author | Corey Hinshaw | 2019-09-17 23:50:41 -0400 |
---|---|---|
committer | Corey Hinshaw | 2019-09-17 23:50:41 -0400 |
commit | 07bacb2ba769c65557b86244ea95c73571045503 (patch) | |
tree | 22265567b997c79822b55c38823aa3ff0ce5c13a | |
parent | 3fc6382d3004b012e873f682d4b3e92efdcff41d (diff) | |
download | aur-07bacb2ba769c65557b86244ea95c73571045503.tar.gz |
Update to support tpm2-tools 4
-rw-r--r-- | .SRCINFO | 8 | ||||
-rw-r--r-- | PKGBUILD | 10 | ||||
-rw-r--r-- | README.md | 10 | ||||
-rw-r--r-- | hook_tpm2 | 25 |
4 files changed, 26 insertions, 27 deletions
@@ -1,18 +1,18 @@ pkgbase = mkinitcpio-tpm2-encrypt pkgdesc = mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile - pkgver = 1.3.0 + pkgver = 1.4.0 pkgrel = 1 url = https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/ arch = any license = GPL3 depends = mkinitcpio - depends = tpm2-tools + depends = tpm2-tools>=4.0 source = install_tpm2 source = hook_tpm2 source = README.md sha256sums = cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae - sha256sums = 6886463391529bd42d391cbaa4b202535c44302c6971597dcfbd9371844c3638 - sha256sums = 2342a3330b08cf4825c33bc4c26358ee6ef15bfddd9ce517b02a9538dab381a3 + sha256sums = 2dcdcfd37ab3ba23d30e0a6bd2c5ae8f93f0e64b8d410ab6a21333bca8392cce + sha256sums = 987bab4e47e2df53a25aaec5779b82f79bcfcb61282b7060443e726f335a6f9d pkgname = mkinitcpio-tpm2-encrypt @@ -1,19 +1,19 @@ -# Maintainer: Corey Hinshaw <coreyhinshaw(at)gmail(dot)com> +# Maintainer: Corey Hinshaw <corey(at)electrickite(dot)org> pkgname=mkinitcpio-tpm2-encrypt -pkgver=1.3.0 +pkgver=1.4.0 pkgrel=1 pkgdesc="mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile" url="https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/" arch=(any) license=('GPL3') -depends=('mkinitcpio' 'tpm2-tools') +depends=('mkinitcpio' 'tpm2-tools>=4.0') source=('install_tpm2' 'hook_tpm2' 'README.md') sha256sums=('cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae' - '6886463391529bd42d391cbaa4b202535c44302c6971597dcfbd9371844c3638' - '2342a3330b08cf4825c33bc4c26358ee6ef15bfddd9ce517b02a9538dab381a3') + '2dcdcfd37ab3ba23d30e0a6bd2c5ae8f93f0e64b8d410ab6a21333bca8392cce' + '63c62e0ac9cd1bfc8c7f08b8807b6e8a0bd874c24c7337acab737f40242e594f') package() { install -Dm644 install_tpm2 "${pkgdir}/usr/lib/initcpio/install/tpm2" diff --git a/README.md b/README.md index f04da323eea7..2c54834a43bc 100644 --- a/README.md +++ b/README.md 
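Review bot: The third `sha256sums` entry (README.md) does not agree between the two hunks: the .SRCINFO hunk adds `987bab4e…335a6f9d` while the PKGBUILD hunk adds `63c62e0a…242e594f`, although the install_tpm2 and hook_tpm2 entries match in both. .SRCINFO is normally generated from PKGBUILD, so one of the two was produced from a different README.md revision; whichever one is stale will either make `makepkg` fail its integrity check or misreport the package's source checksums on the AUR. Check the PKGBUILD value against the committed file with `sha256sum README.md`, then regenerate the metadata with `makepkg --printsrcinfo > .SRCINFO` so the two files are derived from the same PKGBUILD.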
@@ -13,8 +13,8 @@ kernel at boot or may be stored in TPM non-volatile memory (NVRAM). For example, assuming your unencrypted keyfile is at `/root/mykey` and a primary TPM key has been persisted to `0x81000001`: - # tpm2_createpolicy -P -L sha1:0,2,4,7 -f pcr.pol - # tpm2_create -H 0x81000001 -g sha256 -G keyedhash -A 0x492 -I /root/mykey \ + # tpm2_createpolicy --policy-pcr -l sha1:0,2,4,7 -L pcr.pol + # tpm2_create -C 0x81000001 -g sha256 -G keyedhash -a 0x492 -i /root/mykey \ -L pcr.pol -r /boot/mykey.priv -u /boot/mykey.pub After generating a TPM-sealed key, both `tpmkey` and `tpmpcr` should be specified @@ -68,6 +68,12 @@ NVRAM. tpmprompt=1 +In recent kernel versions, some systems may not generate enough entropy early in +the boot process to utilize the TPM. There are several possible solutions to +this problem. On x86_64 systems, the following kernel parameter may help: + + random.trust_cpu=on + You may also need to add the `vfat` file system driver to the `MODULES` array: MODULES=(vfat) diff --git a/hook_tpm2 b/hook_tpm2 index e2dfd0c578ce..e06ea4bc20b5 100644 --- a/hook_tpm2 +++ b/hook_tpm2 @@ -3,7 +3,7 @@ run_hook() { local ckeyfile tpmkeypub tpmkeypriv tpmkeyparent tpmkeyindex tpmkeyoffset tpmkeysize local tkdev tkarg1 tkarg2 tkarg3 resolved extendargs pcrbanklist pcrextendnum pcrextendalg - local tpmload parentkey pcrbank unseal unsealout tpmok noop + local tpmload pcrbank unseal unsealout tpmok noop # This file will be loaded by the encrypt hook ckeyfile="/crypto_keyfile.bin" @@ -15,8 +15,6 @@ run_hook() { # TPM device [ -z $tpmdev ] && tpmdev="/dev/tpmrm0" export TPM2TOOLS_TCTI="device:${tpmdev}" - export TPM2TOOLS_TCTI_NAME="device" - export TPM2TOOLS_DEVICE_FILE="$tpmdev" # Parse tpmkey command line argument if [ -n "$tpmkey" ]; then 
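Review bot: `[ -z $tpmdev ]` on the second context line of the `@@ -15,8 +15,6 @@` hunk leaves the expansion unquoted, so a `tpmdev=` kernel-parameter value containing whitespace is word-split before the test, and the unset case only passes because the one-argument form of `[` treats the literal `-z` as a non-empty string. Since this line now decides the value fed into `TPM2TOOLS_TCTI`, which the commit is otherwise reworking for tpm2-tools 4, it should be `[ -z "$tpmdev" ] && tpmdev="/dev/tpmrm0"`. run_hook continues on both sides of the hunk.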
@@ -102,23 +100,18 @@ EOF if [ -z "$tpmkeyindex" ]; then if [ -n "$tpmprompt" ]; then echo - read -s -p "Enter TPM object password: " parentkey - echo - fi - - if [ -n "$parentkey" ]; then - tpm2_load -Q -H "$tpmkeyparent" -P "$parentkey" -r "$tpmkeypriv" -u "$tpmkeypub" -C /tpmobject.ctx >/dev/null 2>&1 + tpm2_load -Q -C "$tpmkeyparent" -P file:- -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx 2>/dev/null tpmload=$? - parentkey="" + echo else - tpm2_load -Q -H "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -C /tpmobject.ctx >/dev/null 2>&1 + tpm2_load -Q -C "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx >/dev/null 2>&1 tpmload=$? fi fi # Format nvram arguments - [ -n "$tpmkeyoffset" ] && tpmkeyoffset="-o ${tpmkeyoffset}" - [ -n "$tpmkeysize" ] && tpmkeysize="-s ${tpmkeysize}" + [ -n "$tpmkeyoffset" ] && tpmkeyoffset="--offset=${tpmkeyoffset}" + [ -n "$tpmkeysize" ] && tpmkeysize="--size=${tpmkeysize}" # Attempt to decrypt key with each PCR bank specified unseal=1 @@ -126,10 +119,10 @@ EOF IFS="|" for pcrbank in $pcrbanklist; do if [ -n "$tpmkeyindex" ]; then - unsealout=$(tpm2_nvread -Q -x "$tpmkeyindex" -a "$tpmkeyindex" $tpmkeyoffset $tpmkeysize -L "$pcrbank" -f $ckeyfile 2>&1) + unsealout=$(tpm2_nvread -Q $tpmkeyoffset $tpmkeysize -P "pcr:${pcrbank}" -o $ckeyfile "$tpmkeyindex" 2>&1) unseal=$? else - unsealout=$(tpm2_unseal -Q -c /tpmobject.ctx -L "$pcrbank" -o "$ckeyfile" 2>&1) + unsealout=$(tpm2_unseal -Q -c /tpmobject.ctx -p "pcr:${pcrbank}" -o "$ckeyfile" 2>&1) unseal=$? fi if [ $unseal -eq 0 ]; then break; fi @@ -143,7 +136,7 @@ EOF tpmok=1 elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then err "TPM communication error" - elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then + elif echo "$unsealout" | grep -sqiE 'ERROR.*0x99D'; then echo echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!" echo "This is an indication that the boot configuration has been altered since" |
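Review bot: In the `tpmprompt` branch of the `@@ -102,23 +100,18 @@` hunk, the new `tpm2_load … -P file:- … 2>/dev/null` reads the object password from stdin but nothing prompts for it and nothing disables terminal echo, so the user sees only a blank line and, unless the console has echo turned off elsewhere, the password is displayed as it is typed; the removed `read -s -p` line provided both and its loss is not replaced. Moving the secret off the argv is a real improvement over the old `-P "$parentkey"`, so keep `file:-` but feed it from a `read -s` of the console through a pipe, and clear the variable afterwards as the old code did; that needs `parentkey` restored to the `local` list that the `@@ -3,7 +3,7 @@` hunk drops. I am assuming `printf` is a builtin in the initramfs shell, as `read -s` evidently was, so the value never appears in a process argument list. run_hook continues on both sides of the hunk.

```shell
    if [ -n "$tpmprompt" ]; then
      echo
      read -r -s -p "Enter TPM object password: " parentkey
      # printf is expected to be a shell builtin here (confirm), so the
      # secret is handed to tpm2_load on stdin and never appears in an argv
      printf '%s' "$parentkey" | tpm2_load -Q -C "$tpmkeyparent" -P file:- -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx 2>/dev/null
      tpmload=$?
      parentkey=""
      echo
    # … unchanged: else branch (tpm2_load without -P) …
```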
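Review bot: The pattern change on the `elif` line of the `@@ -143,7 +136,7 @@` hunk has no effect, because `grep -sqiE` already matches case-insensitively, so `'Error.*0x99d'` and `'ERROR.*0x99D'` select exactly the same output. If the rewrite is meant to record the message form that tpm2-tools 4 prints, a comment above the line such as `# tpm2-tools 4 reports a failed PCR policy check as "ERROR ... 0x99D"` conveys that, whereas the case change alone reads as if it mattered. The `if`/`elif` chain this line belongs to starts and ends outside the hunk.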