Provide tpmr commands pcrread, pcrsize, calcfuturepcr, and seal for both TPM1 and TPM2. Combine seal logic for TPM1/TPM2 in seal-totp, kexec-seal-key. This is essentially the TPM2 logic now that tpmr provides the same wrapped commands for both TPM1 and TPM2. Remove algorithm prefix from PCR list in tpmr unseal for consistency with tpmr seal. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
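#!/bin/bash
# Generate a random secret, seal it with the PCRs
# and write it to the TPM NVRAM.
#
# Pass in a hostname if you want to change it from the default string
#
# Usage: seal-totp [HOSTNAME]
#
# The 20-byte secret is bound to PCRs 0,1,2,3,4,7 (see the tpmr seal call
# below) and stored in NVRAM index $TPM_NVRAM_SPACE.  The PCR list, the index
# and the size argument must match whatever reads the secret back, otherwise
# it can never be unsealed.
#
# NOTE(review): HOSTNAME is interpolated into the otpauth:// URI verbatim; a
# value containing '?', '&', '#' or whitespace yields a malformed URI.  Callers
# are expected to pass a plain label.

. /etc/functions

TRACE "Under /bin/seal-totp"

# NVRAM index (hex) the sealed blob is written to.
TPM_NVRAM_SPACE=4d47

# Label shown by the authenticator app; defaults when no argument is given.
HOST="$1"
if [ -z "$HOST" ]; then
	HOST="TPMTOTP"
fi

# Plaintext key.  It exists on /tmp/secret only until it has been sealed and
# is shredded below; the copy inside the TPM is the one that matters.
TOTP_SECRET="/tmp/secret/totp.key"
TOTP_SEALED="/tmp/secret/totp.sealed"

# 20 random bytes = 160-bit key, the conventional TOTP (HMAC-SHA1) key size.
dd \
	if=/dev/urandom \
	of="$TOTP_SECRET" \
	count=1 \
	bs=20 \
	2>/dev/null \
|| die "Unable to generate 20 random bytes"

# base32 is the encoding otpauth:// URIs carry the secret in.
secret="$(base32 < "$TOTP_SECRET")"

# Build the expected-PCR file the secret is sealed against.  Each read is
# checked: a missing or short entry would silently seal against a PCR set
# that never matches at unseal time, so fail loudly here instead.
pcrf="/tmp/secret/pcrf.bin"
tpmr pcrread 0 "$pcrf" || die "Unable to read PCR 0"
tpmr pcrread -a 1 "$pcrf" || die "Unable to read PCR 1"
tpmr pcrread -a 2 "$pcrf" || die "Unable to read PCR 2"
tpmr pcrread -a 3 "$pcrf" || die "Unable to read PCR 3"
# pcr 4 is expected to be zero (boot mode: init), so append one zero digest
# of the bank's digest size instead of the current (already extended) value.
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 >> "$pcrf" \
|| die "Unable to write expected PCR 4 value"
# pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
# pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
# pcr 7 is containing measurements of user injected stuff in cbfs
tpmr pcrread -a 7 "$pcrf" || die "Unable to read PCR 7"

# Seal the key into NVRAM, bound to PCRs 0,1,2,3,4,7 via the digests in
# $pcrf.  312 is the size argument handed through to tpmr seal.
tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 \
|| die "Unable to write sealed secret to NVRAM"

# Scrub the plaintext key: once the TPM holds the sealed copy nothing else
# needs totp.key and leaving it on /tmp/secret is an unnecessary exposure.
shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
# Nothing in this script writes $TOTP_SEALED; it is shredded in case tpmr seal
# left such a file behind (best effort, hence errors are ignored).
shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null

# The secret still lives in $url, which is deliberately shown to the user
# (QR code + plain text) so it can be enrolled in an authenticator.
url="otpauth://totp/$HOST?secret=$secret"
secret=""

qrenc "$url"
echo "$url"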