mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-20 21:43:11 +00:00
b6bd682cb3
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
72 lines
2.3 KiB
Bash
Executable File
72 lines
2.3 KiB
Bash
Executable File
#!/bin/bash
|
|
# Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp
|
|
|
|
. /etc/functions
|
|
|
|
HOTP_SECRET="/tmp/secret/hotp.key"
|
|
HOTP_COUNTER="/boot/kexec_hotp_counter"
|
|
|
|
mount_boot_or_die() {
|
|
TRACE_FUNC
|
|
# Mount local disk if it is not already mounted
|
|
if ! grep -q /boot /proc/mounts; then
|
|
mount -o ro /boot ||
|
|
die "Unable to mount /boot"
|
|
fi
|
|
}
|
|
|
|
TRACE_FUNC
|
|
|
|
# Store counter in file instead of TPM for now, as it conflicts with Heads
|
|
# config TPM counter as TPM 1.2 can only increment one counter between reboots
|
|
# get current value of HOTP counter in TPM, create if absent
|
|
mount_boot_or_die
|
|
|
|
#check_tpm_counter $HOTP_COUNTER hotp \
|
|
#|| die "Unable to find/create TPM counter"
|
|
#counter="$TPM_COUNTER"
|
|
#
|
|
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
|
|
#
|
|
|
|
counter_value=$(cat $HOTP_COUNTER)
|
|
|
|
if [ "$counter_value" == "" ]; then
|
|
die "Unable to read HOTP counter"
|
|
fi
|
|
|
|
#counter_value=$(printf "%d" 0x${counter_value})
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..."
|
|
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" || die "Unable to unseal HOTP secret"
|
|
else
|
|
# without a TPM, generate a secret based on the SHA-256 of the ROM
|
|
secret_from_rom_hash >"$HOTP_SECRET" || die "Reading ROM failed"
|
|
fi
|
|
|
|
# Truncate the secret if it is longer than the maximum HOTP secret
|
|
truncate_max_bytes 20 "$HOTP_SECRET"
|
|
|
|
if ! hotp $counter_value <"$HOTP_SECRET"; then
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
|
|
die 'Unable to compute HOTP hash?'
|
|
fi
|
|
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
|
|
|
|
#Incrementing counter under $HOTP_COUNTER
|
|
#
|
|
# If for whatever reason, this counter is 5 counts different then on HOTP USB Security dongle, HOTP unseal fails.
|
|
#Note: HOTP_COUNTER="/boot/kexec_hotp_counter" is not detached signed under kexec.sig since it changes
|
|
#
|
|
# TODO: figure out a better alternative then a counter that can be modified on disk
|
|
# As of now, this counter isincreased only in the validated presence of the HOTP dongle being connected per callers
|
|
mount -o remount,rw /boot
|
|
DEBUG "Incrementing HOTP counter under $HOTP_COUNTER"
|
|
counter_value=$(expr $counter_value + 1)
|
|
echo $counter_value >$HOTP_COUNTER ||
|
|
die "Unable to create hotp counter file"
|
|
mount -o remount,ro /boot
|
|
|
|
exit 0
|