sealing ("X").
	# PCR4 == 0 means that we are still in the boot process and
	# not a recovery shell.
	# should this read the storage root key?
	if ! tpm sealfile2 \
	     -if "$TOTP_SECRET" \
	     -of "$TOTP_SEALED" \
	     -hk 40000000 \
	     -ix 0 X \
	     -ix 1 X \
	     -ix 2 X \
	     -ix 3 X \
	     -ix 4 0000000000000000000000000000000000000000 \
	     -ix 7 X \
	   ; then
		shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
		die "Unable to seal secret"
	fi

	shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null


	# to create an nvram space we need the TPM owner password
	# and the TPM physical presence must be asserted.
	#
	# The permissions are 0 since there is nothing special
	# about the sealed file
	tpm physicalpresence -s \
		|| warn "Warning: Unable to assert physical presence"

	# Try to write it without the password first, and then create
	# the NVRAM space using the owner password if it fails for some reason.
	if ! tpm nv_writevalue \
			-in $TPM_NVRAM_SPACE \
			-if "$TOTP_SEALED" \
	; then
		warn 'NVRAM space does not exist? Owner password is required'
		read -s -p "TPM Owner password: " tpm_password
		echo

		tpm nv_definespace \
			-in $TPM_NVRAM_SPACE \
			-sz 312 \
			-pwdo "$tpm_password" \
			-per 0 \
			|| die "Unable to define NVRAM space"

		tpm nv_writevalue \
				-in $TPM_NVRAM_SPACE \
				-if "$TOTP_SEALED" \
			|| die "Unable to write sealed secret to NVRAM"
	fi
elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
	pcrf="/tmp/secret/pcrf.bin"
	tpm2 pcrread -o "$pcrf" sha256:0,1,2,3
	# pcr 4 is expected to be zero (boot mode: init)
	dd if=/dev/zero bs=32 count=1 >> "$pcrf"
	# pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
	# pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
	# pcr 7 is containing measurements of user injected stuff in cbfs
	tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf"
	tpmr seal "$TOTP_SECRET" "0x8100$TPM_NVRAM_SPACE" sha256:0,1,2,3,4,7 "$pcrf" \
		|| die "Unable to write sealed secret to NVRAM"
fi

shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null

url="otpauth://totp/$HOST?secret=$secret"
secret=""

qrenc "$url"
echo "$url"