authorFreya Murphy <freya@freyacat.org>2023-12-09 13:52:20 -0500
committerFreya Murphy <freya@freyacat.org>2023-12-09 13:52:20 -0500
commit94da5270c7d916541c33ac3ea6c6d00e74b65245 (patch)
tree8ad014bdaf66aa61faca0a8574ff11bdc2208414 /tpm2_hook
downloadluks-tpm-94da5270c7d916541c33ac3ea6c6d00e74b65245.tar.gz
luks-tpm-94da5270c7d916541c33ac3ea6c6d00e74b65245.tar.bz2
luks-tpm-94da5270c7d916541c33ac3ea6c6d00e74b65245.zip
initial
Diffstat (limited to 'tpm2_hook')
-rwxr-xr-xtpm2_hook67
1 files changed, 67 insertions, 0 deletions
diff --git a/tpm2_hook b/tpm2_hook
new file mode 100755
index 0000000..3f6b832
--- /dev/null
+++ b/tpm2_hook
@@ -0,0 +1,67 @@
+#!/usr/bin/ash
+# vim: set ft=sh
+
+run_hook() {
+
+ local ckeyfile policy session rsaname verification keyloc pcr tpmdev session
+
+ ckeyfile="/crypto_keyfile.bin"
+
+ policy="/etc/tpm2/policy"
+ rsaname="/etc/tpm2/rsaname"
+ verification="/etc/tpm2/verification"
+
+ pcr=$(cat /etc/tpm2/pcr)
+ keyloc=$(cat /etc/tpm2/keyloc)
+
+ tpmdev="/dev/tpmrm0"
+
+ session="/session.ctx"
+
+ tpm2_startauthsession --policy-session -S $session 1> /dev/null
+ tpm2_policypcr -l $pcr -S $session 1> /dev/null
+ tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verification 1> /dev/null
+
+ local unsealout unseal
+
+ unsealout=$(tpm2_unseal -p session:$session -c $keyloc -o "$ckeyfile" 2>&1)
+ unseal=$?
+
+ tpm2_flushcontext $session 1> /dev/null
+
+ rm -f $session
+
+ tpmok=0
+ if [ $unseal -eq 0 ]; then
+ tpmok=1
+ elif echo "$unsealout" | grep -sqiE 'Could not load tcti'; then
+ err "TPM communication error"
+ elif echo "$unsealout" | grep -sqiE 'Error.*0x99d'; then
+ echo
+ echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
+ echo "This is an indication that the boot configuration has been altered since"
+ echo "the TPM key was generated. This is normal after kernel updates or firmware"
+ echo "changes, however this could also indicate a malicious change to your system."
+ echo
+ else
+ err "Could not unseal TPM keyfile"
+ fi
+
+ if [ $tpmok -gt 0 ]; then
+ msg ":: LUKS key successfully decrypted by TPM"
+ else
+ rm -f "$ckeyfile"
+ msg ":: TPM Could not decrypt LUKS key"
+ fi
+
+ rm -fr /etc/tpm2
+
+}
+
+run_cleanuphook() {
+ # Securely delete key if still present
+ if [ -f "$ckeyfile" ]; then
+ dd if=/dev/urandom of="$ckeyfile" bs=$(stat --printf="%s" "$ckeyfile") count=1 conv=notrunc 2>&1 >/dev/null
+ rm -f "$ckeyfile"
+ fi
+}
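Review bot: `ckeyfile` is declared `local` inside run_hook, so in run_cleanuphook `[ -f "$ckeyfile" ]` expands to `[ -f "" ]`, is always false, and the "securely delete key if still present" branch never executes; the keyfile written by tpm2_unseal to /crypto_keyfile.bin is therefore never overwritten or removed by this cleanup hook. Either define the path once at file scope above both functions or re-declare it in the cleanup hook, e.g. `local ckeyfile="/crypto_keyfile.bin"` as the first line of run_cleanuphook. The redirection order on the dd line is also reversed for its apparent intent: `2>&1 >/dev/null` sends dd's stderr to the console and only stdout to /dev/null; `>/dev/null 2>&1` silences both. Minor: `session` appears twice in the `local` list in run_hook, and `tpmok` is not declared `local` even though the other variables are.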