Diffstat (limited to 'hook_tpm2')
-rw-r--r-- | hook_tpm2 | 187 |
1 files changed, 0 insertions, 187 deletions
diff --git a/hook_tpm2 b/hook_tpm2
deleted file mode 100644
index e06ea4bc20b5..000000000000
--- a/hook_tpm2
+++ /dev/null
@@ -1,187 +0,0 @@
-#!/usr/bin/ash
-
-run_hook() {
- local ckeyfile tpmkeypub tpmkeypriv tpmkeyparent tpmkeyindex tpmkeyoffset tpmkeysize
- local tkdev tkarg1 tkarg2 tkarg3 resolved extendargs pcrbanklist pcrextendnum pcrextendalg
- local tpmload pcrbank unseal unsealout tpmok noop
-
- # This file will be loaded by the encrypt hook
- ckeyfile="/crypto_keyfile.bin"
-
- # Rootfs location for sealed key files
- tpmkeypub="/tpm_keyfile.pub"
- tpmkeypriv="/tpm_keyfile.priv"
-
- # TPM device
- [ -z $tpmdev ] && tpmdev="/dev/tpmrm0"
- export TPM2TOOLS_TCTI="device:${tpmdev}"
-
- # Parse tpmkey command line argument
- if [ -n "$tpmkey" ]; then
- IFS=: read tkdev tkarg1 tkarg2 tkarg3 <<EOF
-$tpmkey
-EOF
- unset IFS
-
- case "$tkdev" in
- rootfs)
- # Key is in initcpio root filesystem. Use files in place
- if [ -z "$tkarg3" ]; then
- tpmkeypub="${tkarg1}.pub"
- tpmkeypriv="${tkarg1}.priv"
- tpmkeyparent="$tkarg2"
- else
- tpmkeypub="$tkarg1"
- tpmkeypriv="$tkarg2"
- tpmkeyparent="$tkarg3"
- fi
- ;;
- nvram)
- # Key is in NVRAM. Populate NVRAM variables
- tpmkeyindex="$tkarg1"
- tpmkeyoffset="$tkarg2"
- tpmkeysize="$tkarg3"
- ;;
- *)
- # Key is on block device
- # Locate, mount, and copy the key files
- if resolved=$(resolve_device "${tkdev}" ${rootdelay}); then
- mkdir /tpmkey
- mount -r -t auto "$resolved" /tpmkey
-
- if [ -z "$tkarg3" ]; then
- dd if="/tpmkey/${tkarg1}.pub" of="$tpmkeypub" >/dev/null 2>&1
- dd if="/tpmkey/${tkarg1}.priv" of="$tpmkeypriv" >/dev/null 2>&1
- tpmkeyparent="$tkarg2"
- else
- dd if="/tpmkey/${tkarg1}" of="$tpmkeypub" >/dev/null 2>&1
- dd if="/tpmkey/${tkarg2}" of="$tpmkeypriv" >/dev/null 2>&1
- tpmkeyparent="$tkarg3"
- fi
-
- umount /tpmkey
- rmdir /tpmkey
- fi
- ;;
- esac
-
- # If there is no NVRAM index and no sealed files, print an error
- if [ -z "$tpmkeyindex" ] && [ ! -f "$tpmkeypub" -o ! -f "$tpmkeypriv" ]; then
- err "TPM keyfiles could not be opened"
- fi
- fi
-
- # Parse the tpmpcr variable
- if [ -n "$tpmpcr" ]; then
- case "$tpmpcr" in
- extend*)
- IFS="|" read extendargs pcrbanklist <<EOF
-$tpmpcr
-EOF
- IFS=: read noop pcrextendnum pcrextendalg <<EOF
-$extendargs
-EOF
- unset IFS
- ;;
- *)
- pcrbanklist="$tpmpcr"
- ;;
- esac
- fi
-
- # We must have a PCR list to retrieve a key
- [ -n "$tpmkey" ] && [ -z "$pcrbanklist" ] && err "TPM PCR bank not specified"
-
-
- # If we have a key and PCR list, decrypt it
- if [ -n "$pcrbanklist" -a -n "$tpmkeyindex" ] || [ -n "$pcrbanklist" -a -f "$tpmkeypub" -a -f "$tpmkeypriv" ]; then
- # Load key object if stored on disk
- tpmload=0
- if [ -z "$tpmkeyindex" ]; then
- if [ -n "$tpmprompt" ]; then
- echo
- tpm2_load -Q -C "$tpmkeyparent" -P file:- -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx 2>/dev/null
- tpmload=$?
