mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-20 21:43:11 +00:00
698fc83046
We just set the TPM owner password, so there's no need to make the user enter it again. Eliminates some failure modes if the user mistypes it or enters the wrong password. Allow optionally passing in the TPM owner password in tpmr seal, check_tpm_counter(), seal-totp, and generate_totp_htop(). The user is still prompted if the password is needed but was not provided, so existing uses in other contexts continue to work unchanged. Prompt for the password in reset_tpm() and pass it down to each of the above. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
54 lines
1.5 KiB
Bash
Executable File
54 lines
1.5 KiB
Bash
Executable File
#!/bin/bash
|
|
# Generate a random secret, seal it with the PCRs
|
|
# and write it to the TPM NVRAM.
|
|
#
|
|
# Pass in a hostname if you want to change it from the default string
|
|
#
|
|
|
|
. /etc/functions
|
|
|
|
TRACE "Under /bin/seal-totp"
|
|
|
|
TPM_NVRAM_SPACE=4d47
|
|
|
|
HOST="$1"
|
|
if [ -z "$HOST" ]; then
|
|
HOST="TPMTOTP"
|
|
fi
|
|
TPM_PASSWORD="$2"
|
|
|
|
TOTP_SECRET="/tmp/secret/totp.key"
|
|
TOTP_SEALED="/tmp/secret/totp.sealed"
|
|
|
|
dd \
|
|
if=/dev/urandom \
|
|
of="$TOTP_SECRET" \
|
|
count=1 \
|
|
bs=20 \
|
|
2>/dev/null \
|
|
|| die "Unable to generate 20 random bytes"
|
|
|
|
secret="`base32 < $TOTP_SECRET`"
|
|
pcrf="/tmp/secret/pcrf.bin"
|
|
tpmr pcrread 0 "$pcrf"
|
|
tpmr pcrread -a 1 "$pcrf"
|
|
tpmr pcrread -a 2 "$pcrf"
|
|
tpmr pcrread -a 3 "$pcrf"
|
|
# pcr 4 is expected to be zero (boot mode: init)
|
|
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
|
|
# pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
|
|
DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)"
|
|
# pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
|
|
DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)"
|
|
# pcr 7 is containing measurements of user injected stuff in cbfs
|
|
tpmr pcrread -a 7 "$pcrf"
|
|
tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD" \
|
|
|| die "Unable to write sealed secret to NVRAM"
|
|
shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null
|
|
|
|
url="otpauth://totp/$HOST?secret=$secret"
|
|
secret=""
|
|
|
|
qrenc "$url"
|
|
echo "$url"
|