luks-tpm/tpm2_hook

106 lines
2.6 KiB
Bash
Executable file

#!/usr/bin/ash
# vim: set ft=sh
tpm_cleanup() {
rm -fr /etc/tpm2
rm -f "$session"
rm -f "$verification"
}
tpm_error_cleanup() {
rm -f "$ckeyfile"
tpm_cleanup
}
quiet() {
$@ > /dev/null
}
run_hook() {
local ckeyfile policy session rsaname verification keyloc pcr tpmdev session
if [ ! -d "/etc/tpm2" ]; then
err "TPM data directory not found: /etc/tpm2"
tpm_cleanup
return
fi
ckeyfile="/crypto_keyfile.bin"
if [ -f $ckeyfile ]; then
err "Crypto keyfile already exists in root. Aborting!!!"
tpm_cleanup
return
fi
policy="/etc/tpm2/policy"
rsaname="/etc/tpm2/rsaname"
rsapub="/etc/tpm2/rsapub"
rsasig="/etc/tpm2/rsasig"
rsactx="/etc/tpm2/rsactx"
if [ ! -f $policy ] || [ ! -f $rsaname ] || [ ! -f $rsapub ] || [ ! -f $rsasig ] || [ ! -f $rsactx ]; then
err "TPM load data missing"
tpm_cleanup
return
fi
pcr=$(cat /etc/tpm2/pcr)
keyloc=$(cat /etc/tpm2/keyloc)
session="/session.ctx"
verification="/verification.tkt"
quiet tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
quiet tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa
if [ $? -eq 1 ]; then
echo
echo "!!! TPM WARNING: COULD NOT VERIFY SIGNATURE !!!"
echo "The boot configuration has been altered since the TPM key was generated. "
echo "This should NOT happen under normal use. Be paranoid."
echo
tpm_error_cleanup
return
fi
quiet tpm2_startauthsession --policy-session -S $session
quiet tpm2_policypcr -l $pcr -S $session
quiet tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification
local unsealout unseal
unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1)
unseal=$?
quiet tpm2_flushcontext $session
if [ $unseal -gt 0 ]; then
if echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
err "TPM communication error"
elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
echo
echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
echo "This is an indication that the boot configuration has been altered since"
echo "the TPM key was generated. This is normal after kernel updates or firmware"
echo "changes, however this could also indicate a malicious change to your system."
echo
else
err "Could not unseal TPM keyfile"
fi
tpm_error_cleanup
else
msg ":: LUKS key successfully decrypted by TPM"
tpm_cleanup
fi
}
run_cleanuphook() {
# Securely delete key if still present
if [ -f "$ckeyfile" ]; then
dd if=/dev/urandom of="$ckeyfile" bs=$(stat --printf="%s" "$ckeyfile") count=1 conv=notrunc 2>&1 >/dev/null
rm -f "$ckeyfile"
fi
}