authorCorey Hinshaw2019-09-17 23:50:41 -0400
committerCorey Hinshaw2019-09-17 23:50:41 -0400
commit07bacb2ba769c65557b86244ea95c73571045503 (patch)
tree22265567b997c79822b55c38823aa3ff0ce5c13a
parent3fc6382d3004b012e873f682d4b3e92efdcff41d (diff)
Update to support tpm2-tools 4
-rw-r--r--.SRCINFO8
-rw-r--r--PKGBUILD10
-rw-r--r--README.md10
-rw-r--r--hook_tpm225
4 files changed, 26 insertions, 27 deletions
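--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,18 +1,18 @@
 pkgbase = mkinitcpio-tpm2-encrypt
 pkgdesc = mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile
- pkgver = 1.3.0
+ pkgver = 1.4.0
 pkgrel = 1
 url = https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/
 arch = any
 license = GPL3
 depends = mkinitcpio
- depends = tpm2-tools
+ depends = tpm2-tools>=4.0
 source = install_tpm2
 source = hook_tpm2
 source = README.md
 sha256sums = cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae
- sha256sums = 6886463391529bd42d391cbaa4b202535c44302c6971597dcfbd9371844c3638
- sha256sums = 2342a3330b08cf4825c33bc4c26358ee6ef15bfddd9ce517b02a9538dab381a3
+ sha256sums = 2dcdcfd37ab3ba23d30e0a6bd2c5ae8f93f0e64b8d410ab6a21333bca8392cce
+ sha256sums = 987bab4e47e2df53a25aaec5779b82f79bcfcb61282b7060443e726f335a6f9d
 pkgname = mkinitcpio-tpm2-encrypt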
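--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,19 +1,19 @@
-# Maintainer: Corey Hinshaw <coreyhinshaw(at)gmail(dot)com>
+# Maintainer: Corey Hinshaw <corey(at)electrickite(dot)org>
 pkgname=mkinitcpio-tpm2-encrypt
-pkgver=1.3.0
+pkgver=1.4.0
 pkgrel=1
 pkgdesc="mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile"
 url="https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/"
 arch=(any)
 license=('GPL3')
-depends=('mkinitcpio' 'tpm2-tools')
+depends=('mkinitcpio' 'tpm2-tools>=4.0')
 source=('install_tpm2'
 'hook_tpm2'
 'README.md')
 sha256sums=('cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae'
- '6886463391529bd42d391cbaa4b202535c44302c6971597dcfbd9371844c3638'
- '2342a3330b08cf4825c33bc4c26358ee6ef15bfddd9ce517b02a9538dab381a3')
+ '2dcdcfd37ab3ba23d30e0a6bd2c5ae8f93f0e64b8d410ab6a21333bca8392cce'
+ '63c62e0ac9cd1bfc8c7f08b8807b6e8a0bd874c24c7337acab737f40242e594f')
 package() {
 install -Dm644 install_tpm2 "${pkgdir}/usr/lib/initcpio/install/tpm2"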
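Review bot: The third `sha256sums` entry here (`63c62e0ac9cd…`, the README.md checksum) disagrees with the one recorded in the .SRCINFO hunk of this same commit (`987bab4e47e2…`), while the install_tpm2 and hook_tpm2 hashes agree, so one of the two files was generated against a different README.md. Since .SRCINFO is derived from PKGBUILD, check which hash matches the README.md actually in the tree, fix PKGBUILD if needed, and regenerate with `makepkg --printsrcinfo > .SRCINFO` so AUR helpers and makepkg verify the same bytes. The `package()` function that begins at the end of this hunk continues outside it.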
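--- a/README.md
+++ b/README.md
@@ -13,8 +13,8 @@ kernel at boot or may be stored in TPM non-volatile memory (NVRAM). For example,
 assuming your unencrypted keyfile is at `/root/mykey` and a primary TPM key has
 been persisted to `0x81000001`:
- # tpm2_createpolicy -P -L sha1:0,2,4,7 -f pcr.pol
- # tpm2_create -H 0x81000001 -g sha256 -G keyedhash -A 0x492 -I /root/mykey \
+ # tpm2_createpolicy --policy-pcr -l sha1:0,2,4,7 -L pcr.pol
+ # tpm2_create -C 0x81000001 -g sha256 -G keyedhash -a 0x492 -i /root/mykey \
 -L pcr.pol -r /boot/mykey.priv -u /boot/mykey.pub
 After generating a TPM-sealed key, both `tpmkey` and `tpmpcr` should be specified
@@ -68,6 +68,12 @@ NVRAM.
 tpmprompt=1
+In recent kernel versions, some systems may not generate enough entropy early in
+the boot process to utilize the TPM. There are several possible solutions to
+this problem. On x86_64 systems, the following kernel parameter may help:
+
+ random.trust_cpu=on
+
 You may also need to add the `vfat` file system driver to the `MODULES` array:
 MODULES=(vfat)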
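--- a/hook_tpm2
+++ b/hook_tpm2
@@ -3,7 +3,7 @@
 run_hook() {
 local ckeyfile tpmkeypub tpmkeypriv tpmkeyparent tpmkeyindex tpmkeyoffset tpmkeysize
 local tkdev tkarg1 tkarg2 tkarg3 resolved extendargs pcrbanklist pcrextendnum pcrextendalg
- local tpmload parentkey pcrbank unseal unsealout tpmok noop
+ local tpmload pcrbank unseal unsealout tpmok noop
 # This file will be loaded by the encrypt hook
 ckeyfile="/crypto_keyfile.bin"
@@ -15,8 +15,6 @@ run_hook() {
 # TPM device
 [ -z $tpmdev ] && tpmdev="/dev/tpmrm0"
 export TPM2TOOLS_TCTI="device:${tpmdev}"
- export TPM2TOOLS_TCTI_NAME="device"
- export TPM2TOOLS_DEVICE_FILE="$tpmdev"
 # Parse tpmkey command line argument
 if [ -n "$tpmkey" ]; then
@@ -102,23 +100,18 @@ EOF
 if [ -z "$tpmkeyindex" ]; then
 if [ -n "$tpmprompt" ]; then
 echo
- read -s -p "Enter TPM object password: " parentkey
- echo
- fi
-
- if [ -n "$parentkey" ]; then
- tpm2_load -Q -H "$tpmkeyparent" -P "$parentkey" -r "$tpmkeypriv" -u "$tpmkeypub" -C /tpmobject.ctx >/dev/null 2>&1
+ tpm2_load -Q -C "$tpmkeyparent" -P file:- -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx 2>/dev/null
 tpmload=$?
- parentkey=""
+ echo
 else
- tpm2_load -Q -H "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -C /tpmobject.ctx >/dev/null 2>&1
+ tpm2_load -Q -C "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx >/dev/null 2>&1
 tpmload=$?
 fi
 fi
 # Format nvram arguments
- [ -n "$tpmkeyoffset" ] && tpmkeyoffset="-o ${tpmkeyoffset}"
- [ -n "$tpmkeysize" ] && tpmkeysize="-s ${tpmkeysize}"
+ [ -n "$tpmkeyoffset" ] && tpmkeyoffset="--offset=${tpmkeyoffset}"
+ [ -n "$tpmkeysize" ] && tpmkeysize="--size=${tpmkeysize}"
 # Attempt to decrypt key with each PCR bank specified
 unseal=1
@@ -126,10 +119,10 @@ EOF
 IFS="|"
 for pcrbank in $pcrbanklist; do
 if [ -n "$tpmkeyindex" ]; then
- unsealout=$(tpm2_nvread -Q -x "$tpmkeyindex" -a "$tpmkeyindex" $tpmkeyoffset $tpmkeysize -L "$pcrbank" -f $ckeyfile 2>&1)
+ unsealout=$(tpm2_nvread -Q $tpmkeyoffset $tpmkeysize -P "pcr:${pcrbank}" -o $ckeyfile "$tpmkeyindex" 2>&1)
 unseal=$?
 else
- unsealout=$(tpm2_unseal -Q -c /tpmobject.ctx -L "$pcrbank" -o "$ckeyfile" 2>&1)
+ unsealout=$(tpm2_unseal -Q -c /tpmobject.ctx -p "pcr:${pcrbank}" -o "$ckeyfile" 2>&1)
 unseal=$?
 fi
 if [ $unseal -eq 0 ]; then break; fi
@@ -143,7 +136,7 @@ EOF
 tpmok=1
 elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
 err "TPM communication error"
- elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
+ elif echo "$unsealout" | grep -sqiE 'ERROR.*0x99D'; then
 echo
 echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
 echo "This is an indication that the boot configuration has been altered since"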
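Review bot: In the `@@ -102,23 +100,18 @@` hunk the prompt branch now lets `tpm2_load -P file:-` read the object password straight from the console, and the dropped `read -s -p "Enter TPM object password: " parentkey` took both the prompt text and the echo suppression with it, so the user now sees only a blank line and, unless tpm2_load disables terminal echo itself, the password as they type it. Taking the secret off argv is the right direction (the old `-P "$parentkey"` was exposed to anything that can list process arguments), and keeping `read -s` while feeding the value through a pipe preserves that gain, restores the prompt, and stops the hook depending on how tpm2_load ends a tty read (it may wait for EOF or keep the trailing newline as part of the auth value; not verified here). That means putting `parentkey` back into the `local` list in the first hunk and clearing it after use, as below. `run_hook` begins and ends outside this hunk.
```shell
if [ -n "$tpmprompt" ]; then
    echo
    read -s -p "Enter TPM object password: " parentkey
    echo
    # Hand the secret to tpm2_load on stdin (-P file:-) so it never appears in argv.
    printf '%s' "$parentkey" | tpm2_load -Q -C "$tpmkeyparent" -P file:- -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx 2>/dev/null
    tpmload=$?
    parentkey=""
# … unchanged: else branch (tpm2_load without auth) and the nvram argument formatting …
```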