better error handeling in hooks

Freya Murphy 2023-12-10 01:30:13 -05:00
parent c602e69b18
commit 01bec20e6e
No known key found for this signature in database
GPG key ID: 988032A5638EE799
2 changed files with 65 additions and 31 deletions


@ -3,7 +3,7 @@
device="/dev/nvme0n1p2" device="/dev/nvme0n1p2"
slot="0" slot="0"
keyloc="0x81000001" keyloc="0x81000001"
pcr="sha256:7" pcr="sha256:0,1,2,7"
ctx="" ctx=""
rsapub="" rsapub=""
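Review bot: The widened selection `pcr="sha256:0,1,2,7"` carries no comment saying what each bank binds the sealed key to or which events will require re-sealing, so a reader of this config cannot tell whether the stronger binding is deliberate. Under the TCG PC Client conventions PCRs 0–2 hold firmware code, firmware configuration and option-ROM measurements while PCR 7 tracks the Secure Boot state, so after this change a firmware/UEFI update (not just a Secure Boot policy change) will invalidate the policy and land in the hook's "PCR VALUES HAVE CHANGED" path; I'd add `# 0-2: firmware code/config/option ROMs, 7: Secure Boot state; firmware updates require re-sealing` above this line. The hook in the other file reads this value with `cat /etc/tpm2/pcr` and passes it unquoted to `tpm2_policypcr -l $pcr`, so the same comment should state that the value must remain a single whitespace-free token.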


@ -1,66 +1,100 @@
#!/usr/bin/ash #!/usr/bin/ash
# vim: set ft=sh # vim: set ft=sh
tpm_cleanup() {
rm -fr /etc/tpm2
rm -f "$session"
rm -f "$verification"
}
tpm_error_cleanup() {
rm -f "$ckeyfile"
tpm_cleanup
}
quiet() {
$@ > /dev/null
}
run_hook() { run_hook() {
local ckeyfile policy session rsaname verification keyloc pcr tpmdev session local ckeyfile policy session rsaname verification keyloc pcr tpmdev session
if [ ! -d "/etc/tpm2" ]; then
err "TPM data directory not found: /etc/tpm2"
tpm_cleanup
return
fi
ckeyfile="/crypto_keyfile.bin" ckeyfile="/crypto_keyfile.bin"
if [ -f $ckeyfile ]; then
err "Crypto keyfile already exists in root. Aborting!!!"
tpm_cleanup
return
fi
policy="/etc/tpm2/policy" policy="/etc/tpm2/policy"
rsaname="/etc/tpm2/rsaname" rsaname="/etc/tpm2/rsaname"
rsapub="/etc/tpm2/rsapub" rsapub="/etc/tpm2/rsapub"
rsasig="/etc/tpm2/rsasig" rsasig="/etc/tpm2/rsasig"
rsactx="/etc/tpm2/rsactx" rsactx="/etc/tpm2/rsactx"
if [ ! -f $policy ] || [ ! -f $rsaname ] || [ ! -f $rsapub ] || [ ! -f $rsasig ] || [ ! -f $rsactx ]; then
err "TPM load data missing"
tpm_cleanup
return
fi
pcr=$(cat /etc/tpm2/pcr) pcr=$(cat /etc/tpm2/pcr)
keyloc=$(cat /etc/tpm2/keyloc) keyloc=$(cat /etc/tpm2/keyloc)
session="/session.ctx" session="/session.ctx"
verification="/verification.tkt" verification="/verification.tkt"
tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null quiet tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null quiet tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa
tpm2_startauthsession --policy-session -S $session 1> /dev/null if [ $? -eq 1 ]; then
tpm2_policypcr -l $pcr -S $session 1> /dev/null echo
tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification 1> /dev/null echo "!!! TPM WARNING: COULD NOT VERIFY SIGNATURE !!!"
echo "The boot configuration has been altered since the TPM key was generated. "
echo "This should NOT happen under normal use. Be paranoid."
echo
tpm_error_cleanup
return
fi
quiet tpm2_startauthsession --policy-session -S $session
quiet tpm2_policypcr -l $pcr -S $session
quiet tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification
local unsealout unseal local unsealout unseal
unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1) unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1)
unseal=$? unseal=$?
tpm2_flushcontext $session 1> /dev/null quiet tpm2_flushcontext $session
rm -f $session if [ $unseal -gt 0 ]; then
rm -f $verification if echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
err "TPM communication error"
tpmok=0 elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
if [ $unseal -eq 0 ]; then echo
tpmok=1 echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then echo "This is an indication that the boot configuration has been altered since"
err "TPM communication error" echo "the TPM key was generated. This is normal after kernel updates or firmware"
elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then echo "changes, however this could also indicate a malicious change to your system."
echo echo
echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!" else
echo "This is an indication that the boot configuration has been altered since" err "Could not unseal TPM keyfile"
echo "the TPM key was generated. This is normal after kernel updates or firmware" fi
echo "changes, however this could also indicate a malicious change to your system." tpm_error_cleanup
echo
else else
err "Could not unseal TPM keyfile"
fi
if [ $tpmok -gt 0 ]; then
msg ":: LUKS key successfully decrypted by TPM" msg ":: LUKS key successfully decrypted by TPM"
else tpm_cleanup
rm -f "$ckeyfile"
msg ":: TPM Could not decrypt LUKS key"
fi fi
rm -fr /etc/tpm2
} }
run_cleanuphook() { run_cleanuphook() {