#!/usr/bin/ash
# vim: set ft=sh
tpm_cleanup() {
  # Remove the TPM policy material and the per-boot session artefacts.
  # session and verification are set by run_hook; with -f this is a
  # silent no-op when they are unset or the files are already gone.
  rm -fr -- /etc/tpm2
  rm -f -- "$session" "$verification"
}
tpm_error_cleanup() {
  # Error-path variant of tpm_cleanup: also drops the (possibly partially
  # written) keyfile at $ckeyfile before removing the TPM data.
  rm -f -- "$ckeyfile"
  tpm_cleanup
}
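quiet() {
  # Run the given command with stdout discarded; stderr and the exit
  # status pass straight through to the caller.
  # "$@" keeps each argument intact, so an argument containing whitespace
  # (or a glob character) is not re-split or expanded before execution.
  "$@" > /dev/null
}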
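run_hook() {
  # Unseal the LUKS keyfile from the TPM and write it to /crypto_keyfile.bin
  # for the encrypt hook. Refuses to run if a keyfile is already present,
  # verifies the signature over the authorized policy before opening the
  # policy session, and removes /etc/tpm2 and the session artefacts on
  # every exit path. err/msg come from the initramfs init functions and are
  # not defined in this file.
  local ckeyfile policy session rsaname rsapub rsasig rsactx verification
  local keyloc pcr unsealout unseal

  if [ ! -d "/etc/tpm2" ]; then
    err "TPM data directory not found: /etc/tpm2"
    tpm_cleanup
    return
  fi

  ckeyfile="/crypto_keyfile.bin"

  # A keyfile that already exists in the initramfs root was not produced by
  # this hook; never reuse or overwrite it.
  if [ -f "$ckeyfile" ]; then
    err "Crypto keyfile already exists in root. Aborting!!!"
    tpm_cleanup
    return
  fi

  policy="/etc/tpm2/policy"
  rsaname="/etc/tpm2/rsaname"
  rsapub="/etc/tpm2/rsapub"
  rsasig="/etc/tpm2/rsasig"
  rsactx="/etc/tpm2/rsactx"

  # pcr and keyloc are read below; checking them here gives a clear error
  # instead of an opaque tpm2_unseal failure later.
  if [ ! -f "$policy" ] || [ ! -f "$rsaname" ] || [ ! -f "$rsapub" ] \
      || [ ! -f "$rsasig" ] || [ ! -f "$rsactx" ] \
      || [ ! -f /etc/tpm2/pcr ] || [ ! -f /etc/tpm2/keyloc ]; then
    err "TPM load data missing"
    tpm_cleanup
    return
  fi

  pcr=$(cat /etc/tpm2/pcr)
  keyloc=$(cat /etc/tpm2/keyloc)
  session="/session.ctx"
  verification="/verification.tkt"

  # Load the authorizing public key and verify the policy signature. Any
  # non-zero status counts as "not verified": the tools use several
  # distinct non-zero codes (the old check only caught 1), and a failed
  # load must not be allowed to fall through to the session setup either.
  if ! quiet tpm2_loadexternal -G rsa -C o -u "$rsapub" -c "$rsactx" -n "$rsaname" \
      || ! quiet tpm2_verifysignature -c "$rsactx" -g sha256 -m "$policy" -s "$rsasig" -t "$verification" -f rsassa; then
    echo
    echo "!!! TPM WARNING: COULD NOT VERIFY SIGNATURE !!!"
    echo "The boot configuration has been altered since the TPM key was generated. "
    echo "This should NOT happen under normal use. Be paranoid."
    echo
    tpm_error_cleanup
    return
  fi

  # Build the policy session; the TPM enforces the policy, so a failure in
  # any of these steps surfaces as an unseal error below.
  quiet tpm2_startauthsession --policy-session -S "$session"
  quiet tpm2_policypcr -l "$pcr" -S "$session"
  quiet tpm2_policyauthorize -S "$session" -i "$policy" -n "$rsaname" -t "$verification"

  # Keep stderr so the failure can be classified below.
  unsealout=$(tpm2_unseal -p "session:$session" -c "$keyloc" -o "$ckeyfile" 2>&1)
  unseal=$?

  quiet tpm2_flushcontext "$session"
  if [ "$unseal" -ne 0 ]; then
    if printf '%s\n' "$unsealout" | grep -sqiE 'Could not load tcti'; then
      err "TPM communication error"
    elif printf '%s\n' "$unsealout" | grep -sqiE 'Error.*0x99d'; then
      # 0x99d in the tool output is treated here as a PCR policy mismatch.
      echo
      echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
      echo "This is an indication that the boot configuration has been altered since"
      echo "the TPM key was generated. This is normal after kernel updates or firmware"
      echo "changes, however this could also indicate a malicious change to your system."
      echo
    else
      err "Could not unseal TPM keyfile"
    fi
    tpm_error_cleanup
  else
    msg ":: LUKS key successfully decrypted by TPM"
    tpm_cleanup
  fi
}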
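run_cleanuphook() {
  # Securely delete the unsealed keyfile if it is still present.
  # run_hook declares ckeyfile local, so it may not be visible here; fall
  # back to the path run_hook writes to so the cleanup still runs.
  local keyfile size
  keyfile=${ckeyfile:-/crypto_keyfile.bin}
  if [ -f "$keyfile" ]; then
    # -c is understood by both GNU and BusyBox stat (the ash shebang
    # suggests BusyBox, which lacks --printf).
    size=$(stat -c '%s' "$keyfile" 2>/dev/null)
    # Overwrite in place before unlinking; skip dd for an empty file since
    # bs=0 is rejected. Both dd streams are discarded (the original
    # redirect order sent dd's transfer summary to the console).
    if [ -n "$size" ] && [ "$size" -gt 0 ]; then
      dd if=/dev/urandom of="$keyfile" bs="$size" count=1 conv=notrunc >/dev/null 2>&1
    fi
    rm -f -- "$keyfile"
  fi
}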