mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 07:06:42 +00:00
77d4be1dc6
Debug logtrace, screenshots of non-debug will be added in PR #1758 TPM1: [ 4.815559] [U] hello world [ 5.099000] DEBUG: Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config) [ 5.122059] TRACE: Under init [ 5.165917] DEBUG: Applying panic_on_oom setting to sysctl [ 5.388757] TRACE: /bin/cbfs-init(5): main [ 5.516637] TRACE: /bin/cbfs-init(24): main [ 5.662271] DEBUG: TPM: Will extend PCR[7] with hash of filename /.gnupg/pubring.kbx [ 5.732223] TRACE: /bin/tpmr(790): main [ 5.785372] DEBUG: TPM: Extending PCR[7] with hash 7ccf4f64044946cf4e5b0efe3d959f00562227ae [ 5.838082] DEBUG: exec tpm extend -ix 7 -ic /.gnupg/pubring.kbx [ 6.081466] DEBUG: TPM: Will extend PCR[7] hash content of file /.gnupg/pubring.kbx [ 6.147455] TRACE: /bin/tpmr(790): main [ 6.196545] DEBUG: TPM: Extending PCR[7] with hash ee79223a3b9724ad1aab290a3785132805c79eae [ 6.251251] DEBUG: exec tpm extend -ix 7 -if /.gnupg/pubring.kbx [ 6.445119] TRACE: /bin/cbfs-init(24): main [ 6.585854] DEBUG: TPM: Will extend PCR[7] with hash of filename /.gnupg/trustdb.gpg [ 6.659172] TRACE: /bin/tpmr(790): main [ 6.707564] DEBUG: TPM: Extending PCR[7] with hash 7236ea8e612c1435259a8a0f8e0a8f1f5dba7042 [ 6.757645] DEBUG: exec tpm extend -ix 7 -ic /.gnupg/trustdb.gpg [ 7.013547] DEBUG: TPM: Will extend PCR[7] hash content of file /.gnupg/trustdb.gpg [ 7.082863] TRACE: /bin/tpmr(790): main [ 7.131022] DEBUG: TPM: Extending PCR[7] with hash ca8898407cacd96d6f2de90ae90825351be81c62 [ 7.183344] DEBUG: exec tpm extend -ix 7 -if /.gnupg/trustdb.gpg [ 7.413787] TRACE: /bin/key-init(6): main [ 8.718367] TRACE: Under /etc/ash_functions:combine_configs [ 8.803914] TRACE: Under /etc/ash_functions:pause_recovery !!! Hit enter to proceed to recovery shell !!! [ 9.045341] TRACE: /bin/setconsolefont.sh(6): main [ 9.096853] DEBUG: Board does not ship setfont, not checking console font [ 9.320494] TRACE: /bin/gui-init(641): main [ 9.356729] TRACE: Under /etc/ash_functions:enable_usb [ 9.445981] TRACE: /sbin/insmod(9): main [ 9.609464] TRACE: /sbin/insmod(53): main [ 9.660145] DEBUG: No module parameters, extending only with the module's content [ 9.791896] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/ehci-hcd.ko [ 9.860477] TRACE: /bin/tpmr(790): main [ 9.914849] DEBUG: TPM: Extending PCR[5] with hash bc9ff28a99e314cda69695ba34b26ed0d8b1e4ed [ 9.976867] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ehci-hcd.ko [ 10.146966] DEBUG: Loading /lib/modules/ehci-hcd.ko with busybox insmod [ 10.184086] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver [ 10.276564] TRACE: /sbin/insmod(9): main [ 10.433503] TRACE: /sbin/insmod(53): main [ 10.486272] DEBUG: No module parameters, extending only with the module's content [ 10.620200] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/uhci-hcd.ko [ 10.698710] TRACE: /bin/tpmr(790): main [ 10.750637] DEBUG: TPM: Extending PCR[5] with hash bcb2f15c7eb52484072a76fc8a0d7399f6cf2189 [ 10.808379] DEBUG: exec tpm extend -ix 5 -if /lib/modules/uhci-hcd.ko [ 10.996254] DEBUG: Loading /lib/modules/uhci-hcd.ko with busybox insmod [ 11.026108] uhci_hcd: USB Universal Host Controller Interface driver [ 11.040703] uhci_hcd 0000:00:1d.0: UHCI Host Controller [ 11.053129] uhci_hcd 0000:00:1d.0: new USB bus registered, assigned bus number 1 [ 11.061568] uhci_hcd 0000:00:1d.0: detected 2 ports [ 11.070973] uhci_hcd 0000:00:1d.0: irq 16, io base 0x0000ff00 [ 11.089004] hub 1-0:1.0: USB hub found [ 11.097535] hub 1-0:1.0: 2 ports detected [ 11.114890] uhci_hcd 0000:00:1d.1: UHCI Host Controller [ 11.123848] uhci_hcd 0000:00:1d.1: new USB bus registered, assigned bus number 2 [ 11.134989] uhci_hcd 0000:00:1d.1: detected 2 ports [ 11.142404] uhci_hcd 0000:00:1d.1: irq 17, io base 0x0000fee0 [ 11.153338] hub 2-0:1.0: USB hub found [ 11.160572] hub 2-0:1.0: 2 ports detected [ 11.176481] uhci_hcd 0000:00:1d.2: UHCI Host Controller [ 11.183898] uhci_hcd 0000:00:1d.2: new USB bus registered, assigned bus number 3 [ 11.193509] uhci_hcd 0000:00:1d.2: detected 2 ports [ 11.201574] uhci_hcd 0000:00:1d.2: irq 18, io base 0x0000fec0 [ 11.211182] hub 3-0:1.0: USB hub found [ 11.219256] hub 3-0:1.0: 2 ports detected [ 11.314467] TRACE: /sbin/insmod(9): main [ 11.468430] TRACE: /sbin/insmod(53): main [ 11.521914] DEBUG: No module parameters, extending only with the module's content [ 11.656647] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/ohci-hcd.ko [ 11.726721] TRACE: /bin/tpmr(790): main [ 11.778253] DEBUG: TPM: Extending PCR[5] with hash f563e46fbbed46423a1e10219953233d310792f5 [ 11.831718] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ohci-hcd.ko [ 12.010752] DEBUG: Loading /lib/modules/ohci-hcd.ko with busybox insmod [ 12.044192] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver [ 12.136462] TRACE: /sbin/insmod(9): main [ 12.293409] TRACE: /sbin/insmod(53): main [ 12.345947] DEBUG: No module parameters, extending only with the module's content [ 12.481562] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/ohci-pci.ko [ 12.547754] TRACE: /bin/tpmr(790): main [ 12.604827] DEBUG: TPM: Extending PCR[5] with hash a24699fdaac9976cc9447fd0cd444a469299ad2f [ 12.661256] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ohci-pci.ko [ 12.847247] DEBUG: Loading /lib/modules/ohci-pci.ko with busybox insmod [ 12.870986] ohci-pci: OHCI PCI platform driver [ 12.959387] TRACE: /sbin/insmod(9): main [ 13.112275] TRACE: /sbin/insmod(53): main [ 13.163112] DEBUG: No module parameters, extending only with the module's content [ 13.291360] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/ehci-pci.ko [ 13.364853] TRACE: /bin/tpmr(790): main [ 13.438536] DEBUG: TPM: Extending PCR[5] with hash b80a90e11a01eba40bb7e566f3374d0aad326acb [ 13.505500] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ehci-pci.ko [ 13.679865] DEBUG: Loading /lib/modules/ehci-pci.ko with busybox insmod [ 13.704539] ehci-pci: EHCI PCI platform driver [ 13.725570] ehci-pci 0000:00:1d.7: EHCI Host Controller [ 13.735562] ehci-pci 0000:00:1d.7: new USB bus registered, assigned bus number 4 [ 13.745092] ehci-pci 0000:00:1d.7: irq 19, io mem 0xfcf80000 [ 13.773286] ehci-pci 0000:00:1d.7: USB 2.0 started, EHCI 1.00 [ 13.783544] hub 4-0:1.0: USB hub found [ 13.791110] hub 4-0:1.0: 6 ports detected [ 13.800844] hub 1-0:1.0: USB hub found [ 13.807808] hub 1-0:1.0: 2 ports detected [ 13.823094] hub 2-0:1.0: USB hub found [ 13.829910] hub 2-0:1.0: 2 ports detected [ 13.839182] hub 3-0:1.0: USB hub found [ 13.846231] hub 3-0:1.0: 