mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-30 09:48:56 +00:00
e6acaad215
When sealing/unsealing with a password, use a policy including both the specified PCRs and the object password. Fixes sealing and unsealing disk unlock key. tpm2 seems to have a bug in parameter decryption when using a policy session and password in this way, disable encryption in the policy session as a workaround. Flags still need to be set on the sealed object correctly, as the password is normally allowed on its own as an alternative to policy auth. Add -Q to some tpm2 invocations to silence diagnostics on stdout. Pass filename for unsealed secret rather than capturing from stdout for robustness against tpm2 diagnostics on stdout. Fix unseal result check in kexec-unseal-key. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
79 lines
2.0 KiB
Bash
Executable File
79 lines
2.0 KiB
Bash
Executable File
#!/bin/bash
|
|
# Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp
|
|
|
|
. /etc/functions
|
|
|
|
HOTP_SEALED="/tmp/secret/hotp.sealed"
|
|
HOTP_SECRET="/tmp/secret/hotp.key"
|
|
HOTP_COUNTER="/boot/kexec_hotp_counter"
|
|
|
|
mount_boot_or_die()
|
|
{
|
|
TRACE "Under /bin/unseal-hotp:mount_boot_or_die"
|
|
# Mount local disk if it is not already mounted
|
|
if ! grep -q /boot /proc/mounts ; then
|
|
mount -o ro /boot \
|
|
|| die "Unable to mount /boot"
|
|
fi
|
|
}
|
|
|
|
TRACE "Under /bin/unseal-hotp"
|
|
|
|
# Store counter in file instead of TPM for now, as it conflicts with Heads
|
|
# config TPM counter as TPM 1.2 can only increment one counter between reboots
|
|
# get current value of HOTP counter in TPM, create if absent
|
|
mount_boot_or_die
|
|
|
|
#check_tpm_counter $HOTP_COUNTER hotp \
|
|
#|| die "Unable to find/create TPM counter"
|
|
#counter="$TPM_COUNTER"
|
|
#
|
|
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
|
|
#
|
|
|
|
counter_value=$(cat $HOTP_COUNTER)
|
|
|
|
if [ "$counter_value" == "" ]; then
|
|
die "Unable to read HOTP counter"
|
|
fi
|
|
|
|
#counter_value=$(printf "%d" 0x${counter_value})
|
|
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
|
tpmr unseal 0x81004d47 sha256:0,1,2,3,4,7 "$HOTP_SECRET"
|
|
elif [ "$CONFIG_TPM" = "y" ]; then
|
|
tpm nv_readvalue \
|
|
-in 4d47 \
|
|
-sz 312 \
|
|
-of "$HOTP_SEALED" \
|
|
|| die "Unable to retrieve sealed file from TPM NV"
|
|
|
|
tpm unsealfile \
|
|
-hk 40000000 \
|
|
-if "$HOTP_SEALED" \
|
|
-of "$HOTP_SECRET" \
|
|
|| die "Unable to unseal HOTP secret"
|
|
fi
|
|
shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
|
|
|
|
if ! hotp $counter_value < "$HOTP_SECRET"; then
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
die 'Unable to compute HOTP hash?'
|
|
fi
|
|
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
|
|
#increment_tpm_counter $counter > /dev/null \
|
|
#|| die "Unable to increment tpm counter"
|
|
|
|
mount -o remount,rw /boot
|
|
|
|
counter_value=`expr $counter_value + 1`
|
|
echo $counter_value > $HOTP_COUNTER \
|
|
|| die "Unable to create hotp counter file"
|
|
|
|
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
|
|
#|| die "Unable to create hotp counter file"
|
|
mount -o remount,ro /boot
|
|
|
|
exit 0
|