ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-25 23:51:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1f8eaa696e
heads/initrd/bin/qubes-update
Trammell Hudson 353a0efe6f
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) 
This adds support for seamless booting of Qubes with a TPM disk key,
as well as signing of qubes files in /boot with a Yubikey.

The signed hashes also includes a TPM counter, which is incremented
when new hashes are signed.  This prevents rollback attacks against
the /boot filesystem.

The TPMTOTP value is presented to the user at the time of entering
the disk encryption keys.  Hitting enter will generate a new code.

The LUKS headers are included in the TPM sealing of the disk
encryption keys.
2017-04-12 06:57:58 -04:00

82 lines
1.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# Update the /boot partition signatures
set -o pipefail
. /etc/functions
XEN="$1"
KERNEL="$2"
INITRD="$3"
BOOT_HASHES="/boot/boot.hashes"
if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
fi
# setup the USB so we can reach the GPG card
if ! lsmod | grep -q ehci_hcd; then
insmod /lib/modules/ehci-hcd.ko \
|| die "ehci_hcd: module load failed"
fi
if ! lsmod | grep -q ehci_pci; then
insmod /lib/modules/ehci-pci.ko \
|| die "ehci_pci: module load failed"
fi
if ! lsmod | grep -q xhci_hcd; then
insmod /lib/modules/xhci-hcd.ko \
|| die "ehci_hcd: module load failed"
fi
if ! lsmod | grep -q xhci_pci; then
insmod /lib/modules/xhci-pci.ko \
|| die "ehci_pci: module load failed"
sleep 2
fi
gpg --card-status \
|| die "gpg card read failed"
# if the /boot.hashes file already exists, read the TPM counter ID
# from it.
if [ -r "$BOOT_HASHES" ]; then
TPM_COUNTER=`grep counter- "$BOOT_HASHES" | cut -d- -f2`
else
warn "$BOOT_HASHES does not exist; creating new TPM counter"
read -s -p "TPM Owner password: " tpm_password
echo
tpm counter_create \
-pwdo "$tpm_password" \
-pwdc '' \
-la 3135106223 \
| tee /tmp/counter \
|| die "Unable to create TPM counter"
TPM_COUNTER=`cut -d: -f1 < /tmp/counter`
fi
if [ -z "$TPM_COUNTER" ]; then
die "$BOOT_HASHES: TPM Counter not found?"
fi
mount -o rw,remount /boot \
|| die "Could not remount /boot"
tpm counter_increment -ix "$TPM_COUNTER" -pwdc '' \
| tee /tmp/counter-$TPM_COUNTER \
|| die "Counter increment failed"
sha256sum \
"$XEN" \
"$KERNEL" \
"$INITRD" \
"/tmp/counter-$TPM_COUNTER" \
| tee "$BOOT_HASHES"
for tries in 1 2 3; do
if gpg --detach-sign -a "$BOOT_HASHES"; then
mount -o ro,remount /boot
exit 0
fi
done
warn "$BOOT_HASHES: Unable to sign boot hashes"
mount -o ro,remount /boot
exit 1
Reference in New Issue View Git Blame Copy Permalink