mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-19 04:57:55 +00:00
6923fb5e20
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
86 lines
2.0 KiB
Bash
Executable File
86 lines
2.0 KiB
Bash
Executable File
#!/bin/sh
|
|
# This will unseal and unecncrypt the drive encryption key from the TPM
|
|
# The TOTP secret will be shown to the user on each encryption attempt.
|
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
|
set -e -o pipefail
|
|
. /etc/functions
|
|
|
|
TPM_INDEX=3
|
|
TPM_SIZE=312
|
|
|
|
. /etc/functions
|
|
mkdir -p /tmp/secret
|
|
|
|
sealed_file="/tmp/secret/sealed.key"
|
|
key_file="$1"
|
|
|
|
if [ -z "$key_file" ]; then
|
|
key_file="/tmp/secret/secret.key"
|
|
fi
|
|
|
|
echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
|
|
echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
|
|
echo "DEBUG: Show PCRs"
|
|
pcrs
|
|
|
|
if [ "$CONFIG_TPM" = "y" ];then
|
|
tpm nv_readvalue \
|
|
-in "$TPM_INDEX" \
|
|
-sz "$TPM_SIZE" \
|
|
-of "$sealed_file" \
|
|
|| die "Unable to read key from TPM NVRAM"
|
|
|
|
for tries in 1 2 3; do
|
|
if [ "$CONFIG_AUTO_UNLOCK" != y ]; then
|
|
read -s -p "Enter unlock password (blank to abort): " tpm_password
|
|
echo
|
|
if [ -z "$tpm_password" ]; then
|
|
die "Aborting unseal disk encryption key"
|
|
fi
|
|
|
|
tpm unsealfile \
|
|
-if "$sealed_file" \
|
|
-of "$key_file" \
|
|
-pwdd "$tpm_password" \
|
|
-hk 40000000
|
|
else
|
|
tpm unsealfile \
|
|
-if "$sealed_file" \
|
|
-of "$key_file" \
|
|
-hk 40000000
|
|
fi
|
|
|
|
if [ $? -eq 0 ]; then
|
|
# should be okay if this fails
|
|
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
|
|
exit 0
|
|
fi
|
|
|
|
pcrs
|
|
warn "Unable to unseal disk encryption key"
|
|
done
|
|
elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
|
if [ "$CONFIG_ATTEST_TOOLS" = "y" ]; then
|
|
echo "Bring up network for remote attestation"
|
|
network-init-recovery
|
|
fi
|
|
for tries in 1 2 3; do
|
|
if [ "$CONFIG_AUTO_UNLOCK" = "y" ]; then
|
|
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" > "$key_file"
|
|
else
|
|
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "file:-" > "$key_file"
|
|
fi
|
|
|
|
if [ $? -eq 0 ]; then
|
|
# should be okay if this fails
|
|
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
|
|
exit 0
|
|
fi
|
|
|
|
pcrs
|
|
warn "Unable to unseal disk encryption key"
|
|
done
|
|
fi
|
|
|
|
die "Retry count exceeded..."
|