#!/bin/bash # Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp . /etc/functions HOTP_SECRET="/tmp/secret/hotp.key" HOTP_COUNTER="/boot/kexec_hotp_counter" mount_boot_or_die() { TRACE "Under /bin/unseal-hotp:mount_boot_or_die" # Mount local disk if it is not already mounted if ! grep -q /boot /proc/mounts ; then mount -o ro /boot \ || die "Unable to mount /boot" fi } TRACE "Under /bin/unseal-hotp" # Store counter in file instead of TPM for now, as it conflicts with Heads # config TPM counter as TPM 1.2 can only increment one counter between reboots # get current value of HOTP counter in TPM, create if absent mount_boot_or_die #check_tpm_counter $HOTP_COUNTER hotp \ #|| die "Unable to find/create TPM counter" #counter="$TPM_COUNTER" # #counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")') # counter_value=$(cat $HOTP_COUNTER) if [ "$counter_value" == "" ]; then die "Unable to read HOTP counter" fi #counter_value=$(printf "%d" 0x${counter_value}) if [ "$CONFIG_TPM" = "y" ]; then DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..." tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" else # without a TPM, generate a secret based on the SHA-256 of the ROM secret_from_rom_hash > "$HOTP_SECRET" || die "Reading ROM failed" fi # Truncate the secret if it is longer than the maximum HOTP secret truncate_max_bytes 20 "$HOTP_SECRET" if ! hotp $counter_value < "$HOTP_SECRET"; then shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null die 'Unable to compute HOTP hash?' fi shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null #increment_tpm_counter $counter > /dev/null \ #|| die "Unable to increment tpm counter" mount -o remount,rw /boot counter_value=`expr $counter_value + 1` echo $counter_value > $HOTP_COUNTER \ || die "Unable to create hotp counter file" #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \ #|| die "Unable to create hotp counter file" mount -o remount,ro /boot exit 0