ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-19 04:57:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9b4eb8df71
heads/initrd/bin/kexec-unseal-key
Thierry Laurion 4910c1188f
TPM Disk Unlock Key sealing/renewal cleanup (Triggered automatically when resealing TOTP) 
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was setuped, the user is guided into:
  - Regenerating checksums and signing them
  - Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
  - LUKS header being modified, user is asked to resign kexec.sig one last time prior of being able to default boot
- When no previous Disk Unlock Key was setuped, the user is guided into:
  - The above, plus
    - Detection of LUKS containers,suggesting only relevant partitions

- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
  - Were missing under TPM Disk Unlock Key setup codepaths

- Fixes for #645 : We now check if only one slots exists and we do not use it if its slot1.
  - Also shows in DEBUG traces now

Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attaction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
2023-08-30 18:06:29 -04:00

48 lines
1005 B
Bash
Executable File
Raw Blame History

#!/bin/bash
# This will unseal and unecncrypt the drive encryption key from the TPM
# The TOTP secret will be shown to the user on each encryption attempt.
# It will then need to be bundled into initrd that is booted with Qubes.
set -e -o pipefail
. /etc/functions
TPM_INDEX=3
TPM_SIZE=312
. /etc/functions
TRACE "Under kexec-unseal-key"
mkdir -p /tmp/secret
key_file="$1"
if [ -z "$key_file" ]; then
key_file="/tmp/secret/secret.key"
fi
DEBUG "CONFIG_TPM: $CONFIG_TPM"
DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
DEBUG "Show PCRs"
DEBUG "$(pcrs)"
for tries in 1 2 3; do
read -s -p "Enter LUKS Disk Unlock Key passphrase (blank to abort): " tpm_password
echo
if [ -z "$tpm_password" ]; then
die "Aborting unseal disk encryption key"
fi
DO_WITH_DEBUG --mask-position 6 \
tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \
"$key_file" "$tpm_password"
if [ "$?" -eq 0 ]; then
exit 0
fi
pcrs
warn "Unable to unseal disk encryption key"
done
die "Retry count exceeded..."
Reference in New Issue View Git Blame Copy Permalink