luks-tpm/tpm2_hook

#!/usr/bin/ash
# vim: set ft=sh

run_hook() {	

	local ckeyfile policy session rsaname verification keyloc pcr tpmdev session

	ckeyfile="/crypto_keyfile.bin"

	policy="/etc/tpm2/policy"
	rsaname="/etc/tpm2/rsaname"
	rsapub="/etc/tpm2/rsapub"
	rsasig="/etc/tpm2/rsasig"
	rsactx="/etc/tpm2/rsactx"

	pcr=$(cat /etc/tpm2/pcr)
	keyloc=$(cat /etc/tpm2/keyloc)

	session="/session.ctx"
	verification="/verification.tkt"

	tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null
	tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null

	tpm2_startauthsession --policy-session -S $session 1> /dev/null
	tpm2_policypcr -l $pcr -S $session 1> /dev/null
	tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification 1> /dev/null

	local unsealout unseal

	unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1)
	unseal=$?

	tpm2_flushcontext $session 1> /dev/null

	rm -f $session
	rm -f $verification

	tpmok=0
	if [ $unseal -eq 0 ]; then
		tpmok=1
	elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
		err "TPM communication error"
	elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
		echo
		echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
		echo "This is an indication that the boot configuration has been altered since"
		echo "the TPM key was generated. This is normal after kernel updates or firmware"
		echo "changes, however this could also indicate a malicious change to your system."
		echo
	else
		err "Could not unseal TPM keyfile"
	fi

	if [ $tpmok -gt 0 ]; then
		msg ":: LUKS key successfully decrypted by TPM"
	else
		rm -f "$ckeyfile"
		msg ":: TPM Could not decrypt LUKS key"
	fi

	rm -fr /etc/tpm2

}

run_cleanuphook() {
	# Securely delete key if still present
	if [ -f "$ckeyfile" ]; then
		dd if=/dev/urandom of="$ckeyfile" bs=$(stat --printf="%s" "$ckeyfile") count=1 conv=notrunc 2>&1 >/dev/null
		rm -f "$ckeyfile"
	fi
}