better error handeling in hooks

This commit is contained in:
Murphy 2023-12-10 01:30:13 -05:00
parent c602e69b18
commit 01bec20e6e
No known key found for this signature in database
GPG key ID: 988032A5638EE799
2 changed files with 65 additions and 31 deletions

View file

@ -3,7 +3,7 @@
device="/dev/nvme0n1p2"
slot="0"
keyloc="0x81000001"
pcr="sha256:7"
pcr="sha256:0,1,2,7"
ctx=""
rsapub=""

View file

@ -1,66 +1,100 @@
#!/usr/bin/ash
# vim: set ft=sh
tpm_cleanup() {
rm -fr /etc/tpm2
rm -f "$session"
rm -f "$verification"
}
tpm_error_cleanup() {
rm -f "$ckeyfile"
tpm_cleanup
}
quiet() {
$@ > /dev/null
}
run_hook() {
local ckeyfile policy session rsaname verification keyloc pcr tpmdev session
if [ ! -d "/etc/tpm2" ]; then
err "TPM data directory not found: /etc/tpm2"
tpm_cleanup
return
fi
ckeyfile="/crypto_keyfile.bin"
if [ -f $ckeyfile ]; then
err "Crypto keyfile already exists in root. Aborting!!!"
tpm_cleanup
return
fi
policy="/etc/tpm2/policy"
rsaname="/etc/tpm2/rsaname"
rsapub="/etc/tpm2/rsapub"
rsasig="/etc/tpm2/rsasig"
rsactx="/etc/tpm2/rsactx"
if [ ! -f $policy ] || [ ! -f $rsaname ] || [ ! -f $rsapub ] || [ ! -f $rsasig ] || [ ! -f $rsactx ]; then
err "TPM load data missing"
tpm_cleanup
return
fi
pcr=$(cat /etc/tpm2/pcr)
keyloc=$(cat /etc/tpm2/keyloc)
session="/session.ctx"
verification="/verification.tkt"
tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null
tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null
quiet tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
quiet tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa
tpm2_startauthsession --policy-session -S $session 1> /dev/null
tpm2_policypcr -l $pcr -S $session 1> /dev/null
tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification 1> /dev/null
if [ $? -eq 1 ]; then
echo
echo "!!! TPM WARNING: COULD NOT VERIFY SIGNATURE !!!"
echo "The boot configuration has been altered since the TPM key was generated. "
echo "This should NOT happen under normal use. Be paranoid."
echo
tpm_error_cleanup
return
fi
quiet tpm2_startauthsession --policy-session -S $session
quiet tpm2_policypcr -l $pcr -S $session
quiet tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification
local unsealout unseal
unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1)
unseal=$?
tpm2_flushcontext $session 1> /dev/null
quiet tpm2_flushcontext $session
rm -f $session
rm -f $verification
tpmok=0
if [ $unseal -eq 0 ]; then
tpmok=1
elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
err "TPM communication error"
elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
echo
echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
echo "This is an indication that the boot configuration has been altered since"
echo "the TPM key was generated. This is normal after kernel updates or firmware"
echo "changes, however this could also indicate a malicious change to your system."
echo
if [ $unseal -gt 0 ]; then
if echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
err "TPM communication error"
elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
echo
echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
echo "This is an indication that the boot configuration has been altered since"
echo "the TPM key was generated. This is normal after kernel updates or firmware"
echo "changes, however this could also indicate a malicious change to your system."
echo
else
err "Could not unseal TPM keyfile"
fi
tpm_error_cleanup
else
err "Could not unseal TPM keyfile"
fi
if [ $tpmok -gt 0 ]; then
msg ":: LUKS key successfully decrypted by TPM"
else
rm -f "$ckeyfile"
msg ":: TPM Could not decrypt LUKS key"
tpm_cleanup
fi
rm -fr /etc/tpm2
}
run_cleanuphook() {