authorJonas Witschel2018-12-19 19:53:20 +0100
committerJonas Witschel2018-12-19 19:53:20 +0100
commit4507aa7a2be450a86516baf31a84230696f69e28 (patch)
treef2c62eade38892cfb80a4398b580fbc3eba19438
parent1cede33019b9fbce32b8294e601e39cb3ab30f1c (diff)
downloadaur-4507aa7a2be450a86516baf31a84230696f69e28.tar.gz
upgpkg: tpm2-totp-git r1.51c2aee-2
- Add psmisc required by tests (for killall)
- Add demo mkinitcpio hook
-rw-r--r--.SRCINFO7
-rw-r--r--PKGBUILD14
-rw-r--r--initcpio_hooks_tpm2-totp8
-rw-r--r--initcpio_install_tpm2-totp51
4 files changed, 75 insertions, 5 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 86dacb293813..6715ede94116 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,10 +1,11 @@
pkgbase = tpm2-totp-git
pkgdesc = Attest the trustworthiness of a device against a human using time-based one-time passwords
pkgver = r1.51c2aee
- pkgrel = 1
+ pkgrel = 2
url = https://github.com/AndreasFuchsSIT/tpm2-totp
arch = x86_64
license = BSD
+ checkdepends = psmisc
checkdepends = ibm-sw-tpm2
makedepends = git
makedepends = autoconf-archive
@@ -15,7 +16,11 @@ pkgbase = tpm2-totp-git
provides = tpm2-totp
conflicts = tpm2-totp
source = git+https://github.com/AndreasFuchsSIT/tpm2-totp.git
+ source = initcpio_install_tpm2-totp
+ source = initcpio_hooks_tpm2-totp
sha512sums = SKIP
+ sha512sums = cd8e3d6d2dd84ec1c24ecc5ff8b099325dfafc5fb0b6f2309c70005c345f37a944d8a1240f512e91de6b09679f23f9822cfc5f779f54e66ecfd34287b21f8cb1
+ sha512sums = ae334b3e11ff89554de485c744556d88c789b773ff26dce9f2fc4c51a78eb12cd1094334a4ea43dc042c406e74b629e7ab5a68eeb36894d9635f81b2eaf02837
pkgname = tpm2-totp-git
diff --git a/PKGBUILD b/PKGBUILD
index 6b44b4f09c6a..4dc66aaa5c9e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,18 +1,22 @@
# Maintainer: Jonas Witschel <diabonas at gmx dot de>
pkgname=tpm2-totp-git
pkgver=r1.51c2aee
-pkgrel=1
+pkgrel=2
pkgdesc='Attest the trustworthiness of a device against a human using time-based one-time passwords'
arch=('x86_64')
url='https://github.com/AndreasFuchsSIT/tpm2-totp'
license=('BSD')
depends=('qrencode' 'tpm2-tss')
makedepends=('git' 'autoconf-archive' 'oath-toolkit' 'pandoc')
-checkdepends=('ibm-sw-tpm2')
+checkdepends=('psmisc' 'ibm-sw-tpm2')
provides=("${pkgname%-git}")
conflicts=("${pkgname%-git}")
-source=("git+$url.git")
-sha512sums=('SKIP')
+source=("git+$url.git"
+ 'initcpio_install_tpm2-totp'
+ 'initcpio_hooks_tpm2-totp')
+sha512sums=('SKIP'
+ 'cd8e3d6d2dd84ec1c24ecc5ff8b099325dfafc5fb0b6f2309c70005c345f37a944d8a1240f512e91de6b09679f23f9822cfc5f779f54e66ecfd34287b21f8cb1'
+ 'ae334b3e11ff89554de485c744556d88c789b773ff26dce9f2fc4c51a78eb12cd1094334a4ea43dc042c406e74b629e7ab5a68eeb36894d9635f81b2eaf02837')
BUILDENV+=('!check') # see warning below before enabling tests
pkgver() {
@@ -45,4 +49,6 @@ package() {
cd "${pkgname%-git}"
make DESTDIR="$pkgdir" install
install -Dm644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
+ install -Dm644 "$srcdir/initcpio_install_tpm2-totp" "$pkgdir/usr/lib/initcpio/install/tpm2-totp"
+ install -Dm644 "$srcdir/initcpio_hooks_tpm2-totp" "$pkgdir/usr/lib/initcpio/install/tpm2-totp"
}
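Review bot: The two new install lines in package() write to the same destination, `$pkgdir/usr/lib/initcpio/install/tpm2-totp`, so the second overwrites the first and the package ends up shipping the run_hook script under install/ with no file under hooks/ at all; mkinitcpio would then find neither a usable build() nor a run_hook for the hook. The second line should target the hooks directory: `install -Dm644 "$srcdir/initcpio_hooks_tpm2-totp" "$pkgdir/usr/lib/initcpio/hooks/tpm2-totp"`. The body of package() begins outside this hunk, and the identical-path mistake is easy to miss in review because both lines look alike, so a short comment such as `# build script goes to install/, runtime script to hooks/` above the pair would make the intent explicit.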
diff --git a/initcpio_hooks_tpm2-totp b/initcpio_hooks_tpm2-totp
new file mode 100644
index 000000000000..bb4d400077cc
--- /dev/null
+++ b/initcpio_hooks_tpm2-totp
@@ -0,0 +1,8 @@
+#!/usr/bin/ash
+
+run_hook() {
+ echo 'Verification TOTP:'
+ tpm2-totp --time calculate
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
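Review bot: run_hook ignores the exit status of `tpm2-totp --time calculate`, so if the calculation fails (no TPM device reachable, or the sealed secret cannot be unsealed) the boot continues with only whatever the tool itself prints, and a user who is not watching closely gets no clear signal that the integrity check did not happen. Since the whole purpose of the hook is that the user compares this output with a second device, an explicit failure message is worth the one line: `tpm2-totp --time calculate || echo 'WARNING: TOTP could not be calculated, boot integrity not verified'`. What tpm2-totp prints on its own failure paths is not visible here, so the message may partly duplicate the tool's output; that is preferable to silence.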
diff --git a/initcpio_install_tpm2-totp b/initcpio_install_tpm2-totp
new file mode 100644
index 000000000000..001324f8e145
--- /dev/null
+++ b/initcpio_install_tpm2-totp
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+build() {
+ local mod
+
+ if [[ $TPM_MODULES ]]; then
+ for mod in $TPM_MODULES; do
+ add_module "$mod"
+ done
+ else
+ add_all_modules '/tpm/'
+ fi
+
+ add_binary 'tpm2-totp'
+
+ # Force usage of device TCTI and suppress warnings issued by tpm2-tss
+ # when trying to load other TCTI libraries
+ add_file '/usr/lib/libtss2-tcti-device.so' '/usr/lib/libtss2-tcti-default.so'
+
+ add_runscript
+}
+
+help() {
+ cat <<HELPEOF
+This hook displays a time-based one-time password (TOTP) sealed to a Trusted
+Platform Module (TPM) to ensure that the boot process has not been tampered
+with. To set this up, a secret needs to be generated first and sealed to the
+TPM using
+
+tpm2-totp generate
+
+This stores the secret in the TPM and displays it to the user so that it can
+be recorded on a different device (e.g. a TOTP app). When the hook is run, the
+TOTP is calculated and displayed together with the current time so that it can
+be compared with the output of the second device. This will only be successful
+and show a matching output if the boot process has not changed (new UEFI
+firmware, different boot loader, ...).
+
+Note that calculating the TOTP requires some entropy, which might be scarce
+directly after startup. If the boot process appears to be stuck, it might help
+to press some random keys to gather more entropy. A better alternative on modern
+processors is to enable the use of the hardware random number generator (RNG)
+by adding
+
+random.trust_cpu=on
+
+to the kernel command line.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et:
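Review bot: build() reads an environment variable `TPM_MODULES` that is documented nowhere in this file: the help() text does not mention that it can be set to a space-separated list of kernel modules to include, and that when it is unset every module under /tpm/ is added instead. Add a comment above the `if [[ $TPM_MODULES ]]` block such as `# TPM_MODULES: optional space-separated list of TPM kernel modules to include; unset means every module under /tpm/ (unquoted expansion below is deliberate word-splitting)`, and a short paragraph in the HELPEOF text describing the variable, where it is expected to be set, and the default. The unquoted `for mod in $TPM_MODULES` is the one place in the file that will trip shellcheck, so naming it as intentional in the comment saves the next maintainer from "fixing" it into a single-module loop.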