authorCorey Hinshaw2019-09-18 16:17:00 -0400
committerCorey Hinshaw2019-09-18 16:17:00 -0400
commitd675dc3fa533b1760a30f3d25a6f3d8a6f161872 (patch)
treecd52d7dc611d2c8f5663ba416983d7340c357c19
parent07bacb2ba769c65557b86244ea95c73571045503 (diff)
downloadaur-d675dc3fa533b1760a30f3d25a6f3d8a6f161872.tar.gz
Split hook code from AUR repo
-rw-r--r--.SRCINFO12
-rw-r--r--.editorconfig13
-rw-r--r--PKGBUILD14
-rw-r--r--README.md93
-rw-r--r--hook_tpm2187
-rw-r--r--install_tpm262
6 files changed, 10 insertions, 371 deletions
diff --git a/.SRCINFO b/.SRCINFO
index c22995c1d271..0dbbb52ccbfc 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,18 +1,14 @@
pkgbase = mkinitcpio-tpm2-encrypt
pkgdesc = mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile
pkgver = 1.4.0
- pkgrel = 1
- url = https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/
+ pkgrel = 2
+ url = https://github.com/electrickite/mkinitcpio-tpm2-encrypt
arch = any
license = GPL3
depends = mkinitcpio
depends = tpm2-tools>=4.0
- source = install_tpm2
- source = hook_tpm2
- source = README.md
- sha256sums = cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae
- sha256sums = 2dcdcfd37ab3ba23d30e0a6bd2c5ae8f93f0e64b8d410ab6a21333bca8392cce
- sha256sums = 987bab4e47e2df53a25aaec5779b82f79bcfcb61282b7060443e726f335a6f9d
+ source = https://github.com/electrickite/mkinitcpio-tpm2-encrypt/archive/1.4.0.tar.gz
+ sha256sums = 6364f9311db3ccbc5c15e02efe3b5c81bcaeed1002cf9ee40b2a63eaa77d08c0
pkgname = mkinitcpio-tpm2-encrypt
diff --git a/.editorconfig b/.editorconfig
deleted file mode 100644
index 26ae5ad881ee..000000000000
--- a/.editorconfig
+++ /dev/null
@@ -1,13 +0,0 @@
-root = true
-
-[*]
-indent_style = space
-indent_size = 4
-end_of_line = lf
-charset = utf-8
-trim_trailing_whitespace = true
-insert_final_newline = true
-
-[*.md]
-indent_size = 2
-trim_trailing_whitespace = false
diff --git a/PKGBUILD b/PKGBUILD
index c2758d26a409..2621f628b90e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,20 +2,18 @@
pkgname=mkinitcpio-tpm2-encrypt
pkgver=1.4.0
-pkgrel=1
+pkgrel=2
pkgdesc="mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile"
-url="https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/"
+url="https://github.com/electrickite/mkinitcpio-tpm2-encrypt"
arch=(any)
license=('GPL3')
depends=('mkinitcpio' 'tpm2-tools>=4.0')
-source=('install_tpm2'
- 'hook_tpm2'
- 'README.md')
-sha256sums=('cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae'
- '2dcdcfd37ab3ba23d30e0a6bd2c5ae8f93f0e64b8d410ab6a21333bca8392cce'
- '63c62e0ac9cd1bfc8c7f08b8807b6e8a0bd874c24c7337acab737f40242e594f')
+source=("https://github.com/electrickite/${pkgname}/archive/${pkgver}.tar.gz")
+sha256sums=('6364f9311db3ccbc5c15e02efe3b5c81bcaeed1002cf9ee40b2a63eaa77d08c0')
package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
install -Dm644 install_tpm2 "${pkgdir}/usr/lib/initcpio/install/tpm2"
install -Dm644 hook_tpm2 "${pkgdir}/usr/lib/initcpio/hooks/tpm2"
install -Dm644 README.md "${pkgdir}/usr/share/doc/${pkgname}/README"
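Review bot: The new `source=` line in the PKGBUILD hunk fetches the tag archive under its bare remote name `1.4.0.tar.gz`, which collides in the makepkg source cache with any other package that downloads a same-named tag archive; the Arch convention is to name the download explicitly, `source=("${pkgname}-${pkgver}.tar.gz::https://github.com/electrickite/${pkgname}/archive/${pkgver}.tar.gz")`. The sha256 pin is the only integrity control on this download, and a GitHub `archive/<tag>.tar.gz` is generated on demand from a movable tag, so a later checksum mismatch cannot by itself tell a regenerated archive apart from a moved tag; pinning a `_commit=` and fetching `archive/${_commit}.tar.gz` (the `cd` in `package()` would then need the matching `${pkgname}-${_commit}` directory) or a published release asset would make the pin meaningful. Whichever form is kept, `.SRCINFO` (first hunk) must be regenerated with `makepkg --printsrcinfo > .SRCINFO` so the two files stay in sync.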
diff --git a/README.md b/README.md
deleted file mode 100644
index 2c54834a43bc..000000000000
--- a/README.md
+++ /dev/null
@@ -1,93 +0,0 @@
-mkinitcpio TPM2 hook
-====================
-
-This mkinitcpio hook allows for an encrypted root device to use a key sealed by
-a TPM 2.0. It should be placed immediately before the `encrypt` hook in
-`/etc/mkinitcpio.conf`.
-
- HOOKS="base udev ... block tpm2 encrypt filesystems
-
-The `tpm2` hook attempts to "unseal" a LUKS keyfile previously sealed by the
-TPM. The sealed files must reside on an unencrypted filesystem available to the
-kernel at boot or may be stored in TPM non-volatile memory (NVRAM). For example,
-assuming your unencrypted keyfile is at `/root/mykey` and a primary TPM key has
-been persisted to `0x81000001`:
-
- # tpm2_createpolicy --policy-pcr -l sha1:0,2,4,7 -L pcr.pol
- # tpm2_create -C 0x81000001 -g sha256 -G keyedhash -a 0x492 -i /root/mykey \
- -L pcr.pol -r /boot/mykey.priv -u /boot/mykey.pub
-
-After generating a TPM-sealed key, both `tpmkey` and `tpmpcr` should be specified
-on the kernel command line.
-
-The `tpmkey` parameter has several formats:
-
- tpmkey=[device]:[path]:[handle]
- tpmkey=[device]:[publicpath]:[privatepath]:[handle]
- tpmkey=nvram:[index]
- tpmkey=nvram:[index]:[offset]:[size]
-
-Where `[device]` represents the raw block device on which the key exists,
-`[path]` is the absolute base path of the sealed files within the device, and
-`[handle]` is the TPM handle of the key's parent object. If only `[path]` is
-specified, '.pub' and '.priv' will be appended to the path to locate the public
-and private files, respectively. The absolute `[publicpath]` and `[privatepath]`
-can be specified separately if needed. For example, if `/dev/sda1` is an EFI
-partition mounted at `/boot`:
-
- tpmkey=/dev/sda1:/mykey:0x81000001
-
-Setting `[device]` to 'nvram' indicates that the key is stored in TPM NVRAM. In
-this case `[index]` is the NVRAM area index, `[offset]` is the offset of the key
-in bytes and `[size]` is the size of the key in bytes.
-
-The `tpmpcr` parameter should hold the TPM2 PCR bank specification that will
-unlock the sealed key.
-
- tpmpcr=sha1:0,2,7
-
-Multiple specs can be separated by a '|' and key decryption will be attempted
-with each set of banks.
-
- tpmpcr=sha1:0,2,4,7|sha1:0,2,7
-
-Instead of a bank specification, the first item in the `tpmpcr` parameter may be
-used to indicate a PCR to extend _after_ the key has been unsealed.
-
- extend:[pcrnum]:[alg]
-
-Where `[pcrnum]` is the PCR number to extend and `[alg]` is the bank algorithm.
-For example, to extend PCR 8 in the sha1 bank:
-
- tpmpcr=extend:8:sha1|sha1:0,2,7
-
-If the `tpmprompt` command line parameter is set, the user will be prompted for
-the parent encryption key password during boot. This password will be used while
-loading the sealed key. This option has no effect when the key is stored in
-NVRAM.
-
- tpmprompt=1
-
-In recent kernel versions, some systems may not generate enough entropy early in
-the boot process to utilize the TPM. There are several possible solutions to
-this problem. On x86_64 systems, the following kernel parameter may help:
-
- random.trust_cpu=on
-
-You may also need to add the `vfat` file system driver to the `MODULES` array:
-
- MODULES=(vfat)
-
-Finally, rebuild the initramfs:
-
- # mkinitcpio -p linux
-
-During boot, the hook will initialize the TPM and attempt to unseal the key. If
-the key is successfully unsealed, it will be passed to the `encrypt` hook to
-perform the actual decryption of the root file system.
-
-Depending on the PCR banks to which the sealed key is bound, system changes such
-as kernel updates or firmware adjustments may prevent the key from being
-unsealed. If this happens, the disk must be manually unlocked with a passphrase
-and a new sealed key file needs to be generated. For this reason, it is CRUCIAL
-to add a separate "recovery" passphrase to the LUKS keys.
diff --git a/hook_tpm2 b/hook_tpm2
deleted file mode 100644
index e06ea4bc20b5..000000000000
--- a/hook_tpm2
+++ /dev/null
@@ -1,187 +0,0 @@
-#!/usr/bin/ash
-
-run_hook() {
- local ckeyfile tpmkeypub tpmkeypriv tpmkeyparent tpmkeyindex tpmkeyoffset tpmkeysize
- local tkdev tkarg1 tkarg2 tkarg3 resolved extendargs pcrbanklist pcrextendnum pcrextendalg
- local tpmload pcrbank unseal unsealout tpmok noop
-
- # This file will be loaded by the encrypt hook
- ckeyfile="/crypto_keyfile.bin"
-
- # Rootfs location for sealed key files
- tpmkeypub="/tpm_keyfile.pub"
- tpmkeypriv="/tpm_keyfile.priv"
-
- # TPM device
- [ -z $tpmdev ] && tpmdev="/dev/tpmrm0"
- export TPM2TOOLS_TCTI="device:${tpmdev}"
-
- # Parse tpmkey command line argument
- if [ -n "$tpmkey" ]; then
- IFS=: read tkdev tkarg1 tkarg2 tkarg3 <<EOF
-$tpmkey
-EOF
- unset IFS
-
- case "$tkdev" in
- rootfs)
- # Key is in initcpio root filesystem. Use files in place
- if [ -z "$tkarg3" ]; then
- tpmkeypub="${tkarg1}.pub"
- tpmkeypriv="${tkarg1}.priv"
- tpmkeyparent="$tkarg2"
- else
- tpmkeypub="$tkarg1"
- tpmkeypriv="$tkarg2"
- tpmkeyparent="$tkarg3"
- fi
- ;;
- nvram)
- # Key is in NVRAM. Populate NVRAM variables
- tpmkeyindex="$tkarg1"
- tpmkeyoffset="$tkarg2"
- tpmkeysize="$tkarg3"
- ;;
- *)
- # Key is on block device
- # Locate, mount, and copy the key files
- if resolved=$(resolve_device "${tkdev}" ${rootdelay}); then
- mkdir /tpmkey
- mount -r -t auto "$resolved" /tpmkey
-
- if [ -z "$tkarg3" ]; then
- dd if="/tpmkey/${tkarg1}.pub" of="$tpmkeypub" >/dev/null 2>&1
- dd if="/tpmkey/${tkarg1}.priv" of="$tpmkeypriv" >/dev/null 2>&1
- tpmkeyparent="$tkarg2"
- else
- dd if="/tpmkey/${tkarg1}" of="$tpmkeypub" >/dev/null 2>&1
- dd if="/tpmkey/${tkarg2}" of="$tpmkeypriv" >/dev/null 2>&1
- tpmkeyparent="$tkarg3"
- fi
-
- umount /tpmkey
- rmdir /tpmkey
- fi
- ;;
- esac
-
- # If there is no NVRAM index and no sealed files, print an error
- if [ -z "$tpmkeyindex" ] && [ ! -f "$tpmkeypub" -o ! -f "$tpmkeypriv" ]; then
- err "TPM keyfiles could not be opened"
- fi
- fi
-
- # Parse the tpmpcr variable
- if [ -n "$tpmpcr" ]; then
- case "$tpmpcr" in
- extend*)
- IFS="|" read extendargs pcrbanklist <<EOF
-$tpmpcr
-EOF
- IFS=: read noop pcrextendnum pcrextendalg <<EOF
-$extendargs
-EOF
- unset IFS
- ;;
- *)
- pcrbanklist="$tpmpcr"
- ;;
- esac
- fi
-
- # We must have a PCR list to retrieve a key
- [ -n "$tpmkey" ] && [ -z "$pcrbanklist" ] && err "TPM PCR bank not specified"
-
-
- # If we have a key and PCR list, decrypt it
- if [ -n "$pcrbanklist" -a -n "$tpmkeyindex" ] || [ -n "$pcrbanklist" -a -f "$tpmkeypub" -a -f "$tpmkeypriv" ]; then
- # Load key object if stored on disk
- tpmload=0
- if [ -z "$tpmkeyindex" ]; then
- if [ -n "$tpmprompt" ]; then
- echo
- tpm2_load -Q -C "$tpmkeyparent" -P file:- -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx 2>/dev/null
- tpmload=$?
- echo
- else
- tpm2_load -Q -C "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx >/dev/null 2>&1
- tpmload=$?
- fi
- fi
-
- # Format nvram arguments
- [ -n "$tpmkeyoffset" ] && tpmkeyoffset="--offset=${tpmkeyoffset}"
- [ -n "$tpmkeysize" ] && tpmkeysize="--size=${tpmkeysize}"
-
- # Attempt to decrypt key with each PCR bank specified
- unseal=1
- if [ $tpmload -eq 0 ]; then
- IFS="|"
- for pcrbank in $pcrbanklist; do
- if [ -n "$tpmkeyindex" ]; then
- unsealout=$(tpm2_nvread -Q $tpmkeyoffset $tpmkeysize -P "pcr:${pcrbank}" -o $ckeyfile "$tpmkeyindex" 2>&1)
- unseal=$?
- else
- unsealout=$(tpm2_unseal -Q -c /tpmobject.ctx -p "pcr:${pcrbank}" -o "$ckeyfile" 2>&1)
- unseal=$?
- fi
- if [ $unseal -eq 0 ]; then break; fi
- done
- unset IFS
- fi
-
- # Check decryption resuts and report
- tpmok=0
- if [ $unseal -eq 0 ]; then
- tpmok=1
- elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
- err "TPM communication error"
- elif echo "$unsealout" | grep -sqiE 'ERROR.*0x99D'; then
- echo
- echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
- echo "This is an indication that the boot configuration has been altered since"
- echo "the TPM key was generated. This is normal after kernel updates or firmware"
- echo "changes, however this could also indicate a malicious change to your system."
- echo
- elif [ -n "$tpmkeyindex" ]; then
- err "Could not read key from TPM NVRAM"
- elif [ $tpmload -ne 0 ]; then
- err "Could not load TPM keyfile"
- else
- err "Could not unseal TPM keyfile"
- fi
-
- if [ $tpmok -eq 0 ]; then
- rm -f "$ckeyfile"
- msg ":: TPM Could not decrypt LUKS key"
- fi
- fi
-
- # Extend specified PCR
- if [ -n "$pcrextendnum" ] && [ -n "$pcrextendalg" ]; then
- case "$pcrextendalg" in
- sha1|sha224|sha256|sha384|sha512)
- tpm2_pcrextend ${pcrextendnum}:${pcrextendalg}=$("${pcrextendalg}sum" /hooks/tpm2 2>/dev/null | cut -f1 -d' ') >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- err "Could not extend TPM PCR"
- fi
- ;;
- *)
- err "Hash algorithm not supported for PCR extend"
- ;;
- esac
- fi
-
- # Cleanup
- rm -f /tpmobject.ctx "$tpmkeypub" "$tpmkeypriv"
-}
-
-run_cleanuphook() {
- # Securely delete key if still present
- if [ -f "$ckeyfile" ]; then
- dd if=/dev/urandom of="$ckeyfile" bs=$(stat --printf="%s" "$ckeyfile") count=1 conv=notrunc >/dev/null 2>&1
- rm -f "$ckeyfile"
- fi
-}
-
-# vim: set ft=sh ts=4 sw=4 et:
diff --git a/install_tpm2 b/install_tpm2
deleted file mode 100644
index e084c41d3731..000000000000
--- a/install_tpm2
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/bin/bash
-
-build() {
- add_module "tpm_tis"
- add_module "tpm_crb"
-
- add_binary "/usr/bin/tpm2_unseal"
- add_binary "/usr/bin/tpm2_load"
- add_binary "/usr/bin/tpm2_nvread"
- add_binary "/usr/bin/tpm2_pcrextend"
- add_binary "/usr/bin/sha1sum"
- add_binary "/usr/bin/sha224sum"
- add_binary "/usr/bin/sha256sum"
- add_binary "/usr/bin/sha384sum"
- add_binary "/usr/bin/sha512sum"
-
- add_binary "/usr/lib/libtss2-tcti-device.so.0"
-
- add_runscript
-}
-
-
-help() {
- cat <<HELPEOF
-This hook allows for an encrypted root device to use a key sealed by a
-TPM 2.0. It should be placed immediately before the 'encrypt' hook. After
-generating a TPM-sealed key, both 'tpmkey' and 'tpmpcr' should be
-specified on the kernel command line.
-
-'tpmkey' has several formats:
-
- tpmkey=[device]:[path]:[handle]
- tpmkey=[device]:[publicpath]:[privatepath]:[handle]
- tpmkey=nvram:[index]
- tpmkey=nvram:[index]:[offset]:[size]
-
-Where [device] represents the raw block device on which the key exists,
-[path] is the absolute base path of the keyfiles within the device, and
-[handle] is the TPM handle of the key's parent object. If only [path] is
-specified, '.pub' and '.priv' will be appended to the path to locate the
-public and private files, respectively. The absolute [publicpath] and
-[privatepath] can be specified separately if needed.
-
-Setting [device] to 'nvram' indicates that the key is stored in TPM NVRAM.
-In this case [index] is the NVRAM area index, [offset] is the offset of
-the key in bytes and [size] is the size of the key in bytes.
-
-'tpmpcr' should hold the TPM2 PCR bank specification that will unlock the
-sealed key. Multiple specs can be separated by a '|' and key decryption
-will be attempted with each set of banks.
-
-The first PCR bank spec may be used to indicate a PCR to extend after
-unsealing the key.
-
-If the 'tpmprompt' command line parameter is set, the user will be
-prompted for the parent encryption key password during boot. This password
-will be used while loading the sealed key. This option has no effect when
-the key is stored in NVRAM. Ex: tpmprompt=1
-HELPEOF
-}
-
-# vim: set ft=sh ts=4 sw=4 et: