Diffstat (limited to 'gentpm.sh')
-rwxr-xr-x | gentpm.sh | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/gentpm.sh b/gentpm.sh
new file mode 100755
index 0000000..5e2bf1b
--- /dev/null
+++ b/gentpm.sh
@@ -0,0 +1,165 @@
+#!/usr/bin/env bash
+
+device="/dev/nvme0n1p2"
+slot="0"
+keyloc="0x81000001"
+pcr="sha256:7"
+
+ctx=""
+rsapub=""
+rsapriv=""
+rsaname=""
+rsactx=""
+sealpub=""
+sealpriv=""
+sealname=""
+sealctx=""
+key=""
+policy=""
+authpolicy=""
+sig=""
+verif=""
+session=""
+out=""
+
+_STEP() {
+ printf '\x1b[34;1m>> %s\x1b[0m\n' "$*" 1>&2
+}
+
+_RUN() {
+ printf '$ \x1b[32;1m%s\x1b[0m\n' "$*" 1>&2
+ "$@"
+}
+
+loadvars() {
+ _STEP "reloading file locations"
+
+ ctx="$out/prim.ctx"
+
+ rsapub="$out/rsa.pub"
+ rsapriv="$out/rsa.priv"
+ rsaname="$out/rsa.name"
+ rsactx="$out/rsa.ctx"
+
+ sealpub="$out/seal.pub"
+ sealpriv="$out/seal.priv"
+ sealname="$out/seal.name"
+ sealctx="$out/seal.ctx"
+
+ key="$out/tpm.key"
+
+ policy="$out/pcr.pol"
+ authpolicy="$out/auth.pol"
+
+ sig="$out/pcr.pol.sig"
+ verif="$out/verification.tkt"
+
+ session="$out/session.ctx"
+}
+
+reset() {
+ _STEP "resetting tpm keys"
+ tpm2_clear
+
+ _STEP "creating temp store"
+ out=$(mktemp --directory)
+}
+
+new_context() {
+ _STEP "generating new context"
+ _RUN tpm2_startauthsession -S $session
+ _RUN tpm2_policypcr -Q -S $session -l $pcr -L $policy
+ _RUN tpm2_flushcontext $session
+}
+
+keygen() {
+
+ _RUN tpm2_createprimary -Q -C o -c $ctx
+
+ _STEP "creating encryption key"
+ _RUN dd if=/dev/urandom bs=1 count=32 status=none 1> $key
+
+ _STEP "creating signing keypair"
+ _RUN openssl genrsa -out $rsapriv 2048
+ _RUN openssl rsa -in $rsapriv -out $rsapub -pubout
+
+ new_context
+
+ _STEP "loading signing keypair"
+ _RUN tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
+
+ _STEP "creating signer policy"
+ _RUN tpm2_startauthsession -S $session
+ _RUN tpm2_policyauthorize -S $session -L $authpolicy -n $rsaname -i $policy
+ _RUN tpm2_flushcontext $session
+
+ _STEP "creating sealing object"
+ _RUN tpm2_create -g sha256 -u $sealpub -r $sealpriv -i $key -C $ctx -L $authpolicy
+
+ _STEP "loading sealing object"
+ _RUN tpm2_evictcontrol -C o -c $keyloc
+ _RUN tpm2_load -Q -C $ctx -u $sealpub -r $sealpriv -n $sealname -c $sealctx
+ _RUN tpm2_evictcontrol -c $sealctx $keyloc -C o
+
+ _STEP "signing pcr policy"
+ _RUN openssl dgst -sha256 -sign $rsapriv -out $sig $policy
+}
+
+verify() {
+ _STEP "verifying signer key"
+ _RUN tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
+ _RUN tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $sig -t $verif -f rsassa
+}
+
+getkey() {
+ _RUN tpm2_startauthsession --policy-session -S $session
+ _RUN tpm2_policypcr -l $pcr -S $session
+ _RUN tpm2_policyauthorize -S $session -i $policy -n $rsaname -t $verif
+ _RUN tpm2_unseal -p session:$session -c $keyloc
+ _RUN tpm2_flushcontext $session
+}
+
+load() {
+ _STEP "storing public data in etc"
+ _RUN rm -fr /etc/tpm2
+ _RUN mkdir -p /etc/tpm2
+
+ _RUN cp $policy /etc/tpm2/policy
+ _RUN cp $rsaname /etc/tpm2/rsaname
+ _RUN cp $verif /etc/tpm2/verification
+
+ _RUN printf "%s" "$pcr" > /etc/tpm2/pcr
+ _RUN printf "%s" "$keyloc" > /etc/tpm2/keyloc
+}
+
+crypt() {
+ _STEP "copying key to crypt luks"
+ password=""
+ read -sp "Enter luks password: " password
+ echo
+
+ _RUN cryptsetup luksKillSlot $device $slot <<EOF
+$password
+EOF
+
+ _RUN cryptsetup luksAddKey $device $key <<EOF
+$password
+EOF
+}
+
+cleanup() {
+ _STEP "cleaning up"
+ _RUN rm -fr "$out"
+}
+
+all() {
+ reset
+ loadvars
+ keygen
+ verify
+ load
+ crypt
+ cleanup
+}
+
+$@ |
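Review bot: `all` goes from `verify` straight to `crypt`, so `cryptsetup luksKillSlot` and `luksAddKey` rewrite the LUKS header without ever proving the TPM will hand `$key` back — `getkey` exists but nothing calls it, and because the script never sets `set -e` and `_RUN` ignores the status of `"$@"`, a failed `tpm2_create`, `tpm2_load` or `tpm2_evictcontrol` still ends with slot 0 killed and a key the TPM may never unseal. I would add `set -euo pipefail` after the shebang and, before `crypt` in `all`, a round trip that compares files rather than a `$(...)` substitution (the key is raw bytes): `getkey > "$out/unsealed" && cmp -s -- "$key" "$out/unsealed" || { _STEP "unseal round-trip failed; LUKS header untouched"; cleanup; exit 1; }`. Two smaller points: the dispatcher on the last line should be `"$@"` (quoted), and `read -sp` should be `read -rsp` so backslashes in the passphrase are not eaten. Note also that `cleanup` removes `$rsapriv` together with the rest of `$out` while `load` keeps only the policy, name and ticket, so if the intent of `tpm2_policyauthorize` is to sign a fresh PCR policy after a PCR 7 change, that private key has to be preserved somewhere outside the temp store.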