better error handeling in hooks

This commit is contained in:
Freya Murphy 2023-12-10 01:30:13 -05:00
parent c602e69b18
commit 01bec20e6e
No known key found for this signature in database
GPG key ID: 988032A5638EE799
2 changed files with 65 additions and 31 deletions


@ -3,7 +3,7 @@
device="/dev/nvme0n1p2"
slot="0"
keyloc="0x81000001"
pcr="sha256:7"
pcr="sha256:0,1,2,7"
ctx=""
rsapub=""
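Review bot: The new `pcr` selection `sha256:0,1,2,7` should carry a comment, because this value is not a free-standing setting: the hook in the other file of this commit builds its session with `tpm2_policypcr -l $pcr` and then authorizes it against the signed policy via `tpm2_policyauthorize -i $policy`, so a policy signed for the previous selection will presumably no longer satisfy the session and the keyfile will fail to unseal until the policy is regenerated, re-signed and the key resealed. Suggested comment above the assignment: `# PCR selection the sealing policy is bound to; changing it requires regenerating and re-signing the policy and resealing the key`. It is also worth stating there that PCRs 0–2 change with firmware updates, so an unseal failure after such an update is the expected outcome rather than evidence of tampering; if that caveat is already documented elsewhere in the repository, a pointer to it is enough.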


@ -1,45 +1,83 @@
#!/usr/bin/ash
# vim: set ft=sh
tpm_cleanup() {
rm -fr /etc/tpm2
rm -f "$session"
rm -f "$verification"
}
tpm_error_cleanup() {
rm -f "$ckeyfile"
tpm_cleanup
}
quiet() {
$@ > /dev/null
}
run_hook() {
local ckeyfile policy session rsaname verification keyloc pcr tpmdev session
if [ ! -d "/etc/tpm2" ]; then
err "TPM data directory not found: /etc/tpm2"
tpm_cleanup
return
fi
ckeyfile="/crypto_keyfile.bin"
if [ -f $ckeyfile ]; then
err "Crypto keyfile already exists in root. Aborting!!!"
tpm_cleanup
return
fi
policy="/etc/tpm2/policy"
rsaname="/etc/tpm2/rsaname"
rsapub="/etc/tpm2/rsapub"
rsasig="/etc/tpm2/rsasig"
rsactx="/etc/tpm2/rsactx"
if [ ! -f $policy ] || [ ! -f $rsaname ] || [ ! -f $rsapub ] || [ ! -f $rsasig ] || [ ! -f $rsactx ]; then
err "TPM load data missing"
tpm_cleanup
return
fi
pcr=$(cat /etc/tpm2/pcr)
keyloc=$(cat /etc/tpm2/keyloc)
session="/session.ctx"
verification="/verification.tkt"
tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null
tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null
quiet tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
quiet tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa
tpm2_startauthsession --policy-session -S $session 1> /dev/null
tpm2_policypcr -l $pcr -S $session 1> /dev/null
tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification 1> /dev/null
if [ $? -eq 1 ]; then
echo
echo "!!! TPM WARNING: COULD NOT VERIFY SIGNATURE !!!"
echo "The boot configuration has been altered since the TPM key was generated. "
echo "This should NOT happen under normal use. Be paranoid."
echo
tpm_error_cleanup
return
fi
quiet tpm2_startauthsession --policy-session -S $session
quiet tpm2_policypcr -l $pcr -S $session
quiet tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification
local unsealout unseal
unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1)
unseal=$?
tpm2_flushcontext $session 1> /dev/null
quiet tpm2_flushcontext $session
rm -f $session
rm -f $verification
tpmok=0
if [ $unseal -eq 0 ]; then
tpmok=1
elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
if [ $unseal -gt 0 ]; then
if echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
err "TPM communication error"
elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
echo
@ -51,16 +89,12 @@ run_hook() {
else
err "Could not unseal TPM keyfile"
fi
if [ $tpmok -gt 0 ]; then
msg ":: LUKS key successfully decrypted by TPM"
tpm_error_cleanup
else
rm -f "$ckeyfile"
msg ":: TPM Could not decrypt LUKS key"
msg ":: LUKS key successfully decrypted by TPM"
tpm_cleanup
fi
rm -fr /etc/tpm2
}
run_cleanuphook() {