mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-30 09:48:56 +00:00
e6acaad215
When sealing/unsealing with a password, use a policy including both the specified PCRs and the object password. Fixes sealing and unsealing disk unlock key. tpm2 seems to have a bug in parameter decryption when using a policy session and password in this way, disable encryption in the policy session as a workaround. Flags still need to be set on the sealed object correctly, as the password is normally allowed on its own as an alternative to policy auth. Add -Q to some tpm2 invocations to silence diagnostics on stdout. Pass filename for unsealed secret rather than capturing from stdout for robustness against tpm2 diagnostics on stdout. Fix unseal result check in kexec-unseal-key. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
131 lines
3.6 KiB
Bash
Executable File
131 lines
3.6 KiB
Bash
Executable File
#!/bin/bash
|
|
# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
|
|
|
|
. /etc/functions
|
|
|
|
HOTP_SEALED="/tmp/secret/hotp.sealed"
|
|
HOTP_SECRET="/tmp/secret/hotp.key"
|
|
HOTP_COUNTER="/boot/kexec_hotp_counter"
|
|
HOTP_KEY="/boot/kexec_hotp_key"
|
|
|
|
mount_boot()
|
|
{
|
|
TRACE "Under /bin/seal-htopkey:mount_boot"
|
|
# Mount local disk if it is not already mounted
|
|
if ! grep -q /boot /proc/mounts ; then
|
|
mount -o ro /boot \
|
|
|| recovery "Unable to mount /boot"
|
|
fi
|
|
}
|
|
|
|
TRACE "Under /bin/seal-hotpkey"
|
|
|
|
# Use stored HOTP key branding (this might be useful after OEM reset)
|
|
if [ -r /boot/kexec_hotp_key ]; then
|
|
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
|
|
else
|
|
HOTPKEY_BRANDING="HOTP USB Security Dongle"
|
|
fi
|
|
|
|
if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
|
|
tpm nv_readvalue \
|
|
-in 4d47 \
|
|
-sz 312 \
|
|
-of "$HOTP_SEALED" \
|
|
|| die "Unable to retrieve sealed file from TPM NV"
|
|
|
|
tpm unsealfile \
|
|
-hk 40000000 \
|
|
-if "$HOTP_SEALED" \
|
|
-of "$HOTP_SECRET" \
|
|
|| die "Unable to unseal HOTP secret"
|
|
elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
|
tpmr unseal 0x81004d47 sha256:0,1,2,3,4,7 "$HOTP_SECRET" \
|
|
|| die "Unable to unseal HOTP secret"
|
|
fi
|
|
|
|
|
|
shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
|
|
|
|
# Store counter in file instead of TPM for now, as it conflicts with Heads
|
|
# config TPM counter as TPM 1.2 can only increment one counter between reboots
|
|
# get current value of HOTP counter in TPM, create if absent
|
|
mount_boot
|
|
|
|
#check_tpm_counter $HOTP_COUNTER hotp \
|
|
#|| die "Unable to find/create TPM counter"
|
|
#counter="$TPM_COUNTER"
|
|
#
|
|
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
|
|
#if [ "$counter_value" == "" ]; then
|
|
# die "Unable to read HOTP counter"
|
|
#fi
|
|
|
|
#counter_value=$(printf "%d" 0x${counter_value})
|
|
|
|
counter_value=1
|
|
|
|
enable_usb
|
|
if ! hotp_verification info ; then
|
|
echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
|
|
read
|
|
if ! hotp_verification info ; then
|
|
# don't leak key on failure
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
die "Unable to find $HOTPKEY_BRANDING"
|
|
fi
|
|
fi
|
|
|
|
# Set HOTP USB Security Dongle branding based on VID
|
|
if lsusb | grep -q "20a0:" ; then
|
|
HOTPKEY_BRANDING="Nitrokey"
|
|
elif lsusb | grep -q "316d:" ; then
|
|
HOTPKEY_BRANDING="Librem Key"
|
|
else
|
|
HOTPKEY_BRANDING="HOTP USB Security Dongle"
|
|
fi
|
|
|
|
echo -e ""
|
|
read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
|
|
echo -e "\n"
|
|
|
|
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
|
|
if [ $? -ne 0 ]; then
|
|
echo -e "\n"
|
|
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
|
|
echo -e "\n"
|
|
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
|
|
# don't leak key on failure
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
die "Setting HOTP secret failed"
|
|
fi
|
|
fi
|
|
|
|
# HOTP key no longer needed
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
|
|
# Make sure our counter is incremented ahead of the next check
|
|
#increment_tpm_counter $counter > /dev/null \
|
|
#|| die "Unable to increment tpm counter"
|
|
#increment_tpm_counter $counter > /dev/null \
|
|
#|| die "Unable to increment tpm counter"
|
|
|
|
mount -o remount,rw /boot
|
|
|
|
counter_value=`expr $counter_value + 1`
|
|
echo $counter_value > $HOTP_COUNTER \
|
|
|| die "Unable to create hotp counter file"
|
|
|
|
# Store/overwrite HOTP USB Security Dongle branding found out beforehand
|
|
echo $HOTPKEY_BRANDING > $HOTP_KEY \
|
|
|| die "Unable to store hotp key file"
|
|
|
|
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
|
|
#|| die "Unable to create hotp counter file"
|
|
mount -o remount,ro /boot
|
|
|
|
echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
|
|
read
|
|
|
|
exit 0
|