3fb84f0b42
gui-init: make sure that reseal_tpm_disk_decryption_key happens only on successful TOTP/HOTP sealing, reusing cached TPM Owner password Signed-off-by: Thierry Laurion <insurgo@riseup.net>
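#!/bin/bash
# Retrieve the sealed TOTP secret from TPM NVRAM, unseal it into a file under
# /tmp/secret and compute the current TOTP code from it. The plaintext secret
# is shredded on every exit path, success or failure.
#
# Globals:  CONFIG_TPM (read; board config brought in by /etc/functions)
# Outputs:  the TOTP code on stdout, as printed by `totp -q`
# Returns:  0 on success; otherwise leaves through die() from /etc/functions

. /etc/functions

TOTP_SECRET="/tmp/secret/totp.key"

TRACE "Under /bin/unseal-totp"

# Overwrite and unlink the unsealed secret so it does not linger in /tmp.
# Errors are deliberately ignored: the file may not exist if unsealing failed.
wipe_secret() {
	shred -n 10 -z -u "$TOTP_SECRET" 2>/dev/null
}

if [ "$CONFIG_TPM" = "y" ]; then
	# tpmr unseal <nvram index> <pcr list> <size> <outfile>:
	# the secret lives at index 4d47, 312 bytes, sealed to PCRs 0-4 and 7.
	tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" ||
		die "Unable to unseal TOTP secret"
else
	# Nothing populates "$TOTP_SECRET" without a TPM. Previously this fell
	# through to the totp line below and died with a misleading "Unable to
	# compute TOTP hash?" after a bash redirection error; say what is missing.
	die "Unable to unseal TOTP secret: CONFIG_TPM is not 'y'"
fi

if ! totp -q <"$TOTP_SECRET"; then
	wipe_secret
	die 'Unable to compute TOTP hash?'
fi

wipe_secret
exit 0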