2 ports detected [ 13.946297] TRACE: /sbin/insmod(9): main [ 14.099143] TRACE: /sbin/insmod(53): main [ 14.149765] DEBUG: No module parameters, extending only with the module's content [ 14.291413] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/xhci-hcd.ko [ 14.372815] TRACE: /bin/tpmr(790): main [ 14.426919] DEBUG: TPM: Extending PCR[5] with hash 1fc55e846b9d5c93e58c6c8b6f867e744fa694bc [ 14.482815] DEBUG: exec tpm extend -ix 5 -if /lib/modules/xhci-hcd.ko [ 14.670419] DEBUG: Loading /lib/modules/xhci-hcd.ko with busybox insmod [ 14.783374] TRACE: /sbin/insmod(9): main [ 14.939364] TRACE: /sbin/insmod(53): main [ 14.995136] DEBUG: No module parameters, extending only with the module's content [ 15.135482] DEBUG: TPM: Will extend PCR[5] hash content of file /lib/modules/xhci-pci.ko [ 15.204263] TRACE: /bin/tpmr(790): main [ 15.255478] DEBUG: TPM: Extending PCR[5] with hash bbdd85242570aa438b908420a43b8d7042db8b4f [ 15.305598] DEBUG: exec tpm extend -ix 5 -if /lib/modules/xhci-pci.ko [ 15.480844] DEBUG: Loading /lib/modules/xhci-pci.ko with busybox insmod [ 15.512476] xhci_hcd 0000:00:04.0: xHCI Host Controller [ 15.528230] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 5 [ 15.540456] xhci_hcd 0000:00:04.0: hcc params 0x00087001 hci version 0x100 quirks 0x0000000000000010 [ 15.554225] hub 5-0:1.0: USB hub found [ 15.562061] hub 5-0:1.0: 4 ports detected [ 15.572058] xhci_hcd 0000:00:04.0: xHCI Host Controller [ 15.589966] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 6 [ 15.598116] xhci_hcd 0000:00:04.0: Host supports USB 3.0 SuperSpeed [ 15.606150] usb usb6: We don't know the algorithms for LPM for this host, disabling LPM. [ 15.616354] hub 6-0:1.0: USB hub found [ 15.623767] hub 6-0:1.0: 4 ports detected [ 15.909854] usb 5-1: new high-speed USB device number 2 using xhci_hcd [ 16.193548] usb 6-2: new SuperSpeed Gen 1 USB device number 2 using xhci_hcd [ 16.345381] usb 5-3: new full-speed USB device number 3 using xhci_hcd [ 17.674973] TRACE: /etc/functions(715): detect_boot_device [ 17.718114] TRACE: /etc/functions(682): mount_possible_boot_device [ 17.759829] TRACE: /etc/functions(642): is_gpt_bios_grub [ 17.833271] TRACE: /dev/vda1 is partition 1 of vda [ 17.925490] TRACE: /etc/functions(619): find_lvm_vg_name [ 18.068352] TRACE: Try mounting /dev/vda1 as /boot [ 18.114444] EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null) [ 18.158648] TRACE: /bin/gui-init(319): clean_boot_check [ 18.247883] TRACE: /bin/gui-init(348): check_gpg_key [ 18.338052] TRACE: /bin/gui-init(185): update_totp [ 18.419286] TRACE: /bin/unseal-totp(8): main [ 18.511352] TRACE: /bin/tpmr(614): tpm1_unseal [ 18.624811] DEBUG: Running at_exit handlers [ 18.661992] TRACE: /bin/tpmr(390): cleanup_shred [ 18.692897] !!! ERROR: Unable to unseal TOTP secret !!! [ 21.295284] TRACE: /bin/unseal-totp(8): main [ 21.386377] TRACE: /bin/tpmr(614): tpm1_unseal [ 21.496183] DEBUG: Running at_exit handlers [ 21.527060] TRACE: /bin/tpmr(390): cleanup_shred [ 21.558625] !!! ERROR: Unable to unseal TOTP secret !!! [ 24.162881] TRACE: /bin/unseal-totp(8): main [ 24.249549] TRACE: /bin/tpmr(614): tpm1_unseal [ 24.362331] DEBUG: Running at_exit handlers [ 24.394154] TRACE: /bin/tpmr(390): cleanup_shred [ 24.427400] !!! ERROR: Unable to unseal TOTP secret !!! [ 26.475340] DEBUG: CONFIG_TPM: y [ 26.521538] DEBUG: CONFIG_TPM2_TOOLS: [ 26.578490] DEBUG: Show PCRs [ 26.730805] DEBUG: PCR-00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.751488] PCR-01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.778571] PCR-02: C0 A9 54 C8 45 5C 78 49 80 EC 1C DB D8 E8 9B CC 65 11 58 BF [ 26.808771] PCR-03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.830508] PCR-04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.849538] PCR-05: 2C 3A 40 05 70 DB 21 89 4F CD C2 F8 D6 AE 40 DA 56 E1 B6 74 [ 26.878951] PCR-06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 26.895421] PCR-07: 7A 8A 4C E6 BA B0 AA 26 22 B1 26 A2 F6 36 BD F3 86 23 50 B6 TPM2: [ 5.305235] [U] hello world [ 5.591175] DEBUG: Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config) [ 5.615802] TRACE: Under init [ 5.657823] DEBUG: Applying panic_on_oom setting to sysctl [ 5.831457] TRACE: /bin/tpmr(349): tpm2_startsession [ 6.567984] TRACE: /bin/cbfs-init(5): main [ 6.695758] TRACE: /bin/cbfs-init(24): main [ 6.811665] TRACE: /bin/tpmr(832): main [ 6.870411] DEBUG: TPM: Extending PCR[7] with /.gnupg/pubring.kbx [ 6.907262] TRACE: /bin/tpmr(234): tpm2_extend [ 6.983504] TRACE: /bin/tpmr(247): tpm2_extend [ 7.037543] DEBUG: TPM: Will extend PCR[7] with hash of string /.gnupg/pubring.kbx [ 7.192665] TRACE: /bin/tpmr(265): tpm2_extend [ 7.246318] DEBUG: TPM: Extended PCR[7] with hash 96ab5053e4630a040d55549ba73cff2178d401d763147776771f9774597b86a1 [ 7.355327] TRACE: /bin/tpmr(832): main [ 7.409042] DEBUG: TPM: Extending PCR[7] with /.gnupg/pubring.kbx [ 7.446920] TRACE: /bin/tpmr(234): tpm2_extend [ 7.485782] TRACE: /bin/tpmr(252): tpm2_extend [ 7.540496] DEBUG: TPM: Will extend PCR[7] with hash of file content /.gnupg/pubring.kbx [ 7.759033] TRACE: /bin/tpmr(265): tpm2_extend [ 7.811693] DEBUG: TPM: Extended PCR[7] with hash f196f9cae98362568d31638e7522eee5042286b2c18627b06b30a0275207872e [ 7.903033] TRACE: /bin/cbfs-init(24): main [ 8.026099] TRACE: /bin/tpmr(832): main [ 8.077074] DEBUG: TPM: Extending PCR[7] with /.gnupg/trustdb.gpg [ 8.108061] TRACE: /bin/tpmr(234): tpm2_extend [ 8.180580] TRACE: /bin/tpmr(247): tpm2_extend [ 8.234748] DEBUG: TPM: Will extend PCR[7] with hash of string /.gnupg/trustdb.gpg [ 8.412522] TRACE: /bin/tpmr(265): tpm2_extend [ 8.469868] DEBUG: TPM: Extended PCR[7] with hash 53b843fe9bb52894d3a7d00197c776d56f3059f6a285124c7916724cd5013b0b [ 8.596316] TRACE: /bin/tpmr(832): main [ 8.655651] DEBUG: TPM: Extending PCR[7] with /.gnupg/trustdb.gpg [ 8.690508] TRACE: /bin/tpmr(234): tpm2_extend [ 8.723206] TRACE: /bin/tpmr(252): tpm2_extend [ 8.782554] DEBUG: TPM: Will extend PCR[7] with hash of file content /.gnupg/trustdb.gpg [ 8.999969] TRACE: /bin/tpmr(265): tpm2_extend [ 9.066744] DEBUG: TPM: Extended PCR[7] with hash abf745ef9f960af5d8b19a1acd4bc0a19da056f607b06cce6b920eab83cbbdec [ 9.215143] TRACE: /bin/key-init(6): main [ 10.661503] TRACE: Under /etc/ash_functions:combine_configs [ 10.749050] TRACE: Under /etc/ash_functions:pause_recovery !!! Hit enter to proceed to recovery shell !!! [ 10.998267] TRACE: /bin/setconsolefont.sh(6): main [ 11.059640] DEBUG: Board does not ship setfont, not checking console font [ 11.303012] TRACE: /bin/gui-init(641): main [ 11.334099] TRACE: