mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 15:16:42 +00:00
b500505312
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and shouldn't, the differences should be localized). Some checks were incorrect and are fixed by this change. Most checks are now unchanged relative to master. There are not that many places outside of tpmr that need to differentiate TPM1 and TPM2. Some of those are duplicate code that should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and some more are probably good candidates for abstracting in tpmr so the business logic doesn't have to know TPM1 vs. TPM2. Previously, CONFIG_TPM could be variously 'y', 'n', or empty. Now it is always 'y' or 'n', and 'y' means "any TPM". Board configs are unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this doesn't have to be duplicated and can't be mistakenly mismatched. There were a few checks for CONFIG_TPM = n that only coincidentally worked for TPM2 because CONFIG_TPM was empty (not 'n'). This test is now OK, but the checks were also cleaned up to '!= "y"' for robustness. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
105 lines
2.8 KiB
Bash
Executable File
105 lines
2.8 KiB
Bash
Executable File
#!/bin/bash
|
|
# Generate a random secret, seal it with the PCRs
|
|
# and write it to the TPM NVRAM.
|
|
#
|
|
# Pass in a hostname if you want to change it from the default string
|
|
#
|
|
|
|
. /etc/functions
|
|
|
|
TRACE "Under /bin/seal-totp"
|
|
|
|
TPM_NVRAM_SPACE=4d47
|
|
|
|
HOST="$1"
|
|
if [ -z "$HOST" ]; then
|
|
HOST="TPMTOTP"
|
|
fi
|
|
|
|
TOTP_SECRET="/tmp/secret/totp.key"
|
|
TOTP_SEALED="/tmp/secret/totp.sealed"
|
|
|
|
dd \
|
|
if=/dev/urandom \
|
|
of="$TOTP_SECRET" \
|
|
count=1 \
|
|
bs=20 \
|
|
2>/dev/null \
|
|
|| die "Unable to generate 20 random bytes"
|
|
|
|
secret="`base32 < $TOTP_SECRET`"
|
|
if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
|
|
# Use the current values of the PCRs, which will be read
|
|
# from the TPM as part of the sealing ("X").
|
|
# PCR4 == 0 means that we are still in the boot process and
|
|
# not a recovery shell.
|
|
# should this read the storage root key?
|
|
if ! tpm sealfile2 \
|
|
-if "$TOTP_SECRET" \
|
|
-of "$TOTP_SEALED" \
|
|
-hk 40000000 \
|
|
-ix 0 X \
|
|
-ix 1 X \
|
|
-ix 2 X \
|
|
-ix 3 X \
|
|
-ix 4 0000000000000000000000000000000000000000 \
|
|
-ix 7 X \
|
|
; then
|
|
shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
|
|
die "Unable to seal secret"
|
|
fi
|
|
|
|
shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
|
|
|
|
|
|
# to create an nvram space we need the TPM owner password
|
|
# and the TPM physical presence must be asserted.
|
|
#
|
|
# The permissions are 0 since there is nothing special
|
|
# about the sealed file
|
|
tpm physicalpresence -s \
|
|
|| warn "Warning: Unable to assert physical presence"
|
|
|
|
# Try to write it without the password first, and then create
|
|
# the NVRAM space using the owner password if it fails for some reason.
|
|
if ! tpm nv_writevalue \
|
|
-in $TPM_NVRAM_SPACE \
|
|
-if "$TOTP_SEALED" \
|
|
; then
|
|
warn 'NVRAM space does not exist? Owner password is required'
|
|
read -s -p "TPM Owner password: " tpm_password
|
|
echo
|
|
|
|
tpm nv_definespace \
|
|
-in $TPM_NVRAM_SPACE \
|
|
-sz 312 \
|
|
-pwdo "$tpm_password" \
|
|
-per 0 \
|
|
|| die "Unable to define NVRAM space"
|
|
|
|
tpm nv_writevalue \
|
|
-in $TPM_NVRAM_SPACE \
|
|
-if "$TOTP_SEALED" \
|
|
|| die "Unable to write sealed secret to NVRAM"
|
|
fi
|
|
elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
|
|
pcrf="/tmp/secret/pcrf.bin"
|
|
tpm2 pcrread -o "$pcrf" sha256:0,1,2,3
|
|
# pcr 4 is expected to be zero (boot mode: init)
|
|
dd if=/dev/zero bs=32 count=1 >> "$pcrf"
|
|
# pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
|
|
# pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
|
|
# pcr 7 is containing measurements of user injected stuff in cbfs
|
|
tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf"
|
|
tpmr seal "$TOTP_SECRET" "0x8100$TPM_NVRAM_SPACE" sha256:0,1,2,3,4,7 "$pcrf" \
|
|
|| die "Unable to write sealed secret to NVRAM"
|
|
fi
|
|
|
|
shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null
|
|
|
|
url="otpauth://totp/$HOST?secret=$secret"
|
|
secret=""
|
|
|
|
qrenc "$url"
|
|
echo "$url"
|