ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-21 13:57:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
79e10ee135
heads/initrd/bin/kexec-unseal-key
Jonathon Hall 79e10ee135
kexec-unseal-key, tpmr: Deduplicate TPM1/2 code and always use stdin pass 
Always send password via stdin to tpm2 create, tpm2 unseal.  The password
could being with things like 'file:', 'str:', 'pcr:' that would be
interpreted by tpm2.

Deduplicate the TPM1/2 code in kexec-unseal-key.  The TPM2 code was not
actually prompting for the password or sending it to tpmr unseal.

Password is still not working yet though.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:47 -05:00

66 lines
1.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# This will unseal and unecncrypt the drive encryption key from the TPM
# The TOTP secret will be shown to the user on each encryption attempt.
# It will then need to be bundled into initrd that is booted with Qubes.
set -e -o pipefail
. /etc/functions
TPM_INDEX=3
TPM_SIZE=312
. /etc/functions
mkdir -p /tmp/secret
sealed_file="/tmp/secret/sealed.key"
key_file="$1"
if [ -z "$key_file" ]; then
key_file="/tmp/secret/secret.key"
fi
# TPM1 only - read the sealed value first manually
if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
tpm nv_readvalue \
-in "$TPM_INDEX" \
-sz "$TPM_SIZE" \
-of "$sealed_file" \
|| die "Unable to read key from TPM NVRAM"
fi
echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
echo "DEBUG: Show PCRs"
pcrs
for tries in 1 2 3; do
read -s -p "Enter unlock password (blank to abort): " tpm_password
echo
if [ -z "$tpm_password" ]; then
die "Aborting unseal disk encryption key"
fi
unseal_result=1
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file"
unseal_result="$?"
else
tpm unsealfile \
-if "$sealed_file" \
-of "$key_file" \
-pwdd "$tpm_password" \
-hk 40000000
unseal_result="$?"
fi
if [ $? -eq 0 ]; then
# should be okay if this fails
shred -n 10 -z -u "$sealed_file" 2> /dev/null || true
exit 0
fi
pcrs
warn "Unable to unseal disk encryption key"
done
die "Retry count exceeded..."
Reference in New Issue View Git Blame Copy Permalink