blob: e084c41d3731005d040e25ecece17312a4849752 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
#!/bin/bash
build() {
add_module "tpm_tis"
add_module "tpm_crb"
add_binary "/usr/bin/tpm2_unseal"
add_binary "/usr/bin/tpm2_load"
add_binary "/usr/bin/tpm2_nvread"
add_binary "/usr/bin/tpm2_pcrextend"
add_binary "/usr/bin/sha1sum"
add_binary "/usr/bin/sha224sum"
add_binary "/usr/bin/sha256sum"
add_binary "/usr/bin/sha384sum"
add_binary "/usr/bin/sha512sum"
add_binary "/usr/lib/libtss2-tcti-device.so.0"
add_runscript
}
help() {
cat <<HELPEOF
This hook allows for an encrypted root device to use a key sealed by a
TPM 2.0. It should be placed immediately before the 'encrypt' hook. After
generating a TPM-sealed key, both 'tpmkey' and 'tpmpcr' should be
specified on the kernel command line.
'tpmkey' has several formats:
tpmkey=[device]:[path]:[handle]
tpmkey=[device]:[publicpath]:[privatepath]:[handle]
tpmkey=nvram:[index]
tpmkey=nvram:[index]:[offset]:[size]
Where [device] represents the raw block device on which the key exists,
[path] is the absolute base path of the keyfiles within the device, and
[handle] is the TPM handle of the key's parent object. If only [path] is
specified, '.pub' and '.priv' will be appended to the path to locate the
public and private files, respectively. The absolute [publicpath] and
[privatepath] can be specified separately if needed.
Setting [device] to 'nvram' indicates that the key is stored in TPM NVRAM.
In this case [index] is the NVRAM area index, [offset] is the offset of
the key in bytes and [size] is the size of the key in bytes.
'tpmpcr' should hold the TPM2 PCR bank specification that will unlock the
sealed key. Multiple specs can be separated by a '|' and key decryption
will be attempted with each set of banks.
The first PCR bank spec may be used to indicate a PCR to extend after
unsealing the key.
If the 'tpmprompt' command line parameter is set, the user will be
prompted for the parent encryption key password during boot. This password
will be used while loading the sealed key. This option has no effect when
the key is stored in NVRAM. Ex: tpmprompt=1
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et:
|