mirror of
https://github.com/linuxboot/heads.git
synced 2025-03-15 00:36:34 +00:00
7cec25542d
Closes issue #226 Also changed to procedure to show LVM volume groups and block device ids to aid in choosing the right combination during the TPM LUKS key sealing process.
50 lines
1019 B
Bash
Executable File
50 lines
1019 B
Bash
Executable File
#!/bin/sh
|
|
# This will unseal and unecncrypt the drive encryption key from the TPM
|
|
# The TOTP secret will be shown to the user on each encryption attempt.
|
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
|
set -e -o pipefail
|
|
|
|
TPM_INDEX=3
|
|
TPM_SIZE=312
|
|
|
|
. /etc/functions
|
|
mkdir -p /tmp/secret
|
|
|
|
sealed_file="/tmp/secret/sealed.key"
|
|
key_file="$1"
|
|
|
|
if [ -z "$key_file" ]; then
|
|
key_file="/tmp/secret/secret.key"
|
|
fi
|
|
|
|
tpm nv_readvalue \
|
|
-in "$TPM_INDEX" \
|
|
-sz "$TPM_SIZE" \
|
|
-of "$sealed_file" \
|
|
|| die "Unable to read key from TPM NVRAM"
|
|
|
|
for tries in 1 2 3; do
|
|
read -s -p "Enter unlock password (blank to abort): " tpm_password
|
|
echo
|
|
|
|
if [ -z "$tpm_password" ]; then
|
|
die "Aborting unseal disk encryption key"
|
|
fi
|
|
|
|
if tpm unsealfile \
|
|
-if "$sealed_file" \
|
|
-of "$key_file" \
|
|
-pwdd "$tpm_password" \
|
|
-hk 40000000 \
|
|
; then
|
|
# should be okay if this fails
|
|
rm -f /tmp/secret/sealed || true
|
|
exit 0
|
|
fi
|
|
|
|
pcrs
|
|
warn "Unable to unseal disk encryption key"
|
|
done
|
|
|
|
die "Retry count exceeded..."
|