Diffstat (limited to 'install_tpm2')
-rw-r--r-- | install_tpm2 | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/install_tpm2 b/install_tpm2
new file mode 100644
index 000000000000..5a153515d252
--- /dev/null
+++ b/install_tpm2
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+build() {
+ add_module "tpm_tis"
+ add_module "tpm_crb"
+
+ add_binary "/usr/bin/tpm2_unseal" "/usr/bin/tpm2_unseal"
+ add_binary "/usr/bin/tpm2_load" "/usr/bin/tpm2_load"
+ add_binary "/usr/bin/tpm2_nvread" "/usr/bin/tpm2_nvread"
+ add_binary "/usr/lib/libtss2-tcti-device.so.0"
+
+ add_runscript
+}
+
+
+help() {
+ cat <<HELPEOF
+This hook allows for an encrypted root device to use a key sealed by a
+TPM 2.0. It should be placed immediately before the 'encrypt' hook. After
+generating a TPM-sealed key, both 'tpmkey' and 'tpmpcr' should be
+specified on the kernel command line.
+
+'tpmkey' has several formats:
+
+ tpmkey=[device]:[path]:[handle]
+ tpmkey=[device]:[publicpath]:[privatepath]:[handle]
+ tpmkey=nvram:[index]
+ tpmkey=nvram:[index]:[offset]:[size]
+
+Where [device] represents the raw block device on which the key exists,
+[path] is the absolute base path of the keyfiles within the device, and
+[handle] is the TPM handle of the key's parent object. If only [path] is
+specified, '.pub' and '.priv' will be appended to the path to locate the
+public and private files, respectively. The absolute [publicpath] and
+[privatepath] can be specified separately if needed.
+
+Setting [device] to 'nvram' indicates that the key is stored in TPM NVRAM.
+In this case [index] is the NVRAM area index, [offset] is the offset of
+the key in bytes and [size] is the size of the key in bytes.
+
+'tpmpcr' should hold the TPM2 PCR bank specification that will unlock the
+sealed key. Multiple specs can be separated by a '|' and key decryption
+will be attempted with each set of banks.
+HELPEOF
+}
+
+# vim: set ft=sh ts=4 sw=4 et: |
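Review bot: The line `add_binary "/usr/lib/libtss2-tcti-device.so.0"` in build() is the one non-obvious item in this hook and carries no comment explaining why a shared library has to be listed by hand next to the three executables; presumably the tpm2_* tools pick the TCTI backend up with dlopen() rather than as a linked dependency, so add_binary's library resolution for the executables does not bring it in, and a comment such as `# TCTI backend is loaded at runtime, not linked, so add_binary of the tools alone will not include it` would stop the next maintainer from deleting the line and producing an initramfs whose tpm2_unseal cannot reach the TPM. The three tool lines pass the same path twice, e.g. `add_binary "/usr/bin/tpm2_unseal" "/usr/bin/tpm2_unseal"`, which reads as if the destination differed from the source; the single-argument form used for the library line is sufficient and less misleading. Only tpm_tis and tpm_crb are added, so a machine whose TPM sits behind a different transport driver (for example SPI or I2C variants) would have no device node in early userspace and the hook would silently fall back to whatever the runtime script does on failure; if that limitation is intended, the help text should state which TPM interfaces are supported. The help text also says nothing about the device node the TCTI needs (/dev/tpm0 or /dev/tpmrm0) and therefore about the udev hook ordering the user must keep, which is worth one sentence alongside the existing "immediately before the 'encrypt' hook" instruction.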