verify signature at runtime not gentime

Freya Murphy 2023-12-09 14:24:58 -05:00
parent 94da5270c7
commit c602e69b18
3 changed files with 16 additions and 12 deletions


@ -105,12 +105,6 @@ keygen() {
_RUN openssl dgst -sha256 -sign $rsapriv -out $sig $policy _RUN openssl dgst -sha256 -sign $rsapriv -out $sig $policy
} }
verify() {
_STEP "verifying signer key"
_RUN tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
_RUN tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $sig -t $verif -f rsassa
}
getkey() { getkey() {
_RUN tpm2_startauthsession --policy-session -S $session _RUN tpm2_startauthsession --policy-session -S $session
_RUN tpm2_policypcr -l $pcr -S $session _RUN tpm2_policypcr -l $pcr -S $session
@ -126,7 +120,9 @@ load() {
_RUN cp $policy /etc/tpm2/policy _RUN cp $policy /etc/tpm2/policy
_RUN cp $rsaname /etc/tpm2/rsaname _RUN cp $rsaname /etc/tpm2/rsaname
_RUN cp $verif /etc/tpm2/verification _RUN cp $rsapub /etc/tpm2/rsapub
_RUN cp $rsactx /etc/tpm2/rsactx
_RUN cp $sig /etc/tpm2/rsasig
_RUN printf "%s" "$pcr" > /etc/tpm2/pcr _RUN printf "%s" "$pcr" > /etc/tpm2/pcr
_RUN printf "%s" "$keyloc" > /etc/tpm2/keyloc _RUN printf "%s" "$keyloc" > /etc/tpm2/keyloc
@ -156,7 +152,6 @@ all() {
reset reset
loadvars loadvars
keygen keygen
verify
load load
crypt crypt
cleanup cleanup
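Review bot: `_RUN cp $rsactx /etc/tpm2/rsactx` in load() ships a TPM object context that the runtime side never reads as input — the hook's `tpm2_loadexternal ... -c $rsactx` uses that path as an output and overwrites it on every boot — so the copy, and the matching `add_file "/etc/tpm2/rsactx"` in the install hook, can be dropped and only the public key and signature need to be installed. With verify() gone, nothing in all() confirms that the signature just produced by `openssl dgst -sign` actually validates against `$rsapub` before it is copied into place, so a mis-generated pair is first noticed at boot rather than at install; a gentime smoke check such as `_RUN openssl dgst -sha256 -verify $rsapub -signature $sig $policy` (assuming `$rsapub` is the PEM key that `tpm2_loadexternal -u` later consumes) would keep that early failure without reintroducing the TPM-side ticket. The bodies of load() and all() continue outside the hunk.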


@ -9,14 +9,18 @@ run_hook() {
policy="/etc/tpm2/policy" policy="/etc/tpm2/policy"
rsaname="/etc/tpm2/rsaname" rsaname="/etc/tpm2/rsaname"
verification="/etc/tpm2/verification" rsapub="/etc/tpm2/rsapub"
rsasig="/etc/tpm2/rsasig"
rsactx="/etc/tpm2/rsactx"
pcr=$(cat /etc/tpm2/pcr) pcr=$(cat /etc/tpm2/pcr)
keyloc=$(cat /etc/tpm2/keyloc) keyloc=$(cat /etc/tpm2/keyloc)
tpmdev="/dev/tpmrm0"
session="/session.ctx" session="/session.ctx"
verification="/verification.tkt"
tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null
tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null
tpm2_startauthsession --policy-session -S $session 1> /dev/null tpm2_startauthsession --policy-session -S $session 1> /dev/null
tpm2_policypcr -l $pcr -S $session 1> /dev/null tpm2_policypcr -l $pcr -S $session 1> /dev/null
@ -30,6 +34,7 @@ run_hook() {
tpm2_flushcontext $session 1> /dev/null tpm2_flushcontext $session 1> /dev/null
rm -f $session rm -f $session
rm -f $verification
tpmok=0 tpmok=0
if [ $unseal -eq 0 ]; then if [ $unseal -eq 0 ]; then
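Review bot: The exit status of the new `tpm2_loadexternal` and `tpm2_verifysignature` lines is never checked, so a missing or rejected signature on `/etc/tpm2/policy` only surfaces later, when whatever consumes `$verification` fails, and the policy session is still opened in the meantime. Guard the check explicitly, e.g. `tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null || { echo "tpm2: policy signature verification failed"; unseal=1; }` (or whichever failure path `tpmok`/`$unseal` already take), so that a policy that does not match the shipped signature is reported rather than silently falling through. `-c $rsactx` also writes the loaded key context to `/etc/tpm2/rsactx` inside the initramfs instead of a runtime path like `$session` and `$verification`; something like `rsactx="/rsactx.ctx"` plus an `rm -f $rsactx` next to `rm -f $verification` keeps the shipped files read-only and removes the need to `add_file` a context blob. Lines between the two hunks and the remainder of run_hook are outside the view.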


@ -10,12 +10,16 @@ build() {
add_binary "/usr/bin/tpm2_flushcontext" add_binary "/usr/bin/tpm2_flushcontext"
add_binary "/usr/bin/tpm2_startauthsession" add_binary "/usr/bin/tpm2_startauthsession"
add_binary "/usr/bin/tpm2_load" add_binary "/usr/bin/tpm2_load"
add_binary "/usr/bin/tpm2_loadexternal"
add_binary "/usr/bin/tpm2_verifysignature"
add_binary "/usr/lib/libtss2-tcti-device.so.0" add_binary "/usr/lib/libtss2-tcti-device.so.0"
add_file "/etc/tpm2/policy" add_file "/etc/tpm2/policy"
add_file "/etc/tpm2/rsaname" add_file "/etc/tpm2/rsaname"
add_file "/etc/tpm2/verification" add_file "/etc/tpm2/rsactx"
add_file "/etc/tpm2/rsapub"
add_file "/etc/tpm2/rsasig"
add_file "/etc/tpm2/pcr" add_file "/etc/tpm2/pcr"
add_file "/etc/tpm2/keyloc" add_file "/etc/tpm2/keyloc"