authorCorey Hinshaw2020-10-06 16:55:42 -0400
committerCorey Hinshaw2020-10-06 16:55:42 -0400
commit790e4ed7bba0445bf7b5350819564a890c2ed620 (patch)
tree9a9bf92f293e511ce622bfd84e8b90db08947339
parentcd90c52740f6fd8cd9e02cbfba217b4ea7c65c81 (diff)
Update to v1.0.0
-rw-r--r--.SRCINFO13
-rw-r--r--.gitignore4
-rw-r--r--PKGBUILD21
-rw-r--r--README.md67
-rwxr-xr-xluks-tpm217
-rw-r--r--luks-tpm.hook16
-rw-r--r--luks-tpm.install9
7 files changed, 53 insertions, 294 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 1db40a6e76e5..6a68f37ef857 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,17 +1,24 @@
pkgbase = luks-tpm
pkgdesc = Utility to manage LUKS keyfiles sealed by the TPM
- pkgver = 0.2.2
+ pkgver = 1.0.0
pkgrel = 1
url = https://github.com/electrickite/luks-tpm
+ install = luks-tpm.install
arch = any
license = GPL
depends = tpm-tools
depends = trousers
depends = cryptsetup
+ depends = bash
depends = coreutils
+ depends = gawk
+ depends = grep
depends = util-linux
- source = luks-tpm
- sha256sums = 45e4009da6ff8810cb38f4178a23023c0111563d2a500292459c58d6dd5e058c
+ backup = etc/default/luks-tpm
+ source = https://github.com/electrickite/luks-tpm/archive/1.0.0.tar.gz
+ source = luks-tpm.hook
+ sha256sums = ce4b48bfdcd4ecc5df672bf7264fb5abb3aef4b271eec2a24657be396332e86a
+ sha256sums = 3b268c5e1d874d3b80698e3cfb245cccdfb6412cc6982a112812d7e3717b3b9d
pkgname = luks-tpm
diff --git a/.gitignore b/.gitignore
index 2b2f66f1ee18..9fae8a7b4224 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
-*.pkg.tar.xz
+*.tar.xz
+*.tar.gz
+*.tar.zst
/pkg
/src
diff --git a/PKGBUILD b/PKGBUILD
index 1fde2258705a..db1298e46899 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,17 +1,26 @@
-# Maintainer: Corey Hinshaw <coreyhinshaw@gmail.com>
+# Maintainer: Corey Hinshaw <corey(at)electrickite(dot)org>
+# Contributor: zer0def <zer0def@github>
pkgname=luks-tpm
-pkgver=0.2.2
+pkgver=1.0.0
pkgrel=1
pkgdesc="Utility to manage LUKS keyfiles sealed by the TPM"
arch=('any')
-url="https://github.com/electrickite/luks-tpm"
+url="https://github.com/electrickite/${pkgname}"
license=('GPL')
-depends=('tpm-tools' 'trousers' 'cryptsetup' 'coreutils' 'util-linux')
-source=('luks-tpm')
+depends=('tpm-tools' 'trousers' 'cryptsetup' 'bash' 'coreutils' 'gawk' 'grep' 'util-linux')
+install="${pkgname}.install"
+backup=('etc/default/luks-tpm')
-sha256sums=('45e4009da6ff8810cb38f4178a23023c0111563d2a500292459c58d6dd5e058c')
+source=("https://github.com/electrickite/${pkgname}/archive/${pkgver}.tar.gz"
+ "${pkgname}.hook")
+sha256sums=('ce4b48bfdcd4ecc5df672bf7264fb5abb3aef4b271eec2a24657be396332e86a'
+ '3b268c5e1d874d3b80698e3cfb245cccdfb6412cc6982a112812d7e3717b3b9d')
package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
install -Dm755 luks-tpm "${pkgdir}/usr/bin/luks-tpm"
+ install -Dm644 default "${pkgdir}/etc/default/luks-tpm"
+ install -Dm644 "${srcdir}/luks-tpm.hook" "${pkgdir}/usr/share/libalpm/hooks/luks-tpm.hook"
}
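Review bot: The first `source` entry is saved under the bare name `1.0.0.tar.gz`, which can collide with another package's download when `SRCDEST` is shared; give it a unique local name, `source=("${pkgname}-${pkgver}.tar.gz::https://github.com/electrickite/${pkgname}/archive/${pkgver}.tar.gz"`. The `sha256sums` entry is the only integrity check on that archive, and no signature is verified, so the hash is only as trustworthy as the download it was computed from. This package installs a root-run tool that handles LUKS key material, so building from a signed tag or a pinned commit would be a stronger guarantee if upstream offers one.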
diff --git a/README.md b/README.md
deleted file mode 100644
index 76d2ec8cfcc9..000000000000
--- a/README.md
+++ /dev/null
@@ -1,67 +0,0 @@
-LUKS TPM
-========
-
-A small utility script to manage LUKS keyfiles sealed by a TPM.
-
-This script assumes you will be using a TPM-sealed keyfile during boot to unlock
-the root file system. It is intended to be used as part of your kernel update
-process to generate a keyfile sealed against the new kernel's PCR values.
-
-Update Process
---------------
-
-The script facilitates the following kernel update process:
-
- 1. Kernel is updated
- 2. `luks-tpm` is called, either manually or via pacman hook, and sets a
- temporary LUKS passphrase
- 3. The system is rebooted into the new kernel
- 4. Because the TPM PCRs have changed, the old keyfile cannot be unsealed
- 5. User enters the temporary passphrase to unlock the disk
- 6. `luks-tpm` is called, generating a new keyfile sealed by the TPM and
- removing the temporary passphrase
-
-### LUKS Key Slots
-
-The script requires two LUKS key slots to function: one for the sealed keyfile
-and one for the temporary passphrase. You are also *strongly* encouraged to
-dedicate an additional slot for a recovery passphrase not managed by `luks-tpm`.
-
-The default key slot layout is:
-
- * Slot 0: Recovery passphrase (optional)
- * Slot 1: TPM keyfile
- * Slot 2: Temporary passphrase
-
-### Replace Key
-
-The `replace` action allows a TPM-sealed LUKS keyfile to be replaced
-(overwritten) by a new, randomly generated key. By default, LUKS slot 1 will be
-replaced. This action will not prompt for a passphrase, so the current keyfile
-must "unsealable" by the TPM and a valid LUKS key.
-
-Usage
------
-
- luks-tpm [OPTION]... DEVICE ACTION
-
-### Actions
-
- * `temp`: Set a temporary LUKS passphrase
- * `reset`: Regenerate the LUKS TPM key and remove the temporary passphrase
- * `replace`: Replace (overwrite) a LUKS TPM key
-
-### Options
-
- -h Print help
- -m PATH Mount point for the tmpfs file system used to store TPM keyfiles
- Default: /root/keyfs
- -k PATH Sealed TPM keyfile path
- Default: /boot/keyfile.enc
- -t NUMBER LUKS slot number for the TPM keyfile
- Default: 1
- -r NUMBER LUKS slot number for temporary reset passphrase
- Default: 2
- -p NUMBER PCRs used to seal LUKS keyfile. May be specified more than once
- Default: 0-7
- -z Use the TPM SRK well-known password
diff --git a/luks-tpm b/luks-tpm
deleted file mode 100755
index 5b9b5e3e25fc..000000000000
--- a/luks-tpm
+++ /dev/null
@@ -1,217 +0,0 @@
-#!/bin/bash
-
-# Copyright 2017 Corey Hinshaw <coreyhinshaw@gmail.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-usage () {
- cat <<EOF
-Usage: luks-tpm [OPTION]... DEVICE ACTION
-Manage the LUKS TPM keys on DEVICE
-
-Actions:
- temp Set a temporary LUKS passphrase
- reset Reset the LUKS TPM key using a passphrase
- replace Replace (overwrite) a LUKS TPM key
-
-Options:
- -h Print this help text
- -m PATH Mount point for the tmpfs file system used to store TPM keyfiles
- Default: /root/keyfs
- -k PATH Sealed TPM keyfile path
- Default: /boot/keyfile.enc
- -t NUMBER LUKS slot number for the TPM keyfile
- Default: 1
- -r NUMBER LUKS slot number for temporary reset passphrase
- Default: 2
- -p NUMBER PCRs used to seal LUKS keyfile. May be specified more than once
- Default: 0-7
- -z Use the TPM SRK well-known password
-EOF
-}
-
-add_temp_key() {
- tpm_unsealdata -i "$SEALED_KEYFILE" -o "$KEYFILE" $WELL_KNOWN
-
- echo "Preparing to set a temporary LUKS passphrase..."
- if cryptsetup luksAddKey --key-slot $RESET_KEY_SLOT --key-file "$KEYFILE" $ROOT_DEVICE < /dev/tty; then
- echo "After booting into the current kernel, run"
- echo " luks-tpm $(echo $ORIGINAL_ARGS | sed 's/temp$/reset/')"
- echo "to generate a new TPM keyfile and remove this temporary key"
- else
- echo "A temporary passphrase was not set" >&2
- RETURN_CODE=5
- fi
-}
-
-reset_tpm_key() {
- read -s -p "Enter any existing LUKS passphrase: " PASSPHRASE
- echo
-
- echo "Generating new LUKS key..."
- generate_keyfile
-
- echo "Removing current TPM key from slot $TPM_KEY_SLOT..."
- echo $PASSPHRASE | cryptsetup luksKillSlot $ROOT_DEVICE $TPM_KEY_SLOT
-
- echo "Adding new key to slot $TPM_KEY_SLOT..."
- echo $PASSPHRASE | cryptsetup luksAddKey $ROOT_DEVICE "$KEYFILE" --key-slot $TPM_KEY_SLOT
- addkey=$?
-
- echo "Sealing keyfile with the TPM..."
- tpm_sealdata $PCRS -i "$KEYFILE" -o "$SEALED_KEYFILE" $WELL_KNOWN
- seal=$?
-
- if [ $addkey -eq 0 ] && [ $seal -eq 0 ]; then
- echo "Removing temporary passphrase from slot $RESET_KEY_SLOT..."
- cryptsetup luksKillSlot --key-file "$KEYFILE" $ROOT_DEVICE $RESET_KEY_SLOT
- else
- echo "There was an error resetting the TPM key in slot $TPM_KEY_SLOT!" >&2
- echo "The temporary reset ket in slot $RESET_KEY_SLOT has not been removed." >&2
- RETURN_CODE=4
- fi
-}
-
-replace_tpm_key() {
- ORIGINAL_KEYFILE="$KEYFILE.orig"
-
- echo "Usealing current keyfile..."
- tpm_unsealdata -i "$SEALED_KEYFILE" -o "$ORIGINAL_KEYFILE" $WELL_KNOWN
-
- generate_keyfile
-
- echo "Replacing LUKS key..."
- if cryptsetup luksChangeKey $ROOT_DEVICE "$KEYFILE" --key-slot $TPM_KEY_SLOT --key-file "$ORIGINAL_KEYFILE"; then
- echo "Sealing new keyfile with the TPM..."
- if ! tpm_sealdata $PCRS -i "$KEYFILE" -o "$SEALED_KEYFILE" $WELL_KNOWN; then
- echo "There was an error sealing the new keyfile!" >&2
- RETURN_CODE=7
- fi
- else
- echo "There was an error replacing the TPM key in slot $TPM_KEY_SLOT!" >&2
- RETURN_CODE=6
- fi
-}
-
-create_tmpfs() {
- mkdir -p "$TMPFS_MOUNT"
- if ! mount tmpfs "$TMPFS_MOUNT" -t tmpfs -o size=1m; then
- echo "Could not create tmpfs. Aborting..." >&2
- exit 3
- fi
- chmod 700 "$TMPFS_MOUNT"
-}
-
-destroy_tmpfs() {
- umount "$TMPFS_MOUNT"
-}
-
-generate_keyfile() {
- dd bs=512 count=4 if=/dev/urandom of="$KEYFILE" > /dev/null 2>&1
-}
-
-ORIGINAL_ARGS="$@"
-TMPFS_MOUNT=/root/keyfs
-SEALED_KEYFILE=/boot/keyfile.enc
-TPM_KEY_SLOT=1
-RESET_KEY_SLOT=2
-PCRS="-p 0 -p 1 -p 2 -p 3 -p 4 -p 5 -p 6 -p 7"
-WELL_KNOWN=""
-
-while getopts ":hm:k:t:r:p:z" opt; do
- case $opt in
- h)
- usage
- exit 0
- ;;
- m)
- TMPFS_MOUNT="$OPTARG"
- ;;
- k)
- SEALED_KEYFILE="$OPTARG"
- ;;
- t)
- if [[ ! $OPTARG =~ ^-?[0-9]+$ ]] || [ $OPTARG -lt 0 ] || [ $OPTARG -gt 7 ]; then
- echo "Invalid TPM key slot: $OPTARG" >&2
- exit 1
- fi
- TPM_KEY_SLOT=$OPTARG
- ;;
- r)
- if [[ ! $OPTARG =~ ^-?[0-9]+$ ]] || [ $OPTARG -lt 0 ] || [ $OPTARG -gt 7 ]; then
- echo "Invalid reset key slot: $OPTARG" >&2
- exit 1
- fi
- RESET_KEY_SLOT=$OPTARG
- ;;
- p)
- if [[ ! $OPTARG =~ ^-?[0-9]+$ ]] || [ $OPTARG -lt 0 ] || [ $OPTARG -gt 23 ]; then
- echo "Invalid PCR: $OPTARG" >&2
- exit 1
- fi
-
- if [ -z $pcr_option ]; then
- PCRS="-p $OPTARG"
- else
- PCRS="$PCRS -p $OPTARG"
- fi
- pcr_option=1
- ;;
- z)
- WELL_KNOWN="-z"
- ;;
- \?)
- echo "Invalid option: -$OPTARG" >&2
- usage >&2
- exit 1
- ;;
- :)
- echo "Option -$OPTARG requires an argument." >&2
- exit 1
- ;;
- esac
-done
-
-shift $((OPTIND-1))
-
-ROOT_DEVICE="$1"
-KEYFILE="$TMPFS_MOUNT/keyfile"
-RETURN_CODE=0
-
-if [ -z $ROOT_DEVICE ]; then
- echo "Device not specified!" >&2
- usage >&2
- exit 1
-fi
-
-if [ $EUID -ne 0 ]; then
- echo "Must be run as root" >&2
- exit 2
-fi
-
-case "$2" in
- temp) ACTION=add_temp_key;;
- reset) ACTION=reset_tpm_key;;
- replace) ACTION=replace_tpm_key;;
- *)
- echo "Invalid action!" >&2
- usage >&2
- exit 1
- ;;
-esac
-
-create_tmpfs
-$ACTION
-destroy_tmpfs
-exit $RETURN_CODE
diff --git a/luks-tpm.hook b/luks-tpm.hook
new file mode 100644
index 000000000000..9176e9c3a8a5
--- /dev/null
+++ b/luks-tpm.hook
@@ -0,0 +1,16 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = File
+Target = boot/vmlinuz-*
+Target = boot/amd-ucode.img
+Target = boot/intel-ucode.img
+Target = usr/lib/initcpio/*
+Target = usr/lib/systemd/boot/efi/linux*.efi.stub
+Target = usr/share/refind/refind_x64.efi
+
+[Action]
+Description = Adding temporary LUKS TPM key...
+When = PostTransaction
+Exec = /usr/bin/luks-tpm temp
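Review bot: `Exec = /usr/bin/luks-tpm temp` runs at `PostTransaction`, so a failure cannot stop the transaction that has already replaced the kernel, microcode, initcpio or boot loader files listed under `Target`. The 0.2.2 script removed in this commit read the temporary passphrase from `/dev/tty`. If 1.0.0 does the same (its source is not part of this commit), an unattended or terminal-less upgrade sets no temporary passphrase, and the next boot, with changed PCR values, depends on a recovery slot. The hook is also active as soon as the package is installed, before `/etc/default/luks-tpm` has been edited. I would document this at the top of the file, for example `# Needs an interactive terminal; keep a recovery passphrase in a LUKS slot that luks-tpm does not manage.`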
diff --git a/luks-tpm.install b/luks-tpm.install
new file mode 100644
index 000000000000..50f41750f2eb
--- /dev/null
+++ b/luks-tpm.install
@@ -0,0 +1,9 @@
+post_install() {
+cat << EOF
+
+ Configure luks-tpm by editing /etc/default/luks-tpm
+ A pacman hook has been installed at /usr/share/libalpm/hooks/luks-tpm.hook
+ Consider overriding this hook by creating /etc/pacman.d/hooks/luks-tpm.hook
+
+EOF
+}
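Review bot: Only `post_install` is defined, so users upgrading from 0.2.2 never see this message, even though that release shipped neither the pacman hook nor `/etc/default/luks-tpm`. For them the upgrade silently starts adding a temporary LUKS passphrase on every kernel or boot loader update. I would add `post_upgrade() { if [ "$(vercmp "$2" 1.0.0)" -lt 0 ]; then post_install; fi; }` so the notice is printed once when crossing to 1.0.0.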