Verify the policy signature at runtime (in the initramfs hook), not at generation time
This commit is contained in:
parent
94da5270c7
commit
c602e69b18
3 changed files with 16 additions and 12 deletions
11
gentpm.sh
11
gentpm.sh
|
@ -105,12 +105,6 @@ keygen() {
|
|||
_RUN openssl dgst -sha256 -sign $rsapriv -out $sig $policy
|
||||
}
|
||||
|
||||
verify() {
|
||||
_STEP "verifying signer key"
|
||||
_RUN tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
|
||||
_RUN tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $sig -t $verif -f rsassa
|
||||
}
|
||||
|
||||
getkey() {
|
||||
_RUN tpm2_startauthsession --policy-session -S $session
|
||||
_RUN tpm2_policypcr -l $pcr -S $session
|
||||
|
@ -126,7 +120,9 @@ load() {
|
|||
|
||||
_RUN cp $policy /etc/tpm2/policy
|
||||
_RUN cp $rsaname /etc/tpm2/rsaname
|
||||
_RUN cp $verif /etc/tpm2/verification
|
||||
_RUN cp $rsapub /etc/tpm2/rsapub
|
||||
_RUN cp $rsactx /etc/tpm2/rsactx
|
||||
_RUN cp $sig /etc/tpm2/rsasig
|
||||
|
||||
_RUN printf "%s" "$pcr" > /etc/tpm2/pcr
|
||||
_RUN printf "%s" "$keyloc" > /etc/tpm2/keyloc
|
||||
|
@ -156,7 +152,6 @@ all() {
|
|||
reset
|
||||
loadvars
|
||||
keygen
|
||||
verify
|
||||
load
|
||||
crypt
|
||||
cleanup
|
||||
|
|
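Review bot: `_RUN cp $verif /etc/tpm2/verification` and `_RUN cp $rsactx /etc/tpm2/rsactx` in load() now copy files that nothing left in this script visibly creates: the gentime verify() that wrote `$rsactx` (via `tpm2_loadexternal -c`) and `$verif` (via `tpm2_verifysignature -t`) is deleted and dropped from all(), and the boot hook regenerates both itself. Unless some step outside these hunks still produces them, the two cp calls fail on a clean run, and if they happen to succeed they ship a verification ticket and a saved object context from the build machine's TPM that the hook overwrites before use. I would drop those two lines (and the matching add_file entries in the install hook) so only the real inputs — policy, rsaname, rsapub, rsasig, pcr, keyloc — reach /etc/tpm2. load() begins before the hunk.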
11
tpm2_hook
11
tpm2_hook
|
@ -9,14 +9,18 @@ run_hook() {
|
|||
|
||||
policy="/etc/tpm2/policy"
|
||||
rsaname="/etc/tpm2/rsaname"
|
||||
verification="/etc/tpm2/verification"
|
||||
rsapub="/etc/tpm2/rsapub"
|
||||
rsasig="/etc/tpm2/rsasig"
|
||||
rsactx="/etc/tpm2/rsactx"
|
||||
|
||||
pcr=$(cat /etc/tpm2/pcr)
|
||||
keyloc=$(cat /etc/tpm2/keyloc)
|
||||
|
||||
tpmdev="/dev/tpmrm0"
|
||||
|
||||
session="/session.ctx"
|
||||
verification="/verification.tkt"
|
||||
|
||||
tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null
|
||||
tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null
|
||||
|
||||
tpm2_startauthsession --policy-session -S $session 1> /dev/null
|
||||
tpm2_policypcr -l $pcr -S $session 1> /dev/null
|
||||
|
@ -30,6 +34,7 @@ run_hook() {
|
|||
tpm2_flushcontext $session 1> /dev/null
|
||||
|
||||
rm -f $session
|
||||
rm -f $verification
|
||||
|
||||
tpmok=0
|
||||
if [ $unseal -eq 0 ]; then
|
||||
|
|
|
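Review bot: The new `tpm2_loadexternal` and `tpm2_verifysignature` calls only silence stdout and never check their exit status, so a bad or missing signature is not reported where it happens — the hook carries on into tpm2_startauthsession and the failure only surfaces later as a policy error, presumably at the `$unseal` check. Since the whole point of this commit is that the signature check now happens at boot, I would make it fail loudly and skip the rest of the TPM path: `tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null || { echo "tpm2: policy signature verification failed" >&2; return 1; }`, adapted to whatever the existing failure path below expects. Also `verification` is assigned twice as shown (`/etc/tpm2/verification`, then `/verification.tkt`); if the first assignment is not the line this commit removes, it is dead and the shipped `/etc/tpm2/verification` is never read. run_hook() begins before the hunk and continues after it.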
@ -10,12 +10,16 @@ build() {
|
|||
add_binary "/usr/bin/tpm2_flushcontext"
|
||||
add_binary "/usr/bin/tpm2_startauthsession"
|
||||
add_binary "/usr/bin/tpm2_load"
|
||||
add_binary "/usr/bin/tpm2_loadexternal"
|
||||
add_binary "/usr/bin/tpm2_verifysignature"
|
||||
|
||||
add_binary "/usr/lib/libtss2-tcti-device.so.0"
|
||||
|
||||
add_file "/etc/tpm2/policy"
|
||||
add_file "/etc/tpm2/rsaname"
|
||||
add_file "/etc/tpm2/verification"
|
||||
add_file "/etc/tpm2/rsactx"
|
||||
add_file "/etc/tpm2/rsapub"
|
||||
add_file "/etc/tpm2/rsasig"
|
||||
add_file "/etc/tpm2/pcr"
|
||||
add_file "/etc/tpm2/keyloc"
|
||||
|
||||
|
|
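Review bot: `add_file "/etc/tpm2/verification"` and `add_file "/etc/tpm2/rsactx"` ship build-time artifacts that the runtime hook now recreates on its own (`tpm2_loadexternal -c` and `tpm2_verifysignature -t` write fresh ones at boot), so the copies in the image are at best overwritten and, now that gentpm.sh no longer runs a gentime verify, possibly absent, which makes `add_file` fail the image build. I would remove those two lines and keep policy, rsaname, rsapub, rsasig, pcr and keyloc, which are the inputs the hook actually reads. It is also worth a one-line comment next to `add_file "/etc/tpm2/rsapub"` that the public key is now a boot-time verification input and that its integrity is only as good as the initramfs itself — presumably the binding that matters is the key name (`rsaname`) referenced by the sealed object's policy, which this hunk does not show. build() begins before the hunk.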