#!/usr/bin/env bash
# Enrolment settings. The LUKS container lives on $device; keyslot $slot is the
# one crypt() replaces with the TPM-sealed key; $keyloc is the persistent TPM
# handle the sealed object is stored under; $pcr is the PCR selection the
# unseal policy is bound to.
# NOTE(review): under the usual PC Client PCR usage 0-2 measure firmware and
# option ROMs and 7 measures Secure Boot state; boot-loader/kernel PCRs are not
# selected here -- confirm that matches the intended threat model.
device="/dev/nvme0n1p2"
slot="0"
keyloc="0x81000001"
pcr="sha256:0,1,2,7"
# Working-file paths. All are derived from the temp store $out by loadvars()
# and stay empty until then.
ctx= rsapub= rsapriv= rsaname= rsactx=
sealpub= sealpriv= sealname= sealctx=
key= policy= authpolicy= sig= verif= session=
out=
_STEP() {
  # Announce a step on stderr in bold blue. stdout is left untouched so that
  # data (e.g. the unsealed key from getkey) is not mixed with progress text.
  local label="$*"
  printf '\x1b[34;1m>> %s\x1b[0m\n' "$label" >&2
}
_RUN() {
  # Trace the command line on stderr (bold green), then execute it unchanged
  # and propagate its exit status. Because every argument is echoed, secrets
  # must never be passed to a traced command as arguments (crypt() hands the
  # passphrase over on stdin for that reason).
  local -a argv=("$@")
  printf '$ \x1b[32;1m%s\x1b[0m\n' "${argv[*]}" >&2
  "${argv[@]}"
}
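loadvars() {
  # Derive every working-file path from the temp store $out.
  # Refuses to run with an empty $out: the paths would otherwise resolve
  # directly under / and key material (tpm.key, rsa.priv) would be written
  # outside the private temp directory.
  : "${out:?temp store not set (run reset first)}"
  _STEP "reloading file locations"
  ctx="$out/prim.ctx"
  rsapub="$out/rsa.pub"
  rsapriv="$out/rsa.priv"
  rsaname="$out/rsa.name"
  rsactx="$out/rsa.ctx"
  sealpub="$out/seal.pub"
  sealpriv="$out/seal.priv"
  sealname="$out/seal.name"
  sealctx="$out/seal.ctx"
  key="$out/tpm.key"
  policy="$out/pcr.pol"
  authpolicy="$out/auth.pol"
  sig="$out/pcr.pol.sig"
  verif="$out/verification.tkt"
  session="$out/session.ctx"
}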
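reset() {
  # Clear the TPM (tpm2_clear; see tpm2_clear(1) for what it removes) and
  # create a fresh private temp store in $out. Every later step writes into
  # $out, so failing to obtain it must stop here instead of silently leaving
  # $out empty.
  _STEP "resetting tpm keys"
  tpm2_clear || return 1
  _STEP "creating temp store"
  # mktemp -d creates the directory with mode 0700 and an unpredictable name;
  # -d is the portable spelling of --directory.
  out=$(mktemp -d) || { printf 'reset: mktemp failed\n' >&2; return 1; }
}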
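new_context() {
  # Compute the PCR policy digest into $policy using a trial session
  # (tpm2_startauthsession without --policy-session). That digest is what
  # keygen later signs with the RSA key and what getkey authorises at unseal.
  # The session is flushed on every path so a failed policypcr does not leak it.
  local rc=0
  _STEP "generating new context"
  _RUN tpm2_startauthsession -S "$session" || return 1
  _RUN tpm2_policypcr -Q -S "$session" -l "$pcr" -L "$policy" || rc=$?
  _RUN tpm2_flushcontext "$session"
  return "$rc"
}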
keygen() {
_RUN tpm2_createprimary -Q -C o -c $ctx
_STEP "creating encryption key"
_RUN dd if=/dev/urandom bs=1 count=32 status=none 1> $key
_STEP "creating signing keypair"
_RUN openssl genrsa -out $rsapriv 2048
_RUN openssl rsa -in $rsapriv -out $rsapub -pubout
new_context
_STEP "loading signing keypair"
_RUN tpm2_loadexternal -G rsa -C o -u $rsapub -c $rsactx -n $rsaname
_STEP "creating signer policy"
_RUN tpm2_startauthsession -S $session
_RUN tpm2_policyauthorize -S $session -L $authpolicy -n $rsaname -i $policy
_RUN tpm2_flushcontext $session
_STEP "creating sealing object"
_RUN tpm2_create -g sha256 -u $sealpub -r $sealpriv -i $key -C $ctx -L $authpolicy
_STEP "loading sealing object"
_RUN tpm2_evictcontrol -C o -c $keyloc
_RUN tpm2_load -Q -C $ctx -u $sealpub -r $sealpriv -n $sealname -c $sealctx
_RUN tpm2_evictcontrol -c $sealctx $keyloc -C o
_STEP "signing pcr policy"
_RUN openssl dgst -sha256 -sign $rsapriv -out $sig $policy
}
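getkey() {
  # Unseal the LUKS key: open a real policy session, satisfy the PCR policy,
  # present it as authorised by $rsaname, and unseal the object at $keyloc.
  # The raw key bytes go to stdout; callers must not log or echo that output.
  # The session is always flushed, and the status of the failing step (not of
  # the flush) is returned so an unseal failure is not masked.
  # NOTE(review): this uses the $out-relative paths from loadvars, not the
  # files published in /etc/tpm2, and $verif is never produced in this script
  # (there is no tpm2_verifysignature step), so policyauthorize will fail until
  # that ticket exists -- confirm how this is wired up at boot.
  local rc=0
  _RUN tpm2_startauthsession --policy-session -S "$session" || return 1
  _RUN tpm2_policypcr -l "$pcr" -S "$session" \
    && _RUN tpm2_policyauthorize -S "$session" -i "$policy" -n "$rsaname" -t "$verif" \
    && _RUN tpm2_unseal -p "session:$session" -c "$keyloc" \
    || rc=$?
  _RUN tpm2_flushcontext "$session"
  return "$rc"
}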
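load() {
  # Publish into /etc/tpm2 the material the unseal side needs. Only public
  # data is copied: the PCR policy digest, the signing key's name and public
  # key, its loaded context, the policy signature, and the PCR/handle settings.
  # Neither tpm.key nor rsa.priv leaves $out. The directory is recreated from
  # scratch so stale files from an earlier enrolment cannot linger.
  local -r dest="/etc/tpm2"
  _STEP "storing public data in etc"
  _RUN rm -fr -- "$dest"
  _RUN mkdir -p -- "$dest" || return 1
  _RUN cp -- "$policy" "$dest/policy" || return 1
  _RUN cp -- "$rsaname" "$dest/rsaname" || return 1
  _RUN cp -- "$rsapub" "$dest/rsapub" || return 1
  # NOTE(review): rsactx is the transient-object context written by
  # tpm2_loadexternal; it is unlikely to stay valid across a reboot or
  # tpm2_clear -- confirm the consumer reloads from rsapub instead.
  _RUN cp -- "$rsactx" "$dest/rsactx" || return 1
  _RUN cp -- "$sig" "$dest/rsasig" || return 1
  _RUN printf "%s" "$pcr" > "$dest/pcr" || return 1
  _RUN printf "%s" "$keyloc" > "$dest/keyloc"
}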
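crypt() {
  # Replace LUKS keyslot $slot on $device with the freshly generated key file.
  # The passphrase is prompted once and handed to cryptsetup on stdin only, so
  # it never appears in argv (hence not in the _RUN trace or in ps). It is a
  # local so it does not outlive this function in the shell's environment.
  # read -r keeps backslashes in the passphrase literal; without it a
  # passphrase containing '\' would be mangled before reaching cryptsetup.
  local password=""
  _STEP "copying key to crypt luks"
  read -rsp "Enter luks password: " password || return 1
  printf '\n'
  # Best effort: the slot may already be empty (first enrolment), so a failure
  # here is not treated as fatal. luksKillSlot presumably needs a passphrase
  # from another slot, so $slot must not be the one the passphrase opens.
  _RUN cryptsetup luksKillSlot "$device" "$slot" <<EOF
$password
EOF
  _RUN cryptsetup luksAddKey "$device" "$key" <<EOF
$password
EOF
}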
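cleanup() {
  # Remove the temp store. It holds the raw LUKS key (tpm.key) and the
  # policy-signing private key (rsa.priv). rm unlinks without overwriting, so
  # on a disk-backed TMPDIR the bytes may remain recoverable until reused;
  # a tmpfs TMPDIR avoids that. An empty $out is treated as "nothing to do"
  # rather than handed to rm.
  _STEP "cleaning up"
  if [[ -z "$out" ]]; then
    printf 'cleanup: no temp store to remove\n' >&2
    return 0
  fi
  _RUN rm -fr -- "$out"
}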
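all() {
  # Full enrolment: clear the TPM, set up the temp store, build the sealed key
  # and policy, publish the public parts, then swap the LUKS keyslot.
  # Stops at the first failing step so that a key the TPM cannot release is
  # never committed to the LUKS header; cleanup always runs and the status of
  # the failing step is returned.
  local rc=0
  reset && loadvars && keygen && load && crypt || rc=$?
  cleanup
  return "$rc"
}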
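# Dispatch: the first argument names the function to run (e.g. "all",
# "getkey", "cleanup"); any further arguments are passed through unchanged.
# Quoted so that arguments containing whitespace reach the function intact;
# with no arguments nothing is run.
"$@"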