luks-tpm/gentpm.sh

#!/usr/bin/env bash

device="/dev/nvme0n1p2"
slot="0"
keyloc="0x81000001"
pcr="sha256:0,1,2,7"

ctx=""
rsapub=""
rsapriv=""
rsaname=""
rsactx=""
sealpub=""
sealpriv=""
sealname=""
sealctx=""
key=""
policy=""
authpolicy=""
sig=""
verif=""
session=""
out=""

_STEP() {
    printf '\x1b[34;1m>> %s\x1b[0m\n' "$*" 1>&2
}

_RUN() {
    printf '$ \x1b[32;1m%s\x1b[0m\n' "$*" 1>&2
    "$@"
}

loadvars() {
    _STEP "reloading file locations"
    
    ctx="$out/prim.ctx"
    
    rsapub="$out/rsa.pub"
    rsapriv="$out/rsa.priv"
    rsaname="$out/rsa.name"
    rsactx="$out/rsa.ctx"
    
    sealpub="$out/seal.pub"
    sealpriv="$out/seal.priv"
    sealname="$out/seal.name"
    sealctx="$out/seal.ctx"

    key="$out/tpm.key"

    policy="$out/pcr.pol"
    authpolicy="$out/auth.pol"
    
    sig="$out/pcr.pol.sig"
    verif="$out/verification.tkt"

    session="$out/session.ctx"
}

reset() {
    _STEP "resetting tpm keys"
    tpm2_clear

    _STEP "creating temp store"
    out=$(mktemp --directory)
}

new_context() {
    _STEP "generating new context"
    _RUN tpm2_startauthsession -S $session
    _RUN tpm2_policypcr -Q -S $session -l $pcr -L $policy
    _RUN tpm2_flushcontext $session
}

keygen() {
    
    _RUN tpm2_createprimary -Q -C o -c $ctx
    
    _STEP "creating encryption key"
    _RUN dd if=/dev/urandom bs=1 count=32 status=none 1> $key 
    
    _STEP "creating signing keypair"
    _RUN openssl genrsa -out $rsapriv 2048
    _RUN openssl rsa -in $rsapriv -out $rsapub -pubout
    
    new_context

    _STEP "loading signing keypair"
    _RUN tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname

    _STEP "creating signer policy"
    _RUN tpm2_startauthsession -S $session
    _RUN tpm2_policyauthorize -S $session -L $authpolicy -n $rsaname -i $policy
    _RUN tpm2_flushcontext $session

    _STEP "creating sealing object"
    _RUN tpm2_create -g sha256 -u $sealpub -r $sealpriv -i $key -C $ctx -L $authpolicy

    _STEP "loading sealing object"
    _RUN tpm2_evictcontrol -C o -c $keyloc
    _RUN tpm2_load -Q -C $ctx -u $sealpub -r $sealpriv -n $sealname -c $sealctx
    _RUN tpm2_evictcontrol -c $sealctx $keyloc -C o

    _STEP "signing pcr policy"
    _RUN openssl dgst -sha256 -sign $rsapriv -out $sig $policy
}

getkey() {
    _RUN tpm2_startauthsession --policy-session -S $session
    _RUN tpm2_policypcr -l $pcr -S $session
    _RUN tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verif
    _RUN tpm2_unseal -p session:$session -c $keyloc
    _RUN tpm2_flushcontext $session
}

load() {
    _STEP "storing public data in etc"
    _RUN rm -fr /etc/tpm2
    _RUN mkdir -p /etc/tpm2

    _RUN cp $policy /etc/tpm2/policy
    _RUN cp $rsaname /etc/tpm2/rsaname
    _RUN cp $rsapub /etc/tpm2/rsapub
    _RUN cp $rsactx /etc/tpm2/rsactx
    _RUN cp $sig /etc/tpm2/rsasig
    
    _RUN printf "%s" "$pcr" > /etc/tpm2/pcr
    _RUN printf "%s" "$keyloc" > /etc/tpm2/keyloc
}

crypt() {
    _STEP "copying key to crypt luks"
    password=""
    read -sp "Enter luks password: " password
    echo

    _RUN cryptsetup luksKillSlot $device $slot <<EOF
$password
EOF

    _RUN cryptsetup luksAddKey $device $key <<EOF
$password
EOF
}

cleanup() {
    _STEP "cleaning up"
    _RUN rm -fr "$out"
}

all() {
    reset
    loadvars
    keygen
    load
    crypt
    cleanup
}

$@