22 changes: 17 additions & 5 deletions 90anti-evil-maid/anti-evil-maid-unseal
Expand Up @@ -17,6 +17,14 @@ LUKS_PCR=13
PLYMOUTH_MESSAGES=()

plymouth_message() {
if [ "${#PLYMOUTH_MESSAGES[@]}" -eq 0 ]; then
# add vertical "padding" to avoid printing messages over plymouth's
# prompt help
plymouth message --text=""
plymouth message --text=""
plymouth message --text=""
fi

plymouth message --text="$*"
PLYMOUTH_MESSAGES+=("$*")
}
Expand Down Expand Up @@ -111,7 +119,7 @@ done
mkdir -p "$CACHE_DIR"
echo "${LABEL##"$LABEL_PREFIX"}" >"$SUFFIX_CACHE"

Z=$(tpm_z_srk)
Z=$(tpmzsrk)

if [ -n "$Z" ]; then
true >"$SRK_PASSWORD_CACHE"
Expand All @@ -134,7 +142,8 @@ fi
# check freshness token

log "Unsealing freshness token..."
if tpmunsealdata "$Z" "$SEALED_SECRET_FRE" "$UNSEALED_SECRET"; then
if tpmunsealdata "$Z" "$SEALED_SECRET_FRE" "$UNSEALED_SECRET" \
"$TPM_DIR/$LABEL"; then
log "Freshness token unsealed."
true >"$CACHE_DIR/unseal-success"
else
Expand Down Expand Up @@ -164,7 +173,8 @@ fi

if otp; then
log "Unsealing TOTP shared secret seed..."
if tpmunsealdata "$Z" "$SEALED_SECRET_OTP" "$UNSEALED_SECRET"; then
if tpmunsealdata "$Z" "$SEALED_SECRET_OTP" "$UNSEALED_SECRET" \
"$TPM_DIR/$LABEL"; then
log "TOTP secret unsealed."

message ""
Expand All @@ -188,7 +198,8 @@ if otp; then
} &
totp_loop_pid=$!

if tpmunsealdata "$Z" "$SEALED_SECRET_KEY" "$UNSEALED_SECRET"; then
if tpmunsealdata "$Z" "$SEALED_SECRET_KEY" "$UNSEALED_SECRET" \
"$TPM_DIR/$LABEL"; then
for _ in 1 2 3; do
pass=$(systemd-ask-password --timeout=0 \
'LUKS key file password (or "t" to show text secret)')
Expand Down Expand Up @@ -222,7 +233,8 @@ fi

if ! otp; then
log "Unsealing text secret..."
if tpmunsealdata "$Z" "$SEALED_SECRET_TXT" "$UNSEALED_SECRET"; then
if tpmunsealdata "$Z" "$SEALED_SECRET_TXT" "$UNSEALED_SECRET" \
"$TPM_DIR/$LABEL"; then
{
message ""
message "$(cat "$UNSEALED_SECRET" 2>/dev/null)"
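Review bot: Each `tpmunsealdata "$Z" … "$UNSEALED_SECRET" "$TPM_DIR/$LABEL"` call (this section's four unseal hunks) composes the media-specific storage path inline from LABEL, which the `${LABEL##"$LABEL_PREFIX"}` line shows is taken from the boot media label; the only character-set restriction visible in this PR is LABEL_SUFFIX_CHARS in anti-evil-maid-install, so it is worth confirming that the label has already been validated before it becomes a path component at unseal time. Computing the value once, e.g. `media_storage=$TPM_DIR/$LABEL` before the first unseal, would also keep the four call sites identical. The enclosing script starts and continues outside these hunks.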
10 changes: 8 additions & 2 deletions 90anti-evil-maid/module-setup.sh
Expand Up @@ -43,16 +43,18 @@ install() {
sort \
tail \
tcsd \
tcsd_changer_identify \
trousers_changer_identify \
tee \
tpm_id \
tpm2_id \
tpm_nvinfo \
tpm_nvread \
tpm_nvread_stdout \
tpm_pcr_extend \
tpm_sealdata \
tpm_unsealdata \
tpm_z_srk \
tpm2_z_srk \
tr \
uniq \
wc \
Expand All @@ -66,7 +68,6 @@ install() {
tpm2_create \
tpm2_createprimary \
tpm2_evictcontrol \
tpm2_encryptdecrypt \
tpm2_flushcontext \
tpm2_load \
tpm2_nvdefine \
Expand All @@ -80,6 +81,11 @@ install() {
tpm2_policycommandcode \
tpm2_startauthsession \
tpm2_unseal
# other utilities
dracut_install \
mktemp \
openssl \
sha256sum
# such tpm2-tss libraries must be listed explicitly because they are
# discovered at runtime instead of being linked to during build
dracut_install \
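Review bot: The `dracut_install` of `openssl` under `# other utilities` copies the binary and its linked libraries, but OpenSSL's configuration and any provider modules it is told to load are resolved at runtime, much like the tpm2-tss libraries the comment just below already lists explicitly, so it is worth checking in the built initrd that `openssl` actually works there rather than assuming the install line is enough. A short comment saying what the initrd uses `openssl` and `sha256sum` for would help the next reader; the removal of `tpm2_encryptdecrypt` in the previous hunk suggests some crypto moved out of the TPM, but that is not visible here. The install() function starts before these hunks and continues after them.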
3 changes: 2 additions & 1 deletion anti-evil-maid.spec.in
Expand Up @@ -8,7 +8,7 @@ Requires: trousers-changer >= 4.0.0
Requires: systemd >= 227
Requires: coreutils >= 8.25-2
Requires: scrypt qrencode oathtool
Requires: tpm2-tools
Requires: tpm2-tools openssl
Requires(post): dracut grub2-tools tboot systemd
Obsoletes: anti-evil-maid-dracut
Vendor: Invisible Things Lab
Expand Down Expand Up @@ -45,6 +45,7 @@ cp -r systemd $RPM_BUILD_ROOT/usr/lib
/usr/sbin/anti-evil-maid-install
/usr/sbin/anti-evil-maid-lib
/usr/sbin/anti-evil-maid-lib-tpm1
/usr/sbin/anti-evil-maid-lib-tpm2
/usr/sbin/anti-evil-maid-seal
/usr/sbin/anti-evil-maid-tpm-setup
/usr/share/doc/anti-evil-maid/README
1 change: 1 addition & 0 deletions sbin/anti-evil-maid-install
@@ -1,5 +1,6 @@
#!/bin/bash
set -euo pipefail
shopt -s expand_aliases
. anti-evil-maid-lib
LABEL_SUFFIX_CHARS=0-9a-zA-Z=.-
BOOT_DIR=/boot
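Review bot: `shopt -s expand_aliases` is added without a comment saying why; aliases are expanded when a line is parsed, so the setting only affects commands parsed after `. anti-evil-maid-lib` has run, which the ordering here satisfies but nothing records. A one-line comment such as `# aliases defined by the sourced libs are expanded at parse time; keep this before the source line` would make the ordering constraint explicit. Presumably the TPM library files define aliases, though none is visible in this PR.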
19 changes: 13 additions & 6 deletions sbin/anti-evil-maid-lib
Expand Up @@ -174,6 +174,7 @@ removable() {
}

validatetpm() {
# makes sure TPM is there and can be used, determines TPM version
if [ ! -d "$SYSFS_TPM_DIR" ]; then
message "$SYSFS_TPM_DIR isn't present"
return 1
Expand All @@ -184,13 +185,19 @@ validatetpm() {
message "Failed to determine the version of the TPM"
return 1
fi

if [ "$_tpm_version" -eq 1 ]; then
# shellcheck source=../sbin/anti-evil-maid-lib-tpm1
source /sbin/anti-evil-maid-lib-tpm1
return 0
fi

if [ "$_tpm_version" -eq 2 ]; then
message "TPM 2.0 detected. TPM 2.0 is currently unsupported"
message "Note: some TPM 2.0 devices can be configured to act as TPM 1.2"
return 1
# shellcheck source=../sbin/anti-evil-maid-lib-tpm2
source /sbin/anti-evil-maid-lib-tpm2
return 0
fi

# shellcheck source=../sbin/anti-evil-maid-lib-tpm1
source /sbin/anti-evil-maid-lib-tpm1
return 0
message "Unexpected TPM version: $_tpm_version"
return 1
}
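Review bot: In validatetpm the new `source /sbin/anti-evil-maid-lib-tpm2` (and the existing `source /sbin/anti-evil-maid-lib-tpm1` branch above it) is followed by an unconditional `return 0`, so a missing or unreadable library file yields a successful validation with none of the tpm* functions defined; if callers use the function in an `if`, `set -e` will not catch this. Guarding each with `source /sbin/anti-evil-maid-lib-tpm2 || return 1` (and the same for the tpm1 line) makes the failure surface where the version was determined. The function's opening lines are in the previous hunk of this section.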
22 changes: 19 additions & 3 deletions sbin/anti-evil-maid-lib-tpm1
@@ -1,3 +1,11 @@
tpmid() {
tpm_id
}

tpmzsrk() {
tpm_z_srk
}

checktpmnvram() {
# checks whether the TPM NVRAM area is defined
# NOTE: tpm_nvinfo does not return non-zero if requested index
Expand Down Expand Up @@ -156,9 +164,16 @@ tpmpcrextend() {
tpm_pcr_extend "$_pcr" "$_hash"
}

tpmsealprepare() {
# does necessary preparations before the use of tpmsealdata, accepts path
# to media-specific storage of sealed data
true # nothing to do for TPM1
}

tpmsealdata() {
# seals source specified by second argument into destination specified by
# the third one, non-empty first argument signifies empty SRK password
# the third one, non-empty first argument signifies empty SRK password, the
# forth argument specifies path to AEM media-specific storage
_nosrkpass=()
if [ -n "$1" ]; then
_nosrkpass=( -z )
Expand All @@ -172,7 +187,8 @@ tpmsealdata() {

tpmunsealdata() {
# unseals source specified by second argument into destination specified by
# the third one, non-empty first argument signifies empty SRK password
# the third one, non-empty first argument signifies empty SRK password, the
# forth argument specifies path to AEM media-specific storage
_nosrkpass=()
if [ -n "$1" ]; then
_nosrkpass=( -z )
Expand Down Expand Up @@ -210,7 +226,7 @@ tpmstartservices() {
}

tpmstartinitrdservices() {
tcsd_changer_identify
trousers_changer_identify
# it forks
tcsd
}
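Review bot: The new comments on tpmsealdata and tpmunsealdata read `forth argument`; it should be `fourth argument specifies path to AEM media-specific storage` in both. Since the TPM 1.2 implementations do not reference that argument, stating so in the same comment (`ignored for TPM 1.2`) spares readers a search for its use, in the way tpmsealprepare already does with its `nothing to do for TPM1` line. The new tpmid and tpmzsrk wrappers could carry a one-line comment that they are the version-neutral names callers use, matching how `Z=$(tpmzsrk)` replaced `tpm_z_srk` in anti-evil-maid-unseal.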