From 43b923711ff86332d79c928dda3ce3d1feacb18c Mon Sep 17 00:00:00 2001
From: Michael Preisach
Date: Fri, 14 Aug 2020 12:23:59 +0000
Subject: [PATCH] Primary key is be generated at every update of the PCRs - loading should be possible (future work)
---
 create-luks-tpm.sh | 3 +--
 update-luks-tpm.sh | 5 +++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/create-luks-tpm.sh b/create-luks-tpm.sh
index 4507fc9..b3ae008 100755
--- a/create-luks-tpm.sh
+++ b/create-luks-tpm.sh
@@ -4,11 +4,10 @@
 set -e
 CRYPTFS=/dev/nvme0n1p3
 echo "creating secret key"
+kdir -p /root/keys
 tpm2_getrandom 32 -o /root/keys/fde-secret.bin
 chmod 600 /root/keys/fde-secret.bin
 cryptsetup luksAddKey $CRYPTFS /root/keys/fde-secret.bin
-mkdir -p /root/keys
-tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/keys/e-primary.context
 # /usr/sbin/update-luks-tpm.sh #not reqired before reboot
diff --git a/update-luks-tpm.sh b/update-luks-tpm.sh
index 59e9237..87a688a 100755
--- a/update-luks-tpm.sh
+++ b/update-luks-tpm.sh
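Review bot: The added line `+kdir -p /root/keys` is a typo for `mkdir`; under the `set -e` at the top of the hunk the script aborts right there, before the secret is generated, and if the directory does not yet exist the following `tpm2_getrandom -o` would fail in any case. Since the directory receives the plaintext LUKS secret, create it with restrictive permissions: `mkdir -p -m 0700 /root/keys`. A `umask 077` before `tpm2_getrandom` would also close the window between the key file being written and the later `chmod 600`.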
@@ -5,9 +5,10 @@
 set +e
 tpm2_evictcontrol -C o -c 0x81000000
 set -e
+tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/keys/e-primary.context
 tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3,4,5,6,7 -L /root/keys/pcr-policy.digest
-tpm2_create -g sha256 -u /root/keys/obj.pub -r /root/keys/obj.priv -C /root/keys/e-primary.context -L /root/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/secret.bin
+tpm2_create -g sha256 -u /root/keys/obj.pub -r /root/keys/obj.priv -C /root/keys/e-primary.context -L /root/keys/pcr-policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/keys/fde-secret.bin
 tpm2_load -C /root/keys/e-primary.context -u /root/keys/obj.pub -r /root/keys/obj.priv -c /root/keys/load.context
 tpm2_evictcontrol -C o -c /root/keys/load.context 0x81000000
-# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin #proof that the persistence worked
+# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,2,3,4,5,6,7 -o /root/test.bin #proof that the persistence worked
 rm -f /root/keys/load.context /root/keys/obj.priv /root/keys/obj.pub /root/keys/pcr-policy.digest
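Review bot: The added `tpm2_createprimary` runs after the old persistent object has already been evicted by the `set +e` / `tpm2_evictcontrol -C o -c 0x81000000` / `set -e` lines at the top of the hunk, so it is one more step whose failure (under `set -e`) leaves 0x81000000 empty and the next boot without a sealed key; moving those three lines to just before `tpm2_evictcontrol -C o -c /root/keys/load.context 0x81000000` would replace the old object only once the new one has been created and loaded, shrinking that window considerably. The new primary's context file is also not covered by the trailing cleanup even though the primary is regenerated on every run — add `/root/keys/e-primary.context` to the `rm -f` list. The commented unseal check still names the `sha1` bank while the policy was built over `sha256`, so it would not satisfy the policy if it were uncommented as a verification step.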