mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-21 12:04:57 +00:00
39cb4031f4
Issue #123: This streamline Qubes startup experience by making it possible to have a single-password decryption. Issue #29: The disk keys in `/secret.key` are passed to the systemd in initramfs through `/etc/crypttab`, which is generated on each boot. This is slow; need to look at alternate ways. Issue #110: By using LVM instead of partitions it is now possible to find the root filesystem in a consistent way. Issue #80: LVM is now included in the ROM.
120 lines
2.9 KiB
Bash
Executable File
120 lines
2.9 KiB
Bash
Executable File
#!/bin/sh
|
|
# This will generate a disk encryption key and seal / ecncrypt
|
|
# with the current PCRs and then store it in the TPM NVRAM.
|
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
|
|
|
TPM_INDEX=3
|
|
TPM_SIZE=312
|
|
KEY_FILE=/tmp/secret.key
|
|
|
|
. /config
|
|
|
|
die() {
|
|
echo >&2 "$@";
|
|
rm -f /tmp/secret.key /tmp/recovery.key /tmp/sealed
|
|
exit 1;
|
|
}
|
|
warn() { echo >&2 "$@"; }
|
|
|
|
# Activate the LVM volume group
|
|
VOLUME_GROUP=qubes_dom0
|
|
lvm vgchange -a y $VOLUME_GROUP \
|
|
|| die "$VOLUME_GROUP: unable to activate volume group"
|
|
|
|
# Key slot 0 is the manual recovery pass phrase
|
|
# that they user entered when they installed Qubes,
|
|
# key slot 1 is the one that we've generated.
|
|
read -s -p "Enter disk recovery key: " disk_password
|
|
echo -n "$disk_password" > /tmp/recovery.key
|
|
echo
|
|
|
|
# Remove all the old keys from slot 1
|
|
for dev in /dev/$VOLUME_GROUP/*; do
|
|
echo "++++++ $dev: Removing old key slot"
|
|
cryptsetup luksKillSlot \
|
|
--key-file /tmp/recovery.key \
|
|
$dev 1 \
|
|
|| warn "$dev: ignoring problem"
|
|
done
|
|
|
|
read -s -p "New disk decryption password for booting: " key_password
|
|
echo
|
|
read -s -p "Repeat password: " key_password2
|
|
echo
|
|
|
|
if [ "$key_password" != "$key_password2" ]; then
|
|
die "Key passwords do not match"
|
|
fi
|
|
|
|
dd \
|
|
if=/dev/urandom \
|
|
of="$KEY_FILE" \
|
|
bs=1 \
|
|
count=128 \
|
|
2>/dev/null \
|
|
|| die "Unable to generate 128 random bytes"
|
|
|
|
for dev in /dev/$VOLUME_GROUP/*; do
|
|
echo "+++++ $dev: Adding key"
|
|
cryptsetup luksAddKey \
|
|
--key-file /tmp/recovery.key \
|
|
--key-slot 1 \
|
|
$dev "$KEY_FILE" \
|
|
|| die "$dev: Unable to add key"
|
|
done
|
|
|
|
# Now that we have setup the new keys, measure the PCRs
|
|
/bin/qubes-measure-luks /dev/$VOLUME_GROUP/* \
|
|
|| die "Unable to measure the LUKS headers"
|
|
|
|
# Note that PCR 4 needs to be set with the "normal-boot"
|
|
# path value, which we do not have right now since we are
|
|
# in a recovery shell.
|
|
# PCR 5 must be all zero since no kernel modules should have
|
|
# been loaded during a normal boot, but might have been
|
|
# loaded in the recovery shell.
|
|
# Otherwise use the current values of the PCRs, which will be read
|
|
# from the TPM as part of the sealing ("X").
|
|
tpm sealfile2 \
|
|
-if "$KEY_FILE" \
|
|
-of /tmp/sealed \
|
|
-pwdd "$key_password" \
|
|
-hk 40000000 \
|
|
-ix 0 X \
|
|
-ix 1 X \
|
|
-ix 2 X \
|
|
-ix 3 X \
|
|
-ix 4 f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d \
|
|
-ix 5 0000000000000000000000000000000000000000 \
|
|
-ix 6 X \
|
|
|| die "Unable to seal secret"
|
|
|
|
rm -f "$KEY_FILE"
|
|
|
|
|
|
# to create an nvram space we need the TPM owner password
|
|
# and the TPM physical presence must be asserted.
|
|
#
|
|
# The permissions are 0 since there is nothing special
|
|
# about the sealed file
|
|
tpm physicalpresence -s \
|
|
|| warn "Warning: Unable to assert physical presence"
|
|
|
|
read -s -p "TPM Owner password: " tpm_password
|
|
echo
|
|
|
|
tpm nv_definespace \
|
|
-in $TPM_INDEX \
|
|
-sz $TPM_SIZE \
|
|
-pwdo "$tpm_password" \
|
|
-per 0 \
|
|
|| warn "Warning: Unable to define NVRAM space; trying anyway"
|
|
|
|
|
|
tpm nv_writevalue \
|
|
-in $TPM_INDEX \
|
|
-if /tmp/sealed \
|
|
|| die "Unable to write sealed secret to NVRAM"
|
|
|
|
rm /tmp/sealed
|