Under /etc/ash_functions:enable_usb [ 11.421487] TRACE: /sbin/insmod(9): main [ 11.578754] TRACE: /sbin/insmod(53): main [ 11.630500] DEBUG: No module parameters, extending only with the module's content [ 11.741780] TRACE: /bin/tpmr(832): main [ 11.789365] DEBUG: TPM: Extending PCR[5] with /lib/modules/ehci-hcd.ko [ 11.823496] TRACE: /bin/tpmr(234): tpm2_extend [ 11.862739] TRACE: /bin/tpmr(252): tpm2_extend [ 11.920404] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/ehci-hcd.ko [ 12.123507] TRACE: /bin/tpmr(265): tpm2_extend [ 12.175292] DEBUG: TPM: Extended PCR[5] with hash 40c5206f06702e45d8e6632632255258af433be0641c96f514ea75ac14523a30 [ 12.234130] DEBUG: Loading /lib/modules/ehci-hcd.ko with busybox insmod [ 12.278479] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver [ 12.371875] TRACE: /sbin/insmod(9): main [ 12.523874] TRACE: /sbin/insmod(53): main [ 12.578418] DEBUG: No module parameters, extending only with the module's content [ 12.697785] TRACE: /bin/tpmr(832): main [ 12.753607] DEBUG: TPM: Extending PCR[5] with /lib/modules/uhci-hcd.ko [ 12.786940] TRACE: /bin/tpmr(234): tpm2_extend [ 12.819199] TRACE: /bin/tpmr(252): tpm2_extend [ 12.879805] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/uhci-hcd.ko [ 13.088925] TRACE: /bin/tpmr(265): tpm2_extend [ 13.158660] DEBUG: TPM: Extended PCR[5] with hash 1877332107fb8737a5636da26d4db2c10ffe4d1db2bcbde30b47774cdf05e02f [ 13.223888] DEBUG: Loading /lib/modules/uhci-hcd.ko with busybox insmod [ 13.253700] uhci_hcd: USB Universal Host Controller Interface driver [ 13.269580] uhci_hcd 0000:00:1d.0: UHCI Host Controller [ 13.278675] uhci_hcd 0000:00:1d.0: new USB bus registered, assigned bus number 1 [ 13.287280] uhci_hcd 0000:00:1d.0: detected 2 ports [ 13.296481] uhci_hcd 0000:00:1d.0: irq 16, io base 0x0000ff00 [ 13.314557] hub 1-0:1.0: USB hub found [ 13.332614] hub 1-0:1.0: 2 ports detected [ 13.352400] uhci_hcd 0000:00:1d.1: UHCI Host Controller [ 13.361016] uhci_hcd 0000:00:1d.1: new USB bus registered, assigned bus number 2 [ 13.368653] uhci_hcd 0000:00:1d.1: detected 2 ports [ 13.376700] uhci_hcd 0000:00:1d.1: irq 17, io base 0x0000fee0 [ 13.395046] hub 2-0:1.0: USB hub found [ 13.403107] hub 2-0:1.0: 2 ports detected [ 13.418573] uhci_hcd 0000:00:1d.2: UHCI Host Controller [ 13.426975] uhci_hcd 0000:00:1d.2: new USB bus registered, assigned bus number 3 [ 13.434733] uhci_hcd 0000:00:1d.2: detected 2 ports [ 13.442497] uhci_hcd 0000:00:1d.2: irq 18, io base 0x0000fec0 [ 13.460237] hub 3-0:1.0: USB hub found [ 13.467466] hub 3-0:1.0: 2 ports detected [ 13.579102] TRACE: /sbin/insmod(9): main [ 13.730892] TRACE: /sbin/insmod(53): main [ 13.781345] DEBUG: No module parameters, extending only with the module's content [ 13.891152] TRACE: /bin/tpmr(832): main [ 13.954015] DEBUG: TPM: Extending PCR[5] with /lib/modules/ohci-hcd.ko [ 13.995207] TRACE: /bin/tpmr(234): tpm2_extend [ 14.031074] TRACE: /bin/tpmr(252): tpm2_extend [ 14.095694] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/ohci-hcd.ko [ 14.315253] TRACE: /bin/tpmr(265): tpm2_extend [ 14.369608] DEBUG: TPM: Extended PCR[5] with hash 8a12ce4abfc87f11a023d4f1c26c225f5cffae248f9dad1fd30e78022996df02 [ 14.425800] DEBUG: Loading /lib/modules/ohci-hcd.ko with busybox insmod [ 14.455207] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver [ 14.548050] TRACE: /sbin/insmod(9): main [ 14.693175] TRACE: /sbin/insmod(53): main [ 14.742761] DEBUG: No module parameters, extending only with the module's content [ 14.855233] TRACE: /bin/tpmr(832): main [ 14.908035] DEBUG: TPM: Extending PCR[5] with /lib/modules/ohci-pci.ko [ 14.940321] TRACE: /bin/tpmr(234): tpm2_extend [ 14.970307] TRACE: /bin/tpmr(252): tpm2_extend [ 15.018421] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/ohci-pci.ko [ 15.226408] TRACE: /bin/tpmr(265): tpm2_extend [ 15.279951] DEBUG: TPM: Extended PCR[5] with hash 2065ee6544d78a5d31e67983166a9b8cf60dbe61bf0ee99c39e92816cc3a98db [ 15.335930] DEBUG: Loading /lib/modules/ohci-pci.ko with busybox insmod [ 15.360537] ohci-pci: OHCI PCI platform driver [ 15.446600] TRACE: /sbin/insmod(9): main [ 15.597149] TRACE: /sbin/insmod(53): main [ 15.649850] DEBUG: No module parameters, extending only with the module's content [ 15.753738] TRACE: /bin/tpmr(832): main [ 15.809086] DEBUG: TPM: Extending PCR[5] with /lib/modules/ehci-pci.ko [ 15.847559] TRACE: /bin/tpmr(234): tpm2_extend [ 15.878030] TRACE: /bin/tpmr(252): tpm2_extend [ 15.930320] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/ehci-pci.ko [ 16.131948] TRACE: /bin/tpmr(265): tpm2_extend [ 16.190395] DEBUG: TPM: Extended PCR[5] with hash 116145df2c495dfd58354025799fe5bb9b4d8e078960e8d0d7ceda746e4f2d06 [ 16.247675] DEBUG: Loading /lib/modules/ehci-pci.ko with busybox insmod [ 16.275465] ehci-pci: EHCI PCI platform driver [ 16.296704] ehci-pci 0000:00:1d.7: EHCI Host Controller [ 16.306151] ehci-pci 0000:00:1d.7: new USB bus registered, assigned bus number 4 [ 16.316293] ehci-pci 0000:00:1d.7: irq 19, io mem 0xfcf80000 [ 16.340527] ehci-pci 0000:00:1d.7: USB 2.0 started, EHCI 1.00 [ 16.357688] hub 4-0:1.0: USB hub found [ 16.365707] hub 4-0:1.0: 6 ports detected [ 16.376687] hub 1-0:1.0: USB hub found [ 16.384573] hub 1-0:1.0: 2 ports detected [ 16.393986] hub 2-0:1.0: USB hub found [ 16.401424] hub 2-0:1.0: 2 ports detected [ 16.410387] hub 3-0:1.0: USB hub found [ 16.418087] hub 3-0:1.0: 2 ports detected [ 16.513839] TRACE: /sbin/insmod(9): main [ 16.670778] TRACE: /sbin/insmod(53): main [ 16.721953] DEBUG: No module parameters, extending only with the module's content [ 16.835964] TRACE: /bin/tpmr(832): main [ 16.888003] DEBUG: TPM: Extending PCR[5] with /lib/modules/xhci-hcd.ko [ 16.919798] TRACE: /bin/tpmr(234): tpm2_extend [ 16.957470] TRACE: /bin/tpmr(252): tpm2_extend [ 17.013535] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/xhci-hcd.ko [ 17.225097] TRACE: /bin/tpmr(265): tpm2_extend [ 17.281099] DEBUG: TPM: Extended PCR[5] with hash 7f5a6bd0f7de6104e49374e1e5ce421e11795fcc4f53014ef9259d630d7876bc [ 17.337551] DEBUG: Loading /lib/modules/xhci-hcd.ko with busybox insmod [ 17.448660] TRACE: /sbin/insmod(9): main [ 17.595458] TRACE: /sbin/insmod(53): main [ 17.653305] DEBUG: No module parameters, extending only with the module's content [ 17.763612] TRACE: /bin/tpmr(832): main [ 17.817350] DEBUG: TPM: Extending PCR[5] with /lib/modules/xhci-pci.ko [ 17.849196] TRACE: /bin/tpmr(234): tpm2_extend [ 17.879069] TRACE: /bin/tpmr(252): tpm2_extend [ 17.927859] DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/xhci-pci.ko [ 18.126778] TRACE: /bin/tpmr(265): tpm2_extend [ 18.188056] DEBUG: TPM: Extended PCR[5] with hash 5502fa8c101f7e509145b9826094f06dd0e225c2311a14edc9ae9c812518a250 [ 18.247945] DEBUG: Loading /lib/modules/xhci-pci.ko with busybox insmod [ 18.286509] xhci_hcd 0000:00:04.0: xHCI Host Controller [ 18.294553] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 5 [ 18.308276] xhci_hcd 0000:00:04.0: hcc params 0x00087001 hci version 0x100 quirks 0x0000000000000010 [ 18.320288] hub 5-0:1.0: USB hub found [ 18.328425] hub 5-0:1.0: 4 ports detected [ 18.337635] xhci_hcd 0000:00:04.0: xHCI Host Controller [ 18.344430] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 6 [ 18.351769] xhci_hcd 0000:00:04.0: Host supports USB 3.0 SuperSpeed [ 18.360900] usb usb6: We don't know the algorithms for LPM for this host, disabling LPM. [ 18.371095] hub 6-0:1.0: USB hub found [ 18.378046] hub 6-0:1.0: 4 ports detected [ 18.673695] usb 5-1: new high-speed USB device number 2 using xhci_hcd [ 18.960744] usb 6-2: new SuperSpeed Gen 1 USB device number 2 using xhci_hcd [ 19.112485] usb 5-3: new full-speed USB device number 3 using xhci_hcd [ 20.433294] TRACE: /etc/functions(715): detect_boot_device [ 20.489580] TRACE: /etc/functions(682): mount_possible_boot_device [ 20.546126] TRACE: /etc/functions(642): is_gpt_bios_grub [ 20.653417] TRACE: /dev/vda1 is partition 1 of vda [ 20.777737] TRACE: /etc/functions(619): find_lvm_vg_name [ 20.946450] TRACE: Try mounting /dev/vda1 as /boot [ 20.997145] EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null) [ 21.053058] TRACE: /bin/gui-init(319): clean_boot_check [ 21.157752] TRACE: /bin/gui-init(348): check_gpg_key [ 21.260339] TRACE: /bin/gui-init(185): update_totp [ 21.376906] TRACE: /bin/unseal-totp(8): main [ 21.497372] TRACE: /bin/tpmr(569): tpm2_unseal [ 21.574501] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty> [ 22.212056] DEBUG: Running at_exit handlers [ 22.247818] TRACE: /bin/tpmr(374): cleanup_session [ 22.301292] DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session [ 22.423005] !!! ERROR: Unable to unseal TOTP secret !!! [ 25.058227] TRACE: /bin/unseal-totp(8): main [ 25.205031] TRACE: /bin/tpmr(569): tpm2_unseal [ 25.284388] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty> [ 25.914243] DEBUG: Running at_exit handlers [ 25.947988] TRACE: /bin/tpmr(374): cleanup_session [ 26.001694] DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session [ 26.126464] !!! ERROR: Unable to unseal TOTP secret !!! [ 28.766165] TRACE: /bin/unseal-totp(8): main [ 28.898452] TRACE: /bin/tpmr(569): tpm2_unseal [ 28.982708] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty> [ 29.609216] DEBUG: Running at_exit handlers [ 29.643372] TRACE: /bin/tpmr(374): cleanup_session [ 29.696741] DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session [ 29.822748] !!! ERROR: Unable to unseal TOTP secret !!! [ 31.890980] DEBUG: CONFIG_TPM: y [ 31.945147] DEBUG: CONFIG_TPM2_TOOLS: y [ 31.999643] DEBUG: Show PCRs [ 32.157607] DEBUG: sha256: [ 32.190288] 0 : 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.221302] 1 : 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.251240] 2 : 0x9FC171D45D54BDD49D40E8438BCF15808427BA72B11EC2DF1ACE877CA0CF4F14 [ 32.282127] 3 : 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.315382] 4 : 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.345767] 5 : 0xD76470232B7C3FD7D18D4DF3B77DACAFFDB876DBF3E84C996D74F7ECFA0FF60F [ 32.379099] 6 : 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.409630] 7 : 0x2E3147A8ADA1FEBEB2D32D7F50F25DC10F47D7CD48DF1D61A2D6BF958114A231 [ 32.439780] 8 : 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.508514] 9 : 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.537395] 10: 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.583510] 11: 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.622661] 12: 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.651831] 13: 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.687298] 14: 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.721766] 15: 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.751345] 16: 0x0000000000000000000000000000000000000000000000000000000000000000 [ 32.782919] 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF [ 32.813071] 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF [ 32.841994] 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF [ 32.869358] 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF [ 32.907215] 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF [ 32.937346] 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF [ 32.967810] 23: 0x0000000000000000000000000000000000000000000000000000000000000000 Signed-off-by: Thierry Laurion <insurgo@riseup.net>
869 lines
25 KiB
Bash
Executable File
869 lines
25 KiB
Bash
Executable File
#!/bin/bash
|
|
# TPM Wrapper - to unify tpm and tpm2 subcommands
|
|
|
|
. /etc/functions
|
|
|
|
SECRET_DIR="/tmp/secret"
|
|
PRIMARY_HANDLE="0x81000000"
|
|
ENC_SESSION_FILE="$SECRET_DIR/enc.ctx"
|
|
DEC_SESSION_FILE="$SECRET_DIR/dec.ctx"
|
|
PRIMARY_HANDLE_FILE="$SECRET_DIR/primary.handle"
|
|
|
|
# PCR size in bytes. Set when we determine what TPM version is in use.
|
|
# TPM1 PCRs are always 20 bytes. TPM2 is allowed to provide multiple PCR banks
|
|
# with different algorithms - we always use SHA-256, so they are 32 bytes.
|
|
PCR_SIZE=
|
|
|
|
# Export CONFIG_TPM2_CAPTURE_PCAP=y from your board config to capture tpm2 pcaps to
|
|
# /tmp/tpm0.pcap; Wireshark can inspect these. (This must be enabled at build
|
|
# time so the pcap TCTI driver is included.)
|
|
if [ -n "$CONFIG_TPM2_CAPTURE_PCAP" ]; then
|
|
export TPM2TOOLS_TCTI="pcap:device:/dev/tpmrm0"
|
|
export TCTI_PCAP_FILE="/tmp/tpm0.pcap"
|
|
fi
|
|
|
|
set -e -o pipefail
|
|
if [ -r "/tmp/config" ]; then
|
|
. /tmp/config
|
|
else
|
|
. /etc/config
|
|
fi
|
|
|
|
|
|
# Busybox xxd lacks -r, and we get hex dumps from TPM1 commands. This converts
|
|
# a hex dump to binary data using sed and printf
|
|
hex2bin() {
|
|
TRACE_FUNC
|
|
sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf
|
|
}
|
|
|
|
# Render a password as 'hex:<hexdump>' for use with tpm2-tools. Passwords
|
|
# should always be passed this way to avoid ambiguity. (Passing with no prefix
|
|
# would choke if the password happened to start with 'file:' or 'hex:'. Passing
|
|
# as a file still chokes if the password begins with 'hex:', oddly tpm2-tools
|
|
# accepts 'hex:' in the file content.)
|
|
tpm2_password_hex() {
|
|
TRACE_FUNC
|
|
echo "hex:$(echo -n "$1" | xxd -p | tr -d ' \n')"
