author | Corey Hinshaw | 2019-09-18 16:17:00 -0400 |
---|---|---|
committer | Corey Hinshaw | 2019-09-18 16:17:00 -0400 |
commit | d675dc3fa533b1760a30f3d25a6f3d8a6f161872 (patch) | |
tree | cd52d7dc611d2c8f5663ba416983d7340c357c19 | |
parent | 07bacb2ba769c65557b86244ea95c73571045503 (diff) | |
download | aur-d675dc3fa533b1760a30f3d25a6f3d8a6f161872.tar.gz |
Split hook code from AUR repo
-rw-r--r-- | .SRCINFO | 12 | ||||
-rw-r--r-- | .editorconfig | 13 | ||||
-rw-r--r-- | PKGBUILD | 14 | ||||
-rw-r--r-- | README.md | 93 | ||||
-rw-r--r-- | hook_tpm2 | 187 | ||||
-rw-r--r-- | install_tpm2 | 62 |
6 files changed, 10 insertions, 371 deletions
@@ -1,18 +1,14 @@ pkgbase = mkinitcpio-tpm2-encrypt pkgdesc = mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile pkgver = 1.4.0 - pkgrel = 1 - url = https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/ + pkgrel = 2 + url = https://github.com/electrickite/mkinitcpio-tpm2-encrypt arch = any license = GPL3 depends = mkinitcpio depends = tpm2-tools>=4.0 - source = install_tpm2 - source = hook_tpm2 - source = README.md - sha256sums = cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae - sha256sums = 2dcdcfd37ab3ba23d30e0a6bd2c5ae8f93f0e64b8d410ab6a21333bca8392cce - sha256sums = 987bab4e47e2df53a25aaec5779b82f79bcfcb61282b7060443e726f335a6f9d + source = https://github.com/electrickite/mkinitcpio-tpm2-encrypt/archive/1.4.0.tar.gz + sha256sums = 6364f9311db3ccbc5c15e02efe3b5c81bcaeed1002cf9ee40b2a63eaa77d08c0 pkgname = mkinitcpio-tpm2-encrypt diff --git a/.editorconfig b/.editorconfig deleted file mode 100644 index 26ae5ad881ee..000000000000 --- a/.editorconfig +++ /dev/null @@ -1,13 +0,0 @@ -root = true - -[*] -indent_style = space -indent_size = 4 -end_of_line = lf -charset = utf-8 -trim_trailing_whitespace = true -insert_final_newline = true - -[*.md] -indent_size = 2 -trim_trailing_whitespace = false 
@@ -2,20 +2,18 @@ pkgname=mkinitcpio-tpm2-encrypt pkgver=1.4.0 -pkgrel=1 +pkgrel=2 pkgdesc="mkinitcpio hook that decrypts a TPM2-sealed LUKS keyfile" -url="https://aur.archlinux.org/packages/mkinitcpio-tpm2-encrypt/" +url="https://github.com/electrickite/mkinitcpio-tpm2-encrypt" arch=(any) license=('GPL3') depends=('mkinitcpio' 'tpm2-tools>=4.0') -source=('install_tpm2' - 'hook_tpm2' - 'README.md') -sha256sums=('cb5c9acca16a5ad8d2dbee8aa70f590d57236a0e5ccd0869b770b4535018b2ae' - '2dcdcfd37ab3ba23d30e0a6bd2c5ae8f93f0e64b8d410ab6a21333bca8392cce' - '63c62e0ac9cd1bfc8c7f08b8807b6e8a0bd874c24c7337acab737f40242e594f') +source=("https://github.com/electrickite/${pkgname}/archive/${pkgver}.tar.gz") +sha256sums=('6364f9311db3ccbc5c15e02efe3b5c81bcaeed1002cf9ee40b2a63eaa77d08c0') package() { + cd "${srcdir}/${pkgname}-${pkgver}" + install -Dm644 install_tpm2 "${pkgdir}/usr/lib/initcpio/install/tpm2" install -Dm644 hook_tpm2 "${pkgdir}/usr/lib/initcpio/hooks/tpm2" install -Dm644 README.md "${pkgdir}/usr/share/doc/${pkgname}/README" diff --git a/README.md b/README.md deleted file mode 100644 index 2c54834a43bc..000000000000 --- a/README.md +++ /dev/null 
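Review bot: The new `source=` line downloads GitHub's tag archive under its bare remote filename `1.4.0.tar.gz`, which collides in a shared SRCDEST with any other package whose tag is also 1.4.0; the usual PKGBUILD form renames it, `source=("${pkgname}-${pkgver}.tar.gz::https://github.com/electrickite/${pkgname}/archive/${pkgver}.tar.gz")`. The pinned sha256sum does protect against a moved tag or a regenerated archive (makepkg fails instead of silently building different code), so that checksum must be refreshed with the same care on every pkgver bump. Because this hook lands in the initramfs and handles the LUKS keyfile, a signed release asset verified through `validpgpkeys` would be a stronger supply-chain anchor than an auto-generated tag archive, if upstream publishes one. The added `cd "${srcdir}/${pkgname}-${pkgver}"` matches the archive's top-level directory name, so the install lines that follow look correct.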
@@ -1,93 +0,0 @@ -mkinitcpio TPM2 hook -==================== - -This mkinitcpio hook allows for an encrypted root device to use a key sealed by -a TPM 2.0. It should be placed immediately before the `encrypt` hook in -`/etc/mkinitcpio.conf`. - - HOOKS="base udev ... block tpm2 encrypt filesystems - -The `tpm2` hook attempts to "unseal" a LUKS keyfile previously sealed by the -TPM. The sealed files must reside on an unencrypted filesystem available to the -kernel at boot or may be stored in TPM non-volatile memory (NVRAM). For example, -assuming your unencrypted keyfile is at `/root/mykey` and a primary TPM key has -been persisted to `0x81000001`: - - # tpm2_createpolicy --policy-pcr -l sha1:0,2,4,7 -L pcr.pol - # tpm2_create -C 0x81000001 -g sha256 -G keyedhash -a 0x492 -i /root/mykey \ - -L pcr.pol -r /boot/mykey.priv -u /boot/mykey.pub - -After generating a TPM-sealed key, both `tpmkey` and `tpmpcr` should be specified -on the kernel command line. - -The `tpmkey` parameter has several formats: - - tpmkey=[device]:[path]:[handle] - tpmkey=[device]:[publicpath]:[privatepath]:[handle] - tpmkey=nvram:[index] - tpmkey=nvram:[index]:[offset]:[size] - -Where `[device]` represents the raw block device on which the key exists, -`[path]` is the absolute base path of the sealed files within the device, and -`[handle]` is the TPM handle of the key's parent object. If only `[path]` is -specified, '.pub' and '.priv' will be appended to the path to locate the public -and private files, respectively. The absolute `[publicpath]` and `[privatepath]` -can be specified separately if needed. For example, if `/dev/sda1` is an EFI -partition mounted at `/boot`: - - tpmkey=/dev/sda1:/mykey:0x81000001 - -Setting `[device]` to 'nvram' indicates that the key is stored in TPM NVRAM. In -this case `[index]` is the NVRAM area index, `[offset]` is the offset of the key -in bytes and `[size]` is the size of the key in bytes. 
- -The `tpmpcr` parameter should hold the TPM2 PCR bank specification that will -unlock the sealed key. - - tpmpcr=sha1:0,2,7 - -Multiple specs can be separated by a '|' and key decryption will be attempted -with each set of banks. - - tpmpcr=sha1:0,2,4,7|sha1:0,2,7 - -Instead of a bank specification, the first item in the `tpmpcr` parameter may be -used to indicate a PCR to extend _after_ the key has been unsealed. - - extend:[pcrnum]:[alg] - -Where `[pcrnum]` is the PCR number to extend and `[alg]` is the bank algorithm. -For example, to extend PCR 8 in the sha1 bank: - - tpmpcr=extend:8:sha1|sha1:0,2,7 - -If the `tpmprompt` command line parameter is set, the user will be prompted for -the parent encryption key password during boot. This password will be used while -loading the sealed key. This option has no effect when the key is stored in -NVRAM. - - tpmprompt=1 - -In recent kernel versions, some systems may not generate enough entropy early in -the boot process to utilize the TPM. There are several possible solutions to -this problem. On x86_64 systems, the following kernel parameter may help: - - random.trust_cpu=on - -You may also need to add the `vfat` file system driver to the `MODULES` array: - - MODULES=(vfat) - -Finally, rebuild the initramfs: - - # mkinitcpio -p linux - -During boot, the hook will initialize the TPM and attempt to unseal the key. If -the key is successfully unsealed, it will be passed to the `encrypt` hook to -perform the actual decryption of the root file system. - -Depending on the PCR banks to which the sealed key is bound, system changes such -as kernel updates or firmware adjustments may prevent the key from being -unsealed. If this happens, the disk must be manually unlocked with a passphrase -and a new sealed key file needs to be generated. For this reason, it is CRUCIAL -to add a separate "recovery" passphrase to the LUKS keys. diff --git a/hook_tpm2 b/hook_tpm2 deleted file mode 100644 index e06ea4bc20b5..000000000000 
--- a/hook_tpm2 +++ /dev/null 
@@ -1,187 +0,0 @@ -#!/usr/bin/ash - -run_hook() { - local ckeyfile tpmkeypub tpmkeypriv tpmkeyparent tpmkeyindex tpmkeyoffset tpmkeysize - local tkdev tkarg1 tkarg2 tkarg3 resolved extendargs pcrbanklist pcrextendnum pcrextendalg - local tpmload pcrbank unseal unsealout tpmok noop - - # This file will be loaded by the encrypt hook - ckeyfile="/crypto_keyfile.bin" - - # Rootfs location for sealed key files - tpmkeypub="/tpm_keyfile.pub" - tpmkeypriv="/tpm_keyfile.priv" - - # TPM device - [ -z $tpmdev ] && tpmdev="/dev/tpmrm0" - export TPM2TOOLS_TCTI="device:${tpmdev}" - - # Parse tpmkey command line argument - if [ -n "$tpmkey" ]; then - IFS=: read tkdev tkarg1 tkarg2 tkarg3 <<EOF -$tpmkey -EOF - unset IFS - - case "$tkdev" in - rootfs) - # Key is in initcpio root filesystem. Use files in place - if [ -z "$tkarg3" ]; then - tpmkeypub="${tkarg1}.pub" - tpmkeypriv="${tkarg1}.priv" - tpmkeyparent="$tkarg2" - else - tpmkeypub="$tkarg1" - tpmkeypriv="$tkarg2" - tpmkeyparent="$tkarg3" - fi - ;; - nvram) - # Key is in NVRAM. Populate NVRAM variables - tpmkeyindex="$tkarg1" - tpmkeyoffset="$tkarg2" - tpmkeysize="$tkarg3" - ;; - *) - # Key is on block device - # Locate, mount, and copy the key files - if resolved=$(resolve_device "${tkdev}" ${rootdelay}); then - mkdir /tpmkey - mount -r -t auto "$resolved" /tpmkey - - if [ -z "$tkarg3" ]; then - dd if="/tpmkey/${tkarg1}.pub" of="$tpmkeypub" >/dev/null 2>&1 - dd if="/tpmkey/${tkarg1}.priv" of="$tpmkeypriv" >/dev/null 2>&1 - tpmkeyparent="$tkarg2" - else - dd if="/tpmkey/${tkarg1}" of="$tpmkeypub" >/dev/null 2>&1 - dd if="/tpmkey/${tkarg2}" of="$tpmkeypriv" >/dev/null 2>&1 - tpmkeyparent="$tkarg3" - fi - - umount /tpmkey - rmdir /tpmkey - fi - ;; - esac - - # If there is no NVRAM index and no sealed files, print an error - if [ -z "$tpmkeyindex" ] && [ ! -f "$tpmkeypub" -o ! 
-f "$tpmkeypriv" ]; then - err "TPM keyfiles could not be opened" - fi - fi - - # Parse the tpmpcr variable - if [ -n "$tpmpcr" ]; then - case "$tpmpcr" in - extend*) - IFS="|" read extendargs pcrbanklist <<EOF -$tpmpcr -EOF - IFS=: read noop pcrextendnum pcrextendalg <<EOF -$extendargs -EOF - unset IFS - ;; - *) - pcrbanklist="$tpmpcr" - ;; - esac - fi - - # We must have a PCR list to retrieve a key - [ -n "$tpmkey" ] && [ -z "$pcrbanklist" ] && err "TPM PCR bank not specified" - - - # If we have a key and PCR list, decrypt it - if [ -n "$pcrbanklist" -a -n "$tpmkeyindex" ] || [ -n "$pcrbanklist" -a -f "$tpmkeypub" -a -f "$tpmkeypriv" ]; then - # Load key object if stored on disk - tpmload=0 - if [ -z "$tpmkeyindex" ]; then - if [ -n "$tpmprompt" ]; then - echo - tpm2_load -Q -C "$tpmkeyparent" -P file:- -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx 2>/dev/null - tpmload=$? - echo - else - tpm2_load -Q -C "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx >/dev/null 2>&1 - tpmload=$? - fi - fi - - # Format nvram arguments - [ -n "$tpmkeyoffset" ] && tpmkeyoffset="--offset=${tpmkeyoffset}" - [ -n "$tpmkeysize" ] && tpmkeysize="--size=${tpmkeysize}" - - # Attempt to decrypt key with each PCR bank specified - unseal=1 - if [ $tpmload -eq 0 ]; then - IFS="|" - for pcrbank in $pcrbanklist; do - if [ -n "$tpmkeyindex" ]; then - unsealout=$(tpm2_nvread -Q $tpmkeyoffset $tpmkeysize -P "pcr:${pcrbank}" -o $ckeyfile "$tpmkeyindex" 2>&1) - unseal=$? - else - unsealout=$(tpm2_unseal -Q -c /tpmobject.ctx -p "pcr:${pcrbank}" -o "$ckeyfile" 2>&1) - unseal=$? - fi - if [ $unseal -eq 0 ]; then break; fi - done - unset IFS - fi - - # Check decryption resuts and report - tpmok=0 - if [ $unseal -eq 0 ]; then - tpmok=1 - elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then - err "TPM communication error" - elif echo "$unsealout" | grep -sqiE 'ERROR.*0x99D'; then - echo - echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!" 
- echo "This is an indication that the boot configuration has been altered since" - echo "the TPM key was generated. This is normal after kernel updates or firmware" - echo "changes, however this could also indicate a malicious change to your system." - echo - elif [ -n "$tpmkeyindex" ]; then - err "Could not read key from TPM NVRAM" - elif [ $tpmload -ne 0 ]; then - err "Could not load TPM keyfile" - else - err "Could not unseal TPM keyfile" - fi - - if [ $tpmok -eq 0 ]; then - rm -f "$ckeyfile" - msg ":: TPM Could not decrypt LUKS key" - fi - fi - - # Extend specified PCR - if [ -n "$pcrextendnum" ] && [ -n "$pcrextendalg" ]; then - case "$pcrextendalg" in - sha1|sha224|sha256|sha384|sha512) - tpm2_pcrextend ${pcrextendnum}:${pcrextendalg}=$("${pcrextendalg}sum" /hooks/tpm2 2>/dev/null | cut -f1 -d' ') >/dev/null 2>&1 - if [ $? -ne 0 ]; then - err "Could not extend TPM PCR" - fi - ;; - *) - err "Hash algorithm not supported for PCR extend" - ;; - esac - fi - - # Cleanup - rm -f /tpmobject.ctx "$tpmkeypub" "$tpmkeypriv" -} - -run_cleanuphook() { - # Securely delete key if still present - if [ -f "$ckeyfile" ]; then - dd if=/dev/urandom of="$ckeyfile" bs=$(stat --printf="%s" "$ckeyfile") count=1 conv=notrunc >/dev/null 2>&1 - rm -f "$ckeyfile" - fi -} - -# vim: set ft=sh ts=4 sw=4 et: diff --git a/install_tpm2 b/install_tpm2 deleted file mode 100644 index e084c41d3731..000000000000 --- a/install_tpm2 +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/bin/bash - -build() { - add_module "tpm_tis" - add_module "tpm_crb" - - add_binary "/usr/bin/tpm2_unseal" - add_binary "/usr/bin/tpm2_load" - add_binary "/usr/bin/tpm2_nvread" - add_binary "/usr/bin/tpm2_pcrextend" - add_binary "/usr/bin/sha1sum" - add_binary "/usr/bin/sha224sum" - add_binary "/usr/bin/sha256sum" - add_binary "/usr/bin/sha384sum" - add_binary "/usr/bin/sha512sum" - - add_binary "/usr/lib/libtss2-tcti-device.so.0" - - add_runscript -} - - -help() { - cat <<HELPEOF -This hook allows for an encrypted root device to use a key sealed by a -TPM 2.0. It should be placed immediately before the 'encrypt' hook. After -generating a TPM-sealed key, both 'tpmkey' and 'tpmpcr' should be -specified on the kernel command line. - -'tpmkey' has several formats: - - tpmkey=[device]:[path]:[handle] - tpmkey=[device]:[publicpath]:[privatepath]:[handle] - tpmkey=nvram:[index] - tpmkey=nvram:[index]:[offset]:[size] - -Where [device] represents the raw block device on which the key exists, -[path] is the absolute base path of the keyfiles within the device, and -[handle] is the TPM handle of the key's parent object. If only [path] is -specified, '.pub' and '.priv' will be appended to the path to locate the -public and private files, respectively. The absolute [publicpath] and -[privatepath] can be specified separately if needed. - -Setting [device] to 'nvram' indicates that the key is stored in TPM NVRAM. -In this case [index] is the NVRAM area index, [offset] is the offset of -the key in bytes and [size] is the size of the key in bytes. - -'tpmpcr' should hold the TPM2 PCR bank specification that will unlock the -sealed key. Multiple specs can be separated by a '|' and key decryption -will be attempted with each set of banks. - -The first PCR bank spec may be used to indicate a PCR to extend after -unsealing the key. - -If the 'tpmprompt' command line parameter is set, the user will be -prompted for the parent encryption key password during boot. 
This password -will be used while loading the sealed key. This option has no effect when -the key is stored in NVRAM. Ex: tpmprompt=1 -HELPEOF -} - -# vim: set ft=sh ts=4 sw=4 et: |