#!/usr/bin/env bash
# Target LUKS partition. Hard-coded: confirm it before running, because
# crypt() wipes a key slot on it before adding the TPM-sealed key.
device="/dev/nvme0n1p2"
# LUKS key slot that crypt() kills and then re-populates with the sealed
# key. It must not be the only slot that holds a recovery passphrase.
slot="0"
# Persistent handle (owner-hierarchy persistent range) under which the
# sealed object is stored; getkey() unseals straight from this handle.
keyloc="0x81000001"
# PCR selection the key is sealed to. PCR 7 carries the UEFI Secure Boot
# policy measurements only; the kernel, initramfs and command line do not
# feed it, so a modified (unsigned) initramfs boots with the same PCR 7
# value and can still unseal. Add the PCRs that cover those components
# (e.g. 4, 8, 9 or 11 depending on the boot chain) if that matters for
# your threat model.
pcr="sha256:7"

# Paths inside the temp store; all filled in by loadvars() once $out exists.
ctx="" rsapub="" rsapriv="" rsaname="" rsactx=""
sealpub="" sealpriv="" sealname="" sealctx=""
key="" policy="" authpolicy="" sig="" verif="" session=""
# Temp directory created by reset(). While it exists it holds the raw LUKS
# key and the RSA signing private key; cleanup() removes it.
out=""

# Print a blue ">> message" banner on stderr so it never mixes with data
# that callers capture from stdout (getkey() emits the raw key there).
# Arguments: the message words, joined by spaces.
_STEP() {
  local banner=">> $*"
  printf '\x1b[34;1m%s\x1b[0m\n' "$banner" >&2
}

# Trace a command line on stderr in green, then execute it.
# Arguments: the command and its arguments; they are passed through
#            unchanged ("$@"), so redirections applied to the _RUN call
#            apply to the command itself.
# Returns:   the exit status of the executed command.
# The full argument list is echoed, so never put a secret on the command
# line of anything run through _RUN; crypt() feeds the LUKS passphrase on
# stdin, which keeps it out of this trace and out of argv.
_RUN() {
  local shown="$*"
  printf '$ \x1b[32;1m%s\x1b[0m\n' "$shown" >&2
  "$@"
}

# Point every file-location global at the current temp store.
# Globals read:    out (set by reset())
# Globals written: ctx, rsapub, rsapriv, rsaname, rsactx, sealpub, sealpriv,
#                  sealname, sealctx, key, policy, authpolicy, sig, verif,
#                  session
# Note: these are temp-store paths only. Nothing in this file points them at
# the copies load() writes under /etc/tpm2, so a boot-time caller of getkey()
# has to set them itself.
loadvars() {
  _STEP "reloading file locations"
  local store="$out"

  # primary key context
  ctx="${store}/prim.ctx"

  # host-generated RSA signing pair and its TPM-side name/context
  rsapub="${store}/rsa.pub"
  rsapriv="${store}/rsa.priv"
  rsaname="${store}/rsa.name"
  rsactx="${store}/rsa.ctx"

  # sealed object holding the LUKS key
  sealpub="${store}/seal.pub"
  sealpriv="${store}/seal.priv"
  sealname="${store}/seal.name"
  sealctx="${store}/seal.ctx"

  # raw 32-byte LUKS key (secret)
  key="${store}/tpm.key"

  # PCR policy digest and the PolicyAuthorize digest derived from it
  policy="${store}/pcr.pol"
  authpolicy="${store}/auth.pol"

  # signature over the PCR policy and the TPM verification ticket for it
  sig="${store}/pcr.pol.sig"
  verif="${store}/verification.tkt"

  # saved auth-session context
  session="${store}/session.ctx"
}

# Wipe the TPM and create the temp store.
# Globals written: out
# tpm2_clear runs TPM2_Clear: it destroys the owner hierarchy, i.e. every
# persistent object any software has stored there (not only the one at
# $keyloc), and resets the owner/lockout auth values to empty. It needs
# lockout authorization; none is passed, so an empty lockout auth is assumed.
# The temp directory is created 0700 by mktemp; files written into it later
# follow the caller's umask, but the directory keeps them root-only.
reset() {
  _STEP "resetting tpm keys"
  tpm2_clear

  _STEP "creating temp store"
  out="$(mktemp -d)"
}

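# Compute the PCR policy digest for the *current* values of $pcr into $policy.
# Globals read: session, pcr, policy
# tpm2_startauthsession without --policy-session opens a trial session: it
# only accumulates the digest, it authorizes nothing. Because the live PCR
# values are read, run this on the already-booted system state you want the
# key bound to. The session is flushed afterwards to free the TPM slot.
# All expansions are quoted so paths with spaces are passed as one argument.
new_context() {
  _STEP "generating new context"
  _RUN tpm2_startauthsession -S "$session"
  _RUN tpm2_policypcr -Q -S "$session" -l "$pcr" -L "$policy"
  _RUN tpm2_flushcontext "$session"
}
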
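# Generate all key material and seal the LUKS key into the TPM.
# Globals read: ctx, key, rsapriv, rsapub, rsactx, rsaname, session,
#               authpolicy, policy, sealpub, sealpriv, sealname, sealctx,
#               keyloc, sig
#
# Flow: primary key in the owner hierarchy -> 32 random bytes as the LUKS
# key -> host-side RSA-2048 signing pair -> PCR policy (new_context) ->
# PolicyAuthorize digest bound to the RSA key's TPM name -> sealed object
# under that digest, persisted at $keyloc -> PCR policy signed with the RSA
# private key (RSASSA PKCS#1 v1.5 / SHA-256, matching `-f rsassa` in verify()).
#
# Security notes:
# - The RSA private key never enters the TPM; it exists only in $out and
#   cleanup() deletes it. That removes the usual benefit of PolicyAuthorize
#   (re-signing a new PCR policy without re-sealing): after a PCR 7 change the
#   whole enrolment has to be re-run. Archive $rsapriv offline if re-signing
#   is wanted.
# - tpm2_create gets a policy (-L) but no explicit attributes (-a). Whether the
#   object can be unsealed ONLY through the policy depends on tpm2-tools
#   clearing userwithauth from its default attributes when -L is given. Check
#   with `tpm2_readpublic -c $keyloc` that userwithauth is clear, or pass
#   `-a 'fixedtpm|fixedparent'` explicitly; with userwithauth set and the
#   empty authValue, an empty password would authorize TPM2_Unseal regardless
#   of PCR state.
# - Every hierarchy operation uses -C o with no auth value, i.e. assumes the
#   empty owner auth that tpm2_clear in reset() leaves behind.
keygen() {
  _RUN tpm2_createprimary -Q -C o -c "$ctx"

  _STEP "creating encryption key"
  # stdout of the _RUN call is the key file; _RUN's trace goes to stderr.
  _RUN dd if=/dev/urandom bs=1 count=32 status=none > "$key"

  _STEP "creating signing keypair"
  _RUN openssl genrsa -out "$rsapriv" 2048
  _RUN openssl rsa -in "$rsapriv" -out "$rsapub" -pubout

  new_context

  _STEP "loading signing keypair"
  # Only the public half is loaded; -n records its TPM name for the policy.
  _RUN tpm2_loadexternal -G rsa -C o -u "$rsapub" -c "$rsactx" -n "$rsaname"

  _STEP "creating signer policy"
  _RUN tpm2_startauthsession -S "$session"
  _RUN tpm2_policyauthorize -S "$session" -L "$authpolicy" -n "$rsaname" -i "$policy"
  _RUN tpm2_flushcontext "$session"

  _STEP "creating sealing object"
  _RUN tpm2_create -g sha256 -u "$sealpub" -r "$sealpriv" -i "$key" -C "$ctx" -L "$authpolicy"

  _STEP "loading sealing object"
  # Evict whatever already sits at $keyloc. Right after tpm2_clear the handle
  # is empty and this fails; there is no `set -e`, so the script continues.
  _RUN tpm2_evictcontrol -C o -c "$keyloc"
  _RUN tpm2_load -Q -C "$ctx" -u "$sealpub" -r "$sealpriv" -n "$sealname" -c "$sealctx"
  _RUN tpm2_evictcontrol -c "$sealctx" "$keyloc" -C o

  _STEP "signing pcr policy"
  _RUN openssl dgst -sha256 -sign "$rsapriv" -out "$sig" "$policy"
}
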
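# Have the TPM verify the signature over the PCR policy and issue a ticket.
# Globals read: rsapub, rsactx, rsaname, policy, sig, verif
# The public key is loaded again (redundant right after keygen(), needed when
# this runs alone). tpm2_verifysignature checks the RSASSA/SHA-256 signature
# in $sig over $policy and writes a verification ticket to $verif; getkey()
# later hands that ticket, not the signature, to tpm2_policyauthorize. Tickets
# are keyed with a TPM-internal proof value, so they are only valid on the TPM
# that issued them and must be regenerated after tpm2_clear.
# All expansions are quoted so paths with spaces are passed as one argument.
verify() {
  _STEP "verifying signer key"
  _RUN tpm2_loadexternal -G rsa -C o -u "$rsapub" -c "$rsactx" -n "$rsaname"
  _RUN tpm2_verifysignature -c "$rsactx" -g sha256 -m "$policy" -s "$sig" -t "$verif" -f rsassa
}
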
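# Unseal the LUKS key and write the raw 32 bytes to stdout.
# Globals read: session, pcr, policy, rsaname, verif, keyloc
# A real policy session is built: tpm2_policypcr compares the live PCRs with
# the policy, tpm2_policyauthorize accepts that policy via the stored
# verification ticket and the RSA key's name, and tpm2_unseal releases the
# secret persisted at $keyloc. The _RUN traces go to stderr, so stdout holds
# only the key (binary; capture it, e.g. pipe into `cryptsetup --key-file -`).
#
# Security notes:
# - The object has no authValue and the policy is PCR-only: no PIN or second
#   factor. Any process that can open the TPM device while PCR 7 still holds
#   its boot-time value (in practice, root on the running system) can run this
#   and obtain the LUKS key. If that matters, extend a PCR that is part of the
#   policy right after unsealing in the initramfs so later attempts fail until
#   the next boot.
# - The paths come from loadvars() (temp store). load() writes policy, rsaname,
#   verification, pcr and keyloc to /etc/tpm2, but nothing here reads them
#   back; a boot-time caller must set these variables itself.
# All expansions are quoted so paths with spaces are passed as one argument.
getkey() {
  _RUN tpm2_startauthsession --policy-session -S "$session"
  _RUN tpm2_policypcr -l "$pcr" -S "$session"
  _RUN tpm2_policyauthorize -S "$session" -i "$policy" -n "$rsaname" -t "$verif"
  _RUN tpm2_unseal -p "session:$session" -c "$keyloc"
  _RUN tpm2_flushcontext "$session"
}
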
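# Publish the non-secret unseal inputs under /etc/tpm2 (recreated from scratch).
# Globals read: policy, rsaname, verif, pcr, keyloc
# Everything written here is public: the PCR policy digest, the RSA key's TPM
# name, the verification ticket, the PCR selection and the persistent handle.
# Tampering with these files breaks availability, not confidentiality: a
# changed policy, name or ticket makes TPM2_PolicyAuthorize or the final
# policy-digest comparison fail, so the unseal is denied rather than bypassed.
# The pcr and keyloc files are written without a trailing newline.
# All expansions are quoted so paths with spaces are passed as one argument.
load() {
  _STEP "storing public data in etc"
  _RUN rm -fr /etc/tpm2
  _RUN mkdir -p /etc/tpm2

  _RUN cp "$policy" /etc/tpm2/policy
  _RUN cp "$rsaname" /etc/tpm2/rsaname
  _RUN cp "$verif" /etc/tpm2/verification

  # The redirections apply to the _RUN call; its trace still goes to stderr.
  _RUN printf "%s" "$pcr" > /etc/tpm2/pcr
  _RUN printf "%s" "$keyloc" > /etc/tpm2/keyloc
}
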
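# Replace LUKS key slot $slot on $device with the freshly generated key.
# Globals read: device, slot, key
# Prompts for an existing LUKS passphrase, kills slot $slot, then adds $key as
# a new key (cryptsetup reads the existing passphrase from stdin when stdin is
# not a terminal). The passphrase goes through _RUN on stdin only, so it never
# appears in the trace or in any argv.
#
# Caveats:
# - Kill-then-add: if luksAddKey fails (e.g. the key file is missing), the slot
#   is already gone. luksKillSlot also requires the passphrase to open a slot
#   other than the one being killed, so $slot must not be the only passphrase
#   slot.
# - The passphrase is fed via a pipe from the printf builtin instead of a
#   here-document: bash releases before 5.1 back here-documents with a
#   temporary file, which would briefly put the passphrase on disk.
# - read -r keeps backslashes in the passphrase literal; the variable is local
#   so it does not outlive the function in the global shell environment.
crypt() {
  _STEP "copying key to crypt luks"
  local password=""
  read -rsp "Enter luks password: " password
  echo

  printf '%s\n' "$password" | _RUN cryptsetup luksKillSlot "$device" "$slot"
  printf '%s\n' "$password" | _RUN cryptsetup luksAddKey "$device" "$key"
}
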
# Delete the temp store.
# Globals read: out
# The directory holds the raw LUKS key ($key) and the RSA signing private key
# ($rsapriv). This is a plain unlink, not a wipe; on a non-tmpfs /tmp the
# bytes may remain recoverable from the underlying storage. With an empty
# $out the command is a no-op.
cleanup() {
  _STEP "cleaning up"
  _RUN rm -rf -- "$out"
}

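# Full enrolment: wipe TPM, generate and seal the key, publish public data,
# swap the LUKS slot, remove the temp store.
# Without `set -e` a failing step does not abort the run, but an interrupt
# (e.g. Ctrl-C at crypt()'s passphrase prompt) would exit with the raw LUKS
# key and RSA private key still in $out. The EXIT trap covers that path; on
# the normal path the trap is cleared and cleanup() runs explicitly so it
# does not stay armed in a shell that sourced this file.
all() {
  trap cleanup EXIT
  reset
  loadvars
  keygen
  verify
  load
  crypt
  trap - EXIT
  cleanup
}
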
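# Dispatch: run the function named by the first argument with the remaining
# arguments (e.g. `./script all`, `./script getkey`). Quoted so arguments
# containing spaces are not re-split; with no arguments nothing runs.
"$@"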