From c602e69b18f746b714864d906831f5391bf62e42 Mon Sep 17 00:00:00 2001
From: Freya Murphy
Date: Sat, 9 Dec 2023 14:24:58 -0500
Subject: [PATCH] verify signature at runtime not gentime

---
 gentpm.sh | 11 +++-------
 tpm2_hook | 11 ++++++++---
 tpm2_install | 6 +++++-
 3 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/gentpm.sh b/gentpm.sh
index 5e2bf1b..f3af48d 100755
--- a/gentpm.sh
+++ b/gentpm.sh
@@ -105,12 +105,6 @@ keygen() {
 _RUN openssl dgst -sha256 -sign $rsapriv -out $sig $policy
 }
-verify() {
- _STEP "verifying signer key"
- _RUN tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
- _RUN tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $sig -t $verif -f rsassa
-}
-
 getkey() {
 _RUN tpm2_startauthsession --policy-session -S $session
 _RUN tpm2_policypcr -l $pcr -S $session
@@ -126,7 +120,9 @@ load() {
 _RUN cp $policy /etc/tpm2/policy
 _RUN cp $rsaname /etc/tpm2/rsaname
- _RUN cp $verif /etc/tpm2/verification
+ _RUN cp $rsapub /etc/tpm2/rsapub
+ _RUN cp $rsactx /etc/tpm2/rsactx
+ _RUN cp $sig /etc/tpm2/rsasig
 _RUN printf "%s" "$pcr" > /etc/tpm2/pcr
 _RUN printf "%s" "$keyloc" > /etc/tpm2/keyloc
@@ -156,7 +152,6 @@ all() {
 reset
 loadvars
 keygen
- verify
 load
 crypt
 cleanup
diff --git a/tpm2_hook b/tpm2_hook
index 3f6b832..2acab94 100755
--- a/tpm2_hook
+++ b/tpm2_hook
@@ -9,14 +9,18 @@ run_hook() {
 policy="/etc/tpm2/policy"
 rsaname="/etc/tpm2/rsaname"
- verification="/etc/tpm2/verification"
+ rsapub="/etc/tpm2/rsapub"
+ rsasig="/etc/tpm2/rsasig"
+ rsactx="/etc/tpm2/rsactx"
 pcr=$(cat /etc/tpm2/pcr)
 keyloc=$(cat /etc/tpm2/keyloc)
- tpmdev="/dev/tpmrm0"
-
 session="/session.ctx"
+ verification="/verification.tkt"
+
+ tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null
+ tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null
 tpm2_startauthsession --policy-session -S $session 1> /dev/null
 tpm2_policypcr -l $pcr -S $session 1> /dev/null
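Review bot: `_RUN cp $rsactx /etc/tpm2/rsactx` in load() ships a TPM object context captured at generation time that is never read at boot: the hook's new `tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname` (tpm2_hook hunk at line 9) uses `-c` and `-n` as output paths and rewrites both `/etc/tpm2/rsactx` and `/etc/tpm2/rsaname` from `rsapub`, and the tpm2_install hunk then carries the same unused file into the image with `add_file "/etc/tpm2/rsactx"`. A saved object context is also tied to the TPM instance that produced it and, as far as I recall, is not expected to remain loadable across a TPM reset, so the generation-time copy could not serve as a fallback either. Dropping the `cp $rsactx` line here and the matching `add_file` in tpm2_install leaves only what the hook consumes (`policy`, `rsapub`, `rsasig`, `pcr`, `keyloc`). load() starts and ends outside the hunk.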
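Review bot: The two new calls at the top of run_hook discard only stdout and never check their exit status, so a failed `tpm2_verifysignature` (a `policy` or `rsasig` that no longer matches `rsapub`) leaves no ticket at `$verification` while the hook still proceeds into `tpm2_startauthsession` and `tpm2_policypcr` as if verification had passed; presumably the unseal later fails and the `if [ $unseal -eq 0 ]` branch in the second hunk handles it, but the error then surfaces several TPM commands away from its cause and with a stale context file left behind. Record the outcome where it happens, e.g. `tpm2_verifysignature ... 1> /dev/null || verified=1`, and take the same fallback path the script already takes for a failed unseal instead of continuing. It would also help to say in a comment above the two calls what the ticket is for and that `rsapub`, `policy` and `rsasig` all come from the same initramfs, so this step only proves the shipped policy was signed by the shipped key — whatever binds that key to the sealed secret lives outside this diff. run_hook starts and ends outside the hunk.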
@@ -30,6 +34,7 @@ run_hook() {
 tpm2_flushcontext $session 1> /dev/null
 rm -f $session
+ rm -f $verification
 tpmok=0
 if [ $unseal -eq 0 ]; then
diff --git a/tpm2_install b/tpm2_install
index 5657823..6f79207 100755
--- a/tpm2_install
+++ b/tpm2_install
@@ -10,12 +10,16 @@ build() {
 add_binary "/usr/bin/tpm2_flushcontext"
 add_binary "/usr/bin/tpm2_startauthsession"
 add_binary "/usr/bin/tpm2_load"
+ add_binary "/usr/bin/tpm2_loadexternal"
+ add_binary "/usr/bin/tpm2_verifysignature"
 add_binary "/usr/lib/libtss2-tcti-device.so.0"
 add_file "/etc/tpm2/policy"
 add_file "/etc/tpm2/rsaname"
- add_file "/etc/tpm2/verification"
+ add_file "/etc/tpm2/rsactx"
+ add_file "/etc/tpm2/rsapub"
+ add_file "/etc/tpm2/rsasig"
 add_file "/etc/tpm2/pcr"
 add_file "/etc/tpm2/keyloc"