|
|
}
|
|
|
|
# usage: tpmr pcrread [-a] <index> <file>
|
|
# Reads PCR binary data and writes to file.
|
|
# -a: Append to file. Default is to overwrite.
|
|
tpm2_pcrread() {
|
|
TRACE_FUNC
|
|
if [ "$1" = "-a" ]; then
|
|
APPEND=y
|
|
shift
|
|
fi
|
|
|
|
index="$1"
|
|
file="$2"
|
|
|
|
if [ -z "$APPEND" ]; then
|
|
# Don't append - truncate file now so real command always
|
|
# overwrites
|
|
true >"$file"
|
|
fi
|
|
|
|
DO_WITH_DEBUG tpm2 pcrread -Q -o >(cat >>"$file") "sha256:$index"
|
|
}
|
|
tpm1_pcrread() {
|
|
TRACE_FUNC
|
|
if [ "$1" = "-a" ]; then
|
|
APPEND=y
|
|
shift
|
|
fi
|
|
|
|
index="$1"
|
|
file="$2"
|
|
|
|
if [ -z "$APPEND" ]; then
|
|
# Don't append - truncate file now so real command always
|
|
# overwrites
|
|
true >"$file"
|
|
fi
|
|
|
|
DO_WITH_DEBUG tpm pcrread -ix "$index" | hex2bin >>"$file"
|
|
}
|
|
|
|
# is_hash - Check if a value is a valid hash of a given type
|
|
# usage: is_hash <alg> <value>
|
|
is_hash() {
|
|
# Must only contain 0-9a-fA-F
|
|
if [ "$(echo -n "$2" | tr -d '0-9a-fA-F' | wc -c)" -ne 0 ]; then return 1; fi
|
|
# SHA-1 hashes are 40 chars
|
|
if [ "$1" = "sha1" ] && [ "${#2}" -eq 40 ]; then return 0; fi
|
|
# SHA-256 hashes are 64 chars
|
|
if [ "$1" = "sha256" ] && [ "${#2}" -eq 64 ]; then return 0; fi
|
|
return 1
|
|
}
|
|
|
|
# extend_pcr_state - extend a PCR state value with more hashes or raw data (which is hashed)
|
|
# usage:
|
|
# extend_pcr_state <alg> <state> <files/hashes...>
|
|
# alg - either 'sha1' or 'sha256' to specify algorithm
|
|
# state - a hash value setting the initial state
|
|
# files/hashes... - any number of files or hashes, state is extended once for each item
|
|
extend_pcr_state() {
|
|
TRACE_FUNC
|
|
local alg="$1"
|
|
local state="$2"
|
|
local next extend
|
|
shift 2
|
|
|
|
while [ "$#" -gt 0 ]; do
|
|
next="$1"
|
|
shift
|
|
if is_hash "$alg" "$next"; then
|
|
extend="$next"
|
|
else
|
|
extend="$("${alg}sum" <"$next" | cut -d' ' -f1)"
|
|
fi
|
|
state="$(echo "$state$extend" | hex2bin | "${alg}sum" | cut -d' ' -f1)"
|
|
done
|
|
echo "$state"
|
|
}
|
|
|
|
# There are 3 (and a half) possible formats of event log, each of them requires
|
|
# different arguments for grep. Those formats are shown below as heredocs to
|
|
# keep all the data, including whitespaces:
|
|
# 1) TPM2 log, which can hold multiple hash algorithms at once:
|
|
: <<'EOF'
|
|
TPM2 log:
|
|
Specification: 2.00
|
|
Platform class: PC Client
|
|
TPM2 log entry 1:
|
|
PCR: 2
|
|
Event type: Action
|
|
Digests:
|
|
SHA256: de73053377e1ae5ba5d2b637a4f5bfaeb410137722f11ef135e7a1be524e3092
|
|
SHA1: 27c4f1fa214480c8626397a15981ef3a9323717f
|
|
Event data: FMAP: FMAP
|
|
EOF
|
|
# 2) TPM1.2 log (aka TCPA), digest is always SHA1:
|
|
: <<'EOF'
|
|
TCPA log:
|
|
Specification: 1.21
|
|
Platform class: PC Client
|
|
TCPA log entry 1:
|
|
PCR: 2
|
|
Event type: Action
|
|
Digest: 27c4f1fa214480c8626397a15981ef3a9323717f
|
|
Event data: FMAP: FMAP
|
|
EOF
|
|
# 3) coreboot-specific format:
|
|
# 3.5) older versions printed 'coreboot TCPA log', even though it isn't TCPA
|
|
: <<'EOF'
|
|
coreboot TPM log:
|
|
|
|
PCR-2 27c4f1fa214480c8626397a15981ef3a9323717f SHA1 [FMAP: FMAP]
|
|
EOF
|
|
|
|
# awk script to handle all of the above. Note this gets squashed to one line so
|
|
# semicolons are required.
|
|
AWK_PROG='
|
|
BEGIN {
|
|
getline;
|
|
hash_regex="([a-fA-F0-9]{40,})";
|
|
if ($0 == "TPM2 log:") {
|
|
RS="\n[^[:space:]]";
|
|
pcr="PCR: " pcr;
|
|
alg=toupper(alg) ": " hash_regex;
|
|
} else if ($0 == "TCPA log:") {
|
|
RS="\n[^[:space:]]";
|
|
pcr="PCR: " pcr;
|
|
alg="Digest: " hash_regex;
|
|
} else if ($0 ~ /^coreboot (TCPA|TPM) log:$/) {
|
|
pcr="PCR-" pcr;
|
|
alg=hash_regex " " toupper(alg) " ";
|
|
} else {
|
|
print "Unknown TPM event log format:", $0 > "/dev/stderr";
|
|
exit -1;
|
|
}
|
|
}
|
|
$0 ~ pcr {
|
|
match($0, alg);
|
|
print gensub(alg, "\\1", "g", substr($0, RSTART, RLENGTH));
|
|
}
|
|
'
|
|
|
|
# usage: replay_pcr <alg> <pcr_num> [ <input_file>|<input_hash> ... ]
|
|
# Replays PCR value from CBMEM event log. Note that this contains only the
|
|
# measurements performed by firmware, without those performed by Heads (USB
|
|
# modules, LUKS header etc). First argument is PCR number, followed by optional
|
|
# hashes and/or files extended to given PCR after firmware. Resulting PCR value
|
|
# is returned in binary form.
|
|
replay_pcr() {
|
|
TRACE_FUNC
|
|
if [ -z "$2" ]; then
|
|
echo >&2 "No PCR number passed"
|
|
return
|
|
fi
|
|
if [ "$2" -ge 8 ]; then
|
|
echo >&2 "Illegal PCR number ($2)"
|
|
return
|
|
fi
|
|
local log=$(cbmem -L)
|
|
local alg="$1"
|
|
local pcr="$2"
|
|
local alg_digits=0
|
|
# SHA-1 hashes are 40 chars
|
|
if [ "$alg" = "sha1" ]; then alg_digits=40; fi
|
|
# SHA-256 hashes are 64 chars
|
|
if [ "$alg" = "sha256" ]; then alg_digits=64; fi
|
|
shift 2
|
|
replayed_pcr=$(extend_pcr_state $alg $(printf "%.${alg_digits}d" 0) \
|
|
$(echo "$log" | awk -v alg=$alg -v pcr=$pcr -f <(echo $AWK_PROG)) $@)
|
|
echo $replayed_pcr | hex2bin
|
|
DEBUG "Replayed cbmem -L clean boot state of PCR=$pcr ALG=$alg : $replayed_pcr"
|
|
# To manually introspect current PCR values:
|
|
# PCR-2:
|
|
# tpmr calcfuturepcr 2 | xxd -p
|
|
# PCR-4, in case of recovery shell (bash used for process substitution):
|
|
# bash -c "tpmr calcfuturepcr 4 <(echo -n recovery)" | xxd -p
|
|
# PCR-4, in case of normal boot passing through kexec-select-boot:
|
|
# bash -c "tpmr calcfuturepcr 4 <(echo -n generic)" | xxd -p
|
|
# PCR-5, depending on which modules are loaded for given board:
|
|
# tpmr calcfuturepcr 5 module0.ko module1.ko module2.ko | xxd -p
|
|
# PCR-6 and PCR-7: similar to 5, but with different files passed
|
|
# (6: LUKS header, 7: user related cbfs files loaded from cbfs-init)
|
|
}
|
|
|
|
tpm2_extend() {
|
|
TRACE_FUNC
|
|
while true; do
|
|
case "$1" in
|
|
-ix)
|
|
# store index and shift so -ic and -if can be processed
|
|
index="$2"
|
|
shift 2
|
|
;;
|
|
-ic)
|
|
string=$(echo -n "$2")
|
|
hash="$(echo -n "$2" | sha256sum | cut -d' ' -f1)"
|
|
TRACE_FUNC
|
|
DEBUG "TPM: Will extend PCR[$index] with hash of string $string"
|
|
shift 2
|
|
;;
|
|
-if)
|
|
TRACE_FUNC
|
|
DEBUG "TPM: Will extend PCR[$index] with hash of file content $2"
|
|
hash="$(sha256sum "$2" | cut -d' ' -f1)"
|
|
shift 2
|
|
;;
|
|
*)
|
|
break
|
|
;;
|
|
esac
|
|
done
|
|
tpm2 pcrextend "$index:sha256=$hash"
|
|
tpm2 pcrread "sha256:$index"
|
|
|
|
TRACE_FUNC
|
|
DEBUG "TPM: Extended PCR[$index] with hash $hash"
|
|
}
|
|
|
|
tpm2_counter_read() {
|
|
TRACE_FUNC
|
|
while true; do
|
|
case "$1" in
|
|
-ix)
|
|
index="$2"
|
|
shift 2
|
|
;;
|
|
*)
|
|
break
|
|
;;
|
|
esac
|
|
done
|
|
echo "$index: $(tpm2 nvread 0x$index | xxd -pc8)"
|
|
}
|
|
|
|
tpm2_counter_inc() {
|
|
TRACE_FUNC
|
|
while true; do
|
|
case "$1" in
|
|
-ix)
|
|
index="$2"
|
|
shift 2
|
|
;;
|
|
-pwdc)
|
|
pwd="$2"
|
|
shift 2
|
|
;;
|
|
*)
|
|
break
|
|
;;
|
|
esac
|
|
done
|
|
tpm2 nvincrement "0x$index" >/dev/console
|
|
echo "$index: $(tpm2 nvread 0x$index | xxd -pc8)"
