mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-21 22:07:52 +00:00
22a52ec4b8
Also cleaned up error handling and boot parsing edge cases
46 lines
920 B
Bash
Executable File
46 lines
920 B
Bash
Executable File
#!/bin/sh
|
|
# This will unseal and unecncrypt the drive encryption key from the TPM
|
|
# The TOTP secret will be shown to the user on each encryption attempt.
|
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
|
set -e -o pipefail
|
|
|
|
TPM_INDEX=3
|
|
TPM_SIZE=312
|
|
|
|
. /etc/functions
|
|
mkdir -p /tmp/secret
|
|
|
|
sealed_file="/tmp/secret/sealed.key"
|
|
key_file="$1"
|
|
|
|
if [ -z "$key_file" ]; then
|
|
key_file="/tmp/secret/secret.key"
|
|
fi
|
|
|
|
tpm nv_readvalue \
|
|
-in "$TPM_INDEX" \
|
|
-sz "$TPM_SIZE" \
|
|
-of "$sealed_file" \
|
|
|| die "Unable to read key from TPM NVRAM"
|
|
|
|
for tries in 1 2 3; do
|
|
read -s -p "Enter unlock password: " tpm_password
|
|
echo
|
|
|
|
if tpm unsealfile \
|
|
-if "$sealed_file" \
|
|
-of "$key_file" \
|
|
-pwdd "$tpm_password" \
|
|
-hk 40000000 \
|
|
; then
|
|
# should be okay if this fails
|
|
rm -f /tmp/secret/sealed || true
|
|
exit 0
|
|
fi
|
|
|
|
pcrs
|
|
warn "Unable to unseal disk encryption key"
|
|
done
|
|
|
|
die "Retry count exceeded..."
|