diff --git a/create-luks-tpm.sh b/create-luks-tpm.sh
index a6b015e..dc0c93c 100755
--- a/create-luks-tpm.sh
+++ b/create-luks-tpm.sh
@@ -4,16 +4,9 @@ set -e
 CRYPTFS=/dev/nvme0n1p3
 echo "creating secret key"
-dd if=/dev/random of=/root/secret.bin bs=32 count=1
+tpm2_getrandom 32 -o /root/secret.bin
 cryptsetup luksAddKey $CRYPTFS /root/secret.bin
-echo "Creating TPM Policy with current available PCRs"
-tpm2_clear
-tpm2_createpolicy --policy-pcr -l sha256:0,1,4,5,7 -L /root/policy.digest
-tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
-tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
-tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
-tpm2_evictcontrol -C o -c /root/load.context 0x81000000
-# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin
-rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
+/usr/sbin/update-luks-tpm.sh
+
diff --git a/install.sh b/install.sh
index 76f8496..f5aa009 100755
--- a/install.sh
+++ b/install.sh
@@ -11,4 +11,5 @@ awk -i inplace '/luks/{print $0 ",discard,initramfs,keyscript=/usr/sbin/passphra
 /usr/sbin/create-luks-tpm.sh
 /usr/sbin/update-kernel.sh
+efibootmgr --create --disk $DISK --part 1 --label "ubuntu unified" --loader "\EFI\BOOT\Linux\Linux.efi" --verbose
 echo "Installed successfully! Please reboot and execute update-luks-tpm.sh afterwards"
diff --git a/update-kernel.sh b/update-kernel.sh
index 163a704..e47dbb6 100755
--- a/update-kernel.sh
+++ b/update-kernel.sh
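Review bot: `tpm2_getrandom 32 -o /root/secret.bin` creates the raw LUKS key file with whatever umask the caller happens to have, and nothing in this script restricts it, so the key's mode depends on the environment install.sh is run from; add `umask 077` before this line so the file is created 0600 regardless. The plaintext key also stays on disk after the script finishes — neither this script nor the `/usr/sbin/update-luks-tpm.sh` it now calls removes it — which is presumably intended because update-luks-tpm.sh re-seals from `/root/secret.bin`, but that should be stated next to the call, e.g. `# secret.bin is kept on purpose: update-luks-tpm.sh re-seals it whenever the PCR policy changes`. Note that the removed `tpm2_clear` is not carried over into update-luks-tpm.sh, so this run no longer resets the TPM before sealing; if a cleared owner hierarchy was relied on, that step needs to come back here.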
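Review bot: `efibootmgr --create --disk $DISK ...` relies on a `DISK` variable that this hunk does not define; the only visible assignment is `DISK=/dev/nvme0n1` in update-kernel.sh (its first hunk), which runs as a separate process and does not export it, so unless install.sh sets it above line 11 (not visible here) the unquoted, empty `$DISK` disappears and efibootmgr will most likely consume `--part` as the disk argument. Define it in install.sh and write `--disk "${DISK:?DISK must be set}"` so a missing value fails loudly instead of registering a bogus boot entry. The loader path `\EFI\BOOT\Linux\Linux.efi` also does not match the file update-kernel.sh writes, `/boot/efi/EFI/Linux/Linux.efi`, which on the ESP is `\EFI\Linux\Linux.efi` (assuming /boot/efi is the ESP mount); together with the `cp` to `BOOTX64.EFI` that update-kernel.sh's second hunk removes, the firmware entry would point at a path nothing creates and the removable-media fallback is gone too.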
@@ -1,11 +1,13 @@
 #!/usr/bin/bash
 set -e
 PARTITION_ROOT=/dev/mapper/ubuntu--vg-ubuntu--lv
+DISK=/dev/nvme0n1
+
 mkdir -p /boot/efi/EFI/Linux
 update-initramfs -u -k all
 LATEST=`ls -t /boot/vmlinuz* | head -1`
 VERSION=`file -bL $LATEST | grep -o 'version [^ ]*' | cut -d ' ' -f 2`
-# echo "/vmlinuz-$VERSION root=/dev/mapper/vg-root rw loglevel=3 cryptdevice=PARTUUID=$(blkid -o value $PARTITION_ROOT | tail -n 1):lvm:allow-discards rd.luks.options=discard" > /boot/kernel-command-line.txt #Arch command line
+### echo "/vmlinuz-$VERSION root=/dev/mapper/vg-root rw loglevel=3 cryptdevice=PARTUUID=$(blkid -o value $PARTITION_ROOT | tail -n 1):lvm:allow-discards rd.luks.options=discard" > /boot/kernel-command-line.txt #Arch command line
 echo "/vmlinuz-$VERSION root=$PARTITION_ROOT ro" > /boot/kernel-command-line.txt #Ubuntu command line
 objcopy \
 --add-section .osrel="/usr/lib/os-release" --change-section-vma .osrel=0x20000 \
@@ -13,4 +15,4 @@ objcopy \
 --add-section .linux="/boot/vmlinuz-$VERSION" --change-section-vma .linux=0x40000 \
 --add-section .initrd="/boot/initrd.img-$VERSION" --change-section-vma .initrd=0x3000000 \
 "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/efi/EFI/Linux/Linux.efi"
-cp -v /boot/efi/EFI/Linux/Linux.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
+
diff --git a/update-luks-tpm.sh b/update-luks-tpm.sh
index 8399c3b..3f7c628 100755
--- a/update-luks-tpm.sh
+++ b/update-luks-tpm.sh
@@ -1,12 +1,14 @@
 #!/usr/bin/bash
-set -e
-
 echo "Updating TPM Policy with current available PCRs"
+
+set +e
 tpm2_evictcontrol -C o -c 0x81000000
+
+set -e
 tpm2_createpolicy --policy-pcr -l sha256:0,1,4,5,7 -L /root/policy.digest
 tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
 tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
 tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
 tpm2_evictcontrol -C o -c /root/load.context 0x81000000
-# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin
+# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin #proof that the persistence worked
 rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
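Review bot: The `set +e` / `set -e` toggle around `tpm2_evictcontrol -C o -c 0x81000000` masks every failure of that call, not just the expected "nothing persisted at this handle yet" case, and it also opens a window in which the old sealed key has already been evicted while the replacement does not exist — if `tpm2_createpolicy` or any later step fails under `set -e`, the machine is left with no sealed LUKS key at 0x81000000 and the next boot falls back to manual unlock at best. Keep `set -e` at the top as before, build and load the new object first, and only then free the handle and persist: `tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context`, then `tpm2_evictcontrol -C o -c 0x81000000 || true  # handle is empty on first run`, then `tpm2_evictcontrol -C o -c /root/load.context 0x81000000`. That keeps the previous object usable until its replacement is ready and documents the one failure being tolerated. Separately, the "proof" comment on the `tpm2_unseal` line still quotes `pcr:sha1:0,1,4,5,7` while the policy is built with `sha256:0,1,4,5,7`, so anyone running it as written would check a different PCR bank.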