authorCorey Hinshaw2019-05-01 23:28:37 -0400
committerCorey Hinshaw2019-05-01 23:28:37 -0400
commit3fc6382d3004b012e873f682d4b3e92efdcff41d (patch)
tree1a69f928c1939be992e830ae9d72fa42ba7caf6f
parentbd4b0819a58131e263a3f6a1bd4a6145f6feee88 (diff)
downloadaur-3fc6382d3004b012e873f682d4b3e92efdcff41d.tar.gz
Add optional parent object password prompt
-rw-r--r--.SRCINFO8
-rw-r--r--PKGBUILD8
-rw-r--r--README.md11
-rw-r--r--hook_tpm222
-rw-r--r--install_tpm25
5 files changed, 38 insertions, 16 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 6121344db9ff..8c2590ad02c8 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = mkinitcpio-tpm2-encrypt
pkgdesc = mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile
- pkgver = 1.2.3
+ pkgver = 1.3.0
pkgrel = 1
url = https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/
arch = any
@@ -10,9 +10,9 @@ pkgbase = mkinitcpio-tpm2-encrypt
source = install_tpm2
source = hook_tpm2
source = README.md
- sha256sums = baf4e8d7a5385bdc5dda1a4b8148da510c35d632f27470951ab84c8c82b2e554
- sha256sums = b7a27d9a2e645091b42ba430b30e9bba709129bb7fd90763be99f67d73f4bf56
- sha256sums = 153e368c88f6ad45befc6593c7b00995f1656674149d8ec55659ebd6a91a1a51
+ sha256sums = cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae
+ sha256sums = 6886463391529bd42d391cbaa4b202535c44302c6971597dcfbd9371844c3638
+ sha256sums = 2342a3330b08cf4825c33bc4c26358ee6ef15bfddd9ce517b02a9538dab381a3
pkgname = mkinitcpio-tpm2-encrypt
diff --git a/PKGBUILD b/PKGBUILD
index 15456fbe3b65..c67419280489 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
# Maintainer: Corey Hinshaw <coreyhinshaw(at)gmail(dot)com>
pkgname=mkinitcpio-tpm2-encrypt
-pkgver=1.2.3
+pkgver=1.3.0
pkgrel=1
pkgdesc="mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile"
url="https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/"
@@ -11,9 +11,9 @@ depends=('mkinitcpio' 'tpm2-tools')
source=('install_tpm2'
'hook_tpm2'
'README.md')
-sha256sums=('baf4e8d7a5385bdc5dda1a4b8148da510c35d632f27470951ab84c8c82b2e554'
- 'b7a27d9a2e645091b42ba430b30e9bba709129bb7fd90763be99f67d73f4bf56'
- '153e368c88f6ad45befc6593c7b00995f1656674149d8ec55659ebd6a91a1a51')
+sha256sums=('cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae'
+ '6886463391529bd42d391cbaa4b202535c44302c6971597dcfbd9371844c3638'
+ '2342a3330b08cf4825c33bc4c26358ee6ef15bfddd9ce517b02a9538dab381a3')
package() {
install -Dm644 install_tpm2 "${pkgdir}/usr/lib/initcpio/install/tpm2"
diff --git a/README.md b/README.md
index e42a6c5999ac..f04da323eea7 100644
--- a/README.md
+++ b/README.md
@@ -13,9 +13,9 @@ kernel at boot or may be stored in TPM non-volatile memory (NVRAM). For example,
assuming your unencrypted keyfile is at `/root/mykey` and a primary TPM key has
been persisted to `0x81000001`:
- # tpm2_createpolicy -P -L sha1:0,2,4,7 -f pcr.pol -T device:/dev/tpmrm0
+ # tpm2_createpolicy -P -L sha1:0,2,4,7 -f pcr.pol
# tpm2_create -H 0x81000001 -g sha256 -G keyedhash -A 0x492 -I /root/mykey \
- -L pcr.pol -r /boot/mykey.priv -u /boot/mykey.pub -T device:/dev/tpmrm0
+ -L pcr.pol -r /boot/mykey.priv -u /boot/mykey.pub
After generating a TPM-sealed key, both `tpmkey` and `tpmpcr` should be specified
on the kernel command line.
@@ -61,6 +61,13 @@ For example, to extend PCR 8 in the sha1 bank:
tpmpcr=extend:8:sha1|sha1:0,2,7
+If the `tpmprompt` command line parameter is set, the user will be prompted for
+the parent encryption key password during boot. This password will be used while
+loading the sealed key. This option has no effect when the key is stored in
+NVRAM.
+
+ tpmprompt=1
+
You may also need to add the `vfat` file system driver to the `MODULES` array:
MODULES=(vfat)
diff --git a/hook_tpm2 b/hook_tpm2
index 54d81a716ef4..e2dfd0c578ce 100644
--- a/hook_tpm2
+++ b/hook_tpm2
@@ -3,7 +3,7 @@
run_hook() {
local ckeyfile tpmkeypub tpmkeypriv tpmkeyparent tpmkeyindex tpmkeyoffset tpmkeysize
local tkdev tkarg1 tkarg2 tkarg3 resolved extendargs pcrbanklist pcrextendnum pcrextendalg
- local tpmload pcrbank unseal unsealout tpmok noop
+ local tpmload parentkey pcrbank unseal unsealout tpmok noop
# This file will be loaded by the encrypt hook
ckeyfile="/crypto_keyfile.bin"
@@ -100,8 +100,20 @@ EOF
# Load key object if stored on disk
tpmload=0
if [ -z "$tpmkeyindex" ]; then
- tpm2_load -Q -H "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -C /tpmobject.ctx >/dev/null 2>&1
- tpmload=$?
+ if [ -n "$tpmprompt" ]; then
+ echo
+ read -s -p "Enter TPM object password: " parentkey
+ echo
+ fi
+
+ if [ -n "$parentkey" ]; then
+ tpm2_load -Q -H "$tpmkeyparent" -P "$parentkey" -r "$tpmkeypriv" -u "$tpmkeypub" -C /tpmobject.ctx >/dev/null 2>&1
+ tpmload=$?
+ parentkey=""
+ else
+ tpm2_load -Q -H "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -C /tpmobject.ctx >/dev/null 2>&1
+ tpmload=$?
+ fi
fi
# Format nvram arguments
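Review bot: The parent-object password collected by `read` is handed to tpm2_load as a command-line argument (`-P "$parentkey"`), so for the lifetime of that process the secret is readable from the process table by anything else running in the initramfs; how much that matters depends on what else executes this early, but it is the first secret this hook has placed on an argv. If the installed tpm2-tools version can take the auth value from a file or stdin, that form would keep it out of the process listing. The prompt branch also falls through to the password-less tpm2_load when the user enters an empty string, which then fails for a protected object without any hint why; a comment such as `# empty input at the prompt means: attempt the load without an auth value` would make that behaviour read as intentional. `tpmprompt` is tested here but not declared local next to `parentkey`, presumably because it is populated from the kernel command line before run_hook is entered; run_hook continues outside this hunk.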
@@ -146,9 +158,7 @@ EOF
err "Could not unseal TPM keyfile"
fi
- if [ $tpmok -gt 0 ]; then
- msg ":: LUKS key successfully decrypted by TPM"
- else
+ if [ $tpmok -eq 0 ]; then
rm -f "$ckeyfile"
msg ":: TPM Could not decrypt LUKS key"
fi
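Review bot: The new `if [ $tpmok -eq 0 ]` drops the `msg ":: LUKS key successfully decrypted by TPM"` line that the old `else` arm printed, a user-visible change that the commit title (a password prompt) does not mention; if it is deliberate, a sentence in the commit description would help, otherwise the message belongs in a new `else` arm. `$tpmok` is unquoted in the new test, so an empty value would turn it into a malformed expression instead of a clean comparison; `if [ "$tpmok" -eq 0 ]; then` avoids that. Both the enclosing function and the assignment of tpmok lie outside this hunk.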
diff --git a/install_tpm2 b/install_tpm2
index 8d7d52c8541b..e084c41d3731 100644
--- a/install_tpm2
+++ b/install_tpm2
@@ -51,6 +51,11 @@ will be attempted with each set of banks.
The first PCR bank spec may be used to indicate a PCR to extend after
unsealing the key.
+
+If the 'tpmprompt' command line parameter is set, the user will be
+prompted for the parent encryption key password during boot. This password
+will be used while loading the sealed key. This option has no effect when
+the key is stored in NVRAM. Ex: tpmprompt=1
HELPEOF
}