authorCorey Hinshaw2018-10-07 23:45:11 -0400
committerCorey Hinshaw2018-10-07 23:45:11 -0400
commit1828f7ab7edddea75345fbe4a78942cefecd8325 (patch)
treea7e1a82198641d776c78b2704224ddfa10a107fc
parent34646d61c9a0ea7335429f48bc42f18db0025849 (diff)
downloadaur-1828f7ab7edddea75345fbe4a78942cefecd8325.tar.gz
Add option to extend PCR after unseal
-rw-r--r--.SRCINFO8
-rw-r--r--PKGBUILD8
-rw-r--r--README.md20
-rw-r--r--hook_tpm243
-rw-r--r--install_tpm216
5 files changed, 77 insertions, 18 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 8da3d73e1558..ea984aa1a56c 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = mkinitcpio-tpm2-encrypt
pkgdesc = mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile
- pkgver = 1.0
+ pkgver = 1.1
pkgrel = 1
url = https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/
arch = any
@@ -10,9 +10,9 @@ pkgbase = mkinitcpio-tpm2-encrypt
source = install_tpm2
source = hook_tpm2
source = README.md
- sha256sums = 43139f076c03ca147d8bf368b98bdd6b237ab927e53194feb944f58e38914901
- sha256sums = f1cd4ec3197ec4843265e0d61518f641a0dbd650c42cf0399cace0076163fc7c
- sha256sums = 11585844eb33ce997e55087dbec0610693bd79e3b1ffb02c9818214ce401a9fb
+ sha256sums = baf4e8d7a5385bdc5dda1a4b8148da510c35d632f27470951ab84c8c82b2e554
+ sha256sums = e1b8e49d6b55921762e707eedef003bb81f201e05895dfc70103aa4528714915
+ sha256sums = 153e368c88f6ad45befc6593c7b00995f1656674149d8ec55659ebd6a91a1a51
pkgname = mkinitcpio-tpm2-encrypt
diff --git a/PKGBUILD b/PKGBUILD
index d535ab895fd4..0120aa6dc27c 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
# Maintainer: Corey Hinshaw <coreyhinshaw(at)gmail(dot)com>
pkgname=mkinitcpio-tpm2-encrypt
-pkgver=1.0
+pkgver=1.1
pkgrel=1
pkgdesc="mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile"
url="https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/"
@@ -11,9 +11,9 @@ depends=('mkinitcpio' 'tpm2-tools')
source=('install_tpm2'
'hook_tpm2'
'README.md')
-sha256sums=('43139f076c03ca147d8bf368b98bdd6b237ab927e53194feb944f58e38914901'
- 'f1cd4ec3197ec4843265e0d61518f641a0dbd650c42cf0399cace0076163fc7c'
- '11585844eb33ce997e55087dbec0610693bd79e3b1ffb02c9818214ce401a9fb')
+sha256sums=('baf4e8d7a5385bdc5dda1a4b8148da510c35d632f27470951ab84c8c82b2e554'
+ 'e1b8e49d6b55921762e707eedef003bb81f201e05895dfc70103aa4528714915'
+ '153e368c88f6ad45befc6593c7b00995f1656674149d8ec55659ebd6a91a1a51')
package() {
install -Dm644 install_tpm2 "${pkgdir}/usr/lib/initcpio/install/tpm2"
diff --git a/README.md b/README.md
index 5ad0e35d54e4..e42a6c5999ac 100644
--- a/README.md
+++ b/README.md
@@ -42,8 +42,24 @@ this case `[index]` is the NVRAM area index, `[offset]` is the offset of the key
in bytes and `[size]` is the size of the key in bytes.
The `tpmpcr` parameter should hold the TPM2 PCR bank specification that will
-unlock the sealed key. Multiple specs can be separated by a '|' and key
-decryption will be attempted with each set of banks.
+unlock the sealed key.
+
+ tpmpcr=sha1:0,2,7
+
+Multiple specs can be separated by a '|' and key decryption will be attempted
+with each set of banks.
+
+ tpmpcr=sha1:0,2,4,7|sha1:0,2,7
+
+Instead of a bank specification, the first item in the `tpmpcr` parameter may be
+used to indicate a PCR to extend _after_ the key has been unsealed.
+
+ extend:[pcrnum]:[alg]
+
+Where `[pcrnum]` is the PCR number to extend and `[alg]` is the bank algorithm.
+For example, to extend PCR 8 in the sha1 bank:
+
+ tpmpcr=extend:8:sha1|sha1:0,2,7
You may also need to add the `vfat` file system driver to the `MODULES` array:
diff --git a/hook_tpm2 b/hook_tpm2
index a4c6b8f1d3a1..d19eb5e7e3bd 100644
--- a/hook_tpm2
+++ b/hook_tpm2
@@ -2,8 +2,8 @@
run_hook() {
local ckeyfile tpmkeypub tpmkeypriv tpmkeyparent tpmkeyindex tpmkeyoffset tpmkeysize
- local tkdev tkarg1 tkarg2 tkarg3 resolved
- local tpmload pcrbank unseal unsealout tpmok
+ local tkdev tkarg1 tkarg2 tkarg3 resolved extendargs pcrbanklist pcrextendnum pcrextendalg
+ local tpmload pcrbank unseal unsealout tpmok noop
# This file will be loaded by the encrypt hook
ckeyfile="/crypto_keyfile.bin"
@@ -70,12 +70,30 @@ EOF
fi
fi
+ # Parse the tpmpcr variable
+ if [ -n "$tpmpcr" ]; then
+ case "$tpmpcr" in
+ extend*)
+ IFS="|" read extendargs pcrbanklist <<EOF
+$tpmpcr
+EOF
+ IFS=: read noop pcrextendnum pcrextendalg <<EOF
+$extendargs
+EOF
+ unset IFS
+ ;;
+ *)
+ pcrbanklist="$tpmpcr"
+ ;;
+ esac
+ fi
+
# We must have a PCR list to retrieve a key
- [ -n "$tpmkey" ] && [ -z "$tpmpcr" ] && err "TPM PCR bank not specified"
+ [ -n "$tpmkey" ] && [ -z "$pcrbanklist" ] && err "TPM PCR bank not specified"
# If we have a key and PCR list, decrypt it
- if [ -n "$tpmpcr" -a -n "$tpmkeyindex" ] || [ -n "$tpmpcr" -a -f "$tpmkeypub" -a -f "$tpmkeypriv" ]; then
+ if [ -n "$pcrbanklist" -a -n "$tpmkeyindex" ] || [ -n "$pcrbanklist" -a -f "$tpmkeypub" -a -f "$tpmkeypriv" ]; then
# Load key object if stored on disk
tpmload=0
if [ -z "$tpmkeyindex" ]; then
@@ -91,7 +109,7 @@ EOF
unseal=1
if [ $tpmload -eq 0 ]; then
IFS="|"
- for pcrbank in $tpmpcr; do
+ for pcrbank in $pcrbanklist; do
if [ -n "$tpmkeyindex" ]; then
unsealout=$(tpm2_nvread -Q -x "$tpmkeyindex" -a "$tpmkeyindex" $tpmkeyoffset $tpmkeysize -L "$pcrbank" -f $ckeyfile -T "device:${tpmdev}" 2>&1)
unseal=$?
@@ -133,6 +151,21 @@ EOF
fi
fi
+ # Extend specified PCR
+ if [ -n "$pcrextendnum" ] && [ -n "$pcrextendalg" ]; then
+ case "$pcrextendalg" in
+ sha1|sha224|sha256|sha384|sha512)
+ tpm2_pcrextend -T "device:${tpmdev}" ${pcrextendnum}:${pcrextendalg}=$("${pcrextendalg}sum" /hooks/tpm2 2>/dev/null | cut -f1 -d' ') 2>&1 >/dev/null
+ if [ $? -ne 0 ]; then
+ err "Could not extend TPM PCR"
+ fi
+ ;;
+ *)
+ err "Hash algorithm not supported for PCR extend"
+ ;;
+ esac
+ fi
+
# Cleanup
rm -f /tpmobject.ctx "$tpmkeypub" "$tpmkeypriv"
}
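Review bot: The new extend step fails open: `err` is non-fatal in this hook (the earlier `err "TPM PCR bank not specified"` is followed by further logic), so when `"${pcrextendalg}sum" /hooks/tpm2` yields nothing (the `2>/dev/null` hides why, and an empty digest after `=` will make `tpm2_pcrextend` reject the argument) or the extend itself fails, boot proceeds with the unsealed `$ckeyfile` in place and the PCR state still satisfying the sealing policy, which is exactly what this option is meant to prevent. I would compute the digest into a variable, refuse an empty one, and on any failure remove `$ckeyfile` so the encrypt hook falls back to a passphrase instead of carrying on; `pcrextendval` then needs adding to the `local` list in the first hunk. `pcrextendnum` is also passed through unvalidated, unlike `pcrextendalg`; a guard such as `case "$pcrextendnum" in ''|*[!0-9]*) err "Invalid PCR number for extend" ;; esac` is cheap. Whether dropping the keyfile is too aggressive for this project's users is a judgement call, but at minimum the failure should be visible and the digest checked before it is handed to the TPM.
```shell
  # Extend specified PCR so the unseal policy no longer matches once the key is out
  if [ -n "$pcrextendnum" ] && [ -n "$pcrextendalg" ]; then
    case "$pcrextendalg" in
      sha1|sha224|sha256|sha384|sha512)
        pcrextendval=$("${pcrextendalg}sum" /hooks/tpm2 2>/dev/null | cut -f1 -d' ')
        if [ -z "$pcrextendval" ] || ! tpm2_pcrextend -T "device:${tpmdev}" "${pcrextendnum}:${pcrextendalg}=${pcrextendval}" >/dev/null; then
          # Fail closed: without the extend the sealed key is still recoverable, so
          # do not leave the plaintext keyfile behind for the encrypt hook
          rm -f "$ckeyfile"
          err "Could not extend TPM PCR"
        fi
        ;;
      # … unchanged: unsupported-algorithm branch …
    esac
  fi
```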
diff --git a/install_tpm2 b/install_tpm2
index 5a153515d252..8d7d52c8541b 100644
--- a/install_tpm2
+++ b/install_tpm2
@@ -4,9 +4,16 @@ build() {
add_module "tpm_tis"
add_module "tpm_crb"
- add_binary "/usr/bin/tpm2_unseal" "/usr/bin/tpm2_unseal"
- add_binary "/usr/bin/tpm2_load" "/usr/bin/tpm2_load"
- add_binary "/usr/bin/tpm2_nvread" "/usr/bin/tpm2_nvread"
+ add_binary "/usr/bin/tpm2_unseal"
+ add_binary "/usr/bin/tpm2_load"
+ add_binary "/usr/bin/tpm2_nvread"
+ add_binary "/usr/bin/tpm2_pcrextend"
+ add_binary "/usr/bin/sha1sum"
+ add_binary "/usr/bin/sha224sum"
+ add_binary "/usr/bin/sha256sum"
+ add_binary "/usr/bin/sha384sum"
+ add_binary "/usr/bin/sha512sum"
+
add_binary "/usr/lib/libtss2-tcti-device.so.0"
add_runscript
@@ -41,6 +48,9 @@ the key in bytes and [size] is the size of the key in bytes.
'tpmpcr' should hold the TPM2 PCR bank specification that will unlock the
sealed key. Multiple specs can be separated by a '|' and key decryption
will be attempted with each set of banks.
+
+The first PCR bank spec may be used to indicate a PCR to extend after
+unsealing the key.
HELPEOF
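Review bot: The added help text tells the user an extend is possible but not how to write it, so anyone reading `mkinitcpio -H tpm2` has to find the README to learn the `extend:[pcrnum]:[alg]` form. I would replace the two new lines with something like `To extend a PCR after the key is unsealed, make the first item 'extend:[pcrnum]:[alg]', e.g. tpmpcr=extend:8:sha1|sha1:0,2,7 extends PCR 8 in the sha1 bank.` It is also worth stating the intent — that the extend changes the PCR so the sealed key can no longer be unsealed later in the boot — since that is why a user would turn it on. The help heredoc begins outside this hunk.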
}