ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-21 05:53:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7afb1e474f
heads/initrd/bin/seal-totp
Jonathon Hall b500505312
tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1. 
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and
shouldn't, the differences should be localized).  Some checks were
incorrect and are fixed by this change.  Most checks are now unchanged
relative to master.

There are not that many places outside of tpmr that need to
differentiate TPM1 and TPM2.  Some of those are duplicate code that
should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and
some more are probably good candidates for abstracting in tpmr so the
business logic doesn't have to know TPM1 vs. TPM2.

Previously, CONFIG_TPM could be variously 'y', 'n', or empty.  Now it
is always 'y' or 'n', and 'y' means "any TPM".  Board configs are
unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this
doesn't have to be duplicated and can't be mistakenly mismatched.

There were a few checks for CONFIG_TPM = n that only coincidentally
worked for TPM2 because CONFIG_TPM was empty (not 'n').  This test is
now OK, but the checks were also cleaned up to '!= "y"' for robustness.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00

105 lines
2.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Generate a random secret, seal it with the PCRs
# and write it to the TPM NVRAM.
#
# Pass in a hostname if you want to change it from the default string
#
. /etc/functions
TRACE "Under /bin/seal-totp"
TPM_NVRAM_SPACE=4d47
HOST="$1"
if [ -z "$HOST" ]; then
HOST="TPMTOTP"
fi
TOTP_SECRET="/tmp/secret/totp.key"
TOTP_SEALED="/tmp/secret/totp.sealed"
dd \
if=/dev/urandom \
of="$TOTP_SECRET" \
count=1 \
bs=20 \
2>/dev/null \
|| die "Unable to generate 20 random bytes"
secret="`base32 < $TOTP_SECRET`"
if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
# Use the current values of the PCRs, which will be read
# from the TPM as part of the sealing ("X").
# PCR4 == 0 means that we are still in the boot process and
# not a recovery shell.
# should this read the storage root key?
if ! tpm sealfile2 \
-if "$TOTP_SECRET" \
-of "$TOTP_SEALED" \
-hk 40000000 \
-ix 0 X \
-ix 1 X \
-ix 2 X \
-ix 3 X \
-ix 4 0000000000000000000000000000000000000000 \
-ix 7 X \
; then
shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
die "Unable to seal secret"
fi
shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
# to create an nvram space we need the TPM owner password
# and the TPM physical presence must be asserted.
#
# The permissions are 0 since there is nothing special
# about the sealed file
tpm physicalpresence -s \
|| warn "Warning: Unable to assert physical presence"
# Try to write it without the password first, and then create
# the NVRAM space using the owner password if it fails for some reason.
if ! tpm nv_writevalue \
-in $TPM_NVRAM_SPACE \
-if "$TOTP_SEALED" \
; then
warn 'NVRAM space does not exist? Owner password is required'
read -s -p "TPM Owner password: " tpm_password
echo
tpm nv_definespace \
-in $TPM_NVRAM_SPACE \
-sz 312 \
-pwdo "$tpm_password" \
-per 0 \
|| die "Unable to define NVRAM space"
tpm nv_writevalue \
-in $TPM_NVRAM_SPACE \
-if "$TOTP_SEALED" \
|| die "Unable to write sealed secret to NVRAM"
fi
elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
pcrf="/tmp/secret/pcrf.bin"
tpm2 pcrread -o "$pcrf" sha256:0,1,2,3
# pcr 4 is expected to be zero (boot mode: init)
dd if=/dev/zero bs=32 count=1 >> "$pcrf"
# pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
# pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
# pcr 7 is containing measurements of user injected stuff in cbfs
tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf"
tpmr seal "$TOTP_SECRET" "0x8100$TPM_NVRAM_SPACE" sha256:0,1,2,3,4,7 "$pcrf" \
|| die "Unable to write sealed secret to NVRAM"
fi
shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null
url="otpauth://totp/$HOST?secret=$secret"
secret=""
qrenc "$url"
echo "$url"
Reference in New Issue View Git Blame Copy Permalink