mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-18 18:57:04 +00:00
b500505312
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and shouldn't, the differences should be localized). Some checks were incorrect and are fixed by this change. Most checks are now unchanged relative to master. There are not that many places outside of tpmr that need to differentiate TPM1 and TPM2. Some of those are duplicate code that should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and some more are probably good candidates for abstracting in tpmr so the business logic doesn't have to know TPM1 vs. TPM2. Previously, CONFIG_TPM could be variously 'y', 'n', or empty. Now it is always 'y' or 'n', and 'y' means "any TPM". Board configs are unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this doesn't have to be duplicated and can't be mistakenly mismatched. There were a few checks for CONFIG_TPM = n that only coincidentally worked for TPM2 because CONFIG_TPM was empty (not 'n'). This test is now OK, but the checks were also cleaned up to '!= "y"' for robustness. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
86 lines
2.0 KiB
Bash
Executable File
86 lines
2.0 KiB
Bash
Executable File
#!/bin/bash
|
|
# This will unseal and unecncrypt the drive encryption key from the TPM
|
|
# The TOTP secret will be shown to the user on each encryption attempt.
|
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
|
set -e -o pipefail
|
|
. /etc/functions
|
|
|
|
TPM_INDEX=3
|
|
TPM_SIZE=312
|
|
|
|
. /etc/functions
|
|
mkdir -p /tmp/secret
|
|
|
|
sealed_file="/tmp/secret/sealed.key"
|
|
key_file="$1"
|
|
|
|
if [ -z "$key_file" ]; then
|
|
key_file="/tmp/secret/secret.key"
|
|
fi
|
|
|
|
echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
|
|
echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
|
|
echo "DEBUG: Show PCRs"
|
|
pcrs
|
|
|
|
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
|
if [ "$CONFIG_ATTEST_TOOLS" = "y" ]; then
|
|
echo "Bring up network for remote attestation"
|
|
network-init-recovery
|
|
fi
|
|
for tries in 1 2 3; do
|
|
if [ "$CONFIG_AUTO_UNLOCK" = "y" ]; then
|
|
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" > "$key_file"
|
|
else
|
|
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "file:-" > "$key_file"
|
|
fi
|
|
|
|
if [ $? -eq 0 ]; then
|
|
# should be okay if this fails
|
|
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
|
|
exit 0
|
|
fi
|
|
|
|
pcrs
|
|
warn "Unable to unseal disk encryption key"
|
|
done
|
|
elif [ "$CONFIG_TPM" = "y" ]; then
|
|
tpm nv_readvalue \
|
|
-in "$TPM_INDEX" \
|
|
-sz "$TPM_SIZE" \
|
|
-of "$sealed_file" \
|
|
|| die "Unable to read key from TPM NVRAM"
|
|
|
|
for tries in 1 2 3; do
|
|
if [ "$CONFIG_AUTO_UNLOCK" != y ]; then
|
|
read -s -p "Enter unlock password (blank to abort): " tpm_password
|
|
echo
|
|
if [ -z "$tpm_password" ]; then
|
|
die "Aborting unseal disk encryption key"
|
|
fi
|
|
|
|
tpm unsealfile \
|
|
-if "$sealed_file" \
|
|
-of "$key_file" \
|
|
-pwdd "$tpm_password" \
|
|
-hk 40000000
|
|
else
|
|
tpm unsealfile \
|
|
-if "$sealed_file" \
|
|
-of "$key_file" \
|
|
-hk 40000000
|
|
fi
|
|
|
|
if [ $? -eq 0 ]; then
|
|
# should be okay if this fails
|
|
shred -n 10 -z -u /tmp/secret/sealed 2> /dev/null || true
|
|
exit 0
|
|
fi
|
|
|
|
pcrs
|
|
warn "Unable to unseal disk encryption key"
|
|
done
|
|
fi
|
|
|
|
die "Retry count exceeded..."
|