diff --git a/gentpm.sh b/gentpm.sh
index f3af48d..4653f42 100755
--- a/gentpm.sh
+++ b/gentpm.sh
@@ -3,7 +3,7 @@
 device="/dev/nvme0n1p2"
 slot="0"
 keyloc="0x81000001"
-pcr="sha256:7"
+pcr="sha256:0,1,2,7"
 ctx=""
 rsapub=""
diff --git a/tpm2_hook b/tpm2_hook
index 2acab94..c8aa261 100755
--- a/tpm2_hook
+++ b/tpm2_hook
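Review bot: The widened selection on the `pcr=` line is undocumented, and PCRs 0, 1 and 2 are extended by the platform firmware (firmware code, firmware configuration and option ROM code in the TCG PC Client layout), so a BIOS/UEFI update will stop the sealed key from unsealing until gentpm.sh is re-run. A comment on that line would spare the next operator a surprise at boot, e.g. `# PCRs 0-2 change on firmware updates, PCR 7 on Secure Boot policy changes; re-run this script after either`. This value presumably ends up in the `/etc/tpm2/pcr` file that tpm2_hook reads at boot, so the comment should also say that the two must stay in agreement.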
@@ -1,66 +1,100 @@
 #!/usr/bin/ash
 # vim: set ft=sh
+tpm_cleanup() {
+ rm -fr /etc/tpm2
+ rm -f "$session"
+ rm -f "$verification"
+}
+
+tpm_error_cleanup() {
+ rm -f "$ckeyfile"
+ tpm_cleanup
+}
+
+quiet() {
+ $@ > /dev/null
+}
+
 run_hook() {
 local ckeyfile policy session rsaname verification keyloc pcr tpmdev session
+ if [ ! -d "/etc/tpm2" ]; then
+ err "TPM data directory not found: /etc/tpm2"
+ tpm_cleanup
+ return
+ fi
+
 ckeyfile="/crypto_keyfile.bin"
+ if [ -f $ckeyfile ]; then
+ err "Crypto keyfile already exists in root. Aborting!!!"
+ tpm_cleanup
+ return
+ fi
+
 policy="/etc/tpm2/policy"
 rsaname="/etc/tpm2/rsaname"
 rsapub="/etc/tpm2/rsapub"
 rsasig="/etc/tpm2/rsasig"
 rsactx="/etc/tpm2/rsactx"
+ if [ ! -f $policy ] || [ ! -f $rsaname ] || [ ! -f $rsapub ] || [ ! -f $rsasig ] || [ ! -f $rsactx ]; then
+ err "TPM load data missing"
+ tpm_cleanup
+ return
+ fi
+
 pcr=$(cat /etc/tpm2/pcr)
 keyloc=$(cat /etc/tpm2/keyloc)
 session="/session.ctx"
 verification="/verification.tkt"
- tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null
- tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null
+ quiet tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
+ quiet tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa
- tpm2_startauthsession --policy-session -S $session 1> /dev/null
- tpm2_policypcr -l $pcr -S $session 1> /dev/null
- tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification 1> /dev/null
+ if [ $? -eq 1 ]; then
+ echo
+ echo "!!! TPM WARNING: COULD NOT VERIFY SIGNATURE !!!"
+ echo "The boot configuration has been altered since the TPM key was generated. "
+ echo "This should NOT happen under normal use. Be paranoid."
+ echo
+ tpm_error_cleanup
+ return
+ fi
+
+ quiet tpm2_startauthsession --policy-session -S $session
+ quiet tpm2_policypcr -l $pcr -S $session
+ quiet tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification
 local unsealout unseal
 unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1)
 unseal=$?
- tpm2_flushcontext $session 1> /dev/null
+ quiet tpm2_flushcontext $session
- rm -f $session
- rm -f $verification
-
- tpmok=0
- if [ $unseal -eq 0 ]; then
- tpmok=1
- elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
- err "TPM communication error"
- elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
- echo
- echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
- echo "This is an indication that the boot configuration has been altered since"
- echo "the TPM key was generated. This is normal after kernel updates or firmware"
- echo "changes, however this could also indicate a malicious change to your system."
- echo
+ if [ $unseal -gt 0 ]; then
+ if echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
+ err "TPM communication error"
+ elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
+ echo
+ echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
+ echo "This is an indication that the boot configuration has been altered since"
+ echo "the TPM key was generated. This is normal after kernel updates or firmware"
+ echo "changes, however this could also indicate a malicious change to your system."
+ echo
+ else
+ err "Could not unseal TPM keyfile"
+ fi
+ tpm_error_cleanup
 else
- err "Could not unseal TPM keyfile"
- fi
-
- if [ $tpmok -gt 0 ]; then
 msg ":: LUKS key successfully decrypted by TPM"
- else
- rm -f "$ckeyfile"
- msg ":: TPM Could not decrypt LUKS key"
+ tpm_cleanup
 fi
- rm -fr /etc/tpm2
-
 }
 run_cleanuphook() {
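Review bot: The signature check `if [ $? -eq 1 ]; then` only catches a tpm2_verifysignature exit status of exactly 1, while tpm2-tools also exits with other non-zero codes (option, auth and TCTI errors are distinct values in recent releases), and the status of the preceding `quiet tpm2_loadexternal` is never examined at all. The TPM should still refuse the later unseal, since tpm2_policyauthorize is handed the ticket that step was supposed to produce, but the operator then sees the generic "Could not unseal TPM keyfile" message instead of the signature warning; change the test to `if [ $? -ne 0 ]; then` and check loadexternal the same way. Separately, `quiet() { $@ > /dev/null }` should use `"$@"`, because unquoted `$@` re-splits and glob-expands every argument — harmless for the fixed paths passed here, but a latent bug for any argument containing spaces or wildcard characters. `tpm_cleanup` is also reached from the early-return paths before `session` and `verification` are assigned, so it runs `rm -f ""` there; that is benign under -f, but a short comment in tpm_cleanup stating that empty values are expected would stop the next reader from "fixing" it. run_cleanuphook begins on the hunk's last line and its body lies outside the hunk.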