mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-19 04:57:55 +00:00
a0272270fe
These were still writing some debugging output containing flags and PCRs even when debug was not enabled. Use DEBUG. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
48 lines
989 B
Bash
Executable File
48 lines
989 B
Bash
Executable File
#!/bin/bash
|
|
# This will unseal and unecncrypt the drive encryption key from the TPM
|
|
# The TOTP secret will be shown to the user on each encryption attempt.
|
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
|
set -e -o pipefail
|
|
. /etc/functions
|
|
|
|
TPM_INDEX=3
|
|
TPM_SIZE=312
|
|
|
|
. /etc/functions
|
|
|
|
TRACE "Under kexec-unseal-key"
|
|
|
|
mkdir -p /tmp/secret
|
|
|
|
key_file="$1"
|
|
|
|
if [ -z "$key_file" ]; then
|
|
key_file="/tmp/secret/secret.key"
|
|
fi
|
|
|
|
DEBUG "CONFIG_TPM: $CONFIG_TPM"
|
|
DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
|
|
DEBUG "Show PCRs"
|
|
DEBUG "$(pcrs)"
|
|
|
|
for tries in 1 2 3; do
|
|
read -s -p "Enter unlock password (blank to abort): " tpm_password
|
|
echo
|
|
if [ -z "$tpm_password" ]; then
|
|
die "Aborting unseal disk encryption key"
|
|
fi
|
|
|
|
DO_WITH_DEBUG --mask-position 6 \
|
|
tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \
|
|
"$key_file" "$tpm_password"
|
|
|
|
if [ "$?" -eq 0 ]; then
|
|
exit 0
|
|
fi
|
|
|
|
pcrs
|
|
warn "Unable to unseal disk encryption key"
|
|
done
|
|
|
|
die "Retry count exceeded..."
|