ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-29 17:28:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b500505312
heads/initrd/bin/unseal-hotp
Jonathon Hall b500505312
tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1. 
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and
shouldn't, the differences should be localized).  Some checks were
incorrect and are fixed by this change.  Most checks are now unchanged
relative to master.

There are not that many places outside of tpmr that need to
differentiate TPM1 and TPM2.  Some of those are duplicate code that
should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and
some more are probably good candidates for abstracting in tpmr so the
business logic doesn't have to know TPM1 vs. TPM2.

Previously, CONFIG_TPM could be variously 'y', 'n', or empty.  Now it
is always 'y' or 'n', and 'y' means "any TPM".  Board configs are
unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this
doesn't have to be duplicated and can't be mistakenly mismatched.

There were a few checks for CONFIG_TPM = n that only coincidentally
worked for TPM2 because CONFIG_TPM was empty (not 'n').  This test is
now OK, but the checks were also cleaned up to '!= "y"' for robustness.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00

79 lines
2.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp
. /etc/functions
HOTP_SEALED="/tmp/secret/hotp.sealed"
HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot_or_die()
{
TRACE "Under /bin/unseal-hotp:mount_boot_or_die"
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| die "Unable to mount /boot"
fi
}
TRACE "Under /bin/unseal-hotp"
# Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots
# get current value of HOTP counter in TPM, create if absent
mount_boot_or_die
#check_tpm_counter $HOTP_COUNTER hotp \
#|| die "Unable to find/create TPM counter"
#counter="$TPM_COUNTER"
#
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
#
counter_value=$(cat $HOTP_COUNTER)
if [ "$counter_value" == "" ]; then
die "Unable to read HOTP counter"
fi
#counter_value=$(printf "%d" 0x${counter_value})
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
tpmr unseal 0x81004d47 sha256:0,1,2,3,4,7 >> "$HOTP_SECRET"
elif [ "$CONFIG_TPM" = "y" ]; then
tpm nv_readvalue \
-in 4d47 \
-sz 312 \
-of "$HOTP_SEALED" \
|| die "Unable to retrieve sealed file from TPM NV"
tpm unsealfile \
-hk 40000000 \
-if "$HOTP_SEALED" \
-of "$HOTP_SECRET" \
|| die "Unable to unseal HOTP secret"
fi
shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
if ! hotp $counter_value < "$HOTP_SECRET"; then
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die 'Unable to compute HOTP hash?'
fi
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
mount -o remount,rw /boot
counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
|| die "Unable to create hotp counter file"
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
mount -o remount,ro /boot
exit 0
Reference in New Issue View Git Blame Copy Permalink