mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-18 20:47:55 +00:00
fb5cbf41a1
move code from kexec-unseal-key to kexec-insert-key, address code review and apply verbiage suggestion changes Signed-off-by: Thierry Laurion <insurgo@riseup.net>
45 lines
976 B
Bash
Executable File
45 lines
976 B
Bash
Executable File
#!/bin/bash
|
|
# This will unseal and unecncrypt the drive encryption key from the TPM
|
|
# The TOTP secret will be shown to the user on each encryption attempt.
|
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
|
set -e -o pipefail
|
|
. /etc/functions
|
|
|
|
TPM_INDEX=3
|
|
TPM_SIZE=312
|
|
|
|
. /etc/functions
|
|
|
|
TRACE_FUNC
|
|
|
|
mkdir -p /tmp/secret
|
|
|
|
key_file="$1"
|
|
|
|
if [ -z "$key_file" ]; then
|
|
key_file="/tmp/secret/secret.key"
|
|
fi
|
|
|
|
DEBUG "CONFIG_TPM: $CONFIG_TPM"
|
|
DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
|
|
DEBUG "Show PCRs"
|
|
DEBUG "$(pcrs)"
|
|
|
|
for tries in 1 2 3; do
|
|
read -s -p "Enter LUKS TPM Disk Unlock Key passphrase (blank to abort): " tpm_password
|
|
echo
|
|
if [ -z "$tpm_password" ]; then
|
|
die "Aborting unseal disk encryption key"
|
|
fi
|
|
|
|
if DO_WITH_DEBUG --mask-position 6 \
|
|
tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \
|
|
"$key_file" "$tpm_password"; then
|
|
exit 0
|
|
fi
|
|
|
|
warn "Unable to unseal LUKS Disk Unlock Key from TPM"
|
|
done
|
|
|
|
die "Retry count exceeded..."
|