author | Corey Hinshaw | 2018-10-07 23:45:11 -0400 |
---|---|---|
committer | Corey Hinshaw | 2018-10-07 23:45:11 -0400 |
commit | 1828f7ab7edddea75345fbe4a78942cefecd8325 (patch) | |
tree | a7e1a82198641d776c78b2704224ddfa10a107fc | |
parent | 34646d61c9a0ea7335429f48bc42f18db0025849 (diff) | |
download | aur-1828f7ab7edddea75345fbe4a78942cefecd8325.tar.gz |
Add option to extend PCR after unseal
-rw-r--r-- | .SRCINFO | 8 | ||||
-rw-r--r-- | PKGBUILD | 8 | ||||
-rw-r--r-- | README.md | 20 | ||||
-rw-r--r-- | hook_tpm2 | 43 | ||||
-rw-r--r-- | install_tpm2 | 16 |
5 files changed, 77 insertions, 18 deletions
@@ -1,6 +1,6 @@
 pkgbase = mkinitcpio-tpm2-encrypt
 pkgdesc = mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile
- pkgver = 1.0
+ pkgver = 1.1
 pkgrel = 1
 url = https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/
 arch = any
@@ -10,9 +10,9 @@ pkgbase = mkinitcpio-tpm2-encrypt
 source = install_tpm2
 source = hook_tpm2
 source = README.md
- sha256sums = 43139f076c03ca147d8bf368b98bdd6b237ab927e53194feb944f58e38914901
- sha256sums = f1cd4ec3197ec4843265e0d61518f641a0dbd650c42cf0399cace0076163fc7c
- sha256sums = 11585844eb33ce997e55087dbec0610693bd79e3b1ffb02c9818214ce401a9fb
+ sha256sums = baf4e8d7a5385bdc5dda1a4b8148da510c35d632f27470951ab84c8c82b2e554
+ sha256sums = e1b8e49d6b55921762e707eedef003bb81f201e05895dfc70103aa4528714915
+ sha256sums = 153e368c88f6ad45befc6593c7b00995f1656674149d8ec55659ebd6a91a1a51
 pkgname = mkinitcpio-tpm2-encrypt
@@ -1,7 +1,7 @@
 # Maintainer: Corey Hinshaw <coreyhinshaw(at)gmail(dot)com>
 pkgname=mkinitcpio-tpm2-encrypt
-pkgver=1.0
+pkgver=1.1
 pkgrel=1
 pkgdesc="mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile"
 url="https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/"
@@ -11,9 +11,9 @@ depends=('mkinitcpio' 'tpm2-tools')
 source=('install_tpm2' 'hook_tpm2' 'README.md')
-sha256sums=('43139f076c03ca147d8bf368b98bdd6b237ab927e53194feb944f58e38914901'
- 'f1cd4ec3197ec4843265e0d61518f641a0dbd650c42cf0399cace0076163fc7c'
- '11585844eb33ce997e55087dbec0610693bd79e3b1ffb02c9818214ce401a9fb')
+sha256sums=('baf4e8d7a5385bdc5dda1a4b8148da510c35d632f27470951ab84c8c82b2e554'
+ 'e1b8e49d6b55921762e707eedef003bb81f201e05895dfc70103aa4528714915'
+ '153e368c88f6ad45befc6593c7b00995f1656674149d8ec55659ebd6a91a1a51')
 package() {
 install -Dm644 install_tpm2 "${pkgdir}/usr/lib/initcpio/install/tpm2"
diff --git a/README.md b/README.md
index 5ad0e35d54e4..e42a6c5999ac 100644
--- a/README.md
+++ b/README.md
@@ -42,8 +42,24 @@ this case `[index]` is the NVRAM area index, `[offset]` is the offset of the key in bytes and `[size]` is the size of the key in bytes.
 The `tpmpcr` parameter should hold the TPM2 PCR bank specification that will
-unlock the sealed key. Multiple specs can be separated by a '|' and key
-decryption will be attempted with each set of banks.
+unlock the sealed key.
+
+ tpmpcr=sha1:0,2,7
+
+Multiple specs can be separated by a '|' and key decryption will be attempted
+with each set of banks.
+
+ tpmpcr=sha1:0,2,4,7|sha1:0,2,7
+
+Instead of a bank specification, the first item in the `tpmpcr` parameter may be
+used to indicate a PCR to extend _after_ the key has been unsealed.
+
+ extend:[pcrnum]:[alg]
+
+Where `[pcrnum]` is the PCR number to extend and `[alg]` is the bank algorithm.
+For example, to extend PCR 8 in the sha1 bank:
+
+ tpmpcr=extend:8:sha1|sha1:0,2,7
 You may also need to add the `vfat` file system driver to the `MODULES` array:
diff --git a/hook_tpm2 b/hook_tpm2
index a4c6b8f1d3a1..d19eb5e7e3bd 100644
--- a/hook_tpm2
+++ b/hook_tpm2
@@ -2,8 +2,8 @@ run_hook() {
 local ckeyfile tpmkeypub tpmkeypriv tpmkeyparent tpmkeyindex tpmkeyoffset tpmkeysize
- local tkdev tkarg1 tkarg2 tkarg3 resolved
- local tpmload pcrbank unseal unsealout tpmok
+ local tkdev tkarg1 tkarg2 tkarg3 resolved extendargs pcrbanklist pcrextendnum pcrextendalg
+ local tpmload pcrbank unseal unsealout tpmok noop
 # This file will be loaded by the encrypt hook
 ckeyfile="/crypto_keyfile.bin"
@@ -70,12 +70,30 @@ EOF
 fi
 fi
+ # Parse the tpmpcr variable
+ if [ -n "$tpmpcr" ]; then
+ case "$tpmpcr" in
+ extend*)
+ IFS="|" read extendargs pcrbanklist <<EOF
+$tpmpcr
+EOF
+ IFS=: read noop pcrextendnum pcrextendalg <<EOF
+$extendargs
+EOF
+ unset IFS
+ ;;
+ *)
+ pcrbanklist="$tpmpcr"
+ ;;
+ esac
+ fi
+
 # We must have a PCR list to retrieve a key
- [ -n "$tpmkey" ] && [ -z "$tpmpcr" ] && err "TPM PCR bank not specified"
+ [ -n "$tpmkey" ] && [ -z "$pcrbanklist" ] && err "TPM PCR bank not specified"
 # If we have a key and PCR list, decrypt it
- if [ -n "$tpmpcr" -a -n "$tpmkeyindex" ] || [ -n "$tpmpcr" -a -f "$tpmkeypub" -a -f "$tpmkeypriv" ]; then
+ if [ -n "$pcrbanklist" -a -n "$tpmkeyindex" ] || [ -n "$pcrbanklist" -a -f "$tpmkeypub" -a -f "$tpmkeypriv" ]; then
 # Load key object if stored on disk
 tpmload=0
 if [ -z "$tpmkeyindex" ]; then
@@ -91,7 +109,7 @@ EOF
 unseal=1
 if [ $tpmload -eq 0 ]; then
 IFS="|"
- for pcrbank in $tpmpcr; do
+ for pcrbank in $pcrbanklist; do
 if [ -n "$tpmkeyindex" ]; then
 unsealout=$(tpm2_nvread -Q -x "$tpmkeyindex" -a "$tpmkeyindex" $tpmkeyoffset $tpmkeysize -L "$pcrbank" -f $ckeyfile -T "device:${tpmdev}" 2>&1)
 unseal=$?
@@ -133,6 +151,21 @@ EOF
 fi
 fi
+ # Extend specified PCR
+ if [ -n "$pcrextendnum" ] && [ -n "$pcrextendalg" ]; then
+ case "$pcrextendalg" in
+ sha1|sha224|sha256|sha384|sha512)
+ tpm2_pcrextend -T "device:${tpmdev}" ${pcrextendnum}:${pcrextendalg}=$("${pcrextendalg}sum" /hooks/tpm2 2>/dev/null | cut -f1 -d' ') 2>&1 >/dev/null
+ if [ $? -ne 0 ]; then
+ err "Could not extend TPM PCR"
+ fi
+ ;;
+ *)
+ err "Hash algorithm not supported for PCR extend"
+ ;;
+ esac
+ fi
+
 # Cleanup
 rm -f /tpmobject.ctx "$tpmkeypub" "$tpmkeypriv"
 }
diff --git a/install_tpm2 b/install_tpm2
index 5a153515d252..8d7d52c8541b 100644
--- a/install_tpm2
+++ b/install_tpm2
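Review bot: `pcrextendnum`, read from the `extend:` item of the kernel command line by the `IFS=: read` in the new parsing block, is never validated, whereas `pcrextendalg` is whitelisted in the last hunk of this file; since the number is later expanded unquoted into the `tpm2_pcrextend` argument, a malformed value only surfaces as an opaque tool failure far from its source. A check at the parse site keeps the diagnosis next to the input: `case "$pcrextendnum" in ''|*[!0-9]*) err "Invalid PCR number for extend"; pcrextendnum="" ;; esac`, where the reset makes the extend block skip the bad value (this assumes `err`, defined outside this file, does not itself abort). The `extend*)` pattern also accepts any value that merely begins with that word; `extend:*)` states the documented syntax exactly. run_hook begins and ends outside this hunk.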
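Review bot: On the `tpm2_pcrextend` line, `2>&1 >/dev/null` discards only the tool's stdout and routes its stderr to the hook's stdout; if the intent was to silence the command and rely on the following `err "Could not extend TPM PCR"`, the order has to be `>/dev/null 2>&1`, and if its diagnostics are wanted, capturing them the way the unseal loop in the previous hunk does (`out=$(... 2>&1)`) and including them in the `err` text is clearer than writing them to the console. The block also lacks a comment on what the extend is for, and nothing in the file states it; something hedged such as `# Extend the PCR so the measured state no longer matches the policy that unsealed the key for the rest of this boot (presumed intent — confirm)` would help the next reader. Note that a failed extend only reaches `err` and then falls through to the cleanup below, so if `err` does not abort, the boot proceeds with the PCR unchanged and the sealing policy still satisfiable on the running system — whether that is acceptable deserves an explicit decision in the code. run_hook's opening is outside this hunk.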
@@ -4,9 +4,16 @@ build() {
 add_module "tpm_tis"
 add_module "tpm_crb"
- add_binary "/usr/bin/tpm2_unseal" "/usr/bin/tpm2_unseal"
- add_binary "/usr/bin/tpm2_load" "/usr/bin/tpm2_load"
- add_binary "/usr/bin/tpm2_nvread" "/usr/bin/tpm2_nvread"
+ add_binary "/usr/bin/tpm2_unseal"
+ add_binary "/usr/bin/tpm2_load"
+ add_binary "/usr/bin/tpm2_nvread"
+ add_binary "/usr/bin/tpm2_pcrextend"
+ add_binary "/usr/bin/sha1sum"
+ add_binary "/usr/bin/sha224sum"
+ add_binary "/usr/bin/sha256sum"
+ add_binary "/usr/bin/sha384sum"
+ add_binary "/usr/bin/sha512sum"
+ add_binary "/usr/lib/libtss2-tcti-device.so.0"
 add_runscript
@@ -41,6 +48,9 @@ the key in bytes and [size] is the size of the key in bytes.
 'tpmpcr' should hold the TPM2 PCR bank specification that will unlock the sealed key. Multiple specs can be separated by a '|' and key decryption will be attempted with each set of banks.
+
+The first PCR bank spec may be used to indicate a PCR to extend after
+unsealing the key.
 HELPEOF
 }
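Review bot: The new `add_binary "/usr/lib/libtss2-tcti-device.so.0"` line is the one shared library added by hand among the executables in build(), and nothing records why it cannot be left to add_binary's own dependency handling; a comment such as `# TCTI backend for -T device:, presumably loaded at runtime by tpm2-tools rather than linked — confirm` would keep a later cleanup from dropping it. Pinning the `.so.0` file name also means a soname change in the providing package would silently leave the initramfs without the backend, which is worth a word in the same comment. build() continues outside this hunk.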