|
|
}
|
|
|
|
tpm1_counter_create() {
|
|
TRACE_FUNC
|
|
# tpmr handles the TPM owner password (from cache or prompt), but all
|
|
# other parameters for TPM1 are passed directly, and TPM2 mimics the
|
|
# TPM1 interface.
|
|
prompt_tpm_owner_password
|
|
if ! tpm counter_create -pwdo "$(cat "/tmp/secret/tpm_owner_password")" "$@"; then
|
|
DEBUG "Failed to create counter from tpm1_counter_create. Wiping /tmp/secret/tpm_owner_password"
|
|
shred -n 10 -z -u /tmp/secret/tpm_owner_password
|
|
die "Unable to create counter from tpm1_counter_create"
|
|
fi
|
|
}
|
|
|
|
tpm2_counter_create() {
|
|
TRACE_FUNC
|
|
while true; do
|
|
case "$1" in
|
|
-pwdc)
|
|
pwd="$2"
|
|
shift 2
|
|
;;
|
|
-la)
|
|
label="$2"
|
|
shift 2
|
|
;;
|
|
*)
|
|
break
|
|
;;
|
|
esac
|
|
done
|
|
prompt_tpm_owner_password
|
|
rand_index="1$(dd if=/dev/urandom bs=1 count=3 | xxd -pc3)"
|
|
tpm2 nvdefine -C o -s 8 -a "ownerread|authread|authwrite|nt=1" \
|
|
-P "$(tpm2_password_hex "$(cat "/tmp/secret/tpm_owner_password")")" "0x$rand_index" >/dev/console ||
|
|
{
|
|
DEBUG "Failed to create counter from tpm2_counter_create. Wiping /tmp/secret/tpm_owner_password"
|
|
shred -n 10 -z -u /tmp/secret/tpm_owner_password
|
|
die "Unable to create counter from tpm2_counter_create"
|
|
}
|
|
echo "$rand_index: (valid after an increment)"
|
|
}
|
|
|
|
tpm2_startsession() {
|
|
TRACE_FUNC
|
|
mkdir -p "$SECRET_DIR"
|
|
tpm2 flushcontext -Q \
|
|
--transient-object ||
|
|
die "tpm2_flushcontext: unable to flush transient handles"
|
|
|
|
tpm2 flushcontext -Q \
|
|
--loaded-session ||
|
|
die "tpm2_flushcontext: unable to flush sessions"
|
|
|
|
tpm2 flushcontext -Q \
|
|
--saved-session ||
|
|
die "tpm2_flushcontext: unable to flush saved session"
|
|
tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
|
|
#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
|
|
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" > /dev/null 2>&1
|
|
#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
|
|
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" > /dev/null 2>&1
|
|
tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"
|
|
}
|
|
|
|
# Use cleanup_session() with at_exit to release a TPM2 session and delete the
|
|
# session file. E.g.:
|
|
# at_exit cleanup_session "$SESSION_FILE"
|
|
cleanup_session() {
|
|
TRACE_FUNC
|
|
session_file="$1"
|
|
if [ -f "$session_file" ]; then
|
|
DEBUG "Clean up session: $session_file"
|
|
# Nothing else we can do if this fails, still remove the file
|
|
tpm2 flushcontext -Q "$session_file" || DEBUG "Flush failed for session $session_file"
|
|
rm -f "$session_file"
|
|
else
|
|
DEBUG "No need to clean up session: $session_file"
|
|
fi
|
|
}
|
|
|
|
# Clean up a file by shredding it. No-op if the file wasn't created. Use with
|
|
# at_exit, e.g.:
|
|
# at_exit cleanup_shred "$FILE"
|
|
cleanup_shred() {
|
|
TRACE_FUNC
|
|
shred -n 10 -z -u "$1" 2>/dev/null || true
|
|
}
|
|
|
|
# tpm2_destroy: Destroy a sealed file in the TPM. The mechanism differs by
|
|
# TPM version - TPM2 evicts the file object, so it no longer exists.
|
|
tpm2_destroy() {
|
|
TRACE_FUNC
|
|
index="$1" # Index of the sealed file
|
|
size="$2" # Size of zeroes to overwrite for TPM1 (unused in TPM2)
|
|
|
|
# Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc.
|
|
handle="$(printf "0x81%6s" "$index" | tr ' ' 0)"
|
|
|
|
# remove possible data occupying this handle
|
|
tpm2 evictcontrol -Q -C p -c "$handle" 2>/dev/null ||
|
|
die "Unable to evict secret from TPM NVRAM"
|
|
}
|
|
|
|
# tpm1_destroy: Destroy a sealed file in the TPM. The mechanism differs by
|
|
# TPM version - TPM1 overwrites the file with zeroes, since this can be done
|
|
# without authorization. (Deletion requires authorization.)
|
|
tpm1_destroy() {
|
|
TRACE_FUNC
|
|
index="$1" # Index of the sealed file
|
|
size="$2" # Size of zeroes to overwrite for TPM1
|
|
|
|
dd if=/dev/zero bs="$size" count=1 of=/tmp/wipe-totp-zero
|
|
tpm nv_writevalue -in "$index" -if /tmp/wipe-totp-zero ||
|
|
die "Unable to wipe sealed secret from TPM NVRAM"
|
|
}
|
|
|
|
# tpm2_seal: Seal a file against PCR values and, optionally, a password.
|
|
# If a password is given, both the PCRs and password are required to unseal the
|
|
# file. PCRs are provided as a PCR list and data file. PCR data must be
|
|
# provided - TPM2 allows the TPM to fall back to current PCR values, but it is
|
|
# not required to support this.
|
|
tpm2_seal() {
|
|
TRACE_FUNC
|
|
file="$1" #$KEY_FILE
|
|
index="$2"
|
|
pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
|
|
pcrf="$4"
|
|
sealed_size="$5" # Not used for TPM2
|
|
pass="$6" # May be empty to seal with no password
|
|
tpm_password="$7" # Owner password - will prompt if needed and not empty
|
|
# TPM Owner Password is always needed for TPM2.
|
|
|
|
mkdir -p "$SECRET_DIR"
|
|
bname="$(basename $file)"
|
|
|
|
# Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc.
|
|
handle="$(printf "0x81%6s" "$index" | tr ' ' 0)"
|
|
|
|
DEBUG "tpm2_seal: file=$file handle=$handle pcrl=$pcrl pcrf=$pcrf pass=$(mask_param "$pass")"
|
|
|
|
# Create a policy requiring both PCRs and the object's authentication
|
|
# value using a trial session.
|
|
TRIAL_SESSION="$SECRET_DIR/sealfile_trial.session"
|
|
AUTH_POLICY="$SECRET_DIR/sealfile_auth.policy"
|
|
rm -f "$TRIAL_SESSION" "$AUTH_POLICY"
|
|
tpm2 startauthsession -g sha256 -S "$TRIAL_SESSION"
|
|
# We have to clean up the session
|
|
at_exit cleanup_session "$TRIAL_SESSION"
|
|
# Save the policy hash in case the password policy is not used (we have
|
|
# to get this from the last step, whichever it is).
|
|
tpm2 policypcr -Q -l "sha256:$pcrl" -f "$pcrf" -S "$TRIAL_SESSION" -L "$AUTH_POLICY"
|
|
CREATE_PASS_ARGS=()
|
|
if [ "$pass" ]; then
|
|
# Add an object authorization policy (the object authorization
|
|
# will be the password). Save the digest, this is the resulting
|
|
# policy.
|
|
tpm2 policypassword -Q -S "$TRIAL_SESSION" -L "$AUTH_POLICY"
|
|
# Pass the password to create later. Pass the sha256sum of the
|
|
# password to the TPM so the password is not limited to 32 chars
|
|
# in length.
|
|
CREATE_PASS_ARGS=(-p "$(tpm2_password_hex "$pass")")
