#!/usr/bin/ash
# vim: set ft=sh

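run_hook() {
	# Unseal the LUKS keyfile from the TPM under a PCR policy that is
	# authorised by the signed policy in /etc/tpm2.  On success the plaintext
	# key is left at $ckeyfile for the encrypt hook to consume; on any failure
	# the (possibly partial) keyfile is removed so boot falls back to an
	# interactive passphrase instead of trusting a half-written key.
	#
	# Reads:   /etc/tpm2/{policy,rsaname,verification,pcr,keyloc}
	# Writes:  /crypto_keyfile.bin (plaintext key, initramfs only)
	# Removes: /session.ctx and the whole of /etc/tpm2 before returning
	# Calls:   msg/err supplied by the initramfs environment
	local ckeyfile policy rsaname verification pcr keyloc session
	local unsealout unseal tpmok

	ckeyfile="/crypto_keyfile.bin"

	policy="/etc/tpm2/policy"
	rsaname="/etc/tpm2/rsaname"
	verification="/etc/tpm2/verification"

	# PCR selection and sealed-object reference, written at install time.
	pcr=$(cat /etc/tpm2/pcr 2>/dev/null)
	keyloc=$(cat /etc/tpm2/keyloc 2>/dev/null)

	session="/session.ctx"

	tpmok=0
	if [ -z "$pcr" ] || [ -z "$keyloc" ]; then
		# Without these the tpm2 calls below cannot succeed; say so instead
		# of letting them fail with an unrelated message.
		err "TPM hook configuration missing in /etc/tpm2"
	else
		# Build the policy session: PCR policy first, then authorize it
		# against the signed policy.  Tool stdout is noise here; stderr is
		# left visible so a failing step can still be diagnosed on the console.
		tpm2_startauthsession --policy-session -S "$session" 1> /dev/null
		tpm2_policypcr -l "$pcr" -S "$session" 1> /dev/null
		tpm2_policyauthorize -S "$session" -i "$policy" -n "$rsaname" -t "$verification" 1> /dev/null

		# Capture stderr as well: the failure class is recognised from the
		# error text below.  $? of an assignment is the substituted command's.
		unsealout=$(tpm2_unseal -p "session:$session" -c "$keyloc" -o "$ckeyfile" 2>&1)
		unseal=$?

		tpm2_flushcontext "$session" 1> /dev/null
		rm -f "$session"

		if [ "$unseal" -eq 0 ]; then
			tpmok=1
		elif printf '%s\n' "$unsealout" | grep -sqiE 'Could not load tcti'; then
			err "TPM communication error"
		elif printf '%s\n' "$unsealout" | grep -sqiE 'Error.*0x99d'; then
			# Policy check failed: the measured boot state no longer matches
			# the sealed PCR policy.  Warn loudly, then fall back to passphrase.
			echo
			echo "!!! TPM WARNING: PCR VALUES HAVE CHANGED !!!"
			echo "This is an indication that the boot configuration has been altered since"
			echo "the TPM key was generated. This is normal after kernel updates or firmware"
			echo "changes, however this could also indicate a malicious change to your system."
			echo
		else
			err "Could not unseal TPM keyfile"
		fi
	fi

	if [ "$tpmok" -gt 0 ]; then
		msg ":: LUKS key successfully decrypted by TPM"
	else
		# Never leave a partial or unverified keyfile behind on failure.
		rm -f "$ckeyfile"
		msg ":: TPM Could not decrypt LUKS key"
	fi

	# Policy material is single-use for this boot; drop it either way.
	rm -fr /etc/tpm2
}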

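run_cleanuphook() {
	# Best-effort secure delete of the unsealed keyfile if a previous hook
	# left it behind.  The path is derived here because run_hook's variables
	# are function-local and not visible in this hook (so the original test
	# on an unset $ckeyfile never fired); an already-set $ckeyfile is still
	# honoured so the location can be overridden by the environment.
	local keyfile size
	keyfile="${ckeyfile:-/crypto_keyfile.bin}"

	if [ -f "$keyfile" ]; then
		# Overwrite the key bytes in place before unlinking; rm alone only
		# removes the name.  Skip the overwrite if the size is unknown or zero
		# rather than feeding dd an empty bs=.
		size=$(stat -c '%s' "$keyfile" 2>/dev/null)
		if [ -n "$size" ] && [ "$size" -gt 0 ]; then
			dd if=/dev/urandom of="$keyfile" bs="$size" count=1 conv=notrunc >/dev/null 2>&1
		fi
		rm -f "$keyfile"
	fi
}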