-
Notifications
You must be signed in to change notification settings - Fork 10
/
tpm2PolicyConfig
53 lines (41 loc) · 1.85 KB
/
tpm2PolicyConfig
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#!/usr/bin/env bash
if [ "${EUID}" -gt 0 ]; then
echo "Please run as root"
exit 1
fi
TPM_TEST=$(tpm2_pcrread sha256:0 | grep -Po "[0][x][A-Za-z0-9]+")
PCR_BANK=1
PCR_VALUES="0,2,3,7"
systemctl disable tpm2keyunlock.service
chmod 0755 tpm2Hook passphrase-from-tpm
cp tpm2Hook /usr/share/initramfs-tools/hooks/tpm2KeyUnlock
chown 0:0 /usr/share/initramfs-tools/hooks/tpm2KeyUnlock
cp passphrase-from-tpm /usr/local/bin/
chown 0:0 /usr/local/bin/passphrase-from-tpm
mkdir -p /etc/initramfs/post-update.d/
cp bootChain-update /etc/initramfs/post-update.d/
chmod +x /etc/initramfs/post-update.d/bootChain-update
cd /usr/local/var/tpm-manager || exit 1
cp /usr/local/var/tpm-manager/crypttab /etc/crypttab
if [[ $TPM_TEST = "" ]]; then
echo "TPM SHA 256 banks are disabled. To use SHA 256, enable SHA 256 PCR banks in BIOS with a compatible TPM."
echo "Falling back to SHA 1 PCR banks."
else
if [[ $TPM_TEST = '0x0000000000000000000000000000000000000000000000000000000000000000' ]]; then
echo "TPM SHA 256 PCR banks not populated. TPM Spec 1.x must be enabled to continue."
echo "Falling back to SHA 1 PCR banks."
else
PCR_BANK=256
fi
fi
tpm2_pcrread sha$PCR_BANK:$PCR_VALUES -o pcrs.bin
tpm2_createpolicy --policy-pcr -l sha$PCR_BANK:$PCR_VALUES -f pcrs.bin --policy policy.digest
tpm2_createprimary -c primary.context
tpm2_create -u obj.pub -r obj.priv -C primary.context -L policy.digest --attributes "noda|adminwithpolicy|fixedparent|fixedtpm" -i secret.bin
tpm2_load -C primary.context -u obj.pub -r obj.priv -c load.context
tpm2_evictcontrol -c load.context
sed -i "s/HASH/sha$PCR_BANK/g" /usr/local/bin/passphrase-from-tpm
REFERENCE=$(tpm2_getcap handles-persistent | grep -Po "[0][x][A-Za-z0-9]+" | tail -1)
sed -i "s/REFERENCE/$REFERENCE/g" /usr/local/bin/passphrase-from-tpm
sed -i "s/PCRVAL/$PCR_VALUES/g" /usr/local/bin/passphrase-from-tpm
update-initramfs -u