better error handeling in hooks

gentpm.sh

@@ -3,7 +3,7 @@
 device="/dev/nvme0n1p2"
 slot="0"
 keyloc="0x81000001"
-pcr="sha256:7"
+pcr="sha256:0,1,2,7"
 
 ctx=""
 rsapub=""

tpm2_hook

@@ -1,45 +1,83 @@
 #!/usr/bin/ash
 # vim: set ft=sh
 
+tpm_cleanup() {
+	rm -fr /etc/tpm2
+	rm -f "$session"
+	rm -f "$verification"
+}
+
+tpm_error_cleanup() {
+	rm -f "$ckeyfile"
+	tpm_cleanup
+}
+
+quiet() {
+	$@ > /dev/null
+}
+
 run_hook() {	
 
 	local ckeyfile policy session rsaname verification keyloc pcr tpmdev session
 
+	if [ ! -d "/etc/tpm2" ]; then
+		err "TPM data directory not found: /etc/tpm2"
+		tpm_cleanup
+		return
+	fi
+
 	ckeyfile="/crypto_keyfile.bin"
 
+	if [ -f $ckeyfile ]; then
+		err "Crypto keyfile already exists in root. Aborting!!!"
+		tpm_cleanup
+		return
+	fi
+
 	policy="/etc/tpm2/policy"
 	rsaname="/etc/tpm2/rsaname"
 	rsapub="/etc/tpm2/rsapub"
 	rsasig="/etc/tpm2/rsasig"
 	rsactx="/etc/tpm2/rsactx"
 
+	if [ ! -f $policy ] || [ ! -f $rsaname ] || [ ! -f $rsapub ] || [ ! -f $rsasig ] || [ ! -f $rsactx ]; then
+		err "TPM load data missing"
+		tpm_cleanup
+		return
+	fi
+
 	pcr=$(cat /etc/tpm2/pcr)
 	keyloc=$(cat /etc/tpm2/keyloc)
 
 	session="/session.ctx"
 	verification="/verification.tkt"
 
-	tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null
+	quiet tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
-	tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null
+	quiet tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa
 
-	tpm2_startauthsession --policy-session -S $session 1> /dev/null
+	if [ $? -eq 1 ]; then
-	tpm2_policypcr -l $pcr -S $session 1> /dev/null
+		echo
-	tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification 1> /dev/null
+		echo "!!! TPM WARNING: COULD NOT VERIFY SIGNATURE !!!"
+		echo "The boot configuration has been altered since the TPM key was generated. "
+		echo "This should NOT happen under normal use. Be paranoid."
+		echo
+		tpm_error_cleanup
+		return
+	fi
+
+	quiet tpm2_startauthsession --policy-session -S $session
+	quiet tpm2_policypcr -l $pcr -S $session
+	quiet tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification
 
 	local unsealout unseal
 
 	unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1)
 	unseal=$?
 
-	tpm2_flushcontext $session 1> /dev/null
+	quiet tpm2_flushcontext $session
 
-	rm -f $session
+	if [ $unseal -gt 0 ]; then
-	rm -f $verification
+		if echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
-
-	tpmok=0
-	if [ $unseal -eq 0 ]; then
-		tpmok=1
-	elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
 			err "TPM communication error"
 		elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
 			echo
@@ -51,16 +89,12 @@ run_hook() {
 		else
 			err "Could not unseal TPM keyfile"
 		fi
-
+		tpm_error_cleanup
-	if [ $tpmok -gt 0 ]; then
-		msg ":: LUKS key successfully decrypted by TPM"
 	else
-		rm -f "$ckeyfile"
+		msg ":: LUKS key successfully decrypted by TPM"
-		msg ":: TPM Could not decrypt LUKS key"
+		tpm_cleanup
 	fi
 
-	rm -fr /etc/tpm2
-
 }
 
 run_cleanuphook() {