- echo
- else
- tpm2_load -Q -C "$tpmkeyparent" -r "$tpmkeypriv" -u "$tpmkeypub" -c /tpmobject.ctx >/dev/null 2>&1
- tpmload=$?
- fi
- fi
-
- # Format nvram arguments
- [ -n "$tpmkeyoffset" ] && tpmkeyoffset="--offset=${tpmkeyoffset}"
- [ -n "$tpmkeysize" ] && tpmkeysize="--size=${tpmkeysize}"
-
- # Attempt to decrypt key with each PCR bank specified
- unseal=1
- if [ $tpmload -eq 0 ]; then
- IFS="|"
- for pcrbank in $pcrbanklist; do
- if [ -n "$tpmkeyindex" ]; then
- unsealout=$(tpm2_nvread -Q $tpmkeyoffset $tpmkeysize -P "pcr:${pcrbank}" -o $ckeyfile "$tpmkeyindex" 2>&1)
- unseal=$?
- else
- unsealout=$(tpm2_unseal -Q -c /tpmobject.ctx -p "pcr:${pcrbank}" -o "$ckeyfile" 2>&1)
- unseal=$?
- fi
- if [ $unseal -eq 0 ]; then break; fi
- done
- unset IFS
- fi
-
- # Check decryption resuts and report
- tpmok=0
- if [ $unseal -eq 0 ]; then
- tpmok=1
- elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
- err "TPM communication error"
- elif echo "$unsealout" | grep -sqiE 'ERROR.*0x99D'; then
- echo
- echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
- echo "This is an indication that the boot configuration has been altered since"
- echo "the TPM key was generated. This is normal after kernel updates or firmware"
- echo "changes, however this could also indicate a malicious change to your system."
- echo
- elif [ -n "$tpmkeyindex" ]; then
- err "Could not read key from TPM NVRAM"
- elif [ $tpmload -ne 0 ]; then
- err "Could not load TPM keyfile"
- else
- err "Could not unseal TPM keyfile"
- fi
-
- if [ $tpmok -eq 0 ]; then
- rm -f "$ckeyfile"
- msg ":: TPM Could not decrypt LUKS key"
- fi
- fi
-
- # Extend specified PCR
- if [ -n "$pcrextendnum" ] && [ -n "$pcrextendalg" ]; then
- case "$pcrextendalg" in
- sha1|sha224|sha256|sha384|sha512)
- tpm2_pcrextend ${pcrextendnum}:${pcrextendalg}=$("${pcrextendalg}sum" /hooks/tpm2 2>/dev/null | cut -f1 -d' ') >/dev/null 2>&1
- if [ $? -ne 0 ]; then
- err "Could not extend TPM PCR"
- fi
- ;;
- *)
- err "Hash algorithm not supported for PCR extend"
- ;;
- esac
- fi
-
- # Cleanup
- rm -f /tpmobject.ctx "$tpmkeypub" "$tpmkeypriv"
-}
-
-run_cleanuphook() {
- # Securely delete key if still present
- if [ -f "$ckeyfile" ]; then
- dd if=/dev/urandom of="$ckeyfile" bs=$(stat --printf="%s" "$ckeyfile") count=1 conv=notrunc >/dev/null 2>&1
- rm -f "$ckeyfile"
- fi
-}
-
-# vim: set ft=sh ts=4 sw=4 et: |