first try for ubuntu installation scripting

6 years ago · dbe9197625
6 changed files with 45 additions and 1 deletions
--- a/create-luks-tpm.sh
+++ b/create-luks-tpm.sh
@ -0,0 +1,19 @@
+#!bin/bash
+set -e
+
+CRYPTFS=/dev/nvme0n1p3
+
+echo "creating secret key"
+dd if=/dev/random of=/root/secret.bin bs=32 count=1
+cryptsetup luksAddKey $CRYPTFS /root/secret.bin
+
+echo "Creating TPM Policy with current available PCRs"
+tpm2_clear
+tpm2_createpolicy --policy-pcr -l sha256:0,1,4,5,7 -L /root/policy.digest
+tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
+tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
+tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
+tpm2_evictcontrol -C o -c /root/load.context 0x81000000
+# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin 
+rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
+
--- a/install.sh
+++ b/install.sh
@ -0,0 +1,12 @@
+#!bin/bash
+set -e
+
+cp -vf ./passphrase-from-tpm.sh /usr/sbin/ || exit 1
+cp -vf ./update-luks-tpm.sh /usr/sbin || exit 1
+cp -vf ./update-kernel /usr/sbin || exit 1
+cp -vf ./create-luks-tpm.sh /usr/sbin || exit 1
+
+cp -vf ./tpm2-hook.sh /etc/initramfs-tools/hooks/ || exit 2
+sed '/luks/$/,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh/' /etc/crypttab
+
+/usr/sbin/create-luks-tpm.sh
--- a/passphrase-from-tpm.sh
+++ b/passphrase-from-tpm.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+echo "Unlocking via TPM" >&2
+export TPM2TOOLS_TCTI="device:/dev/tpm0"
+/usr/local/bin/tpm2_unseal -c 0x81000000 -L sha256:0,1,4,5,7
+if [ $? -eq 0 ]; then
+	exit
+fi
+/lib/cryptsetup/askpass "Unlocking the disk fallback $CRYPTTAB_SOURCE ($CRYPTTAB_NAME)\nEnter passphrase: "
--- a/tpm2-hook.sh
+++ b/tpm2-hook.sh
@ -0,0 +1,5 @@
+#!/bin/sh -e
+if [ "$1" = "prereqs" ]; then exit 0; fi
+. /usr/share/initramfs-tools/hook-functions
+copy_exec /usr//bin/tpm2_unseal
+copy_exec /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0
--- a/update-kernel.sh
+++ b/update-kernel.sh
--- a/update-luks-tpm.sh
+++ b/update-luks-tpm.sh
@ -10,4 +10,3 @@ tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/l
 tpm2_evictcontrol -C o -c /root/load.context 0x81000000
 # tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin 
 rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
-chmod 400 /root/secret.bin