mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-18 20:47:55 +00:00
e6acaad215
When sealing/unsealing with a password, use a policy including both the
specified PCRs and the object password. Fixes sealing and unsealing disk
unlock key.

tpm2 seems to have a bug in parameter decryption when using a policy
session and password in this way, disable encryption in the policy
session as a workaround.

Flags still need to be set on the sealed object correctly, as the
password is normally allowed on its own as an alternative to policy auth.

Add -Q to some tpm2 invocations to silence diagnostics on stdout.

Pass filename for unsealed secret rather than capturing from stdout for
robustness against tpm2 diagnostics on stdout.

Fix unseal result check in kexec-unseal-key.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
37 lines
858 B
Bash
Executable File
#!/bin/bash
# Retrieve the sealed file from the NVRAM, unseal it and compute the totp

. /etc/functions

TOTP_SEALED="/tmp/secret/totp.sealed"
TOTP_SECRET="/tmp/secret/totp.key"

TRACE "Under /bin/unseal-totp"

if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
	# TPM 2.0: tpmr unseals the object at persistent handle 0x81004d47
	# under a policy over PCRs 0,1,2,3,4,7 of the SHA-256 bank. The output
	# file is passed explicitly instead of capturing stdout, so tpm2
	# diagnostics printed there cannot end up in the secret.
	tpmr unseal 0x81004d47 sha256:0,1,2,3,4,7 "$TOTP_SECRET" \
	|| die "Unable to unseal totp secret"
elif [ "$CONFIG_TPM" = "y" ]; then
	# TPM 1.2: the sealed blob lives in NV index 0x4d47. Read all 312
	# bytes of it, then unseal it with the SRK (handle 40000000).
	tpm nv_readvalue \
		-in 4d47 \
		-sz 312 \
		-of "$TOTP_SEALED" \
	|| die "Unable to retrieve sealed file from TPM NV"

	tpm unsealfile \
		-hk 40000000 \
		-if "$TOTP_SEALED" \
		-of "$TOTP_SECRET" \
	|| die "Unable to unseal totp secret"
fi

# The sealed blob is no longer needed; on the TPM 2.0 path it was never
# written, which is why shred's error output is discarded.
shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null

# Compute the TOTP code from the unsealed secret. On failure wipe the
# plaintext secret before reporting the error.
if ! totp -q < "$TOTP_SECRET"; then
	shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
	die 'Unable to compute TOTP hash?'
fi

# Always wipe the plaintext secret, including on success.
shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
exit 0
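The script above only shows the unseal side, and only through heads' tpmr wrapper. What follows is an added example, not heads' tpmr code, that spells out both sides with plain tpm2-tools 5.x commands in the shape the commit message describes: the policy is PolicyPCR over the same PCR selection followed by PolicyPassword; userwithauth is left clear on the sealed object so the password alone cannot unseal it; parameter encryption is disabled on the unseal-side policy session as the workaround; and the unsealed secret is written to a file rather than captured from stdout. The persistent handle, PCR list and /tmp/secret directory are taken from the script above. The object attribute set, the tpm2_sessionconfig form of the workaround, the function names and the command-line interface are my assumptions, and the commands need a TPM 2.0 (or swtpm via TPM2TOOLS_TCTI) to actually do anything.

```bash
#!/bin/bash
# Added example: seal/unseal a secret under PCRs AND an object password with
# tpm2-tools 5.x. Not heads' own tpmr implementation.
set -eu

PCRS="sha256:0,1,2,3,4,7"   # PCR selection used by unseal-totp above
HANDLE=0x81004d47           # persistent handle unseal-totp reads from
WORK=${WORK:-/tmp/secret}   # tmpfs directory heads keeps secrets in (assumed)

# Compute the policy digest with a trial session: PolicyPCR then
# PolicyPassword. Nothing is authorised here, only the digest is produced.
policy_digest() {
	local out=$1 sess="$WORK/trial.ctx"
	tpm2_startauthsession -Q -S "$sess"
	tpm2_policypcr -Q -S "$sess" -l "$PCRS" -L "$out"
	tpm2_policypassword -Q -S "$sess" -L "$out"
	tpm2_flushcontext "$sess"
	rm -f "$sess"
}

# Seal the file $1 at HANDLE with object password $2.
seal_totp_secret() {
	local secret=$1 pass=$2
	mkdir -p "$WORK"
	policy_digest "$WORK/policy.digest"
	tpm2_createprimary -Q -C o -c "$WORK/primary.ctx"
	# userwithauth is deliberately NOT in the attribute list: with it set the
	# password alone would satisfy USER auth and bypass the PCR policy, which
	# is the "flags" point in the commit message. Attribute set is assumed.
	tpm2_create -Q -C "$WORK/primary.ctx" -i "$secret" \
		-a "fixedtpm|fixedparent|noda" -L "$WORK/policy.digest" -p "$pass" \
		-u "$WORK/seal.pub" -r "$WORK/seal.priv"
	tpm2_load -Q -C "$WORK/primary.ctx" -u "$WORK/seal.pub" \
		-r "$WORK/seal.priv" -c "$WORK/seal.ctx"
	tpm2_evictcontrol -Q -C o -c "$HANDLE" 2>/dev/null || true  # drop old object
	tpm2_evictcontrol -Q -C o -c "$WORK/seal.ctx" "$HANDLE"
	rm -f "$WORK/primary.ctx" "$WORK"/seal.* "$WORK/policy.digest"
}

# Unseal into file $1 with object password $2. Fails if any selected PCR
# differs from sealing time or the password is wrong.
unseal_totp_secret() {
	local out=$1 pass=$2 sess="$WORK/policy.ctx"
	mkdir -p "$WORK"
	tpm2_startauthsession -Q --policy-session -S "$sess"
	# Workaround from the commit message: parameter encryption on a policy
	# session combined with the password misbehaves, so switch it off.
	# Expressing it via tpm2_sessionconfig is my assumption.
	tpm2_sessionconfig -Q --disable-encrypt "$sess"
	tpm2_policypcr -Q -S "$sess" -l "$PCRS"   # uses the live PCR values
	tpm2_policypassword -Q -S "$sess"
	# session:<file>+<password> supplies the policy session and the object
	# password together. Output goes to a file, never through stdout, so
	# tool diagnostics cannot be mistaken for the secret.
	tpm2_unseal -Q -c "$HANDLE" -p "session:$sess+$pass" -o "$out"
	tpm2_flushcontext "$sess"
	rm -f "$sess"
}

case "${1:-}" in
	seal)   seal_totp_secret "$2" "$3" ;;
	unseal) unseal_totp_secret "$2" "$3" ;;
esac
```

Saved as, say, seal-unseal.sh, `seal-unseal.sh seal ./totp.key mypass` seals the secret and `seal-unseal.sh unseal /tmp/secret/totp.key mypass` recovers it; after any of PCRs 0,1,2,3,4,7 changes, or with a wrong password, tpm2_unseal returns an error and the output file is not produced, which is exactly the failure unseal-totp turns into "Unable to unseal totp secret".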