|
|
fi
|
|
|
|
# Create the object with this policy and the auth value.
|
|
# NOTE: We disable USERWITHAUTH and enable ADMINWITHPOLICY so the
|
|
# password cannot be used on its own, the PCRs are also required.
|
|
# (The default is to allow either policy auth _or_ password auth. In
|
|
# this case the policy includes the password, and we don't want to allow
|
|
# the password on its own.)
|
|
tpm2 create -Q -C "$PRIMARY_HANDLE_FILE" \
|
|
-i "$file" \
|
|
-u "$SECRET_DIR/$bname.priv" \
|
|
-r "$SECRET_DIR/$bname.pub" \
|
|
-L "$AUTH_POLICY" \
|
|
-S "$DEC_SESSION_FILE" \
|
|
-a "fixedtpm|fixedparent|adminwithpolicy" \
|
|
"${CREATE_PASS_ARGS[@]}"
|
|
|
|
tpm2 load -Q -C "$PRIMARY_HANDLE_FILE" \
|
|
-u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" \
|
|
-c "$SECRET_DIR/$bname.seal.ctx"
|
|
prompt_tpm_owner_password
|
|
# remove possible data occupying this handle
|
|
tpm2 evictcontrol -Q -C o -P "$(tpm2_password_hex "$tpm_owner_password")" \
|
|
-c "$handle" 2>/dev/null || true
|
|
DO_WITH_DEBUG --mask-position 6 \
|
|
tpm2 evictcontrol -Q -C o -P "$(tpm2_password_hex "$tpm_owner_password")" \
|
|
-c "$SECRET_DIR/$bname.seal.ctx" "$handle" ||
|
|
{
|
|
DEBUG "Failed to write sealed secret to NVRAM from tpm2_seal. Wiping /tmp/secret/tpm_owner_password"
|
|
shred -n 10 -z -u /tmp/secret/tpm_owner_password
|
|
die "Unable to write sealed secret to TPM NVRAM"
|
|
}
|
|
}
|
|
tpm1_seal() {
|
|
TRACE_FUNC
|
|
file="$1"
|
|
index="$2"
|
|
pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
|
|
pcrf="$4"
|
|
sealed_size="$5"
|
|
pass="$6" # May be empty to seal with no password
|
|
tpm_owner_password="$7" # Owner password - will prompt if needed and not empty
|
|
|
|
sealed_file="$SECRET_DIR/tpm1_seal_sealed.bin"
|
|
at_exit cleanup_shred "$sealed_file"
|
|
|
|
POLICY_ARGS=()
|
|
|
|
DEBUG "tpm1_seal arguments: file=$file index=$index pcrl=$pcrl pcrf=$pcrf sealed_size=$sealed_size pass=$(mask_param "$pass") tpm_password=$(mask_param "$tpm_password")"
|
|
|
|
|
|
# If a password was given, add it to the policy arguments
|
|
if [ "$pass" ]; then
|
|
POLICY_ARGS+=(-pwdd "$pass")
|
|
fi
|
|
|
|
# Transform the PCR list and PCR file to discrete arguments
|
|
IFS=',' read -r -a PCR_LIST <<<"$pcrl"
|
|
pcr_file_index=0
|
|
for pcr in "${PCR_LIST[@]}"; do
|
|
# Read each PCR_SIZE block from the file and pass as hex
|
|
POLICY_ARGS+=(-ix "$pcr"
|
|
"$(dd if="$pcrf" skip="$pcr_file_index" bs="$PCR_SIZE" count=1 status=none | xxd -p | tr -d ' ')"
|
|
)
|
|
pcr_file_index=$((pcr_file_index + 1))
|
|
done
|
|
|
|
tpm sealfile2 \
|
|
-if "$file" \
|
|
-of "$sealed_file" \
|
|
-hk 40000000 \
|
|
"${POLICY_ARGS[@]}"
|
|
|
|
# try it without the TPM Owner Password first
|
|
if ! tpm nv_writevalue -in "$index" -if "$sealed_file"; then
|
|
# to create an nvram space we need the TPM Owner Password
|
|
# and the TPM physical presence must be asserted.
|
|
#
|
|
# The permissions are 0 since there is nothing special
|
|
# about the sealed file
|
|
tpm physicalpresence -s ||
|
|
warn "Unable to assert physical presence"
|
|
|
|
prompt_tpm_owner_password
|
|
|
|
tpm nv_definespace -in "$index" -sz "$sealed_size" \
|
|
-pwdo "$tpm_owner_password" -per 0 ||
|
|
warn "Unable to define TPM NVRAM space; trying anyway"
|
|
|
|
tpm nv_writevalue -in "$index" -if "$sealed_file" ||
|
|
{
|
|
DEBUG "Failed to write sealed secret to NVRAM from tpm1_seal. Wiping /tmp/secret/tpm_owner_password"
|
|
shred -n 10 -z -u /tmp/secret/tpm_owner_password
|
|
die "Unable to write sealed secret to TPM NVRAM"
|
|
}
|
|
fi
|
|
}
|
|
|
|
# Unseal a file sealed by tpm2_seal. The PCR list must be provided, the
|
|
# password must be provided if one was used to seal (and cannot be provided if
|
|
# no password was used to seal).
|
|
tpm2_unseal() {
|
|
TRACE_FUNC
|
|
index="$1"
|
|
pcrl="$2" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
|
|
sealed_size="$3"
|
|
file="$4"
|
|
pass="$5"
|
|
|
|
# TPM2 doesn't care about sealed_size, only TPM1 needs that. We don't
|
|
# have to separately read the sealed file on TPM2.
|
|
|
|
# Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc.
|
|
handle="$(printf "0x81%6s" "$index" | tr ' ' 0)"
|
|
|
|
DEBUG "tpm2_unseal: handle=$handle pcrl=$pcrl file=$file pass=$(mask_param "$pass")"
|
|
|
|
# If we don't have the primary handle (TPM hasn't been reset), tpm2 will
|
|
# print nonsense error messages about an unexpected handle value. We
|
|
# can't do anything without a primary handle.
|
|
if [ ! -f "$PRIMARY_HANDLE_FILE" ]; then
|
|
DEBUG "tpm2_unseal: No primary handle, cannot attempt to unseal"
|
|
warn "No TPM primary handle. You must reset TPM to seal secret to TPM NVRAM"
|
|
exit 1
|
|
fi
|
|
|
|
POLICY_SESSION="$SECRET_DIR/unsealfile_policy.session"
|
|
rm -f "$POLICY_SESSION"
|
|
tpm2 startauthsession -Q -g sha256 -S "$POLICY_SESSION" --policy-session
|
|
at_exit cleanup_session "$POLICY_SESSION"
|
|
# Check the PCR policy
|
|
tpm2 policypcr -Q -l "sha256:$pcrl" -S "$POLICY_SESSION"
|
|
UNSEAL_PASS_SUFFIX=""
|
|
|
|
if [ "$pass" ]; then
|
|
# Add the object authorization policy (the actual password is
|
|
# provided later, but we must include this so the policy we
|
|
# attempt to use is correct).
|
|
tpm2 policypassword -Q -S "$POLICY_SESSION"
|
|
# When unsealing, include the password with the auth session
|
|
UNSEAL_PASS_SUFFIX="+$(tpm2_password_hex "$pass")"
|
|
fi
|
|
|
|
tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
|
|
-S "$ENC_SESSION_FILE" >"$file"
|
|
}
|
|
tpm1_unseal() {
|
|
TRACE_FUNC
|
|
index="$1"
|
|
pcrl="$2"
|
|
sealed_size="$3"
|
|
file="$4"
|
|
pass="$5"
|
|
|
|
# pcrl (the PCR list) is unused in TPM1. The TPM itself knows which
|
|
# PCRs were used to seal and checks them. We can't verify that it's
|
|
# correct either, so just ignore it in TPM1.
|
|
|
|
sealed_file="$SECRET_DIR/tpm1_unseal_sealed.bin"
|
|
at_exit cleanup_shred "$sealed_file"
|
|
|
|
rm -f "$sealed_file"
|
|
|
|
tpm nv_readvalue \
|
|
-in "$index" \
|
|
-sz "$sealed_size" \
|
|
-of "$sealed_file" ||
|
|
die "Unable to read sealed file from TPM NVRAM"
|
|
|
|
PASS_ARGS=()
|
|
if [ "$pass" ]; then
|
|
PASS_ARGS=(-pwdd "$pass")
|
|
fi
|
|
|
|
tpm unsealfile \
|
|
-if "$sealed_file" \
|
|
-of "$file" \
|
|
"${PASS_ARGS[@]}" \
|
|
-hk 40000000
|
|
}
|
|
|
|
tpm2_reset() {
|
|
TRACE_FUNC
|
|
tpm_owner_password="$1"
|
|
mkdir -p "$SECRET_DIR"
|
|
# output TPM Owner Password to a file to be reused in this boot session until recovery shell/reboot
|
|
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
|
|
echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
|
|
tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy"
|
|
tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")"
|
|
tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")"
|
|
tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \
|
|
-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")"
|
|
tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \
|
|
-P "$(tpm2_password_hex "$tpm_owner_password")"
|
|
shred -u "$SECRET_DIR/primary.ctx"
