ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-30 09:48:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7afb1e474f
heads/initrd/bin/unseal-hotp
Jonathon Hall 0a38717e20
tpmr: Wrap TPM1 and TPM2 unseal actions so scripts can invoke either 
Provide tpmr unseal to unseal a file with TPM1 or TPM2.  For TPM1, it
wraps tpm nv_readvalue and tpm unsealfile.  For TPM2, it wraps tpm2
unseal.

kexec-unseal-key, seal-hotpkey, unseal-hotp, and unseal-totp no longer
need to differentiate TPM1/TPM2.

Fixes spurious shred errors on TPM2 that only apply to TPM1 (temporary
sealed secret file and shred are now internal to tpmr).

Fixes TPM1 disk unlock key unsealing due to logic errors relating to
exit status of tpmr unseal or tpm unsealfile (now always uses status of
tpmr unseal).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:50 -05:00

65 lines
1.7 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp
. /etc/functions
HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot_or_die()
{
TRACE "Under /bin/unseal-hotp:mount_boot_or_die"
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| die "Unable to mount /boot"
fi
}
TRACE "Under /bin/unseal-hotp"
# Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots
# get current value of HOTP counter in TPM, create if absent
mount_boot_or_die
#check_tpm_counter $HOTP_COUNTER hotp \
#|| die "Unable to find/create TPM counter"
#counter="$TPM_COUNTER"
#
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
#
counter_value=$(cat $HOTP_COUNTER)
if [ "$counter_value" == "" ]; then
die "Unable to read HOTP counter"
fi
#counter_value=$(printf "%d" 0x${counter_value})
if [ "$CONFIG_TPM" = "y" ]; then
tpmr unseal 4d47 sha256:0,1,2,3,4,7 312 "$HOTP_SECRET"
fi
if ! hotp $counter_value < "$HOTP_SECRET"; then
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die 'Unable to compute HOTP hash?'
fi
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
mount -o remount,rw /boot
counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
|| die "Unable to create hotp counter file"
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
mount -o remount,ro /boot
exit 0
Reference in New Issue View Git Blame Copy Permalink