From dbe919762595620ef605713663143be9ae37ff67 Mon Sep 17 00:00:00 2001
From: Michael Preisach
Date: Sun, 21 Jun 2020 20:37:46 +0200
Subject: [PATCH] first try for ubuntu installation scripting

---
create-luks-tpm.sh | 19 +++++++++++++++++++
install.sh | 12 ++++++++++++
passphrase-from-tpm.sh | 9 +++++++++
tpm2-hook.sh | 5 +++++
update-kernel.sh | 0
update-luks-tpm.sh | 1 -
6 files changed, 45 insertions(+), 1 deletion(-)
create mode 100755 create-luks-tpm.sh
create mode 100755 install.sh
create mode 100755 passphrase-from-tpm.sh
create mode 100755 tpm2-hook.sh
mode change 100644 => 100755 update-kernel.sh
mode change 100644 => 100755 update-luks-tpm.sh

diff --git a/create-luks-tpm.sh b/create-luks-tpm.sh
new file mode 100755
index 0000000..34d9e92
--- /dev/null
+++ b/create-luks-tpm.sh
@@ -0,0 +1,19 @@
+#!bin/bash
+set -e
+
+CRYPTFS=/dev/nvme0n1p3
+
+echo "creating secret key"
+dd if=/dev/random of=/root/secret.bin bs=32 count=1
+cryptsetup luksAddKey $CRYPTFS /root/secret.bin
+
+echo "Creating TPM Policy with current available PCRs"
+tpm2_clear
+tpm2_createpolicy --policy-pcr -l sha256:0,1,4,5,7 -L /root/policy.digest
+tpm2_createprimary -C e -g sha256 -G ecc256 -c /root/primary.context
+tpm2_create -g sha256 -u /root/obj.pub -r /root/obj.priv -C /root/primary.context -L /root/policy.digest -a "noda|adminwithpolicy|fixedparent|fixedtpm" -i /root/secret.bin
+tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/load.context
+tpm2_evictcontrol -C o -c /root/load.context 0x81000000
+# tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin
+rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
+
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..0e6b804
--- /dev/null
+++ b/install.sh
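Review bot: The plaintext LUKS key written to /root/secret.bin by the dd line is created with the default umask and never tightened, while this same commit drops `chmod 400 /root/secret.bin` from update-luks-tpm.sh, so nothing in the repository restricts the file any more; add `umask 077` before the dd or `chmod 400 /root/secret.bin` right after it. The dd can also return fewer than 32 bytes on a short read from /dev/random and `count=1` accepts that silently; `dd if=/dev/random of=/root/secret.bin bs=32 count=1 iflag=fullblock` (or `head -c 32`) pins the length. The shebang `#!bin/bash` is missing its leading slash here and in install.sh, so neither script runs when executed directly as installed. tpm2_clear resets the owner hierarchy and invalidates anything previously sealed, which is probably intended for a first install but deserves a comment saying so.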
@@ -0,0 +1,12 @@
+#!bin/bash
+set -e
+
+cp -vf ./passphrase-from-tpm.sh /usr/sbin/ || exit 1
+cp -vf ./update-luks-tpm.sh /usr/sbin || exit 1
+cp -vf ./update-kernel /usr/sbin || exit 1
+cp -vf ./create-luks-tpm.sh /usr/sbin || exit 1
+
+cp -vf ./tpm2-hook.sh /etc/initramfs-tools/hooks/ || exit 2
+sed '/luks/$/,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh/' /etc/crypttab
+
+/usr/sbin/create-luks-tpm.sh
diff --git a/passphrase-from-tpm.sh b/passphrase-from-tpm.sh
new file mode 100755
index 0000000..c3d2212
--- /dev/null
+++ b/passphrase-from-tpm.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+echo "Unlocking via TPM" >&2
+export TPM2TOOLS_TCTI="device:/dev/tpm0"
+/usr/local/bin/tpm2_unseal -c 0x81000000 -L sha256:0,1,4,5,7
+if [ $? -eq 0 ]; then
+ exit
+fi
+/lib/cryptsetup/askpass "Unlocking the disk fallback $CRYPTTAB_SOURCE ($CRYPTTAB_NAME)\nEnter passphrase: "
diff --git a/tpm2-hook.sh b/tpm2-hook.sh
new file mode 100755
index 0000000..6b9a3b9
--- /dev/null
+++ b/tpm2-hook.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -e
+if [ "$1" = "prereqs" ]; then exit 0; fi
+. /usr/share/initramfs-tools/hook-functions
+copy_exec /usr//bin/tpm2_unseal
+copy_exec /usr/lib/x86_64-linux-gnu/libtss2-tcti-device.so.0
diff --git a/update-kernel.sh b/update-kernel.sh
old mode 100644
new mode 100755
diff --git a/update-luks-tpm.sh b/update-luks-tpm.sh
old mode 100644
new mode 100755
index d6ee03d..8399c3b
--- a/update-luks-tpm.sh
+++ b/update-luks-tpm.sh
@@ -10,4 +10,3 @@ tpm2_load -C /root/primary.context -u /root/obj.pub -r /root/obj.priv -c /root/l
 tpm2_evictcontrol -C o -c /root/load.context 0x81000000
 # tpm2_unseal -c 0x81000000 -p pcr:sha1:0,1,4,5,7 -o /root/test.bin
 rm -f /root/load.context /root/obj.priv /root/obj.pub /root/policy.digest /root/primary.context
-chmod 400 /root/secret.bin
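Review bot: The crypttab edit on the sed line is not a valid sed script (no `s` command) and has no `-i`, so under `set -e` the installer aborts at that point and /etc/crypttab is never changed; the intended form is `sed -i '/luks/s|$|,discard,initramfs,keyscript=/usr/sbin/passphrase-from-tpm.sh|' /etc/crypttab`, and it should be guarded so a second run does not append the options twice. The line `cp -vf ./update-kernel /usr/sbin || exit 1` names a file that is not in the repository (the diffstat lists update-kernel.sh), so the install already fails before the hook is copied. Nothing rebuilds the initramfs after the hook is installed and crypttab is edited; an `update-initramfs -u` at the end is needed for the keyscript to take effect on the next boot. The `|| exit N` suffixes are redundant under `set -e`.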
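Review bot: The askpass fallback on the last line is unreachable: under `set -e` a failing tpm2_unseal terminates the script before the `$?` test runs, so a PCR mismatch leaves the boot without a passphrase prompt; write `if /usr/local/bin/tpm2_unseal -c 0x81000000 -L sha256:0,1,4,5,7; then exit 0; fi` instead. The binary path also disagrees with tpm2-hook.sh, which copies `/usr//bin/tpm2_unseal` into the initramfs, so `/usr/local/bin/tpm2_unseal` will not exist at boot unless it is installed there by other means; use one location in both files. The commented-out unseal in create-luks-tpm.sh passes the PCR policy as `-p pcr:...` while this file uses `-L`; confirm which option the installed tpm2-tools version accepts, because the wrong one fails every boot into the fallback path.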
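Review bot: The hook does not declare `PREREQ` or answer the prereqs call with it; initramfs-tools hooks conventionally start with `PREREQ=""` and print `$PREREQ` before `exit 0`, which keeps the ordering contract explicit even when it is empty. `copy_exec /usr//bin/tpm2_unseal` has a doubled slash and should read `copy_exec /usr/bin/tpm2_unseal`, and the TCTI library line hard-codes the x86_64 multiarch directory, so on any other architecture the copy presumably fails at build time rather than at boot; check the installed path or derive it from `dpkg-architecture`. The `-e` in the `#!/bin/sh -e` shebang is lost if the hook is ever invoked as `sh tpm2-hook.sh`; `set -e` on its own line is the safer form.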