author | Corey Hinshaw | 2019-05-01 23:28:37 -0400 |
---|---|---|
committer | Corey Hinshaw | 2019-05-01 23:28:37 -0400 |
commit | 3fc6382d3004b012e873f682d4b3e92efdcff41d (patch) | |
tree | 1a69f928c1939be992e830ae9d72fa42ba7caf6f | |
parent | bd4b0819a58131e263a3f6a1bd4a6145f6feee88 (diff) | |
download | aur-3fc6382d3004b012e873f682d4b3e92efdcff41d.tar.gz |
Add optional parent object password prompt
-rw-r--r-- | .SRCINFO | 8 | ||||
-rw-r--r-- | PKGBUILD | 8 | ||||
-rw-r--r-- | README.md | 11 | ||||
-rw-r--r-- | hook_tpm2 | 22 | ||||
-rw-r--r-- | install_tpm2 | 5 |
5 files changed, 38 insertions, 16 deletions
@@ -1,6 +1,6 @@
 pkgbase = mkinitcpio-tpm2-encrypt
 pkgdesc = mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile
- pkgver = 1.2.3
+ pkgver = 1.3.0
 pkgrel = 1
 url = https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/
 arch = any
@@ -10,9 +10,9 @@ pkgbase = mkinitcpio-tpm2-encrypt
 source = install_tpm2
 source = hook_tpm2
 source = README.md
- sha256sums = baf4e8d7a5385bdc5dda1a4b8148da510c35d632f27470951ab84c8c82b2e554
- sha256sums = b7a27d9a2e645091b42ba430b30e9bba709129bb7fd90763be99f67d73f4bf56
- sha256sums = 153e368c88f6ad45befc6593c7b00995f1656674149d8ec55659ebd6a91a1a51
+ sha256sums = cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae
+ sha256sums = 6886463391529bd42d391cbaa4b202535c44302c6971597dcfbd9371844c3638
+ sha256sums = 2342a3330b08cf4825c33bc4c26358ee6ef15bfddd9ce517b02a9538dab381a3
 pkgname = mkinitcpio-tpm2-encrypt
@@ -1,7 +1,7 @@
 # Maintainer: Corey Hinshaw <coreyhinshaw(at)gmail(dot)com>
 pkgname=mkinitcpio-tpm2-encrypt
-pkgver=1.2.3
+pkgver=1.3.0
 pkgrel=1
 pkgdesc="mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile"
 url="https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/"
@@ -11,9 +11,9 @@ depends=('mkinitcpio' 'tpm2-tools')
 source=('install_tpm2' 'hook_tpm2' 'README.md')
-sha256sums=('baf4e8d7a5385bdc5dda1a4b8148da510c35d632f27470951ab84c8c82b2e554'
- 'b7a27d9a2e645091b42ba430b30e9bba709129bb7fd90763be99f67d73f4bf56'
- '153e368c88f6ad45befc6593c7b00995f1656674149d8ec55659ebd6a91a1a51')
+sha256sums=('cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae' '6886463391529bd42d391cbaa4b202535c44302c6971597dcfbd9371844c3638' '2342a3330b08cf4825c33bc4c26358ee6ef15bfddd9ce517b02a9538dab381a3')
 package() {
 install -Dm644 install_tpm2 "${pkgdir}/usr/lib/initcpio/install/tpm2"
diff --git a/README.md b/README.md
index e42a6c5999ac..f04da323eea7 100644
--- a/README.md
+++ b/README.md
@@ -13,9 +13,9 @@ kernel at boot or may be stored in TPM non-volatile memory (NVRAM).
 For example, assuming your unencrypted keyfile is at `/root/mykey` and a primary TPM key has been persisted to `0x81000001`:
- # tpm2_createpolicy -P -L sha1:0,2,4,7 -f pcr.pol -T device:/dev/tpmrm0
+ # tpm2_createpolicy -P -L sha1:0,2,4,7 -f pcr.pol
 # tpm2_create -H 0x81000001 -g sha256 -G keyedhash -A 0x492 -I /root/mykey \
- -L pcr.pol -r /boot/mykey.priv -u /boot/mykey.pub -T device:/dev/tpmrm0
+ -L pcr.pol -r /boot/mykey.priv -u /boot/mykey.pub
 After generating a TPM-sealed key, both `tpmkey` and `tpmpcr` should be specified on the kernel command line.
@@ -61,6 +61,13 @@ For example, to extend PCR 8 in the sha1 bank:
 tpmpcr=extend:8:sha1|sha1:0,2,7
+If the `tpmprompt` command line parameter is set, the user will be prompted for
+the parent encryption key password during boot. This password will be used while
+loading the sealed key. This option has no effect when the key is stored in
+NVRAM.
+
+ tpmprompt=1
+
 You may also need to add the `vfat` file system driver to the `MODULES` array:
 MODULES=(vfat)
diff --git a/hook_tpm2 b/hook_tpm2
index 54d81a716ef4..e2dfd0c578ce 100644
--- a/hook_tpm2
+++ b/hook_tpm2
@@ -3,7 +3,7 @@ run_hook() {
 local ckeyfile tpmkeypub tpmkeypriv tpmkeyparent tpmkeyindex tpmkeyoffset tpmkeysize
 local tkdev tkarg1 tkarg2 tkarg3 resolved extendargs pcrbanklist pcrextendnum pcrextendalg
- local tpmload pcrbank unseal unsealout tpmok noop
+ local tpmload parentkey pcrbank unseal unsealout tpmok noop
 # This file will be loaded by the encrypt hook
 ckeyfile="/crypto_keyfile.bin"
@@ -100,8 +100,20 @@ EOF
 # Load key object if stored on disk
 tpmload=0
 if [ -z "$tpmkeyindex" ]; then
- tpm2_load -Q -H "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -C /tpmobject.ctx >/dev/null 2>&1
- tpmload=$?
+ if [ -n "$tpmprompt" ]; then
+ echo
+ read -s -p "Enter TPM object password: " parentkey
+ echo
+ fi
+
+ if [ -n "$parentkey" ]; then
+ tpm2_load -Q -H "$tpmkeyparent" -P "$parentkey" -r "$tpmkeypriv" -u "$tpmkeypub" -C /tpmobject.ctx >/dev/null 2>&1
+ tpmload=$?
+ parentkey=""
+ else
+ tpm2_load -Q -H "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -C /tpmobject.ctx >/dev/null 2>&1
+ tpmload=$?
+ fi
 fi
 # Format nvram arguments
@@ -146,9 +158,7 @@ EOF
 err "Could not unseal TPM keyfile"
 fi
- if [ $tpmok -gt 0 ]; then
- msg ":: LUKS key successfully decrypted by TPM"
- else
+ if [ $tpmok -eq 0 ]; then
 rm -f "$ckeyfile"
 msg ":: TPM Could not decrypt LUKS key"
 fi
diff --git a/install_tpm2 b/install_tpm2
index 8d7d52c8541b..e084c41d3731 100644
--- a/install_tpm2
+++ b/install_tpm2
@@ -51,6 +51,11 @@ will be attempted with each set of banks. The first PCR bank spec may be used to indicate a PCR to extend after unsealing the key.
+
+If the 'tpmprompt' command line parameter is set, the user will be
+prompted for the parent encryption key password during boot. This password
+will be used while loading the sealed key. This option has no effect when
+the key is stored in NVRAM. Ex: tpmprompt=1
 HELPEOF
 } |
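Review bot: The new `read -s -p "Enter TPM object password: " parentkey` line has no `-r`, so a backslash typed in the password is consumed as an escape and the value handed to `tpm2_load -P` no longer matches what the user entered; assuming the hook runs under the initramfs busybox ash, whose read accepts -r alongside -s/-p, use `read -r -s -p "Enter TPM object password: " parentkey`. Separately, `-P "$parentkey"` puts the secret in tpm2_load's argument vector, where it is readable from the process list for the duration of the call; that window is small in early userspace, but a comment such as `# NOTE: password is passed on argv and is visible via /proc while tpm2_load runs` would record the trade-off. Clearing `parentkey=""` only on the password branch is fine, since the prompt is the only place the variable is populated. run_hook continues outside the hunk.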
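Review bot: `if [ $tpmok -eq 0 ]; then` leaves `$tpmok` unquoted, so if the variable is ever empty at this point (its initialisation is outside the hunk) the test degrades to `[ -eq 0 ]`, which is a test error and silently skips the `rm -f "$ckeyfile"` cleanup; write `if [ "$tpmok" -eq 0 ]; then`. Dropping the `:: LUKS key successfully decrypted by TPM` message also removes the only positive log line for the TPM path, which makes it harder to tell from boot output whether the keyfile came from the TPM or from a fallback; if that removal is intentional, a one-line comment on the `if` stating that success is silent would help the next reader. The enclosing run_hook body starts and ends outside the hunk.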