path: root/initcpio_install_tpm2-totp
blob: eb22958104d4965bfa906d55ac19c61afb1c9b44 (plain)
#!/bin/bash

build() {
    local mod

    if [[ $TPM_MODULES ]]; then
        for mod in $TPM_MODULES; do
            add_module "$mod"
        done
    else
        add_all_modules /tpm/
    fi

    add_binary tpm2-totp

    # Force usage of device TCTI and suppress warnings issued by tpm2-tss
    # when trying to load other TCTI libraries
    add_file /usr/lib/libtss2-tcti-device.so /usr/lib/libtss2-tcti-default.so

    add_runscript
}

help() {
    cat <<HELPEOF
This hook displays a time-based one-time password (TOTP) sealed to a Trusted
Platform Module (TPM) to ensure that the boot process has not been tampered
with. To set this up, a secret needs to be generated first and sealed to the
TPM using

tpm2-totp generate

This stores the secret in the TPM and displays it to the user so that it can
be recorded on a different device (e.g. a TOTP app). When the hook is run, the
TOTP is calculated and displayed together with the current time so that it can
be compared with the output of the second device. This will only be successful
and show a matching output if the boot process has not changed (new UEFI
firmware, different boot loader, ...).

When using a custom NV index with the '--nvindex index' option of tpm2-totp,
this index needs to be specified as 'tpm2_totp_nvindex=index' on the kernel
command line.

Note that calculating the TOTP requires some entropy, which might be scarce
directly after startup. If the boot process appears to be stuck, it might help
to press some random keys to gather more entropy. A better alternative on modern
processors is to enable the use of the hardware random number generator (RNG)
by adding

random.trust_cpu=on

to the kernel command line.
HELPEOF
}

# vim: set ft=sh ts=4 sw=4 et:
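The install hook above only places the tpm2-totp binary and the device TCTI in the initramfs; the run script it adds with add_runscript (not shown on this page) is what has to read the 'tpm2_totp_nvindex=index' parameter described in the help text and hand it to tpm2-totp. The following is an added example, not code from the tpm2-totp package or from this hook, showing how such a run script can pull that parameter out of a kernel command line string and turn it into a '--nvindex' argument. The function names parse_nvindex and totp_nvindex_args are made up for this example, and it assumes the index is written as a 0x-prefixed hexadecimal number; a malformed value is rejected rather than silently ignored, so a typo on the command line does not make tpm2-totp fall back to the default NV index and fail to find the secret.

```sh
#!/bin/sh
# Added example (not part of the tpm2-totp package or its hook): parse the
# tpm2_totp_nvindex= kernel parameter the way an initcpio run script would.
# Both functions take the command line as $1, normally "$(cat /proc/cmdline)";
# the test inputs below are constructed.

# Print the value of tpm2_totp_nvindex=, or nothing if it is absent.
# The last occurrence wins, as it does for most kernel parameters.
parse_nvindex() {
    set -f          # no glob expansion while word-splitting the command line
    set -- $1
    set +f
    idx=""
    for word in "$@"; do
        case $word in
            tpm2_totp_nvindex=*) idx=${word#tpm2_totp_nvindex=} ;;
        esac
    done
    printf '%s\n' "$idx"
}

# Print "--nvindex <index>" when a well-formed index is set, nothing when the
# parameter is absent (tpm2-totp then uses its default NV index), and return 1
# when the value is present but malformed. Assumed format: 0x-prefixed hex.
totp_nvindex_args() {
    idx=$(parse_nvindex "$1")
    [ -n "$idx" ] || return 0
    ok=1
    case $idx in 0x*) ;; *) ok=0 ;; esac
    case ${idx#0x} in ""|*[!0-9A-Fa-f]*) ok=0 ;; esac
    if [ "$ok" -eq 0 ]; then
        printf 'tpm2-totp: malformed tpm2_totp_nvindex=%s\n' "$idx" >&2
        return 1
    fi
    printf '%s %s\n' --nvindex "$idx"
}

# Example use in a run script (hypothetical):
#   args=$(totp_nvindex_args "$(cat /proc/cmdline)") || exit 1
#   tpm2-totp $args show
```

Stopping on a malformed index is a deliberate choice: the run script is the only place where the user learns why no matching code appears, and a clear message beats a silent mismatch that looks like a tampered boot chain.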