|
|
tpm2_startsession
|
|
|
|
# Set the dictionary attack parameters. TPM2 defaults vary widely, we
|
|
# want consistent behavior on any TPM.
|
|
# * --max-tries=10: Allow 10 failures before lockout. This allows the
|
|
# user to quickly "burst" 10 failures without significantly impacting
|
|
# the rate allowed for a dictionary attacker.
|
|
# Most TPM2 flows ask for the TPM Owner Password 2-4 times, so this allows
|
|
# a handful of mistypes and some headroom for an expected unseal
|
|
# failure if firmware is updated.
|
|
# Remember that an auth failure is also counted any time an unclean
|
|
# shutdown occurs (see TPM2 spec part 1, section 19.8.6, "Non-orderly
|
|
# Shutdown").
|
|
# * --recovery-time=3600: Forget an auth failure every 1 hour.
|
|
# * --lockout-recovery-time: After a failed lockout recovery auth, the
|
|
# TPM must be reset to try again.
|
|
#
|
|
# Heads does not offer a way to reset dictionary attack lockout, instead
|
|
# the TPM can be reset and new secrets sealed.
|
|
tpm2 dictionarylockout -Q --setup-parameters \
|
|
--max-tries=10 \
|
|
--recovery-time=3600 \
|
|
--lockout-recovery-time=0 \
|
|
--auth="session:$ENC_SESSION_FILE"
|
|
|
|
# Set a random DA lockout password, so the DA lockout can't be cleared
|
|
# with a password. Heads doesn't offer dictionary attach reset, instead
|
|
# the TPM can be reset and new secrets sealed.
|
|
#
|
|
# The default lockout password is empty, so we must set this, and we
|
|
# don't need to provide any auth (use the default empty password).
|
|
tpm2 changeauth -Q -c lockout \
|
|
"hex:$(dd if=/dev/urandom bs=32 count=1 status=none | xxd -p | tr -d ' \n')"
|
|
}
|
|
tpm1_reset() {
|
|
TRACE_FUNC
|
|
tpm_owner_password="$1"
|
|
mkdir -p "$SECRET_DIR"
|
|
# output tpm_owner_password to a file to be reused in this boot session until recovery shell/reboot
|
|
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
|
|
echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
|
|
# Make sure the TPM is ready to be reset
|
|
tpm physicalpresence -s
|
|
tpm physicalenable
|
|
tpm physicalsetdeactivated -c
|
|
tpm forceclear
|
|
tpm physicalenable
|
|
tpm takeown -pwdo "$tpm_owner_password"
|
|
|
|
# And now turn it all back on
|
|
tpm physicalpresence -s
|
|
tpm physicalenable
|
|
tpm physicalsetdeactivated -c
|
|
}
|
|
|
|
# Perform final cleanup before boot and lock the platform heirarchy.
|
|
tpm2_kexec_finalize() {
|
|
TRACE_FUNC
|
|
|
|
# Flush sessions and transient objects
|
|
tpm2 flushcontext -Q --transient-object ||
|
|
warn "tpm2_flushcontext: unable to flush transient handles"
|
|
tpm2 flushcontext -Q --loaded-session ||
|
|
warn "tpm2_flushcontext: unable to flush sessions"
|
|
tpm2 flushcontext -Q --saved-session ||
|
|
warn "tpm2_flushcontext: unable to flush saved session"
|
|
|
|
# Add a random passphrase to platform hierarchy to prevent TPM2 from
|
|
# being cleared in the OS.
|
|
# This passphrase is only effective before the next boot.
|
|
echo "Locking TPM2 platform hierarchy..."
|
|
randpass=$(dd if=/dev/urandom bs=4 count=1 status=none | xxd -p)
|
|
tpm2 changeauth -c platform "$randpass" ||
|
|
warn "Failed to lock platform hierarchy of TPM2"
|
|
}
|
|
|
|
tpm2_shutdown() {
|
|
TRACE_FUNC
|
|
|
|
# Prepare for shutdown.
|
|
# This is a "clear" shutdown (do not preserve runtime state) since we
|
|
# are not going to resume later, we are powering off (or rebooting).
|
|
tpm2 shutdown -Q --clear
|
|
}
|
|
|
|
if [ "$CONFIG_TPM" != "y" ]; then
|
|
echo >&2 "No TPM!"
|
|
exit 1
|
|
fi
|
|
|
|
# TPM1 - most commands forward directly to tpm, but some are still wrapped for
|
|
# consistency with tpm2.
|
|
if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
|
|
PCR_SIZE=20 # TPM1 PCRs are always SHA-1
|
|
subcmd="$1"
|
|
# Don't shift yet, for most commands we will just forward to tpm.
|
|
case "$subcmd" in
|
|
pcrread)
|
|
shift
|
|
tpm1_pcrread "$@"
|
|
;;
|
|
pcrsize)
|
|
echo "$PCR_SIZE"
|
|
;;
|
|
calcfuturepcr)
|
|
shift
|
|
replay_pcr "sha1" "$@"
|
|
;;
|
|
counter_create)
|
|
shift
|
|
tpm1_counter_create "$@"
|
|
;;
|
|
destroy)
|
|
shift
|
|
tpm1_destroy "$@"
|
|
;;
|
|
extend)
|
|
#check if we extend with a hash or a file
|
|
if [ "$4" = "-if" ]; then
|
|
DEBUG "TPM: Will extend PCR[$3] hash content of file $5"
|
|
hash="$(sha1sum "$5" | cut -d' ' -f1)"
|
|
elif [ "$4" = "-ic" ]; then
|
|
string=$(echo -n "$5")
|
|
DEBUG "TPM: Will extend PCR[$3] with hash of filename $string"
|
|
hash="$(echo -n "$5" | sha1sum | cut -d' ' -f1)"
|
|
fi
|
|
|
|
TRACE_FUNC
|
|
DEBUG "TPM: Extending PCR[$3] with hash $hash"
|
|
DO_WITH_DEBUG exec tpm "$@"
|
|
;;
|
|
seal)
|
|
shift
|
|
tpm1_seal "$@"
|
|
;;
|
|
startsession) ;; # Nothing on TPM1.
|
|
unseal)
|
|
shift
|
|
tpm1_unseal "$@"
|
|
;;
|
|
reset)
|
|
shift
|
|
tpm1_reset "$@"
|
|
;;
|
|
kexec_finalize) ;; # Nothing on TPM1.
|
|
shutdown) ;; # Nothing on TPM1.
|
|
*)
|
|
DEBUG "Direct translation from tpmr to tpm1 call"
|
|
DO_WITH_DEBUG exec tpm "$@"
|
|
;;
|
|
esac
|
|
exit 0
|
|
fi
|
|
|
|
# TPM2 - all commands implemented as wrappers around tpm2
|
|
PCR_SIZE=32 # We use the SHA-256 PCRs
|
|
subcmd="$1"
|
|
shift 1
|
|
case "$subcmd" in
|
|
pcrread)
|
|
tpm2_pcrread "$@"
|
|
;;
|
|
pcrsize)
|
|
echo "$PCR_SIZE"
|
|
;;
|
|
calcfuturepcr)
|
|
replay_pcr "sha256" "$@"
|
|
;;
|
|
extend)
|
|
TRACE_FUNC
|
|
DEBUG "TPM: Extending PCR[$2] with $4"
|
|
tpm2_extend "$@"
|
|
;;
|
|
counter_read)
|
|
tpm2_counter_read "$@"
|
|
;;
|
|
counter_increment)
|
|
tpm2_counter_inc "$@"
|
|
;;
|
|
counter_create)
|
|
tpm2_counter_create "$@"
|
|
;;
|
|
destroy)
|
|
tpm2_destroy "$@"
|
|
;;
|
|
seal)
|
|
tpm2_seal "$@"
|
|
;;
|
|
startsession)
|
|
tpm2_startsession "$@"
|
|
;;
|
|
unseal)
|
|
tpm2_unseal "$@"
|
|
;;
|
|
reset)
|
|
tpm2_reset "$@"
|
|
;;
|
|
kexec_finalize)
|
|
tpm2_kexec_finalize "$@"
|
|
;;
|
|
shutdown)
|
|
tpm2_shutdown "$@"
|
|
;;
|
|
*)
|
|
echo "Command $subcmd not wrapped!"
|
|
exit 1
|
|
;;
|
|
esac
|