better error handeling in hooks
parent
c602e69b18
commit
01bec20e6e
2 changed files with 65 additions and 31 deletions
|
@ -3,7 +3,7 @@
|
||||||
device="/dev/nvme0n1p2"
|
device="/dev/nvme0n1p2"
|
||||||
slot="0"
|
slot="0"
|
||||||
keyloc="0x81000001"
|
keyloc="0x81000001"
|
||||||
pcr="sha256:7"
|
pcr="sha256:0,1,2,7"
|
||||||
|
|
||||||
ctx=""
|
ctx=""
|
||||||
rsapub=""
|
rsapub=""
|
||||||
|
|
94
tpm2_hook
94
tpm2_hook
|
@ -1,66 +1,100 @@
|
||||||
#!/usr/bin/ash
|
#!/usr/bin/ash
|
||||||
# vim: set ft=sh
|
# vim: set ft=sh
|
||||||
|
|
||||||
|
tpm_cleanup() {
|
||||||
|
rm -fr /etc/tpm2
|
||||||
|
rm -f "$session"
|
||||||
|
rm -f "$verification"
|
||||||
|
}
|
||||||
|
|
||||||
|
tpm_error_cleanup() {
|
||||||
|
rm -f "$ckeyfile"
|
||||||
|
tpm_cleanup
|
||||||
|
}
|
||||||
|
|
||||||
|
quiet() {
|
||||||
|
$@ > /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
run_hook() {
|
run_hook() {
|
||||||
|
|
||||||
local ckeyfile policy session rsaname verification keyloc pcr tpmdev session
|
local ckeyfile policy session rsaname verification keyloc pcr tpmdev session
|
||||||
|
|
||||||
|
if [ ! -d "/etc/tpm2" ]; then
|
||||||
|
err "TPM data directory not found: /etc/tpm2"
|
||||||
|
tpm_cleanup
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
ckeyfile="/crypto_keyfile.bin"
|
ckeyfile="/crypto_keyfile.bin"
|
||||||
|
|
||||||
|
if [ -f $ckeyfile ]; then
|
||||||
|
err "Crypto keyfile already exists in root. Aborting!!!"
|
||||||
|
tpm_cleanup
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
policy="/etc/tpm2/policy"
|
policy="/etc/tpm2/policy"
|
||||||
rsaname="/etc/tpm2/rsaname"
|
rsaname="/etc/tpm2/rsaname"
|
||||||
rsapub="/etc/tpm2/rsapub"
|
rsapub="/etc/tpm2/rsapub"
|
||||||
rsasig="/etc/tpm2/rsasig"
|
rsasig="/etc/tpm2/rsasig"
|
||||||
rsactx="/etc/tpm2/rsactx"
|
rsactx="/etc/tpm2/rsactx"
|
||||||
|
|
||||||
|
if [ ! -f $policy ] || [ ! -f $rsaname ] || [ ! -f $rsapub ] || [ ! -f $rsasig ] || [ ! -f $rsactx ]; then
|
||||||
|
err "TPM load data missing"
|
||||||
|
tpm_cleanup
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
pcr=$(cat /etc/tpm2/pcr)
|
pcr=$(cat /etc/tpm2/pcr)
|
||||||
keyloc=$(cat /etc/tpm2/keyloc)
|
keyloc=$(cat /etc/tpm2/keyloc)
|
||||||
|
|
||||||
session="/session.ctx"
|
session="/session.ctx"
|
||||||
verification="/verification.tkt"
|
verification="/verification.tkt"
|
||||||
|
|
||||||
tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null
|
quiet tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
|
||||||
tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null
|
quiet tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa
|
||||||
|
|
||||||
tpm2_startauthsession --policy-session -S $session 1> /dev/null
|
if [ $? -eq 1 ]; then
|
||||||
tpm2_policypcr -l $pcr -S $session 1> /dev/null
|
echo
|
||||||
tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification 1> /dev/null
|
echo "!!! TPM WARNING: COULD NOT VERIFY SIGNATURE !!!"
|
||||||
|
echo "The boot configuration has been altered since the TPM key was generated. "
|
||||||
|
echo "This should NOT happen under normal use. Be paranoid."
|
||||||
|
echo
|
||||||
|
tpm_error_cleanup
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
quiet tpm2_startauthsession --policy-session -S $session
|
||||||
|
quiet tpm2_policypcr -l $pcr -S $session
|
||||||
|
quiet tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification
|
||||||
|
|
||||||
local unsealout unseal
|
local unsealout unseal
|
||||||
|
|
||||||
unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1)
|
unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1)
|
||||||
unseal=$?
|
unseal=$?
|
||||||
|
|
||||||
tpm2_flushcontext $session 1> /dev/null
|
quiet tpm2_flushcontext $session
|
||||||
|
|
||||||
rm -f $session
|
if [ $unseal -gt 0 ]; then
|
||||||
rm -f $verification
|
if echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
|
||||||
|
err "TPM communication error"
|
||||||
tpmok=0
|
elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
|
||||||
if [ $unseal -eq 0 ]; then
|
echo
|
||||||
tpmok=1
|
echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
|
||||||
elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
|
echo "This is an indication that the boot configuration has been altered since"
|
||||||
err "TPM communication error"
|
echo "the TPM key was generated. This is normal after kernel updates or firmware"
|
||||||
elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
|
echo "changes, however this could also indicate a malicious change to your system."
|
||||||
echo
|
echo
|
||||||
echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
|
else
|
||||||
echo "This is an indication that the boot configuration has been altered since"
|
err "Could not unseal TPM keyfile"
|
||||||
echo "the TPM key was generated. This is normal after kernel updates or firmware"
|
fi
|
||||||
echo "changes, however this could also indicate a malicious change to your system."
|
tpm_error_cleanup
|
||||||
echo
|
|
||||||
else
|
else
|
||||||
err "Could not unseal TPM keyfile"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ $tpmok -gt 0 ]; then
|
|
||||||
msg ":: LUKS key successfully decrypted by TPM"
|
msg ":: LUKS key successfully decrypted by TPM"
|
||||||
else
|
tpm_cleanup
|
||||||
rm -f "$ckeyfile"
|
|
||||||
msg ":: TPM Could not decrypt LUKS key"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -fr /etc/tpm2
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
run_cleanuphook() {
|
run_cleanuphook() {
|
||||||
|
|
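Review bot: The signature gate `if [ $? -eq 1 ]; then` after `quiet tpm2_verifysignature …` only catches an exit status of exactly 1, so if the tool exits with any other non-zero status (for instance because the preceding, still-unchecked `quiet tpm2_loadexternal` failed and left no `$rsactx`, or a TPM communication error) the hook falls through to `tpm2_startauthsession` as if the policy signature had been verified. Test the command directly with `if ! quiet tpm2_verifysignature …; then`, give `tpm2_loadexternal` its own guard so a load failure is reported as such rather than as a bad signature, and have `quiet` forward `"$@"` quoted. The warning printed on that path ("The boot configuration has been altered since the TPM key was generated") appears to describe a PCR mismatch, which is the separate `0x99d` branch further down; a failed `tpm2_verifysignature` means `/etc/tpm2/policy`, `rsasig` and `rsapub` shipped in this initramfs do not agree with each other regardless of PCR state, so the message should say that. As far as the visible code shows, the TPM still enforces the authorized policy through `-n $rsaname` at unseal time, so this host-side check is a diagnostic rather than the security boundary, which is all the more reason for its result to be reported accurately.
```shell
# … unchanged: file checks, pcr/keyloc, session="/session.ctx", verification="/verification.tkt" …
if ! quiet tpm2_loadexternal -G rsa -C o -u "$rsapub" -c "$rsactx" -n "$rsaname"; then
    err "Could not load TPM policy signing key"
    tpm_error_cleanup
    return
fi

if ! quiet tpm2_verifysignature -c "$rsactx" -g sha256 -m "$policy" -s "$rsasig" -t "$verification" -f rsassa; then
    echo
    echo "!!! TPM WARNING: COULD NOT VERIFY SIGNATURE !!!"
    echo "The signed policy, its signature and the public key in this initramfs do not match."
    echo "This should NOT happen under normal use. Be paranoid."
    echo
    tpm_error_cleanup
    return
fi
# … unchanged: startauthsession / policypcr / policyauthorize / unseal handling …
```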