mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-20 19:48:55 +00:00
6923fb5e20
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
49 lines
1.0 KiB
Bash
Executable File
49 lines
1.0 KiB
Bash
Executable File
#!/bin/sh
|
|
# extend a TPM PCR with a module and then load it
|
|
# any arguments will also be measured.
|
|
# The default PCR to be extended is 5, but can be
|
|
# overridden with the MODULE_PCR environment variable
|
|
|
|
die() {
|
|
echo >&2 "$@"
|
|
exit 1
|
|
}
|
|
|
|
MODULE="$1"; shift
|
|
|
|
if [ -z "$MODULE_PCR" ]; then
|
|
MODULE_PCR=5
|
|
fi
|
|
|
|
|
|
if [ -z "$MODULE" ]; then
|
|
die "Usage: $0 module [args...]"
|
|
fi
|
|
|
|
if [ ! -r "$MODULE" ]; then
|
|
die "$MODULE: not found?"
|
|
fi
|
|
|
|
if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
|
|
if [ ! -c /dev/tpmrm0 -o ! -x /bin/tpm2 ]; then
|
|
tpm_missing=1
|
|
fi
|
|
fi
|
|
|
|
if [ -z "$tpm_missing" ]; then
|
|
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|
|
|| die "$MODULE: tpm extend failed"
|
|
fi
|
|
|
|
if [ ! -z "$*" -a -z "$tpm_missing" ]; then
|
|
TMPFILE=/tmp/insmod.$$
|
|
echo "$@" > $TMPFILE
|
|
tpmr extend -ix "$MODULE_PCR" -if $TMPFILE \
|
|
|| die "$MODULE: tpm extend on arguments failed"
|
|
fi
|
|
|
|
# Since we have replaced the real insmod, we must invoke
|
|
# the busybox insmod via the original executable
|
|
busybox insmod "$MODULE" "$@" \
|
|
|| die "$MODULE: insmod failed"
|