mirror of
https://github.com/linuxboot/heads.git
synced 2025-03-27 22:28:42 +00:00
4f2b1b68b0
Next steps on this is introspection and PCRs reconstruction helpers, which will output in DEBUG and be usable from recovery shell. We have to keep in mind that providing those tools is useful in DEBUG mode and for users having access to Recovery Shell. But currently, having access to cbmem -L output and final PCRs content is making it too easy for Evil Maid to know what needs to be hardcoded to pass measured boot. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
46 lines
1001 B
Bash
Executable File
46 lines
1001 B
Bash
Executable File
#!/bin/bash
|
|
# This will unseal and unecncrypt the drive encryption key from the TPM
|
|
# The TOTP secret will be shown to the user on each encryption attempt.
|
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
|
set -e -o pipefail
|
|
. /etc/functions
|
|
|
|
TPM_INDEX=3
|
|
TPM_SIZE=312
|
|
|
|
. /etc/functions
|
|
|
|
TRACE "Under kexec-unseal-key"
|
|
|
|
mkdir -p /tmp/secret
|
|
|
|
key_file="$1"
|
|
|
|
if [ -z "$key_file" ]; then
|
|
key_file="/tmp/secret/secret.key"
|
|
fi
|
|
|
|
DEBUG "CONFIG_TPM: $CONFIG_TPM"
|
|
DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
|
|
DEBUG "Show PCRs"
|
|
DEBUG "$(pcrs)"
|
|
|
|
for tries in 1 2 3; do
|
|
read -s -p "Enter LUKS TPM Disk Unlock Key passphrase (blank to abort): " tpm_password
|
|
echo
|
|
if [ -z "$tpm_password" ]; then
|
|
die "Aborting unseal disk encryption key"
|
|
fi
|
|
|
|
if DO_WITH_DEBUG --mask-position 6 \
|
|
tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \
|
|
"$key_file" "$tpm_password"; then
|
|
exit 0
|
|
fi
|
|
|
|
DEBUG $(pcrs)
|
|
warn "Unable to unseal disk encryption key"
|
|
done
|
|
|
|
die "Retry count exceeded..."
|