From c602e69b18f746b714864d906831f5391bf62e42 Mon Sep 17 00:00:00 2001
From: Freya Murphy
Date: Sat, 9 Dec 2023 14:24:58 -0500
Subject: verify signature at runtime not gentime

---
 tpm2_hook | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'tpm2_hook')

diff --git a/tpm2_hook b/tpm2_hook
index 3f6b832..2acab94 100755
--- a/tpm2_hook
+++ b/tpm2_hook
@@ -9,14 +9,18 @@ run_hook() {
     policy="/etc/tpm2/policy"
     rsaname="/etc/tpm2/rsaname"
-    verification="/etc/tpm2/verification"
+    rsapub="/etc/tpm2/rsapub"
+    rsasig="/etc/tpm2/rsasig"
+    rsactx="/etc/tpm2/rsactx"
     pcr=$(cat /etc/tpm2/pcr)
     keyloc=$(cat /etc/tpm2/keyloc)
-    tpmdev="/dev/tpmrm0"
-    session="/session.ctx"
+    verification="/verification.tkt"
+
+    tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname 1> /dev/null
+    tpm2_verifysignature -c $rsactx -g sha256 -m $policy -s $rsasig -t $verification -f rsassa 1> /dev/null
     tpm2_startauthsession --policy-session -S $session 1> /dev/null
     tpm2_policypcr -l $pcr -S $session 1> /dev/null
@@ -30,6 +34,7 @@ run_hook() {
     tpm2_flushcontext $session 1> /dev/null
     rm -f $session
+    rm -f $verification
     tpmok=0
     if [ $unseal -eq 0 ]; then
-- 
cgit v1.2.3-freya
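Review bot: The first hunk deletes `session="/session.ctx"` along with `tpmdev`, but `$session` is still used two lines below in `tpm2_startauthsession --policy-session -S $session` and `tpm2_policypcr -l $pcr -S $session`, and in the second hunk by `tpm2_flushcontext $session` and `rm -f $session`; unless `session` is assigned earlier in run_hook (the lines before this hunk are not shown), `-S` is now passed with no argument and the session setup fails, so that deletion should be reverted to `    session="/session.ctx"`. The added `tpm2_loadexternal` and `tpm2_verifysignature` lines also discard their exit status: a signature that does not verify writes no ticket to `$verification` and the hook carries on into the policy session, relying on a later step (outside this hunk) to reject the unauthorized policy rather than failing closed at the point of the check, e.g. `tpm2_verifysignature ... 1> /dev/null || { echo "tpm2: policy signature verification failed" >&2; return 1; }` (or set `unseal` to a non-zero value so the existing `if [ $unseal -eq 0 ]` check in the second hunk takes its fallback path). A short comment above the two new commands would also help the next reader, e.g. `# verify the signed PCR policy against the public key shipped in the initramfs; the ticket in $verification is consumed by the policy session below`. run_hook begins before this hunk and continues past it.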