mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-19 04:57:55 +00:00
0a38717e20
Provide tpmr unseal to unseal a file with TPM1 or TPM2. For TPM1, it wraps tpm nv_readvalue and tpm unsealfile. For TPM2, it wraps tpm2 unseal. kexec-unseal-key, seal-hotpkey, unseal-hotp, and unseal-totp no longer need to differentiate TPM1/TPM2. Fixes spurious shred errors on TPM2 that only apply to TPM1 (temporary sealed secret file and shred are now internal to tpmr). Fixes TPM1 disk unlock key unsealing due to logic errors relating to exit status of tpmr unseal or tpm unsealfile (now always uses status of tpmr unseal). Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
22 lines
484 B
Bash
Executable File
22 lines
484 B
Bash
Executable File
#!/bin/bash
|
|
# Retrieve the sealed file from the NVRAM, unseal it and compute the totp
|
|
|
|
. /etc/functions
|
|
|
|
TOTP_SECRET="/tmp/secret/totp.key"
|
|
|
|
TRACE "Under /bin/unseal-totp"
|
|
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
tpmr unseal 4d47 sha256:0,1,2,3,4,7 312 "$TOTP_SECRET" \
|
|
|| die "Unable to unseal totp secret"
|
|
fi
|
|
|
|
if ! totp -q < "$TOTP_SECRET"; then
|
|
shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
|
|
die 'Unable to compute TOTP hash?'
|
|
fi
|
|
|
|
shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
|
|
exit 0
|