author | Corey Hinshaw | 2020-10-06 16:55:42 -0400 |
---|---|---|
committer | Corey Hinshaw | 2020-10-06 16:55:42 -0400 |
commit | 790e4ed7bba0445bf7b5350819564a890c2ed620 (patch) | |
tree | 9a9bf92f293e511ce622bfd84e8b90db08947339 | |
parent | cd90c52740f6fd8cd9e02cbfba217b4ea7c65c81 (diff) | |
Update to v1.0.0
-rw-r--r-- | .SRCINFO | 13 | ||||
-rw-r--r-- | .gitignore | 4 | ||||
-rw-r--r-- | PKGBUILD | 21 | ||||
-rw-r--r-- | README.md | 67 | ||||
-rwxr-xr-x | luks-tpm | 217 | ||||
-rw-r--r-- | luks-tpm.hook | 16 | ||||
-rw-r--r-- | luks-tpm.install | 9 |
7 files changed, 53 insertions, 294 deletions
@@ -1,17 +1,24 @@ pkgbase = luks-tpm pkgdesc = Utility to manage LUKS keyfiles sealed by the TPM - pkgver = 0.2.2 + pkgver = 1.0.0 pkgrel = 1 url = https://github.com/electrickite/luks-tpm + install = luks-tpm.install arch = any license = GPL depends = tpm-tools depends = trousers depends = cryptsetup + depends = bash depends = coreutils + depends = gawk + depends = grep depends = util-linux - source = luks-tpm - sha256sums = 45e4009da6ff8810cb38f4178a23023c0111563d2a500292459c58d6dd5e058c + backup = etc/default/luks-tpm + source = https://github.com/electrickite/luks-tpm/archive/1.0.0.tar.gz + source = luks-tpm.hook + sha256sums = ce4b48bfdcd4ecc5df672bf7264fb5abb3aef4b271eec2a24657be396332e86a + sha256sums = 3b268c5e1d874d3b80698e3cfb245cccdfb6412cc6982a112812d7e3717b3b9d pkgname = luks-tpm diff --git a/.gitignore b/.gitignore index 2b2f66f1ee18..9fae8a7b4224 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ -*.pkg.tar.xz +*.tar.xz +*.tar.gz +*.tar.zst /pkg /src 
@@ -1,17 +1,26 @@ -# Maintainer: Corey Hinshaw <coreyhinshaw@gmail.com> +# Maintainer: Corey Hinshaw <corey(at)electrickite(dot)org> +# Contributor: zer0def <zer0def@github> pkgname=luks-tpm -pkgver=0.2.2 +pkgver=1.0.0 pkgrel=1 pkgdesc="Utility to manage LUKS keyfiles sealed by the TPM" arch=('any') -url="https://github.com/electrickite/luks-tpm" +url="https://github.com/electrickite/${pkgname}" license=('GPL') -depends=('tpm-tools' 'trousers' 'cryptsetup' 'coreutils' 'util-linux') -source=('luks-tpm') +depends=('tpm-tools' 'trousers' 'cryptsetup' 'bash' 'coreutils' 'gawk' 'grep' 'util-linux') +install="${pkgname}.install" +backup=('etc/default/luks-tpm') -sha256sums=('45e4009da6ff8810cb38f4178a23023c0111563d2a500292459c58d6dd5e058c') +source=("https://github.com/electrickite/${pkgname}/archive/${pkgver}.tar.gz" + "${pkgname}.hook") +sha256sums=('ce4b48bfdcd4ecc5df672bf7264fb5abb3aef4b271eec2a24657be396332e86a' + '3b268c5e1d874d3b80698e3cfb245cccdfb6412cc6982a112812d7e3717b3b9d') package() { + cd "${srcdir}/${pkgname}-${pkgver}" + install -Dm755 luks-tpm "${pkgdir}/usr/bin/luks-tpm" + install -Dm644 default "${pkgdir}/etc/default/luks-tpm" + install -Dm644 "${srcdir}/luks-tpm.hook" "${pkgdir}/usr/share/libalpm/hooks/luks-tpm.hook" } diff --git a/README.md b/README.md deleted file mode 100644 index 76d2ec8cfcc9..000000000000 --- a/README.md +++ /dev/null 
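Review bot: The first `source` entry in the PKGBUILD hunk downloads as a bare `1.0.0.tar.gz`, which can collide with another package's tarball when SRCDEST is shared. The sha256 check would then fail rather than build the wrong code, but the usual form renames the download: `"${pkgname}-${pkgver}.tar.gz::https://github.com/electrickite/${pkgname}/archive/${pkgver}.tar.gz"`. Now that the script is fetched from upstream instead of shipped in the package repo, `sha256sums` is the only check on a tool that is installed to /usr/bin and handles disk keys. A short comment above `source` recording how the hash was obtained would help the next maintainer re-verify it on a version bump.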
@@ -1,67 +0,0 @@ -LUKS TPM -======== - -A small utility script to manage LUKS keyfiles sealed by a TPM. - -This script assumes you will be using a TPM-sealed keyfile during boot to unlock -the root file system. It is intended to be used as part of your kernel update -process to generate a keyfile sealed against the new kernel's PCR values. - -Update Process --------------- - -The script facilitates the following kernel update process: - - 1. Kernel is updated - 2. `luks-tpm` is called, either manually or via pacman hook, and sets a - temporary LUKS passphrase - 3. The system is rebooted into the new kernel - 4. Because the TPM PCRs have changed, the old keyfile cannot be unsealed - 5. User enters the temporary passphrase to unlock the disk - 6. `luks-tpm` is called, generating a new keyfile sealed by the TPM and - removing the temporary passphrase - -### LUKS Key Slots - -The script requires two LUKS key slots to function: one for the sealed keyfile -and one for the temporary passphrase. You are also *strongly* encouraged to -dedicate an additional slot for a recovery passphrase not managed by `luks-tpm`. - -The default key slot layout is: - - * Slot 0: Recovery passphrase (optional) - * Slot 1: TPM keyfile - * Slot 2: Temporary passphrase - -### Replace Key - -The `replace` action allows a TPM-sealed LUKS keyfile to be replaced -(overwritten) by a new, randomly generated key. By default, LUKS slot 1 will be -replaced. This action will not prompt for a passphrase, so the current keyfile -must "unsealable" by the TPM and a valid LUKS key. - -Usage ------ - - luks-tpm [OPTION]... 
DEVICE ACTION - -### Actions - - * `temp`: Set a temporary LUKS passphrase - * `reset`: Regenerate the LUKS TPM key and remove the temporary passphrase - * `replace`: Replace (overwrite) a LUKS TPM key - -### Options - - -h Print help - -m PATH Mount point for the tmpfs file system used to store TPM keyfiles - Default: /root/keyfs - -k PATH Sealed TPM keyfile path - Default: /boot/keyfile.enc - -t NUMBER LUKS slot number for the TPM keyfile - Default: 1 - -r NUMBER LUKS slot number for temporary reset passphrase - Default: 2 - -p NUMBER PCRs used to seal LUKS keyfile. May be specified more than once - Default: 0-7 - -z Use the TPM SRK well-known password diff --git a/luks-tpm b/luks-tpm deleted file mode 100755 index 5b9b5e3e25fc..000000000000 --- a/luks-tpm +++ /dev/null 
@@ -1,217 +0,0 @@ -#!/bin/bash - -# Copyright 2017 Corey Hinshaw <coreyhinshaw@gmail.com> -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -usage () { - cat <<EOF -Usage: luks-tpm [OPTION]... DEVICE ACTION -Manage the LUKS TPM keys on DEVICE - -Actions: - temp Set a temporary LUKS passphrase - reset Reset the LUKS TPM key using a passphrase - replace Replace (overwrite) a LUKS TPM key - -Options: - -h Print this help text - -m PATH Mount point for the tmpfs file system used to store TPM keyfiles - Default: /root/keyfs - -k PATH Sealed TPM keyfile path - Default: /boot/keyfile.enc - -t NUMBER LUKS slot number for the TPM keyfile - Default: 1 - -r NUMBER LUKS slot number for temporary reset passphrase - Default: 2 - -p NUMBER PCRs used to seal LUKS keyfile. May be specified more than once - Default: 0-7 - -z Use the TPM SRK well-known password -EOF -} - -add_temp_key() { - tpm_unsealdata -i "$SEALED_KEYFILE" -o "$KEYFILE" $WELL_KNOWN - - echo "Preparing to set a temporary LUKS passphrase..." 
- if cryptsetup luksAddKey --key-slot $RESET_KEY_SLOT --key-file "$KEYFILE" $ROOT_DEVICE < /dev/tty; then - echo "After booting into the current kernel, run" - echo " luks-tpm $(echo $ORIGINAL_ARGS | sed 's/temp$/reset/')" - echo "to generate a new TPM keyfile and remove this temporary key" - else - echo "A temporary passphrase was not set" >&2 - RETURN_CODE=5 - fi -} - -reset_tpm_key() { - read -s -p "Enter any existing LUKS passphrase: " PASSPHRASE - echo - - echo "Generating new LUKS key..." - generate_keyfile - - echo "Removing current TPM key from slot $TPM_KEY_SLOT..." - echo $PASSPHRASE | cryptsetup luksKillSlot $ROOT_DEVICE $TPM_KEY_SLOT - - echo "Adding new key to slot $TPM_KEY_SLOT..." - echo $PASSPHRASE | cryptsetup luksAddKey $ROOT_DEVICE "$KEYFILE" --key-slot $TPM_KEY_SLOT - addkey=$? - - echo "Sealing keyfile with the TPM..." - tpm_sealdata $PCRS -i "$KEYFILE" -o "$SEALED_KEYFILE" $WELL_KNOWN - seal=$? - - if [ $addkey -eq 0 ] && [ $seal -eq 0 ]; then - echo "Removing temporary passphrase from slot $RESET_KEY_SLOT..." - cryptsetup luksKillSlot --key-file "$KEYFILE" $ROOT_DEVICE $RESET_KEY_SLOT - else - echo "There was an error resetting the TPM key in slot $TPM_KEY_SLOT!" >&2 - echo "The temporary reset ket in slot $RESET_KEY_SLOT has not been removed." >&2 - RETURN_CODE=4 - fi -} - -replace_tpm_key() { - ORIGINAL_KEYFILE="$KEYFILE.orig" - - echo "Usealing current keyfile..." - tpm_unsealdata -i "$SEALED_KEYFILE" -o "$ORIGINAL_KEYFILE" $WELL_KNOWN - - generate_keyfile - - echo "Replacing LUKS key..." - if cryptsetup luksChangeKey $ROOT_DEVICE "$KEYFILE" --key-slot $TPM_KEY_SLOT --key-file "$ORIGINAL_KEYFILE"; then - echo "Sealing new keyfile with the TPM..." - if ! tpm_sealdata $PCRS -i "$KEYFILE" -o "$SEALED_KEYFILE" $WELL_KNOWN; then - echo "There was an error sealing the new keyfile!" >&2 - RETURN_CODE=7 - fi - else - echo "There was an error replacing the TPM key in slot $TPM_KEY_SLOT!" 
>&2 - RETURN_CODE=6 - fi -} - -create_tmpfs() { - mkdir -p "$TMPFS_MOUNT" - if ! mount tmpfs "$TMPFS_MOUNT" -t tmpfs -o size=1m; then - echo "Could not create tmpfs. Aborting..." >&2 - exit 3 - fi - chmod 700 "$TMPFS_MOUNT" -} - -destroy_tmpfs() { - umount "$TMPFS_MOUNT" -} - -generate_keyfile() { - dd bs=512 count=4 if=/dev/urandom of="$KEYFILE" > /dev/null 2>&1 -} - -ORIGINAL_ARGS="$@" -TMPFS_MOUNT=/root/keyfs -SEALED_KEYFILE=/boot/keyfile.enc -TPM_KEY_SLOT=1 -RESET_KEY_SLOT=2 -PCRS="-p 0 -p 1 -p 2 -p 3 -p 4 -p 5 -p 6 -p 7" -WELL_KNOWN="" - -while getopts ":hm:k:t:r:p:z" opt; do - case $opt in - h) - usage - exit 0 - ;; - m) - TMPFS_MOUNT="$OPTARG" - ;; - k) - SEALED_KEYFILE="$OPTARG" - ;; - t) - if [[ ! $OPTARG =~ ^-?[0-9]+$ ]] || [ $OPTARG -lt 0 ] || [ $OPTARG -gt 7 ]; then - echo "Invalid TPM key slot: $OPTARG" >&2 - exit 1 - fi - TPM_KEY_SLOT=$OPTARG - ;; - r) - if [[ ! $OPTARG =~ ^-?[0-9]+$ ]] || [ $OPTARG -lt 0 ] || [ $OPTARG -gt 7 ]; then - echo "Invalid reset key slot: $OPTARG" >&2 - exit 1 - fi - RESET_KEY_SLOT=$OPTARG - ;; - p) - if [[ ! $OPTARG =~ ^-?[0-9]+$ ]] || [ $OPTARG -lt 0 ] || [ $OPTARG -gt 23 ]; then - echo "Invalid PCR: $OPTARG" >&2 - exit 1 - fi - - if [ -z $pcr_option ]; then - PCRS="-p $OPTARG" - else - PCRS="$PCRS -p $OPTARG" - fi - pcr_option=1 - ;; - z) - WELL_KNOWN="-z" - ;; - \?) - echo "Invalid option: -$OPTARG" >&2 - usage >&2 - exit 1 - ;; - :) - echo "Option -$OPTARG requires an argument." >&2 - exit 1 - ;; - esac -done - -shift $((OPTIND-1)) - -ROOT_DEVICE="$1" -KEYFILE="$TMPFS_MOUNT/keyfile" -RETURN_CODE=0 - -if [ -z $ROOT_DEVICE ]; then - echo "Device not specified!" >&2 - usage >&2 - exit 1 -fi - -if [ $EUID -ne 0 ]; then - echo "Must be run as root" >&2 - exit 2 -fi - -case "$2" in - temp) ACTION=add_temp_key;; - reset) ACTION=reset_tpm_key;; - replace) ACTION=replace_tpm_key;; - *) - echo "Invalid action!" >&2 - usage >&2 - exit 1 - ;; -esac - -create_tmpfs -$ACTION -destroy_tmpfs -exit $RETURN_CODE 
diff --git a/luks-tpm.hook b/luks-tpm.hook
new file mode 100644
index 000000000000..9176e9c3a8a5
--- /dev/null
+++ b/luks-tpm.hook
@@ -0,0 +1,16 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = File
+Target = boot/vmlinuz-*
+Target = boot/amd-ucode.img
+Target = boot/intel-ucode.img
+Target = usr/lib/initcpio/*
+Target = usr/lib/systemd/boot/efi/linux*.efi.stub
+Target = usr/share/refind/refind_x64.efi
+
+[Action]
+Description = Adding temporary LUKS TPM key...
+When = PostTransaction
+Exec = /usr/bin/luks-tpm temp
diff --git a/luks-tpm.install b/luks-tpm.install
new file mode 100644
index 000000000000..50f41750f2eb
--- /dev/null
+++ b/luks-tpm.install
@@ -0,0 +1,9 @@
+post_install() {
+cat << EOF
+
+ Configure luks-tpm by editing /etc/default/luks-tpm
+ A pacman hook has been installed at /usr/share/libalpm/hooks/luks-tpm.hook
+ Consider overriding this hook by creating /etc/pacman.d/hooks/luks-tpm.hook
+
+EOF
+} |
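Review bot: The `[Trigger]` list in luks-tpm.hook has no target for the path where the stock kernel packages own the image. As far as I know, current Arch kernels install it as `usr/lib/modules/*/vmlinuz` and leave the copy into /boot to a mkinitcpio hook, so `Target = boot/vmlinuz-*` with `Type = File` may never match on a normal kernel upgrade. If the hook does not fire, no temporary passphrase is set before the measured boot chain changes, and the next boot cannot unseal the keyfile and falls back to whatever recovery passphrase the user kept. I would add `Target = usr/lib/modules/*/vmlinuz` next to the existing kernel target. A comment above `Exec = /usr/bin/luks-tpm temp` should also say where the device now comes from, presumably /etc/default/luks-tpm, since the 1.0.0 script is not visible in this commit.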