install_sd_tpm2
88 lines (66 loc) · 3.12 KB
#!/bin/bash
# mkinitcpio install hook: copies the kernel modules, tpm2-tools binaries,
# systemd units and runtime hook needed to unseal a TPM 2.0-protected
# LUKS key in the initramfs, and wires the units into the cryptsetup targets.

build() {
    # TPM device drivers (memory-mapped TIS and CRB interfaces)
    add_module "tpm_tis"
    add_module "tpm_crb"

    # tpm2-tools used by the runtime hook, plus the hash tools for PCR work
    add_binary "/usr/bin/tpm2_unseal"
    add_binary "/usr/bin/tpm2_load"
    add_binary "/usr/bin/tpm2_nvread"
    add_binary "/usr/bin/tpm2_pcrextend"
    add_binary "/usr/bin/sha1sum"
    add_binary "/usr/bin/sha224sum"
    add_binary "/usr/bin/sha256sum"
    add_binary "/usr/bin/sha384sum"
    add_binary "/usr/bin/sha512sum"
    # TCTI backend so the tools can talk to /dev/tpm* inside the initramfs
    add_binary "/usr/lib/libtss2-tcti-device.so.0"

    # Runtime hook and the systemd units that drive it
    add_file "/usr/bin/tpm2_encrypt_hook"
    add_file "/usr/lib/initcpio/hooks/tpm2"
    add_systemd_unit "tpm2-unseal.service"
    add_systemd_unit "tpm2-cleanup.service"
    add_systemd_unit "cryptsetup-pre.target"

    # cryptsetup.target pulls in cryptsetup-pre.target ...
    WANTS="/usr/lib/systemd/system/cryptsetup.target.wants"
    mkdir -p "$BUILDROOT$WANTS"
    add_symlink "$WANTS/cryptsetup-pre.target" "/usr/lib/systemd/system/cryptsetup-pre.target"

    # ... which pulls in the unseal service, so the key exists before cryptsetup runs
    WANTS="/usr/lib/systemd/system/cryptsetup-pre.target.wants"
    mkdir -p "$BUILDROOT$WANTS"
    add_symlink "$WANTS/tpm2-unseal.service" "/usr/lib/systemd/system/tpm2-unseal.service"

    # Cleanup runs with initrd-cleanup.service, before the switch to the real root
    WANTS="/usr/lib/systemd/system/initrd-cleanup.service.wants"
    mkdir -p "$BUILDROOT$WANTS"
    add_symlink "$WANTS/tpm2-cleanup.service" "/usr/lib/systemd/system/tpm2-cleanup.service"

    # Optional parameter file; written as an if-block so a missing file does not
    # leave build() with a non-zero exit status as the trailing '&&' form would.
    if [ -f /etc/tpm2-encrypt/params ]; then
        add_file "/etc/tpm2-encrypt/params"
    fi
}

help() {
    cat <<HELPEOF
This hook allows for an encrypted root device to use a key sealed by a
TPM 2.0. It should be placed immediately before the 'sd-encrypt' hook. After
generating a TPM-sealed key, both 'tpmkey' and 'tpmpcr' should be
specified on the kernel command line.

'tpmkey' has several formats:

    tpmkey=[device]:[path]:[handle]
    tpmkey=[device]:[publicpath]:[privatepath]:[handle]
    tpmkey=nvram:[index]
    tpmkey=nvram:[index]:[offset]:[size]

Where [device] represents the raw block device on which the key exists,
[path] is the absolute base path of the keyfiles within the device, and
[handle] is the TPM handle of the key's parent object. If only [path] is
specified, '.pub' and '.priv' will be appended to the path to locate the
public and private files, respectively. The absolute [publicpath] and
[privatepath] can be specified separately if needed.

If [device] is rootfs, the key files will be read from the initramfs root
file system.

Setting [device] to 'nvram' indicates that the key is stored in TPM NVRAM.
In this case [index] is the NVRAM area index, [offset] is the offset of
the key in bytes and [size] is the size of the key in bytes.

'tpmpcr' should hold the TPM2 PCR bank specification that will unlock the
sealed key. Multiple specs can be separated by a '|' and key decryption
will be attempted with each set of banks.

The 'tpmextend' parameter may be used to indicate a PCR to extend after the
key has been unsealed:

    tpmextend=[alg]:[pcrnum]

Where [alg] is the bank algorithm and [pcrnum] is the PCR number to extend.

If the 'tpmprompt' command line parameter is set, the user will be
prompted for the parent encryption key password during boot. This password
will be used while loading the sealed key. This option has no effect when
the key is stored in NVRAM. Ex: tpmprompt=1
HELPEOF
}

# vim: set ft=sh ts=4 sw=4 et:
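The help text above defines four `tpmkey` shapes, a `|`-separated `tpmpcr` list and an `[alg]:[pcrnum]` `tpmextend` value, but the parsing happens in the runtime hook, which is not on this page. The script below is an added example, not code from this hook or its project: it shows how a boot-time hook would pull those parameters off a kernel command line and validate each one before handing anything to `tpm2_load`/`tpm2_unseal`. The function names, the `name=value` output format and the sample command line are this example's own assumptions; it is written in POSIX sh so it also runs under the initramfs shell.

```shell
#!/bin/sh
# Added example (not part of the install hook): parsers for the tpmkey=,
# tpmpcr= and tpmextend= kernel command-line values exactly as the hook's
# help text documents them. Function names and the "name=value" output
# format are this example's own conventions.

# Parameter values (paths, PCR specs) must never be subject to pathname
# expansion when we word-split them below.
set -f

# cmdline_param NAME CMDLINE
# Prints the value of NAME=... from a kernel command line string; returns 1
# when the parameter is absent. CMDLINE is passed in so the function can be
# exercised offline instead of reading /proc/cmdline.
cmdline_param() {
    name=$1
    for word in $2; do
        case $word in
            "$name"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# parse_tpmkey VALUE
# Accepts the four documented forms and prints one line of name=value pairs.
# For [device]:[path]:[handle], '.pub' and '.priv' are appended to [path].
# Any other shape, or an empty field, returns 1 so the caller fails closed
# instead of guessing where the key material lives.
parse_tpmkey() {
    old_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$old_ifs
    for f; do
        [ -n "$f" ] || return 1
    done

    if [ "$1" = nvram ]; then
        case $# in
            2) printf 'device=nvram index=%s\n' "$2" ;;
            4) printf 'device=nvram index=%s offset=%s size=%s\n' "$2" "$3" "$4" ;;
            *) return 1 ;;
        esac
        return 0
    fi

    case $# in
        3) printf 'device=%s pub=%s.pub priv=%s.priv handle=%s\n' "$1" "$2" "$2" "$3" ;;
        4) printf 'device=%s pub=%s priv=%s handle=%s\n' "$1" "$2" "$3" "$4" ;;
        *) return 1 ;;
    esac
}

# parse_tpmpcr VALUE
# Splits the '|'-separated list of PCR bank specs into one spec per line, in
# the order unsealing would be attempted. Returns 1 if the list is empty or
# contains an empty spec.
parse_tpmpcr() {
    old_ifs=$IFS
    IFS='|'
    set -- $1
    IFS=$old_ifs
    [ $# -gt 0 ] || return 1
    for spec; do
        [ -n "$spec" ] || return 1
    done
    for spec; do
        printf '%s\n' "$spec"
    done
}

# parse_tpmextend VALUE
# Validates [alg]:[pcrnum]; the PCR number must be a decimal integer.
# Prints "alg=... pcr=..." or returns 1.
parse_tpmextend() {
    case $1 in *:*) ;; *) return 1 ;; esac
    alg=${1%%:*}
    pcr=${1#*:}
    [ -n "$alg" ] || return 1
    case $pcr in ''|*[!0-9]*) return 1 ;; esac
    printf 'alg=%s pcr=%s\n' "$alg" "$pcr"
}

# Constructed kernel command line for the stand-alone demo (not a real system).
SAMPLE_CMDLINE='root=/dev/mapper/root tpmkey=/dev/sda1:/keys/root:0x81000000 tpmpcr=sha256:0,2,4,7|sha1:0,2,4,7 tpmextend=sha256:8 tpmprompt=1'

# demo CMDLINE: parses every hook parameter present, as the boot-time hook
# would before touching the TPM.
demo() {
    cmdline=$1
    key=$(cmdline_param tpmkey "$cmdline") && parse_tpmkey "$key"
    pcr=$(cmdline_param tpmpcr "$cmdline") && parse_tpmpcr "$pcr"
    ext=$(cmdline_param tpmextend "$cmdline") && parse_tpmextend "$ext"
    if cmdline_param tpmprompt "$cmdline" >/dev/null; then
        echo 'prompt=yes (parent key password will be requested)'
    fi
}

demo "$SAMPLE_CMDLINE"
```

Rejecting malformed values (an empty path component, a missing NVRAM index, a non-numeric PCR) before any TPM command runs is the point of the strict returns: the hook either has a fully specified key location and PCR policy or it falls back to the passphrase prompt, rather than loading a half-specified object.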